LoA (Letter of Authorization) for Prefix Filter Modification?

Thu Sep 18 16:17:07 UTC 2008

I use RWHOIS for proof of who we assign and allocate address space to.  I dont believe an LOA is any more valid or secure than my RWHOIS data base that I keep and update on a daily basis.  In this case I find it a waste of time when people ask me for LOA's when they can verify the info on my RWHOIS site.  And I point these people to my RWHOIS site when they ask for LOA as opposed to wasting my time on creating paperwork. However, if you dont have something like that set up, then I do see the value in people asking for LOA and thus helping to ensure address space isnt getting hijacked.

My 2 cents
Marla Azinger
Frontier Communications

-----Original Message-----
From: Joe Greco [mailto:jgreco at ns.sol.net]
Sent: Wednesday, September 17, 2008 9:22 AM
To: Raoul Bhatia [IPAX]
Cc: nanog at nanog.org
Subject: Re: LoA (Letter of Authorization) for Prefix Filter Modification?

> Joe Greco wrote:
> > How do you verify the authenticity of anything?  This is a common
> > problem in the Real World, and is hardly limited to LoA's.
> >
> > How do you prove that what was on Pages 1 to (N-1) of an N page
> > contract contained the words you think they said?  I knew a guy,
> > back in the early days, who habitually changed the SLA's in his
> > contracts so that he could cancel a contract for virtually no reason
> > at all ... the folly of mailing around contracts as .doc files in
> > e-mail.  But even failing that, it's pretty trivial to reprint a
> > document, so where do you stop, do you use special paper, special
> > ink, watermarking of documents, initial each page, all of the above, etc?
>
> what about using a digital signation of e.g. a pdf version of a scan?

Try putting that up next to an apparently legitimate but actually subtly modified paper contract with signatures, in a court of law, and feel free to inform us of which one the court finds more compelling.

In an environment where there's an established history and standard procedures, they're typically going to prefer the familiar method.

In our world, if we were to have some sort of crypto-based way to have a netblock owner sign something like that, yeah, that'd be great, and it would mean that the community would generally be able to manage the issue without having to resort to faxed-around LoA's, etc., but we don't have that infrastructure, or even a common/widespread LoA system.  Sigh.

I'm not arguing that some sort of technical/crypto infrastructure for authorizing the advertisement of space shouldn't be developed, and in fact I think it should.  However, as an interim step, things like LoA's are much better than nothing at all, and worrying about the authenticity of an LoA is probably not worth the time and effort, given the way these things tend to work out.  If there's cause for concern, those who are receiving the LoA's will ramp up the paranoia.

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.