Carriers need to independently verify LOAs

Matt Erculiani merculiani at
Mon Apr 19 21:01:02 UTC 2021

Nothing is stopping the perpetrator of a BGP hijack as a result of a forged
or otherwise illegitimate LOA from facing civil litigation as a result of
revenue loss or other harm done.

This thread and others like it highlight that there is absolutely some
negligence here and could very well find itself in an evidence pile at some
point in the future.

So there IS liability, but the lack of solid precedent means that the bean
counters can't assign a dollar amount to the risk associated with blindly
accepting LOAs, and therefore it might as well not exist.

Someday, somebody will have the pants sued off them because they let their
new customer hijack the hell out of a government entity, bank, oil company,
etc. and we'll start to see better processes.


On Mon, Apr 19, 2021 at 11:59 AM Sean Donelan <sean at> wrote:

> On Mon, 19 Apr 2021, Peter Beckman wrote:
> > And while it would be nice if everyone "independently verified every LOA"
> > the cost of doing so in the far-too-many edge cases is business-endingly
> > high.
> If carriers faced legal liability, with appropriate incentatives, I'd bet
> they would solve the verification problem -- quickly, cheaply.
> No liability -- no reason to solve the problem.

Matt Erculiani
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the NANOG mailing list