<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>RPKI can be very useful to mitigate an attempt.</p>
<p>I used to process IP LOAs all the time. I never saw a RR
attached but usually we did a check against the RIR just to make
sure (because we made access-list per interface as well)<br>
</p>
<div class="moz-cite-prefix">On 3/9/2021 1:42 PM, Mel Beckman wrote:<br>
</div>
<blockquote type="cite"
cite="mid:4B68492D-D1F2-4C3C-B444-34A3B43DEDAC@beckman.org">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
Not everyone uses RRs, and there is also the possibility that
their upstream would register it. Having an RR doesn’t seem
definitive either way. I can see reasons to wait on the RR until
ready to receive traffic. <br>
<br>
<div dir="ltr">-mel via cell</div>
<div dir="ltr"><br>
<blockquote type="cite">On Mar 9, 2021, at 11:14 AM, Brian
Turnbow <a class="moz-txt-link-rfc2396E" href="mailto:b.turnbow@twt.it"><b.turnbow@twt.it></a> wrote:<br>
<br>
</blockquote>
</div>
<blockquote type="cite">
<div dir="ltr">
<div style="font-family:Calibri, Arial, Helvetica, sans-serif;
font-size:12.0pt; line-height:1.3; color:#1F497D"
id="nine_body_n178186-4d096" class="nine_body" dir="auto">
<div class="nine-pg" dir="auto">If they had a route record
that was close, I Would give them the benefit of doubt. </div>
<div class="nine-pg" dir="auto">They do not however as the
only records start with 217. And our IPs are 45.</div>
<div class="nine-pg" dir="auto"><br data-mce-bogus="1">
</div>
<div class="nine-pg" dir="auto">So It Is very strange. Would
you send a LOA without a route record?</div>
<div class="nine-pg" dir="auto"> </div>
<div class="nine-pg blank sign" dir="auto"><br>
</div>
<div id="nine-sign-n178186-4d096" class="nine_signature"
dir="auto">
<div class="nine-pg" dir="auto">Brian Turnbow</div>
</div>
</div>
<div id="quoted_header_n178186-4d096"
class="quoted_header_editor fold" dir="auto">
<hr style="border:none; height:1px; color:#E1E1E1;
background-color:#E1E1E1;" class="nine-pg">
<div style="border:none; padding:3.0pt 0cm 0cm 0cm"
class="nine-pg" dir="auto"><span
style="font-size:11.0pt;font-family:Calibri, Arial,
Helvetica, sans-serif"><b>Da:</b> Mel Beckman
<a class="moz-txt-link-rfc2396E" href="mailto:mel@beckman.org"><mel@beckman.org></a><br>
<b>Inviato:</b> martedì 9 marzo 2021 19:17<br>
<b>A:</b> Brian Turnbow<br>
<b>Cc:</b> North American Network Operators' Group<br>
<b>Oggetto:</b> Re: an IP hijacking attempt<br>
</span></div>
</div>
<div id="quoted_body_n178186-4d096" class="quoted_body_editor
mceEditable fold" dir="auto">
<div class="nine-pg" dir="auto"><br type="attribution">
</div>
<div class="nine-pg" dir="auto">It could just be a typo on
the LOA. It seems unlikely any ISP would approve a forged
LOA that could readily be debunked by contacting the IP
space owner. The whole point of LOA’s is to facilitate
this verification.
<br>
<br>
-mel via cell <br>
<br>
> On Mar 9, 2021, at 10:01 AM, Brian Turnbow via NANOG
<a class="moz-txt-link-rfc2396E" href="mailto:nanog@nanog.org"><nanog@nanog.org></a> wrote: <br>
> <br>
> Hello everyone, <br>
> <br>
> We received a strange request that I wanted to share.
<br>
> An email was sent to us asking to confirm a LOA from
a diligent ISP. <br>
> The Loa was a request to open bgp for an AS , that is
not ours, to announce a /23 prefix that is ours.
<br>
> So basically this entity sent to their upstream a
request to announce a prefix from one our allocated
ranges.
<br>
> We have the allocation correctly registered and ROAs
in place , but it is worrisome that someone would attempt
this.
<br>
> Obviously we have informed the ISP that the LOA is
not valid and are trying to contact the originating party.
<br>
> Aside from RIRs for the offending AS and our IPs, Is
there anywhere to report this type of activity?
<br>
> We have dealt with hijacking technically speaking in
the past but this is the first time, to my knowledge, of
someone forging a LOA with our IPs.
<br>
> <br>
> Thanks in advance for any advice <br>
> <br>
> Brian <br>
> <br>
> P.S. a big thanks to Chris for checking the boxes
before activating the filter if you are on the list!
<br>
> <br>
> <br>
> <br>
> <br>
</div>
</div>
</div>
</blockquote>
</blockquote>
</body>
</html>