Hi,
(please see inline)
On Mon, 26 Feb 2024, Tom Samplonius wrote:

> There is one purpose: to facilitate IP fraud, and maintain currently
> fraudulently routed IPs.

Yes!

> Anyone can dummy up a LOA. And there is still quite a lot of unrouted
> IP space.

Yes. But the endgame is not always the same, when miscreants push fake
LOAs (for routing).
I was recently made aware of https://loa.tools
This is how easy it gets......

> VPS providers know this, and know their customers are submitting fake
> LOAs.

Then it's a good idea to require cryptographic evidence of
ownership/authorization, by resorting to RPKI/ROV.

> But it is sort of the business VPS providers are in.

That can be true for some. I hope it isn't true for the majority of them.

> Is it some sort of serious crime in the US though? Well, just submit
> the LOA from outside the US. Plus, the entity being defrauded is the IP
> holder, not the VPS provider or their customer. If you are an IP
> holder, good luck getting the VPS provider to give you a copy of the
> fake LOA. It is not in their interest to throw their customers under
> the bus. You would have to give them a court order. So if you look
> for unrouted IP space, registered to a non-US organization (ex. Canada),
> and submit a fake LOA from another country (London, UK for instance),
> you are unlikely to get tracked down for wire fraud.

Good example, but there are also some less central
jurisdictions/countries/territories, where local law enforcement
cooperation is even harder to get. And miscreants know this very well.

> And you might ask, well, why would a VPS provider accept an LOA from
> the UK for an IP block registered to a Canadian organization? Well,
> clearly it isn't in the VPS provider's interest to look into the LOAs
> too much.

While it doesn't change anything in the "interest" vector, resorting to
RPKI/ROV would probably be less work.

> As long as the IP space is unrouted, they will approve it. The LOA is
> basically just a liability shield for the VPS provider. It is not a
> crime to be deceived, though the due diligence beggars belief.

Even if the IP space is routed, can't anycast be invoked...? :-)))

> So I had this happen. There was a /24 being hijacked by a VPS
> provider. I told them this was fraud, and they asked me if I wanted to
> "rescind the LOA". I told them I never gave them a LOA. They dropped
> the /24 immediately. They refused to provide a copy of the LOA. So
> pretty hard to pursue any sort of wire fraud charges.

That's the thing with LOAs for routing, the only way to be sure is to
check if there is a valid ROA with the prefix, length and ASN. :-)
If the customer can't make a valid ROA, or make the legitimate owner
produce one, then the claim on the LOA is bogus...

> So a VPS provider asking for a paper LOA is basically asking you to
> lie to them, to protect them from liability. They will just drop the IP
> prefix if there is any contact from the actual IP holder.

If the legitimate IP holder has closed shop, there will not be a contact.
And miscreants also know this very well...

Cheers,
Carlos

> Tom
>
> On Feb 26, 2024, at 10:57 AM, Seth Mattinen via NANOG <nanog@nanog.org> wrote:
>
>> Why do companies still insist on, or deploy new systems that rely on paper LOA
>> for IP and ASN resources? How can this be considered more trustworthy than RIR
>> based IRR records?
>>
>> And I'm not even talking about old companies, I have a situation right now
>> where a VPS provider I'm using will no longer use IRR and only accepts new
>> paper LOAs. In the year 2024. I don't understand how anyone can go backwards
>> like that.
>>
>> ~Seth
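
The ROA check mentioned in the message above (prefix, length and ASN), sketched as an added example that is not part of the original thread or any participant's code. The VRP list is constructed sample data using documentation prefixes and private-use ASNs, and the names `VRP`, `validate` and `review_loa` are hypothetical; in production the VRPs would come from an RPKI validator's export.

```python
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):
    """Validated ROA payload: what a ROA authorizes."""
    prefix: str      # ROA prefix
    max_length: int  # longest prefix length the ROA permits
    asn: int         # authorized origin AS (0 means "no AS may originate")

# Constructed sample data, not real ROAs.
SAMPLE_VRPS = [
    VRP("192.0.2.0/24", 24, 64500),
    VRP("198.51.100.0/24", 24, 64501),
    VRP("2001:db8::/32", 48, 64502),
]

def validate(prefix: str, origin_asn: int, vrps=SAMPLE_VRPS) -> str:
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix, strict=True)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        # A VRP covers the route if the route sits inside the ROA prefix.
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Match needs the same origin AS and a length within maxLength.
        if vrp.asn != 0 and vrp.asn == origin_asn \
                and route.prefixlen <= vrp.max_length:
            return "valid"
    # Covered but never matched: wrong ASN or too specific.
    return "invalid" if covered else "not-found"

def review_loa(prefix: str, origin_asn: int, vrps=SAMPLE_VRPS) -> str:
    """Policy from the thread: no valid ROA means the LOA claim is not accepted."""
    state = validate(prefix, origin_asn, vrps)
    if state == "valid":
        return "accept"
    if state == "invalid":
        return "reject: a ROA exists and does not authorize this origin/length"
    return "reject: no ROA, ask the holder to publish one"

if __name__ == "__main__":
    for claim in [("192.0.2.0/24", 64500), ("192.0.2.0/24", 64511),
                  ("198.51.100.0/25", 64501), ("203.0.113.0/24", 64500)]:
        print(claim, "->", validate(*claim), "|", review_loa(*claim))
```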