"authority" to route?

Hi,

Is there a common practice of providers to vet / validate requests to advertise
blocks?

Who is the "authority" when it comes to determining if a request for routing
is valid?

Is it the WHOIS data maintained by the various RIR?

It seems I'm playing whack-a-mole to get some routes shut down for some
blocks I've taken over admin for.

If I email the contacts for the AS in WHOIS, and get no response, or a
negative response, should I start going to their peers?

Some practical advice would be appreciated.

Hi, > Is there a common practice of providers to vet / validate requests to
advertise > blocks?

There is a common practice of providers to require an initial Letter
of authorization from the org listed in WHOIS when first setting up,
and manual request to allow the prefix or entry of the route in an
internet routing registry, for end users to originate prefixes.

Who is the "authority" when it comes to determining if a request for
routing > is valid?

Defined by routing policy of the provider considering the request, and
their upstreams.

Is it the WHOIS data maintained by the various RIR?

WHOIS data is often used for that purpose; the basic information
about the organization listed as registrant of the block is considered
authoritative, in general.

It seems I'm playing whack-a-mole to get some routes shut down for some
blocks I've taken over admin for.

It would probably help to submit to them in writing, that the org
responsible for the block never authorized the space to be announced
by the provider originating it, inform that their unauthorized
announcement is causing network issues and costing money, and request
that they suppress it.

If that's not the case, e.g. if at any time there was bonafide
authorization, then the dispute is something to be discussed with the
downstream org. still routing the block.

If their peers question them about it, they might have the prior LOA
on file to show the peers; it is not as if such things expire, or can
necessarily be easily withdrawn, it depends on the agreement that
allowed the advertisement to be authorized, in that case.

Listing of an e-mail address in WHOIS as an admin contact, does not
necessarily imply authority that a provider is entitled to rely upon,
to tell a peer to shutdown the network.

If I email the contacts for the AS in WHOIS, and get no response, or a
negative response, should I start going to their peers?

It's an option. Their peers may summarily ignore the request to
disrupt the network by "shutting down" a customer's announcements,
though, on the word of an email, if it's not very obvious that they
are bad announcements.

You may need to email and call, and possibly fax and mail.

Yes, most providers whose customers request a particular route to be pointed towards them will ask for ambiguous instructions, written on letterhead with crayon, and signed illegibly by someone who may or may not have authority to do so but who in any case cannot be identified clearly by their scrawl.

Ideally the letterhead should be crudely constructed in photoshop and then faxed across a noisy analogue line.

Once you have one of those babies in your file, no lawyer can touch you.

Joe

Is there a common practice of providers to vet / validate requests to advertise
blocks?

Yes, most providers whose customers request a particular route to be pointed towards them will ask for ambiguous instructions, written on letterhead with crayon, and signed illegibly by someone who may or may not have authority to do so but who in any case cannot be identified clearly by their scrawl.

Some providers ask for route objects and appropriate import/export policy in RADB. that fandamently no higher quality an attestation than a LOA but it's a lot easier to read.

Careful though cause the crayons must be crayola approved

Another big-name-big-$$$ vendor whose name begins with "C". Sounds like a "c"onspiracy to me............

"..for some blocks I've taken over admin for."

  Make sure you are visibly listed as a Point of Contact on those records in the appropriate RIR, so that folks who get your request can verify you. Even better, register in your RIR's RPKI program and generate a ROA for it. Info about ARIN's here: https://www.arin.net/resources/rpki/index.html

Then yes, notify their upstreams/peers if needed and post here if things get really desperate - have your records in order first.

--Heather

Jeez, isn't RPKI supposed to solve this problem?

That would presume the existence of a deployed system that
everybody actually used.

I think Heather was pointing out that this would be a good time to actually
use it.