Aftab Siddiqui is currently exploring the possibility of using Route Object Authorisations (ROAs) as a potential replacement to LOAs. Separate to this (and unknowing of Aftab’s research), I had started a discussion on the RPKI Community guild on Discord (https://discord.gg/9jYcqpbdRE) discussing the usage of ROAs instead of LOAs.
An LOA, or “Letter of Authority” / “Letter of Authorization,” is a formal document granting permission for third parties to take specific actions regarding network resources or services. In the service provider industry, its primary use is for advertising address resources (IPv4/v6 and ASN). When an organization intends to announce its IP prefixes through its own or a transit provider’s ASN to the global internet, it typically needs to provide an LOA to their transit provider, confirming their custodianship or ownership of the resources.
RPKI ROA, which stands for “Resource Public Key Infrastructure Route Origin Authorization,” is part of a security framework designed to validate the authenticity of internet routing information. It involves a digitally signed object that specifies which Autonomous Systems (ASes) are permitted to announce specific IP address prefixes.
Could you please take a moment to fill out our brief survey? Your feedback will play a crucial role in our understanding of this topic.
There is similar work also being done in the NETSEC SIG in FIRST.org.
Aftab may be aware of that and possibly this is where it stems from.
Started by Carlos Friacas (fccn.pt), there is a blog post in the works
that begins by raising questions about when and whether to accept a LoA
as the primary means of agreeing to announce a prefix. The answer is
not so cut and dry. If anyone wants to comment on the draft before it
gets published, which should be imminently, let me know and I'll put
you in touch with Carlos and a draft.
I would think there are a few uses of LOA in the telco/SP world, at least:
1) 'can I make this cross-connect happen?'
2) 'can I do some work on this link/path/fiber/conduit on behalf of
<customerX> where the entity to be worked on is <providerY>
infrastructure'
3) 'Please accept this internet number resource from <customerX>
when the number resource is authorized for use by <entityA>'
I would love to see ROA take over the 3rd of those, since it's a clear
indicator that:
"RIR authorizes LIR to use <number resource>, LIR authorizes
AS-OWNER to originate <number resource>"
and by 'clear indicator' I mean: "has some cryptographic/PKI backing
you can follow to the RIR in an automated fashion"
Where 'LOA' generally is a xerox of a photocopy of a fax of a
dot-matrix printed MS-Word templated document which perhaps has an X
on the 'signature' line...
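
The automated check described in the message above, sketched as an added example (not code from any participant in this thread): RFC 6811 route origin validation of a customer's announcement request against validated ROA payloads (VRPs). The VRP table, prefixes and ASNs are constructed from documentation ranges, and the function names are hypothetical.

```python
import ipaddress

# Constructed VRPs as a validator would export them from signed ROAs:
# (prefix, maxLength, authorised origin ASN). Documentation values only.
VRPS = [
    ("192.0.2.0/24", 24, 64500),
    ("2001:db8::/32", 48, 64500),
    ("198.51.100.0/24", 24, 64496),
]

def validate_origin(prefix, origin_asn, vrps=VRPS):
    """Return 'valid', 'invalid' or 'not-found' for (prefix, origin) per RFC 6811."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_asn in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        # A VRP covers the route only if the route sits inside the VRP prefix.
        if vrp_net.version != route.version or not route.subnet_of(vrp_net):
            continue
        covered = True
        # Match needs the same origin and a length within maxLength; AS0 never matches.
        if vrp_asn == origin_asn and vrp_asn != 0 and route.prefixlen <= max_len:
            return "valid"
    # Covered by some ROA but matched by none: the holder authorised someone else
    # or a shorter length. No covering ROA at all: RPKI says nothing either way.
    return "invalid" if covered else "not-found"

def review_request(customer_asn, prefixes, vrps=VRPS):
    """Per-prefix RPKI state for a customer asking to originate these prefixes."""
    return {p: validate_origin(p, customer_asn, vrps) for p in prefixes}

if __name__ == "__main__":
    request = ["192.0.2.0/24", "192.0.2.0/25", "2001:db8:1::/48",
               "198.51.100.0/24", "203.0.113.0/24"]
    for prefix, state in review_request(64500, request).items():
        print(f"AS64500 {prefix:20} {state}")
```

Only "valid" carries the cryptographic backing the message refers to; "not-found" means no ROA covers the prefix, so the request would still need whatever check the provider uses today.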
In a decade working on the SP side of the world, I worked with prob 20 different upstream carriers. I can only think of one that required LOA to accept prefixes via BGP. Everyone else was via RIR methods, or nothing. There are of course providers out there that do, but not nearly as many to state it’s a “primary use case”, especially relative to #1 and #2 on your list.
An LOA, or "Letter of Authority" / "Letter of Authorization," is a formal document granting permission for third parties to take specific actions regarding network resources or services. In the service provider industry, its primary use is for advertising address resources (IPv4/v6 and ASN). When an organization intends to announce its IP prefixes through its own or a transit provider's ASN to the global internet, it typically needs to provide an LOA to their transit provider, confirming their custodianship or ownership of the resources.
I've found WHOIS is a good enough resource for this purpose. The SPs that are delegating prefixes are good about using SWIP to show assignment.
North American SPs are motivated to keep SWIP assignments up to date because of ARIN's requirement to demonstrate usage of IP resources for IP block transfers.
I think I've needed to request an LOA from a customer for this purpose just once in the past 10 years because the SWIP wasn't done. IIRC the assigning provider did a SWIP instead.
I’ll reply to you together, as they seem to be along the same lines.
For the purposes of this survey/research, a reference to an LOA is a reference to an LOA for the advertisement/filtering of IP space. I agree, the acronym LOA has multiple uses in the world of IT for things such as datacentre cross-connects; however, given what we are looking into, I believe it's quite clear that any reference to an LOA is a reference to a Letter of Authorisation for the advertisement/filtering of IP space.
Other facility providers (such as Equinix, see https://docs.equinix.com/en-us/Content/Interconnection/DiLOA/xc-Loa.htm) have already started looking into the realm of digital LOAs for services such as cross-connects. While they are not the same as traditional LOAs, in my belief they are designed to reduce the timeframes in issuing them, having them sent across and completed.