Origin AS: An Easier Way to Validate Letters of Authority [Archived]

By Mark Kosters

One challenge that Internet Service Providers (ISPs) face today is dealing with end customers who have their own IP address blocks and want their ISP to route them. ISPs want to satisfy their customers, but they also want to ensure that the customer has valid use of the IP address block.  Determining a customer’s valid use of an address block is fairly simple if the customer is the address block holder and if the ISP can easily see, using tools such as Whois, that they are the rightful holder.  However, in the case where the customer does not provide a clear assertion that they are the rightful holder, determining valid use becomes more challenging. In this case, the customer presents a “Letter of Authority” (LOA) that asserts that the IP address holder has authorized the customer use of their block. The ISP must figure out how to verify the letter so that Internet routing of the address block can be enabled by that ISP.

The challenge in validating LOAs is that it requires looking at the past history of the IP address block within the directory services of the various Regional Internet Registries (RIRs) and the Internet Routing Registry (IRR).  If the validation is done carefully, ISPs need to follow the registration trail of the companies if the name of the company providing the LOA does not match the current holder of that space within the registry. This effort is time consuming, inherently manual, and often fraught with questionable information. Further, there is no standard process or recordkeeping for the validation process, so that vetting may be uneven between ISPs and is likely non-transferrable when the customer moves between ISPs and wishes to use the address block again. This situation creates redundant work when the holder moves on to the second ISP, who also needs to determine the current organization with the registration rights before they can validate the customer’s offered LOA, and accept the IP address space to be originated from their network.

Long term, better maintenance of IP address blocks in the registry would make vetting LOA’s easier, and the adoption of Resource Public Key Infrastructure (RPKI) resource certification would eliminate most, if not all, of the issues.  However, until there is more widespread adoption of RPKI, the community is seeking an easier way to validate that the customer presenting an LOA is actually authorized by the address block holder.

One possible solution that can be implemented with the existing ARIN registry system is to make use of the “Origin AS” address block attribute.   Specifically, if a customer asks that an IP address block be routed because of an LOA, the ISP can request that the customer configure the Origin Autonomous System (AS) associated with the IP address block that is reflected in ARIN’s directory services to match the ISP’s AS number.  IP address block holders (including legacy address holders) can easily set this attribute using an ARIN Online account. Organizations that don’t have current contact information associated with their address block will need to be validated by ARIN, but this only needs to occur once. Once validated, the resource holder can update their IP address record, including the Origin AS, as necessary.   The other advantage of this approach is that it ensures that organization information is consistently reviewed by ARIN and eliminates any potential change of the ISP, thus preventing the hijacking of IP address blocks by parties that don’t have the registration rights to those address blocks.

The Origin AS can be set by the appropriate contact (tech, admin, or resource) in one of two ways:

• SWIP-EZ: A web interface through ARIN Online that allows any authenticated user to make changes to their registration information for that IP address block.

• Reg-RWS: An API that allows for automated and authorized updates by an authenticated user to occur via ARIN’s provisioning system for that IP address block.

Once the information is updated, an ISP can manually validate that the Origin AS of the IP address matches theirs, or validate using automated scripts.  Either way, after the IP address block has an Origin AS that matches the AS of the ISP, the ISP can provision the route of this IP address without worry.