Re: Defeating DoS Attacks Through Accountability

[Sean Donelan <sean () donelan com>]

On Sat, 11 November 2000, Mark Prior wrote:
> How would you propose to handle the case where an organisation has
> their own IP space which isn't currently advertised and then you
> receive a request from a third party to route it to them?

First I would suggest they register their claim to use the IP address
with the appropriate registration agencies.  As I understand it,
every register has a method for recording further delegations.  It
is providers who choose to create the problem by not recording the
delegation.

If for some reason they can't change the organization of record for
the IP address, there is a concept called a "Letter of Agency" which
is used when someone wants to authorize a third-party to take actions
on their behalf.  If the third-party does not have a LOA from the
coordinator of record for the IP address, I wouldn't view it as a
valid request.

If they can't change the coordinator of record, nor can they get the
coordinator of record to give them a LOA; you should have known there
is not clear authorization for the third-party to use the IP address.

How would you propose to handle the case where a person has a credit
card number, and then you receive a request from a third party with
no evidence of any authorization from the registered card owner to
charge stuff on that card number?