Re: Carriers need to independently verify LOAs

[Matt Erculiani <merculiani () gmail com>]

Nothing is stopping the perpetrator of a BGP hijack as a result of a forged
or otherwise illegitimate LOA from facing civil litigation as a result of
revenue loss or other harm done.

This thread and others like it highlight that there is absolutely some
negligence here and could very well find itself in an evidence pile at some
point in the future.

So there IS liability, but the lack of solid precedent means that the bean
counters can't assign a dollar amount to the risk associated with blindly
accepting LOAs, and therefore it might as well not exist.

Someday, somebody will have the pants sued off them because they let their
new customer hijack the hell out of a government entity, bank, oil company,
etc. and we'll start to see better processes.

-Matt

On Mon, Apr 19, 2021 at 11:59 AM Sean Donelan <sean () donelan com> wrote:

> On Mon, 19 Apr 2021, Peter Beckman wrote:
> > And while it would be nice if everyone "independently verified every LOA"
> > the cost of doing so in the far-too-many edge cases is business-endingly
> > high.
>
> If carriers faced legal liability, with appropriate incentatives, I'd bet
> they would solve the verification problem -- quickly, cheaply.
>
> No liability -- no reason to solve the problem.

-- 
Matt Erculiani
ERCUL-ARIN