
Routing Security BoF – APRICOT 2018

On Sunday, 25 February, the first day of APRICOT 2018, a “Routing Security BoF” (birds of a feather: an informal discussion group) was organized to address the ever-growing number of routing-related incidents that happen on a daily basis. We have discussed routing security in general within the Asia Pacific region before, but there was a need for a platform for open and candid discussion among the network operator community to find a possible way forward, where operators can share their approach to securing their own infrastructure and to keeping the internet routing table clean as well.

A quick introduction was provided by the moderator (Aftab Siddiqui) on why it is important to have this BoF. Here are the introductory slides:

The first technical community presenter was Yoshinobu Matsuzaki (Maz) from Internet Initiative Japan (IIJ), the first ISP in Japan, started in 1992. IIJ is one of the few ISPs in the region implementing prefix filtering and source address validation for their end customers, and making sure that all their routing information reflects the current status of their PeeringDB record for AS2497. IIJ was the first Asia Pacific ISP to join MANRS (Mutually Agreed Norms for Routing Security), a global initiative, supported by the Internet Society, to work with operators, enterprises, and policymakers to implement the crucial fixes needed to eliminate the most common routing threats.

The rest of the BoF was based on a panel discussion, with panelists representing some of the top global CDNs (Content Delivery Networks) along with the technical lead of the MANRS initiative from the Internet Society.

The discussion started with the following questions:

Q1. You just heard from one of the largest ISPs in the region (IIJ). Being one of the biggest CDN providers globally, what measures do you take to ensure that you are keeping the internet routing table clean?

A1 (summary). CDNs mostly rely on peering fabrics; they put filters in place to safeguard their own infrastructure and also don’t usually pollute the global routing table. They can’t control any peer network, and hence cannot prevent an accidental or intentional hijack of their prefixes. To safeguard against such incidents, all CDNs actively monitor the global routing table so that they can quickly fix incidents and reduce the outage or impact.

Q2. There are ISPs that implement routing security and there are those who don’t. Do you have the same peering policies for both? Do you enforce any policy to make sure that your peering partners are doing the right things?

A2 (summary). It is not possible for CDNs to create different peering policies on the basis of network reputation, but they do make sure that they have good visibility of the network in order to find a problem as early as possible. It is also hard for CDNs to de-peer in case of an incident because there are commercial interests in place as well. The counter-argument from Andrei (ISOC) was: CDNs can’t apply different policies to networks/peers on the basis of reputation because it is realistically difficult to differentiate the bad from the majority of good peers. This is where MANRS can provide a platform to show whether a network is accidentally or intentionally polluting the internet routing table.

Q3. Do you see any benefit in RPKI and BGPSEC for securing internet routing in the future?

A3 (summary). It was clear from the discussion that BGPSEC is too new to have any constructive discussion about; many changes are still required in the protocol, and even after that it is optional for a peer to use BGPSEC. RPKI, however, can play some role in the future, although at the moment no CDN is actively pursuing RPKI as a solution. The topic of RPKI resulted in some interesting debate between Geoff Huston and the panelists.
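To make concrete what the RPKI mentioned in A3 and the routing-table monitoring mentioned in A1 amount to in practice, here is an added example. It is not code from the BoF, from the panelists, or from any ISP or CDN named above; it implements route origin validation as specified in RFC 6811 (a ROA "covers" an announcement when the announced prefix lies inside the ROA prefix; the route is Valid if some covering ROA authorises that origin AS at that prefix length, Invalid if ROAs cover it but none does, NotFound if nothing covers it) and then uses that check as a monitoring filter over constructed sample announcements. The ROAs, prefixes (RFC 5737 and RFC 3849 documentation space) and ASNs (private range) are all constructed for the example.

```python
"""RPKI route origin validation (RFC 6811) used as a routing monitor.

Added example: not code from the BoF or from any ISP/CDN named in the
report.  All ROAs, prefixes and ASNs below are constructed sample data
(documentation prefixes and private ASNs), not real routing state.
"""
from dataclasses import dataclass
from ipaddress import ip_network

VALID, INVALID, NOT_FOUND = "Valid", "Invalid", "NotFound"


@dataclass(frozen=True)
class Roa:
    prefix: str      # e.g. "192.0.2.0/24"
    max_length: int  # longest prefix length the holder authorises
    asn: int         # authorised origin AS; 0 means "nobody may originate"


@dataclass(frozen=True)
class Announcement:
    prefix: str
    origin_asn: int  # rightmost AS in the AS_PATH


def validate(ann: Announcement, roas: list[Roa]) -> str:
    """Return Valid / Invalid / NotFound for one BGP announcement (RFC 6811)."""
    net = ip_network(ann.prefix, strict=False)
    # A ROA covers the announcement when the announced prefix is inside it.
    covering = [
        r for r in roas
        if ip_network(r.prefix).version == net.version
        and net.subnet_of(ip_network(r.prefix))
    ]
    if not covering:
        return NOT_FOUND
    for r in covering:
        # AS0 ROAs never match an origin, so they make covered routes Invalid.
        if r.asn != 0 and r.asn == ann.origin_asn and net.prefixlen <= r.max_length:
            return VALID
    return INVALID


def flag_suspect_origins(announcements: list[Announcement],
                         roas: list[Roa]) -> list[tuple[Announcement, str]]:
    """Monitoring view: every announcement that fails validation.

    Invalid routes are what a routing monitor alerts on: a wrong origin
    AS or an over-specific prefix both point at misconfiguration or a
    hijack of address space the ROA holder has already signed for.
    NotFound routes are returned separately by callers if they want them;
    they only mean the holder has not yet created a ROA.
    """
    return [(a, s) for a in announcements if (s := validate(a, roas)) == INVALID]


# Constructed sample data (documentation prefixes, private ASNs).
SAMPLE_ROAS = [
    Roa("192.0.2.0/24", 24, 64500),
    Roa("2001:db8::/32", 48, 64500),
    Roa("203.0.113.0/24", 24, 0),      # AS0: holder states this space is unrouted
]

SAMPLE_ANNOUNCEMENTS = [
    Announcement("192.0.2.0/24", 64500),     # Valid
    Announcement("192.0.2.0/25", 64500),     # Invalid: longer than maxLength
    Announcement("192.0.2.0/24", 64511),     # Invalid: unauthorised origin AS
    Announcement("198.51.100.0/24", 64500),  # NotFound: no ROA at all
    Announcement("2001:db8:1::/48", 64500),  # Valid (IPv6, at maxLength)
    Announcement("203.0.113.0/24", 64500),   # Invalid: covered only by an AS0 ROA
]

if __name__ == "__main__":
    for a in SAMPLE_ANNOUNCEMENTS:
        print(f"{a.prefix:<18} AS{a.origin_asn}: {validate(a, SAMPLE_ROAS)}")
    print("flagged:", len(flag_suspect_origins(SAMPLE_ANNOUNCEMENTS, SAMPLE_ROAS)))
```

The same "is this prefix covered by something the holder registered" test is what an IRR-based prefix filter on a customer session performs; the difference is that ROAs are cryptographically signed by the address holder, whereas IRR route objects are not, which is why the panel treated RPKI as the more promising direction even though no CDN was deploying it yet.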

At the end of the panel discussion we asked four questions through an interactive poll and the results were very interesting and encouraging.

Around 62 members of the community participated in this poll, and the results clearly show that the vast majority of them consider routing security a problem we need to address. While some were not sure whether routing security incidents have had an impact on internet services (for lack of data), it was very clear that networks don’t follow guidelines to implement routing security because there is no incentive for them to do so. In the end the clear winner was MANRS, as most respondents believe that only a community-driven initiative such as MANRS can convince network operators to implement routing security. (Here’s how to join MANRS.)


Routing Security is a Serious Problem – and MANRS Can Help. A Report from APRICOT 2018.

Last week, at APRICOT 2018 in Kathmandu, Nepal, there were a lot of talks and discussions focused on routing security and the Mutually Agreed Norms for Routing Security (MANRS).

First, there was a Routing Security BoF, attended by about 150 people, where we talked about what it takes to implement routing security practices, how CDNs and other players can help, and why it is so difficult to make progress in this area. The BoF included an interactive poll at the end, and it showed some interesting results:

  • Participants almost unanimously see lack of routing security as a serious problem.
  • Slow progress in this area is largely seen as due to a lack of incentives.
  • Participants see community initiatives (like MANRS) as the main driving forces for improvement, followed by CDNs and cloud providers. They doubt that governments or end-customers can effectively drive change.

My colleague Aftab Siddiqui is writing a separate blog post just about that BoF, so watch the blog in the next day or two.

Later, in the security track of the main APRICOT programme, Andrei Robachevsky, ISOC’s Technology Programme Manager, presented statistics on routing incidents and suggested a way forward based on the MANRS approach. In his presentation, “Routing Security in 2017 – We can do better! And how MANRS can help”, he provided a detailed overview of simple steps a network operator should take to improve routing hygiene and overall security of the routing system we all depend on so much.

His slides are available here:

An interactive poll that followed offered interesting insights into the challenges and state of securing routing:

  • More than 50% of the operators polled experienced routing incidents with varying impact, and only a lucky <20% were not terribly affected by them.
  • There were remarkable differences regarding the security posture of networks. More than half of respondents have no resources to implement even such simple measures as MANRS. At the same time, 1/3 of network operators already implement those measures and actively promote them in the community.

It was very encouraging to see that a majority of the participants valued MANRS and wanted to join, at least once they are ready to implement the actions.

I’ll leave you with a quote Aftab shared at the beginning of the Routing BoF, from Nobel Peace Prize Winner Jane Addams: “The good we secure for ourselves is precarious and uncertain until it is secured for all of us and incorporated into our common life.”

Are you ready to look into the four MANRS Actions and start moving your network in the right direction? We have an Implementation Guide and Training Modules available! Or perhaps you are ready to join MANRS? Sign up here!

[This post originally appeared on the MANRS Blog here.]