
Routing Health Measurement BoF @ RIPE 75

Jan Žorž and Kevin Meynell from the Deploy360 team, with support from Andrei Robachevsky and Benno Overeinder (NLnet Labs), hosted a BoF session on ‘Internet Routing Health’ during the RIPE 75 meeting on 22 October 2017 in Dubai, United Arab Emirates. The session discussed ideas for measuring the health of the Internet routing system, in order to obtain empirical data to strengthen the case for collaborative routing security, which is the rationale behind the MANRS initiative.

The BoF attracted 20 participants variously drawn from commercial network operators and cloud providers, Regional Internet Registries (RIRs), and academia, and proved to be a lively session with some interesting and arguably controversial suggestions. In fact, the outcome ended up being somewhat different from the original objectives of the BoF, but in the true spirit of the bottom-up process.

There was a consensus that there was little purpose in trying to devise metrics to measure the health of the Internet routing system before identifying why previous and current attempts to address the issue of route leaks, hijacks and general BGP churn were essentially failures. Indeed, less than 2% of IP prefixes cause 90% of the BGP routing updates, so the problem lies with a relatively small number of networks. In addition, any mechanisms and metrics for identifying route misconfiguration or hijacking cannot generate too many false positives if they’re going to be useful, and must be lightweight enough not to affect the basic functioning and scalability of Border Gateway Protocol (BGP).

[BGP is the standard mechanism for exchanging reachability and routing information amongst different networks (Autonomous Systems or AS) on the Internet.]

There was also some consensus that the RPKI (Resource Public Key Infrastructure), which provides a mechanism to validate the ownership of IP addresses and AS numbers against established trust anchors (provided by the RIRs), was not addressing the problem, and that there should be some neutral and dispassionate analysis as to why it currently had such limited deployment. This should include an evaluation of the prospects for BGPsec, which offers cryptographic attestation of routing paths but requires support to be added in routers and introduces significant processing overhead.

To this end, it was felt any analysis should primarily focus on the vendor and network operator industries to understand what their specific concerns were, how they would address the issues, whether they even think the issues need solving, and what can be done better. The Internet Society was therefore asked by the participants to organise a series of stakeholder workshops as a neutral, independent, and dispassionate third party.

Of course, the BoF only reflected a relatively small cross-section of those involved in Internet routing, so further consultations will be necessary before deciding exactly how to proceed. But it nevertheless provided some useful feedback on the issues and concerns of some of those deploying routing systems.


RIPE 75: IoT & Routing Security

RIPE 75 was held on 22-26 October 2017 in Dubai, United Arab Emirates, and was the second time the meeting has come to the Middle East. 483 participants from 54 countries including 175 newcomers came together to discuss operational issues and share expertise about the Internet, with a particular focus on the RIPE region that covers Europe, the Middle East and Central Asia.

Jan Žorž and Kevin Meynell from the Deploy360 team, along with Salam Yamout from the Middle East Bureau were also actively involved in the launch of a new Internet-of-Things Working Group, hosting a Routing Security BoF, and raising awareness of IRTF work on Human Rights Protocol Considerations.

The BoF session on ‘Internet Routing Health’ was organised by the Internet Society, and chaired by Jan and Benno Overeinder (NLnet Labs). The BoF attracted 20 participants variously drawn from commercial network operators and cloud providers, Regional Internet Registries (RIRs), and academia, with the aim of discussing ideas for measuring the health of the Internet routing system in order to obtain empirical data to strengthen the case for collaborative routing security.

The IoT session aimed to build on the RIPE IoT Roundtable meeting that was held on 21 September 2017 in Leeds, UK, and featured a presentation on the Online Trust Alliance’s IoT Security & Privacy Trust Framework given by Kevin. OTA is an Internet Society initiative to promote best practices in protection of user security, privacy and identity, and has developed these recommendations in consultation with over 100 device manufacturers, major retailers, security and privacy experts, consumer testing and advocacy organisations, and governments.

Other presentations in the session included one on Trusted Routing in IoT from Ivana Tomić (Imperial College London), who discussed sensor networks, the security risks involved with them, and how to establish trusted routing. The remaining talk was on key factors for successful entry into the IoT from Farzad Ibrahim (IoT Academy), following which it was agreed to establish a new RIPE IoT Working Group.

The proposed chartered activities are to serve as a focal point for the RIPE NCC regarding community input to their IoT activities; to establish a dialogue on matters of operational relevance including security, the numbering system, and applicability of standards; and to develop the positions of the RIPE community on IoT. Jim Reid volunteered as interim chair to get the working group up and running until permanent co-chairs can be agreed.

Finally, it’s not a subject that Deploy360 normally covers, but Salam presented an update on the Internet Research Task Force initiative on Human Rights Protocols Considerations. This is researching the human rights threats on the Internet, whether standards and protocols can enable or threaten these, and is developing recommendations on developing Internet protocols around this. There are currently four drafts under consideration that can be found on the HRPC RG website.

The next RIPE meeting will be held on 14-18 May 2018 in Marseille, France. This will in fact be only the second time a RIPE meeting has been held in France – the first time being in Paris way back in 1992 – so we look forward to this long awaited return.