Deploy360 12 November 2015

ION Cape Town: Mind Your MANRS

By Kevin Meynell, Former Senior Manager, Technical and Operational Engagement

This week we’re highlighting some of the topics that were covered during ION Cape Town a couple of months back. This was our third ION conference of 2015, and was held in conjunction with South Africa iWeek 2015, which has been South Africa’s leading annual Internet industry conference since 2001.

Today we turn our attention to the global routing system and the collective responsibility for its resilience and security as discussed by Andrei Robachevsky, one of the ISOC Technology Program Managers. The issue is that BGP is based on global trust and there’s no validation of the legitimacy of routing updates. Whilst RPKI is currently being rolled out by the Regional Internet Registries, this will have limited effectiveness until BGPSEC is fully implemented and more widely deployed.

The consequences are that network prefixes can be hijacked, resulting in denial of service, impersonation of a network or service, or traffic interception. Route leaks can also occur, as well as IP spoofing, which is the root cause of DDoS attacks.

Whilst tools such as network address prefix and AS-PATH filtering, RPKI and IRR are available to help mitigate these problems, the reality is that the security of your traffic is often reliant on others. Implementing security measures at network interfaces does not solve the wider issues.

The Mutually Agreed Norms for Routing Security (MANRS) programme therefore aims to promote a culture of collaborative responsibility by defining four concrete actions that network operators should implement. These four ‘Good MANRS’ include:

  • Filtering to prevent propagation of incorrect routing information by ensuring that customers hold the AS numbers and address space they’re announcing.
  • Anti-spoofing filtering to prevent packets with an incorrect source IP address from entering and leaving a network.
  • Facilitating operational communication and coordination between network operators by maintaining globally accessible and up-to-date information.
  • Validation of routing information on a global scale by publicly documenting routing resources that are intended to be advertised to external parties.
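
The first action can be illustrated with a short Python sketch, added here as an example and not taken from the original post or from MANRS material. It checks customer announcements against documented (prefix, maximum length, origin AS) records using the valid / invalid / not-found outcomes of RFC 6811. All records, prefixes and AS numbers are constructed from documentation ranges, and `validate` and `filter_customer` are hypothetical helper names.

```python
import ipaddress
from typing import NamedTuple

class Roa(NamedTuple):
    prefix: str      # documented address block
    max_length: int  # longest prefix length that may be announced
    asn: int         # AS documented as the origin

# Constructed records using documentation ranges (RFC 5737, RFC 3849, RFC 5398).
ROAS = [
    Roa("192.0.2.0/24", 24, 64496),
    Roa("198.51.100.0/24", 24, 64497),
    Roa("2001:db8::/32", 48, 64496),
]

def validate(prefix: str, origin_as: int, roas=ROAS) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        block = ipaddress.ip_network(roa.prefix)
        if net.version != block.version or not net.subnet_of(block):
            continue
        covered = True  # at least one record covers this prefix
        if roa.asn == origin_as and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not-found"

def filter_customer(announcements, customer_asns, roas=ROAS):
    """Strict customer filter: accept only the customer's own, valid routes."""
    accepted, rejected = [], []
    for prefix, origin_as in announcements:
        ok = origin_as in customer_asns and validate(prefix, origin_as, roas) == "valid"
        (accepted if ok else rejected).append((prefix, origin_as))
    return accepted, rejected

# Constructed announcements received on one customer session.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),       # documented for this AS: accept
    ("198.51.100.0/24", 64496),    # documented for a different AS: reject
    ("2001:db8:1::/48", 64496),    # within the documented max length: accept
    ("2001:db8:1:2::/64", 64496),  # more specific than documented: reject
    ("203.0.113.0/24", 64496),     # no record at all: reject (strict filter)
]

if __name__ == "__main__":
    ok, bad = filter_customer(ANNOUNCEMENTS, {64496})
    print("accept:", ok)
    print("reject:", bad)
```

The filter is only as good as the documented records behind it, which is why the fourth action (publicly documenting what you intend to announce) matters to every operator who filters on your routes.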

MANRS is a commitment by network operators to support the principles of the programme and implement at least one of the four actions for the majority of their infrastructure. There is a growing list of participants, but routing security is the sum of all contributions and a critical mass will raise the baseline and persuade others they should participate.

If you’re interested in finding out more about MANRS, please head to the Routing Resilience Manifesto. You can also find out more from the START HERE! page of the Deploy360 website.

Please also check out the other presentations and videos from the conference, as there are some interesting deployment case studies and trials of the Deploy360 technologies.

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
