To wrap up our reports on APRICOT 2017, we’d like to highlight the Network Security session that featured our Internet Society colleague Andrei Robachevsky, as well as some other routing security related topics from the conference.
Andrei presented the Mutually Agreed Norms for Routing Security (MANRS) initiative, which has now been running for two years. It aims to address the problem that BGP is largely based on trust: there is no inherent validation of the legitimacy of routing updates, and only limited means of authenticating Internet number resource data. Whilst tools and techniques exist to improve this, they have seen only limited deployment, and there is little incentive to adopt them because implementing them on your own network mostly protects other networks rather than your own.
MANRS therefore aims to help network operators around the world work together to improve the security and resilience of the global routing system through four actions: filtering, anti-spoofing, coordination and global validation. The initiative was launched on 6 November 2014 with 9 network operators and has since grown to encompass 90 Autonomous Systems.
In order to help network operators implement the actions, a MANRS Best Current Operational Practices (BCOP) document has been produced, and a set of online training modules is under development. These will walk students through a tutorial and test them at the end, with a view to this being the first step towards a MANRS certification. A partnership programme with IXPs is currently being developed, and other partners are being sought who would be interested in including MANRS in their curricula.
If you’re interested in signing up to MANRS, more information is available on the Routing Resilience Manifesto website.
Tom Paseka (Cloudflare) then covered some of the threats to the Internet in more detail, and how to mitigate them. Spoofing and Denial-of-Service attacks were becoming wider in scope and involving ever more bandwidth, the Mirai botnet attacks that exceeded 500 Gb/s being a case in point. A number of recommendations and techniques exist to mitigate these attacks, but in many cases operators and vendors simply did not implement them. There needed to be more awareness of, and responsibility for, the collective security of the Internet amongst those involved in provisioning networks.
On the practical side, a tutorial was held during the conference on how to implement RPSL and RPKI, two complementary ways of improving routing security. Routing Policy Specification Language (RPSL) is used by network operators to describe their routing policies and the prefixes they originate, typically by publishing objects in an Internet Routing Registry (IRR) from which their neighbours can build filters; Resource Public Key Infrastructure (RPKI) allows holders of Internet number resources (IP addresses and AS numbers) to make cryptographically verifiable statements about them, and can be used to detect and prevent route hijacking.
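As an added illustration of how the two pieces fit together (this is example code written for this write-up, not material from the tutorial or from the original post), the Python below first parses a small, constructed set of RPSL route/route6 objects into a per-AS prefix filter of the kind an upstream would apply to a customer session (the MANRS filtering action), and then applies RFC 6811 route origin validation to BGP announcements against a constructed set of ROAs. All prefixes, AS numbers and ROAs are documentation values chosen for the example; the attribute subset parsed from RPSL is deliberately minimal.

```python
"""Added example: prefix filters from RPSL route objects, and RFC 6811
route origin validation (ROV) against RPKI ROAs.  All data below is
constructed for illustration (documentation prefixes, private ASNs)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Union


@dataclass(frozen=True)
class ROA:
    """One validated ROA payload: prefix, maxLength and authorised origin AS."""
    prefix: Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
    max_length: int
    asn: int  # AS0 means "nobody may originate this prefix"


# Constructed RPSL objects, as a customer might register them in an IRR.
SAMPLE_RPSL = """\
route:          192.0.2.0/24
descr:          Customer prefix (constructed example)
origin:         AS64500
source:         EXAMPLE

route6:         2001:db8::/32
origin:         AS64500
source:         EXAMPLE

route:          203.0.113.0/24
origin:         AS64501
source:         EXAMPLE
"""

# Constructed ROAs (the RPKI side) for the same address space.
SAMPLE_ROAS = [
    ROA(ipaddress.ip_network("192.0.2.0/24"), 24, 64500),
    ROA(ipaddress.ip_network("2001:db8::/32"), 48, 64500),
    ROA(ipaddress.ip_network("198.51.100.0/24"), 24, 0),  # AS0 ROA: must never be announced
]


def parse_rpsl_route_objects(text: str) -> Dict[int, List]:
    """Map origin ASN -> list of networks from minimal route/route6 objects.
    Objects are separated by a blank line; only the 'route', 'route6' and
    'origin' attributes are used."""
    policy: Dict[int, List] = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                attrs[key.strip().lower()] = value.strip()
        prefix = attrs.get("route") or attrs.get("route6")
        origin = attrs.get("origin", "").upper()
        if prefix and origin.startswith("AS"):
            asn = int(origin[2:])
            policy.setdefault(asn, []).append(ipaddress.ip_network(prefix, strict=False))
    return policy


def prefix_filter(policy: Dict[int, List], asn: int) -> List[str]:
    """Prefixes an upstream should accept from customer `asn`, sorted so the
    resulting prefix-list is deterministic (IPv4 first, then by address/length)."""
    nets = policy.get(asn, [])
    ordered = sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return [str(n) for n in ordered]


def validate_origin(roas, prefix: str, origin_asn: int) -> str:
    """RFC 6811 route origin validation: returns 'valid', 'invalid' or 'notfound'."""
    ann = ipaddress.ip_network(prefix, strict=False)
    # A ROA "covers" the announcement if its prefix contains the announced prefix.
    covering = [r for r in roas if r.prefix.version == ann.version and ann.subnet_of(r.prefix)]
    if not covering:
        return "notfound"  # no ROA covers it: cannot judge, usually still accepted
    for roa in covering:
        if roa.asn == origin_asn and ann.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"  # covered, but wrong origin AS or more specific than maxLength


if __name__ == "__main__":
    policy = parse_rpsl_route_objects(SAMPLE_RPSL)
    print("accept from AS64500:", prefix_filter(policy, 64500))
    for pfx, asn in [("192.0.2.0/24", 64500), ("192.0.2.0/25", 64500),
                     ("192.0.2.0/24", 64501), ("203.0.113.0/24", 64501),
                     ("198.51.100.0/24", 64500)]:
        print(f"{pfx} from AS{asn}: {validate_origin(SAMPLE_ROAS, pfx, asn)}")
```

The filter built from RPSL is only as trustworthy as the registry it came from, since many IRRs let anyone register a route object; that is the gap RPKI closes, because a ROA is signed by the holder of the address space. In practice an `invalid` result is grounds to drop the route (it is either originated by the wrong AS or is a more-specific announcement beyond the maxLength the holder permitted, the classic hijack pattern), whereas `notfound` is not, as most of the routing table was still unsigned at the time of the conference.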
Securing Internet Routing: RPSL & RPKI Tutorial
- Tutorial Slides
- Video – Part 1 (YouTube)
- Video – Part 2 (YouTube)