Deploy360 24 March 2017

Securing Routing: MANRS, RPSL & RPKI @ APRICOT 2017

By Kevin Meynell, Manager, Technical and Operational Engagements

To wrap up our reports on APRICOT 2017, we’d like to highlight the Network Security session that featured our Internet Society colleague Andrei Robachevsky, as well as other topics related to routing security.

Andrei presented the Mutually Assured Norms for Routing Security (MANRS) initiative that has now been running for two years. This aims to address the issue that BGP is largely based on trust, with no inherent validation of the legitimacy of routing updates and limited ways of authenticating Internet resource data. Whilst there are tools and techniques to improve this, these only have limited deployment and there’s little incentive to do so as implementing them on your own network has little direct benefit to yourself.

MANRS therefore aims to help network operators around the world to work together to improve the security and resilience of the global routing system through four actions that include filtering, anti-spoofing, coordination and global validation. The initiative was launched on 6 November 2014 with 9 network operators, and has since expanded to encompass 90 Autonomous Systems.

In order to help network operators facilitate the actions, a MANRS Best Current Operational Practices (BCOP) document has been produced, and a set of online training modules is under development. These will walk students through a tutorial and provide a test at the end, with a view to this being the first step towards a MANRS certification. A partnership programme is currently being developed with IXPs, and other partners are being sought who’d be interested in including it in their curricula.

If you’re interested in signing up to MANRS, more information is available on the Routing Resilience Manifesto website.

Tom Paseka (Cloudflare) then covered some of the threats to the Internet in more detail, and how to mitigate them. Spoofing and Denial-of-Service attacks were becoming wider in scope and involving more and more bandwidth, such as with the Mirai botnet, which exceeded 500 Gb/s. A number of recommendations and techniques exist to mitigate these attacks, but in many cases operators and vendors simply did not implement them. There needed to be more awareness and responsibility amongst those involved in provisioning networks about the collective security of the Internet.

On the practical side of things, though, a tutorial was held during the conference on how to implement RPSL and RPKI, which are two ways of improving security. Routing Policy Specification Language (RPSL) is used by network operators to describe their routing policies, whilst Resource Public Key Infrastructure (RPKI) allows the holders of Internet resources (IP addresses and AS numbers) to be authenticated and can be used to prevent route hijacking.

Securing Internet Routing: RPSL & RPKI Tutorial
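
Route origin validation is the step where RPKI data is applied to prevent route hijacking. The following is an added example, not taken from the original post or the tutorial, that classifies BGP announcements against ROAs using the RFC 6811 states. The ROAs, prefixes and AS numbers are constructed from documentation ranges, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data: validated ROA payloads as (prefix, max_length, origin_asn).
# Prefixes and ASNs come from documentation ranges (RFC 5737, RFC 3849, RFC 5398).
SAMPLE_ROAS = [
    ("192.0.2.0/24", 25, 64496),
    ("203.0.113.0/24", 24, 64497),
    ("2001:db8::/32", 48, 64496),
]


def load_vrps(roas):
    """Parse ROA tuples into (network, max_length, asn), rejecting malformed ones."""
    vrps = []
    for prefix, max_length, asn in roas:
        net = ipaddress.ip_network(prefix, strict=True)
        if not net.prefixlen <= max_length <= net.max_prefixlen:
            raise ValueError(f"bad maxLength {max_length} for {prefix}")
        vrps.append((net, max_length, asn))
    return vrps


def validate_origin(prefix, origin_asn, vrps):
    """Classify a BGP announcement as 'valid', 'invalid' or 'not-found' (RFC 6811)."""
    route = ipaddress.ip_network(prefix, strict=True)
    covered = False
    for net, max_length, asn in vrps:
        # A ROA covers the route when it is the same address family and the
        # announced prefix is equal to or more specific than the ROA prefix.
        if net.version != route.version or not route.subnet_of(net):
            continue
        covered = True
        # AS 0 in a ROA marks space that should not be routed, so it never matches.
        if asn != 0 and asn == origin_asn and route.prefixlen <= max_length:
            return "valid"
    return "invalid" if covered else "not-found"


VRPS = load_vrps(SAMPLE_ROAS)

if __name__ == "__main__":
    announcements = [  # constructed announcements: (prefix, origin ASN)
        ("192.0.2.0/24", 64496),     # legitimate holder
        ("192.0.2.0/24", 64511),     # wrong origin AS for a covered prefix
        ("192.0.2.128/26", 64496),   # more specific than maxLength allows
        ("198.51.100.0/24", 64500),  # no ROA covers this prefix
    ]
    for prefix, asn in announcements:
        print(f"{prefix:18} AS{asn:<6} {validate_origin(prefix, asn, VRPS)}")
```

A "not-found" result means no ROA covers the prefix, which is different from "invalid"; operators typically drop only "invalid" routes so that address space without ROAs remains reachable.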


Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
