This week we’re highlighting some of the topics that were covered during ION Cape Town a couple of months back. This was our third ION conference of 2015, and was held in conjunction with South Africa iWeek 2015, which has been South Africa’s leading annual Internet industry conference since 2001.
Today we turn our attention to the global routing system and the collective responsibility for its resilience and security as discussed by Andrei Robachevsky, one of the ISOC Technology Program Managers. The issue is that BGP is based on global trust and there’s no validation of the legitimacy of routing updates. Whilst RPKI is currently being rolled out by the Regional Internet Registries, this will have limited effectiveness until BGPSEC is fully implemented and more widely deployed.
The consequences are that network prefixes can be hijacked, resulting in denial of service, impersonation of a network or service, or traffic interception. Route leaks can also occur, as can IP spoofing, which is the root cause of DDoS attacks.
Whilst tools such as network address prefix and AS-PATH filtering, RPKI and IRR are available to help mitigate these problems, the reality is that the security of your traffic is often reliant on others. Implementing security measures at network interfaces does not solve the wider issues.
The Mutually Agreed Norms for Routing Security (MANRS) programme therefore aims to promote a culture of collaborative responsibility by defining four concrete actions that network operators should implement. These four ‘Good MANRS’ include:
- Filtering to prevent propagation of incorrect routing information by ensuring that customers hold the AS numbers and address space they’re announcing.
- Anti-spoofing filtering to prevent packets with an incorrect source IP address from entering and leaving a network.
- Facilitating operational communication and coordination between network operators by maintaining globally accessible and up-to-date information.
- Validation of routing information on a global scale by publicly documenting routing resources that are intended to be advertised to external parties.
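
To make the first and fourth actions concrete, here is an added example (not code from MANRS or from the talk) of a customer-facing route filter that checks each announcement against publicly documented routing data, using the valid / invalid / not-found states of RPKI route origin validation (RFC 6811). The names `Authorization`, `origin_state` and `filter_customer` are hypothetical, and the table holds constructed entries built from documentation prefixes and AS numbers.

```python
import ipaddress
from typing import NamedTuple

class Authorization(NamedTuple):
    prefix: object      # ipaddress.IPv4Network or IPv6Network
    max_length: int     # longest prefix length the holder allows
    origin_as: int      # AS authorised to originate the prefix

def auth(prefix, max_length, origin_as):
    return Authorization(ipaddress.ip_network(prefix), max_length, origin_as)

# Constructed sample data: documentation prefixes and AS numbers only.
AUTHORIZATIONS = [
    auth("192.0.2.0/24", 24, 64496),
    auth("198.51.100.0/24", 24, 64497),
    auth("2001:db8::/32", 48, 64496),
]

def origin_state(prefix, origin_as, table=AUTHORIZATIONS):
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for a in table:
        if a.prefix.version != net.version or not net.subnet_of(a.prefix):
            continue
        covered = True  # some documented object covers this address space
        if a.origin_as == origin_as and net.prefixlen <= a.max_length:
            return "valid"
    return "invalid" if covered else "not-found"

def filter_customer(announcements, customer_asns, table=AUTHORIZATIONS):
    """Split (prefix, as_path) announcements into accepted and rejected.

    Strict allowlist: only 'valid' routes originated by one of the
    customer's own AS numbers are accepted; 'not-found' is rejected too.
    """
    accepted, rejected = [], []
    for prefix, as_path in announcements:
        origin = as_path[-1]  # right-most AS in the path is the origin
        if origin not in customer_asns:
            rejected.append((prefix, "origin AS not held by customer"))
            continue
        state = origin_state(prefix, origin, table)
        if state == "valid":
            accepted.append(prefix)
        else:
            rejected.append((prefix, state))
    return accepted, rejected
```

The same check only works if the address holder has documented the prefix in the first place, which is why filtering and public documentation of routing resources depend on each other.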
MANRS is a commitment by network operators to support the principles of the programme and implement at least one of the four actions for the majority of their infrastructure. There is a growing list of participants, but routing security is the sum of all contributions and a critical mass will raise the baseline and persuade others they should participate.