Mutually Agreed Norms for Routing Security (MANRS) Strengthening the Internet

Knowledge Sharing and Meaningful Conversation at InterCommunity 2020: Securing Global Routing

Recently, five routing security experts shared how they’ve been working to protect the Internet from the most common routing threats – by implementing and promoting the actions called for in Mutually Agreed Norms for Routing Security, or MANRS. They were all participants in InterCommunity, which gives the Internet Society community a way to connect for meaningful conversations about the issues that matter most to the Internet.

Want to join the InterCommunity conversation? Become an Internet Society member today!

This session of InterCommunity, “Securing Global Routing,” set out to increase awareness of MANRS, share good routing practices, and encourage more network operators to take the MANRS actions to make the Internet more secure for us all.

The speakers shared their network operations and capacity building knowledge while more than 200 participants participated live in the informative conversation.

Special thanks to Melchior Aelmans of Juniper Networks who moderated the discussion skillfully!

Here’s what the panelists had to say:

Abdul Awal, Bangladesh National DataCentre
Awal spoke about his goals in building technical capacity around Resource Public Key Infrastructure (RPKI) and raising awareness of MANRS principles in South Asia. He also discussed how we can help networks validate their routing information by implementing Route Origin Authorizations (ROAs).

ROAs enable network operators to cryptographically sign routing advertisements sent over Border Gateway Protocol (BGP) to other networks on the Internet. Using RPKI, other networks can cryptographically verify ROAs and drop similar routing information that may be received from other networks.

This significantly improves Internet security by preventing distribution of invalid route advertisements that may lead to parts of the Internet being unreachable or being hijacked by malicious networks.

Awal has worked with networks in the Asia-Pacific region to increase the percentage of valid routing information, thus improving the region’s secure routing.

Mark Tinka, SEACOM
Mark has been in the routing and network engineering industry for several years, active in both the Asia-Pacific and African regions as a network operator and trainer.

Working with RPKI since 2014, Mark explained how routing hardware from Cisco and Juniper has helped improve RPKI support over the years. He also described the process of deploying RPKI in Africa and some of the challenges he faced.

Kevin Blumberg, TORIX
Kevin spoke about implementing MANRS principles from the viewpoint of an Internet Exchange Point (IXP).

TORIX is an IXP in Toronto, Canada that has grown from 1 Gigabit per second in 2000 to 1.1 Terabits per second in 2020. He said it was easy for TORIX to become a MANRS participant as it had been running Internet Routing Registry (IRR) based filtering for more than a decade.

He also said IXP operators are generally less restrictive and so IXPs can easily become a source of a BGP hijack where different networks trust the routing information they receive. Therefore, TORIX feel they have a social obligation to ensure the peering data at their IXP is valid. Without this, it would be easy to permeate route hijacks via IXPs and TORIX wants to prevent that.

Jorge Cano,
Jorge spoke about FORT, a free and open source RPKI validator. An RPKI validator helps routers quickly validate routing information received over BGP without burdening routers with more processing load. FORT works on both Linux and BSD that (the Mexican registry) are working on with the help of LACNIC. The validator is free to use and open to everyone.

Jorge ran a poll to see which validator was most commonly used by the audience. We learned that most participants were currently using the RIPE Validator, with a few already using FORT.

Tashi Phuntsho, APNIC
Tashi gave a presentation on why it is important to secure global routing, highlighting the issues with differences in validated ROA outputs observed with different validators, and the ROA outreach work by the APNIC Training team in the region. Tashi also noted the beta testing the APNIC Training team has done with ROSv7.

If you run an ISP, IXP, CDN, or cloud network let’s protect the Internet ecosystem together. Join MANRS!