Categories
Building Trust Improving Technical Security Mutually Agreed Norms for Routing Security (MANRS)

Dear Network Operators, Where Are Your MANRS?!

As we just published over on the MANRS blog, we are approaching the second anniversary of launching the MANRS initiative in which network operators from around the globe work together to improve the security and resilience of the global routing system. We have just published a press release about MANRS and are working to increase MANRS’ visibility in wider circles.

We have now grown to over 40 network operators. From the press release: “As networks have come under increased stress from corporations, governments and other actors, not all benign, the visibility of the Internet’s routing infrastructure as a critical component has become as high as that of the Domain Name System (DNS) or other core infrastructure,” said Olaf Kolkman, Chief Internet Technology Officer (CITO) at the Internet Society. “By promoting routing security and resilience, MANRS gives operators a way to demonstrate their commitment to networking excellence, helping to restore trust in the Internet to anxious peers, businesses, customers and individuals.”

We are embarking upon this public relations outreach to inform more network operators about the initiative, grow its membership, and work toward improving routing security for everyone on the Internet.

Read the full release here, and stay tuned for a coverage recap in a few days! You can also follow along on the MANRS Twitter account or MANRS blog for coverage as it comes in.

Categories
Improving Technical Security Mutually Agreed Norms for Routing Security (MANRS) Technology

Discussing MANRS at RIPE 72 Next Week

Some time ago, a group of MANRS participants agreed that it’d be a good idea to have more precise guidance for the implementation of MANRS Actions. Having such a document could serve at least two purposes:

  • Ease deployment of measures required by MANRS (stub networks or small providers – the majority of ASNs)
  • Help check if the network setup is compliant with MANRS

Job Snijders presented this idea and an outline of the MANRS BCOP document at RIPE71 in November 2015. The idea was supported by several network operators and experts who joined the team to develop such guidance. Since then the team has done some heavy lifting as it appeared even the implementation of basic routing security practices cannot be accomplished by a single line in a config file!

We plan to present this work at the RIPE BCOP TF on May 23 during the RIPE meeting. If you are planning to attend RIPE72, please join the discussion.

This is a work in progress, but you can find the current version of the document here:

https://docs.google.com/document/d/1fQxknkC3_ggdNnPF3NfaWFpmc4ajTonVQIiD9DYBhlg/edit?usp=sharing

We welcome your review and contributions. We expect that shaping up of the document will continue in the RIPE BCOP TF.

[Editor’s Note: This post was originally published on the Routing Resilience Manifesto blog at https://www.routingmanifesto.org/2016/05/discussing-manrs-at-ripe-72-next-week/.]

Categories
Improving Technical Security Mutually Agreed Norms for Routing Security (MANRS)

Paving the Way Forward for MANRS

How do you get a community effort off the ground and make it a success? How do we even define success? Is it the number of participants, general awareness beyond its participants, or new parallel activities that the effort stimulates? Last week during NANOG 66, several MANRS participants met to discuss the challenges we want to address in 2016 and beyond that are critical to the success of this effort.

Someone recently commented that MANRS will start paying off when it begins to motivate network operators to implement the outlined Actions in order to join the initiative. That is, indeed, our objective and that is what we really see as success.

We are not there yet. In the 14 months since MANRS launched, the membership has grown steadily, but the questions remain: What are the main components that can grow it faster, solidify the membership, and mature the whole effort?

In our view there are three: Scalability, Credibility, and Community.

Scalability is about how we facilitate exponential growth and wider promotion of MANRS. We discussed a few potential ideas for us to will work on:

  • Encourage and support existing participants to become active ambassadors of the effort and MANRS.
  • Allow participants to publish guest blog posts related to their experiences on the MANRS website.
  • Develop guidance on how an organization can leverage MANRS to differentiate itself; market it internally and externally; and encourage customers, peers and suppliers to meet this security baseline.
  • Design a cool t-shirt, for MANRS members only.

Credibility is crucial. The attractiveness and motivation to join can be severely affected if operators don’t believe existing participants are running their networks above the norm documented by MANRS. There are two possible avenues to explore:

  • Compliance tests. For some Actions, such tests are relatively easy and we are already doing them when evaluating sign-up requests. Is up-to-date contact information recorded in the PeeringDB, RADB, or RIPE? Does the network publish its routing policy in one of the IRRs?

    It is more difficult to tell if the first two Actions are properly implemented by looking from the outside. Can you say if a network has deployed measures preventing wrong announcements from its customers, or those originated in the network itself? Probably not. But you can infer the opposite – there are potential holes in a network’s outward defense – if you observe announcements from it. It has the caveat of having false negatives, but it is better than no checks. That is what we are probably going to develop: look at the network’s BGP activity over past, say six months, and see if there are “suspicious” events that need further explanation.

    It is almost impossible to test from the outside whether or not a network blocks packets with spoofed source IP addresses (see, for example http://dev.internetsociety.org/doc/addressing-challenge-ip-spoofing). Fortunately, there is a tool operated and maintained by CAIDA called Spoofer that we can ask a potential participant to run to verify compliance with Action 2.

  • Vouching. When building trusted communities, it is common to use vouching when accepting new members. In many cases, peers, upstreams, and customers have a pretty good idea of the quality and security of a network they are dealing with. This probably cannot be the only acceptance test, but vouching for new members can positively contribute to the credibility and further strengthen the community around MANRS.

Community is probably one of the most important elements, since it makes the effort both scalable and credible. How can we make MANRS not a one-off sign-up event, but a continuous collaborative activity? Like security in general, MANRS is not a product – it is a process. Here, participants offered three ideas:

  • Develop a BCOP document that provides guidance for practical implementation of the Actions. This activity is already underway.
  • Use the member-only mailing list for MANRS participants to discuss issues and coordinate actions in a more trusted environment than on a public NOG list. This mailing list already exists.
  • Encourage MANRS participants to contribute to related activities, like URSA.

It was only a lunch meeting, and we could not touch on all aspects or do a deep dive into any specific issue, but the discussion provided great feedback and guidance for the improvements and expansion of the effort.

What other ideas do you have for bringing MANRS to the wider global technical community?

Note: This post originally appeared on the Routing Resilience Manifesto blog at https://www.routingmanifesto.org/2016/02/paving-the-way-forward-for-manrs/.