Transcription
Improving routing security throughconcerted actionRIPE 80, May 12, 2020Andrei Robachevskyrobachevsky@isoc.org1
There is a problem (2019)Incidents in 2019 10,036 total incidents - either outages or attacks, likeroute leaks and hijacks 2.5% of all networks were affected by an outage4232, 42%58% 3.8% of all networks were affected by a routing incident 2% of all networks were responsible for 4232 routingincidentsOutageRouting incident2Source: https://www.bgpstream.com/
Routing Incidents Cause Real World /RouteHijackingA network operator or attackerimpersonates another networkoperator, pretending that a serveror network is their client.Packets are forwarded to The 2008 YouTube hijackthe wrong place, and can April 2018 Amazon Route 53cause Denial of Service hijack(DoS) attacks or trafficinterception.Route LeakA network operator with multipleupstream providers (often due toaccidental misconfiguration)announces to one upstreamprovider that is has a route to adestination through the otherupstream provider.Can be used for a MITM,including trafficinspection, modificationand reconnaissance.IP AddressSpoofingSomeone creates IP packets with a The root cause offalse source IP address to hide the reflection DDoS attacksidentity of the sender or toNovember 2018. Google faceda major outage in many parts ofthe world thanks to a BGP leak.This incident that was causedby a Nigerian ISP MainOne.June 2019. Allegheny leakedroutes from another provider toVerizon, causing significantoutage.March 1, 2018. Memcached1.3Tb/s reflection-amplification3attack reported by Akamai
Why routing security is so hard? Each player can contribute to routing security And be the cause of an incident Most of them would like to have a more secure routing system Routing incidents are hard to debug and fix Most of them have little incentive One’s network security is in the hands of othersWe have a typical collective action problem4
We Are In This TogetherNetwork operators have acollective responsibility to ensurea globally robust and securerouting infrastructure.Your network’s safety depends on a routinginfrastructure that mitigates incidents frombad actors and accidental misconfigurationsthat wreak havoc on the Internet.Security of your network depends onmeasures taken by other operators.The more network operators work together,the fewer incidents there will be, and the lessdamage they can do.5
Can this problem be solved without regulation?Norms may provide a solution in some cases Need to agree on values. And behaviors that support these valuesCommon Value Resilient and secure global routing systemBehaviors Do not accept and propagate others mistakes (Validate what you accept from the neighbors)Protect your neighbors from your own mistakes (avoid policy violations) Do not hijack Do not leakEnable others to validate6
From Behaviors to NormsWidely accepted as a good practiceNot exactly a least commondenominator, but not too high eitherVisible and Measurable7
Mutually Agreed Norms for RoutingSecurity (MANRS)Provides crucial fixes to reduce the most common routing threats8
Mutually Agreed Norms for Routing SecurityMANRS provides baseline recommendations in the form of Actions Distilled from common behaviors – BCPs, optimized for low cost and low risk of deployment With high potential of becoming normsMANRS builds a visible community of security minded operators Social acceptance and peer pressure9
MANRS – increasing adoption10
Action – who can make an impact? Enterprise and access networks Transit providers IXPs CDNs and Cloud providersIXTransitAccessContentCloud
Network operators – MANRS launch, November 2014FilteringAnti-spoofingCoordinationPrevent propagation ofincorrect routinginformationPrevent traffic withspoofed source IPaddressesEnsure the correctness ofyour own announcementsand announcements fromyour customers to adjacentnetworks with prefix andAS-path granularityEnable source addressvalidation for at leastsingle-homed stubcustomer networks, theirown end-users, andinfrastructureFacilitate globaloperationalcommunication andcoordination betweennetwork operatorsMaintain globallyaccessible up-to-datecontact information incommon databases (RIRwhois, IRR, PeeringDB)GlobalValidationFacilitate validation ofrouting information on aglobal scalePublish your data, soothers can validate12
MANRS IXP ProgrammeThere is synergy between MANRS and IXPs IXPs form communities with a common operational objective MANRS is a reference point with a global presence – useful for building a “safeneighborhood”How can IXPs contribute? Implement a set of Actions that demonstrate the commitment of an IXP and bring significantimprovement to the resilience and security of the peering relationships13
MANRS IXP ActionsAction 1Action 2Action 3Action 4Action 5Preventpropagation ofincorrect routinginformationPromoteMANRS to theIXP membershipProtect thepeering platformFacilitate globaloperationalcommunicationand coordinationProvidemonitoring anddebugging toolsto the members.This mandatoryaction requiresIXPs to implementfiltering of routeannouncements atthe Route Serverbased on routinginformation data(IRR and/or RPKI).IXPs joiningMANRS areexpected toprovideencouragement orassistance for theirmembers toimplementMANRS actions.This actionrequires that theIXP has apublished policy oftraffic not allowedon the peeringfabric andperforms filteringof such traffic.The IXP facilitatescommunicationamong membersby providingnecessary mailinglists and memberdirectories.The IXP providesa looking glass forits members.14
MANRS IXP Program – launched in April 201815
The CDN and Cloud programme(launched on March 31))Leverage their peering power, but also bring benefits: Create a secure network peering environment, preventing potential attacks attheir border Encourage better routing hygiene from your peering partners Signal organization security-forward posture Demonstrate responsible behavior Improve operational efficiency for peering interconnections, minimizingincidents and providing more granular insight for troubleshooting16
The Task ForceAlejandro Becerra GonzalezGary Ratterree (Microsoft)Rob Spiger (Microsoft)(Telefonica)Ibrahim Seremet (Verisign)Rogério Mariano (Azion)Andrei Robachevsky (InternetJerome Fleury (Cloudflare)Ronan Mullally (Akamai)Society, Editor)JJ Crawford (Facebook)Ray Sliteris (Facebook)Arturo Servin (Google)Kay Rechthien (Akamai)Steve Peters (Facebook)Carlos Asensio (Nexica)Kevin Blumberg (TORIX)Tale Lawrence (Oracle)Chris Morrow (Google)Marcus Grando (Azion)Tony Tauber (Comcast)Christian Kaufmann (Akamai)Martin J. Levy (Cloudflare)Yong Kim (Verisign)Daniel Ponticello (Redder)Marty Strong (Facebook)17
MANRS Actions for CDN&CloudAction 1Action 2Action 3Action 4Action 5Action 6Preventpropagation ofincorrect routinginformationPrevent trafficwith illegitimatesource IPaddressesFacilitate globaloperationalcommunicationand coordinationFacilitatevalidation ofroutinginformation on aglobal scaleEncourageMANRS adoptionProvidemonitoring anddebugging toolsto peeringpartnersEgress filteringIngress filtering –non-transit peers,explicit whitelistsAnti-spoofingcontrols to preventpackets withillegitimate sourceIP addressContactinformation inPeeringDBand relevant RIRdatabasesPublicly documentASNs and prefixesthat are intendedto be advertised toexternal parties.Actively encourageMANRS adoptionamong the peersProvide monitoringtools to indicateincorrectannouncementsfrom peers thatwere filtered bythe CDN&Cloudoperator.18
19
GROWTH OF THE MANRS MEMBERSHIP (NETWORK OPERATORS)364 ISPs52 IXPs8 CDN&Clouds3002001005020
Demography of participants IT21
22
Measuring MANRS ReadinessMANRS Observatory23
MotivationInform MANRS members about their degree of commitment Improve reputation and transparency of the effort Facilitate continuous improvement and correctionProvide a factual state of routing security as it relates to MANRS Support the problem statement with data Demonstrate the impact and progress Network, country, region, over timeImprove robustness of the evaluation process Make it more comprehensive and consistent Reduce the load Allow preparation (self-assessment)
MANRS ObservatoryProvides a factual state ofrouting security as it relates toMANRS25
MANRS ObservatoryProvides a factual state ofrouting security as it relates toMANRS26
MANRS ObservatoryInforms MANRS membersabout their degree ofcommitment27
MANRS is anImportant StepSecurity is a process, not a state. MANRSprovides a structure and a consistentapproach to solving security issues facingthe Internet.MANRS is the minimum an operator shouldconsider, with low risk and cost-effectiveactions.MANRS is not a one-stop solution to all ofthe Internet’s routing problems, but it is animportant step toward a globally robust andsecure routing infrastructure.28
Why join MANRS? Improve your security posture and reduce thenumber and impact of routing incidents Demonstrate that these practices are reality Meet the expectations of the operatorscommunity Join a community of security-minded operatorsworking together to make the Internet better Use MANRS as a competitive differentiator29
Join UsVisit https://www.manrs.org Fill out the sign up form with as much detailas possible. We may ask questions and run testsGet Involved in the Community Members support the initiative andimplement the actions in their own networks Members maintain and improve thedocument and promote MANRS objectives30
manrs.org#ProtectTheCoreMANRS Observatory:https://observatory.manrs.org31
Questions?https://www.manrs.orgFeedback: manrs@isoc.org32
cause Denial of Service (DoS) attacks or traffic interception. The 2008 YouTube hijack April 2018 Amazon Route 53 hijack Route Leak A network operator with multiple upstream providers (often due to accidental misconfiguration) announces to one upstream provider that is has a route to a destination through the other upstream provider.
