ION Cape Town - Collective Responsibility for Routing Security and MANRS

ION Cape Town, 8 September 2015 - Andrei Robachevsky discusses the Routing Resilience Manifesto initiative, underpinned by the “Mutually Agreed Norms for Routing Security (MANRS)” document that includes a set of actionable recommendations, which aims to help network operators around the world work together to improve the security and resilience of the global routing system. In this session, we’ll explain the basic principles outlined in MANRS, how to sign up and support the effort, and how to get involved in helping to further increase global routing security.

  1. www.internetsociety.org
     Collective responsibility for security and resilience of the global routing system
     Andrei Robachevsky <robachevsky@isoc.org>
  2. Routing Resilience Manifesto, aka MANRS
     https://www.routingmanifesto.org/
     https://www.manrs.org/
  3. The Internet Society
     Let us look at the problem first
     • BGP is based on trust
     • No validation of the legitimacy of updates
     • Chain of trust spans continents
     • Tools outside BGP exist, but not widely deployed
     • BGPSEC is under development in the IETF
  4. But also
     • Source IP address spoofing
       • Forging the source IP address of packets
     • Collaboration
       • How do you reach someone on the other side of the Net to help you out?
       • How do you mitigate a DDoS?
  5. Impact
     • Prefix hijack
       • Denial of service, impersonating a network or a service, traffic intercept
     • “Route leak”
       • Traffic intercept, but may result in denial of service
     • IP spoofing
       • The root cause of reflection DDoS attacks
  6. What is available to address these problems?
     • Tools
       • Prefix and AS-PATH filtering, RPKI, IRR, …
       • Ingress and egress anti-spoofing filtering, uRPF, …
       • Coordination and DDoS mitigation
     • Challenges
       • Your safety is in someone else’s hands. Implementing control plane fixes at just one network to network interface does not resolve the problem.
       • Too many problems to solve, too many cases
  7. Mutually Agreed Norms for Routing Security (MANRS)
     • MANRS builds a visible community of security-minded operators
       • Promotes culture of collaborative responsibility
     • Defines four concrete actions that network operators should implement
       • Technology-neutral baseline for global adoption
  8. Good MANRS
     1. Filtering – Prevent propagation of incorrect routing information.
     2. Anti-spoofing – Prevent traffic with spoofed source IP addresses.
     3. Coordination – Facilitate global operational communication and coordination between network operators.
     4. Global Validation – Facilitate validation of routing information on a global scale.
  9. 1. Filtering
     Prevent propagation of incorrect routing information
     • Network operator defines a clear routing policy and implements a system that ensures correctness of their own announcements and announcements from their customers to adjacent networks with prefix and AS-path granularity.
     • Network operator is able to communicate to their adjacent networks which announcements are correct.
     • Network operator applies due diligence when checking the correctness of their customer’s announcements, specifically that the customer legitimately holds the ASN and the address space it announces.
  10. 2. Anti-Spoofing
     Prevent traffic with spoofed source IP address
     • Network operator implements a system that enables source address validation for at least single-homed stub customer networks, their own end-users and infrastructure.
     • Network operator implements anti-spoofing filtering to prevent packets with an incorrect source IP address from entering and leaving the network.
  11. 3. Coordination
     Facilitate global operational communication and coordination between the network operators
     • Network operators should maintain globally accessible up-to-date contact information.
  12. 4. Global Validation
     Facilitate validation of routing information on a global scale.
     • Network operator has publicly documented routing policy, ASNs and prefixes that are intended to be advertised to external parties.
  13. MANRS is not (only) a document – it is a commitment
     1) The company supports the Principles and implements at least one of the Actions for the majority of its infrastructure.
     2) The company becomes a Participant of MANRS, helping to maintain and improve the document and to promote MANRS objectives
  14. Public launch of the initiative - 6 November 2014
  15. A growing list of participants
  16. Current Activities
     • Expanding the group of participants
       • Looking for industry leaders in the region
     • Building a community around MANRS
       • A trusted mailing list, possible other activities
     • Developing better guidance
       • Tailored to MANRS
       • In collaboration with existing efforts, like BCOP
  17. Are you interested in participating?
     Anti-Spoofing, Filtering, Coordination, Global scale
  18. I suspect some of you are asking yourself
     My company has always taken security seriously, we’ve implemented many of the Actions and much more long time ago… - Why joining MANRS now? What difference will it make?
  19. Let me suggest three reasons
     • Because routing security is a sum of all contributions
     • Because this is a way to demonstrate a new baseline
     • Because a community has gravity that can attract others
  20. What the participants say
  21. • We believe the security, stability, and resiliency of the Internet operation can be improved via distributed and shared responsibilities as documented in MANRS. As one of the largest academic networks in the world, CERNET is committed to the MANRS actions.
       Xing Li, Deputy Director, CERNET
     • Adherence to MANRS is an important commitment that operators make back to the Internet community. Together we aim to remove the havens from which miscreants maintain the freedom and anonymity to attack our network and our customers.
       David Freedman, Claranet Group
     • Comcast is committed to helping drive improvements to the reliability of the Internet ecosystem. We are thrilled to be engaged with other infrastructure participants across the spectrum and around the globe in pursuit of these goals.
       Jason Livingood, Vice President, Internet Services, Comcast
     • Cogent supports the efforts championed by the MANRS document. The issues being promoted need practical, effective improvements to support the continued growth and reliance on the Internet.
       Hank Kilmer, Cogent
     • Workonline implements the recommendations contained in the MANRS document by
  22. www.internetsociety.org
     https://www.routingmanifesto.org/
     https://www.manrs.org/
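
The Filtering action on slide 9 asks for checks on customer announcements "with prefix and AS-path granularity". The sketch below is an added example, not part of the slides or of any MANRS tooling; the policy table, function names and sample announcements are constructed for illustration and use documentation prefixes and private-use ASNs.

```python
import ipaddress

# Constructed customer policy (documentation prefixes and ASNs, not real data).
# Per customer ASN: allowed (prefix, max_length) pairs and the ASNs that may
# appear in paths learned from that customer (itself plus its downstreams).
POLICY = {
    64500: {
        "prefixes": [("192.0.2.0/24", 24), ("2001:db8:100::/40", 48)],
        "as_set": {64500, 64501},
    },
}

def check_announcement(neighbor_asn, prefix, as_path):
    """Return (accepted, reason) for one announcement on a customer session."""
    policy = POLICY.get(neighbor_asn)
    if policy is None:
        return False, "no policy for neighbor"
    # AS-path granularity: the path must start at the neighbor and stay
    # inside the set of ASNs registered for that customer.
    if not as_path or as_path[0] != neighbor_asn:
        return False, "first AS in path is not the neighbor"
    stray = [asn for asn in as_path if asn not in policy["as_set"]]
    if stray:
        return False, f"AS path contains ASNs outside customer AS-set: {stray}"
    # Prefix granularity: covered by a registered prefix and not too specific.
    net = ipaddress.ip_network(prefix)
    for allowed, max_len in policy["prefixes"]:
        allowed_net = ipaddress.ip_network(allowed)
        if net.version == allowed_net.version and net.subnet_of(allowed_net):
            if net.prefixlen <= max_len:
                return True, f"covered by {allowed} (max /{max_len})"
            return False, f"more specific than /{max_len} allowed under {allowed}"
    return False, "prefix not registered for this customer"

# Constructed announcements: (neighbor ASN, prefix, AS path).
SAMPLES = [
    (64500, "192.0.2.0/24", [64500]),            # registered prefix
    (64500, "2001:db8:10a::/48", [64500, 64501]),  # downstream, within max length
    (64500, "198.51.100.0/24", [64500]),         # address space not held
    (64500, "192.0.2.128/25", [64500]),          # too specific
    (64500, "192.0.2.0/24", [64500, 64999]),     # unknown ASN in path
]

def run_samples():
    return [check_announcement(*s)[0] for s in SAMPLES]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", check_announcement(*s))
```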
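
The Anti-Spoofing action on slide 10 covers source address validation at the customer edge and filtering of packets entering and leaving the network. The following added example (not from the slides) models both checks over constructed flow records; the interface names and the addressing plan are hypothetical and use documentation prefixes.

```python
import ipaddress

# Constructed addressing plan: the source prefixes that are legitimate on each
# customer-facing interface, and the space the operator itself uses.
CUSTOMER_PREFIXES = {
    "cust-a": ["192.0.2.0/25", "2001:db8:a::/48"],
    "cust-b": ["192.0.2.128/25"],
}
OWN_PREFIXES = ["198.51.100.0/24"]

def _nets(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]

def _covered(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip.version == n.version and ip in n for n in nets)

def ingress_ok(interface, src):
    """Customer edge: source must be in the prefixes assigned to that port."""
    return _covered(src, _nets(CUSTOMER_PREFIXES.get(interface, [])))

def egress_ok(src):
    """Upstream edge: only own or customer sources may leave the network."""
    everything = OWN_PREFIXES + [p for v in CUSTOMER_PREFIXES.values() for p in v]
    return _covered(src, _nets(everything))

# Constructed flow records: (ingress interface, source address).
FLOWS = [
    ("cust-a", "192.0.2.10"),
    ("cust-a", "192.0.2.200"),    # valid address, but assigned to cust-b
    ("cust-b", "203.0.113.7"),    # not in the operator's address plan at all
    ("cust-a", "2001:db8:a::53"),
]

def spoofed_flows():
    """Return the flow records an ingress filter would drop."""
    return [f for f in FLOWS if not ingress_ok(*f)]

if __name__ == "__main__":
    for flow in spoofed_flows():
        print("drop at ingress:", flow)
```

The second sample flow would pass a network-wide egress check and is only caught by the per-interface check, which is why validation at the customer edge matters.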
