SlideShare a Scribd company logo

ION Cape Town - Collective Responsibility for Routing Security and MANRS

Download as PPTX, PDF
Deploy360 Programme (Internet Society)
Deploy360 Programme (Internet Society)

ION Cape Town, 8 September 2015 - Andrei Robachevsky discusses the Routing Resilience Manifesto initiative, underpinned by the “Mutually Agreed Norms for Routing Security (MANRS)” document that includes a set of actionable recommendations, which aims to help network operators around the world work together to improve the security and resilience of the global routing system. In this session, we’ll explain the basic principles outlined in MANRS, how to sign up and support the effort, and how to get involved in helping to further increase global routing security.

Technology
1 of 22
www.internetsociety.org Collective responsibility for security and resilience of the global routing system Andrei Robachevsky <robachevsky@isoc.org>
www.internetsociety.org Routing Resilience Manifesto, aka MANRS https://www.routingmanifesto.org/ https://www.manrs.org/
The Internet Society Let us look at the problem first • BGP is based on trust • No validation of the legitimacy of updates • Chain of trust spans continents • Tools outside BGP exist, but not widely deployed • BGPSEC is under development in the IETF 3
The Internet Society But also • Source IP address spoofing • Forging the source IP address of packets • Collaboration • How do you reach someone on the other side of the Net to help you out? • How do you mitigate a DDoS? 5
The Internet Society Impact • Prefix hijack • Denial of service, impersonating a network or a service, traffic intercept • “Route leak” • Traffic intercept, but may result in denial of service • IP spoofing • The root cause of reflection DDoS attacks 6
The Internet Society What is available to address these problems? • Tools • Prefix and AS-PATH filtering, RPKI, IRR, … • Ingress and egress anti-spoofing filtering, uRPF, … • Coordination and DDoS mitigation • Challenges • Your safety is in someone else’s hands. Implementing control plane fixes at just one network to network interface does not resolve the problem. • Too many problems to solve, too many cases 7
The Internet Society Mutually Agreed Norms for Routing Security (MANRS) 8 MANRS builds a visible community of security-minded operators  Promotes culture of collaborative responsibility Defines four concrete actions that network operators should implement  Technology-neutral baseline for global adoption
The Internet Society Good MANRS 1. Filtering – Prevent propagation of incorrect routing information. 2. Anti-spoofing – Prevent traffic with spoofed source IP addresses. 3. Coordination – Facilitate global operational communication and coordination between network operators. 4. Global Validation – Facilitate validation of routing information on a global scale. 9
The Internet Society 1. Filtering Prevent propagation of incorrect routing information Network operator defines a clear routing policy and implements a system that ensures correctness of their own announcements and announcements from their customers to adjacent networks with prefix and AS-path granularity. Network operator is able to communicate to their adjacent networks which announcements are correct. Network operator applies due diligence when checking the correctness of their customer’s announcements, specifically that the customer legitimately holds the ASN and the address space it announces.10
The Internet Society 2. Anti-Spoofing Prevent traffic with spoofed source IP address Network operator implements a system that enables source address validation for at least single-homed stub customer networks, their own end-users and infrastructure. Network operator implements anti- spoofing filtering to prevent packets with an incorrect source IP address from entering and leaving the network. 11
The Internet Society 3. Coordination Facilitate global operational communication and coordination between the network operators Network operators should maintain globally accessible up-to-date contact information. 12
The Internet Society 4. Global Validation Facilitate validation of routing information on a global scale. Network operator has publicly documented routing policy, ASNs and prefixes that are intended to be advertised to external parties. 13
The Internet Society MANRS is not (only) a document – it is a commitment 1) The company supports the Principles and implements at least one of the Actions for the majority of its infrastructure. 2) The company becomes a Participant of MANRS, helping to maintain and improve the document and to promote MANRS objectives 14
The Internet Society Public launch of the initiative - 6 November 2014 15
The Internet Society A growing list of participants 16
The Internet Society Current Activities • Expanding the group of participants • Looking for industry leaders in the region • Building a community around MANRS • A trusted mailing list, possible other activities • Developing better guidance • Tailored to MANRS • In collaboration with existing efforts, like BCOP 17
The Internet Society Are you interested in participating? 18 Anti-SpoofingFiltering Coordination Global scale
The Internet Society I suspect some of you are asking yourself 19 My company has always taken security seriously, we’ve implemented many of the Actions and much more long time ago… - Why joining MANRS now? What difference will it make?
The Internet Society Let me suggest three reasons 20 Because routing security is a sum of all contributions Because this is a way to demonstrate a new baseline Because a community has gravity that can attract others
The Internet Society21 What the participants say
The Internet Society22 We believe the security, stability, and resiliency of the Internet operation can be improved via distributed and shared responsibilities as documented in MANRS. As one of the largest academic networks in the world, CERNET is committed to the MANRS actions. Xing Li, Deputy Director, CERNET Adherence to MANRS is an important commitment that operators make back to the Internet community. Together we aim to remove the havens from which miscreants maintain the freedom and anonymity to attack our network and our customers. David Freedman, Claranet Group Comcast is committed to helping drive improvements to the reliability of the Internet ecosystem. We are thrilled to be engaged with other infrastructure participants across the spectrum and around the globe in pursuit of these goals. Jason Livingood, Vice President, Internet Services, Comcast Cogent supports the efforts championed by the MANRS document. The issues being promoted need practical, effective improvements to support the continued growth and reliance on the Internet. Hank Kilmer, Cogent Workonline implements the recommendations contained in the MANRS document by
www.internetsociety.org https://www.routingmanifesto.org/ https://www.manrs.org/

Recommended

ION Cape Town - Welcome from ISOC Gauteng Chapter
ION Cape Town - Welcome from ISOC Gauteng ChapterION Cape Town - Welcome from ISOC Gauteng Chapter
ION Cape Town - Welcome from ISOC Gauteng ChapterDeploy360 Programme (Internet Society)
 
ION Cape Town - Opening Remarks
ION Cape Town - Opening RemarksION Cape Town - Opening Remarks
ION Cape Town - Opening RemarksDeploy360 Programme (Internet Society)
 
ION Cape Town - IETF, Operational Experience, and Africa
ION Cape Town - IETF, Operational Experience, and AfricaION Cape Town - IETF, Operational Experience, and Africa
ION Cape Town - IETF, Operational Experience, and AfricaDeploy360 Programme (Internet Society)
 
ION Trinidad and Tobago - Opening Slides
ION Trinidad and Tobago - Opening SlidesION Trinidad and Tobago - Opening Slides
ION Trinidad and Tobago - Opening SlidesDeploy360 Programme (Internet Society)
 
ISOC Engagement Activities
ISOC Engagement ActivitiesISOC Engagement Activities
ISOC Engagement ActivitiesBangladesh Network Operators Group
 
ION Cape Town - Closing Remarks
ION Cape Town - Closing RemarksION Cape Town - Closing Remarks
ION Cape Town - Closing RemarksDeploy360 Programme (Internet Society)
 
ION Trinidad and Tobago - IPv6 Global Connectivity Three Years After World IP...
ION Trinidad and Tobago - IPv6 Global Connectivity Three Years After World IP...ION Trinidad and Tobago - IPv6 Global Connectivity Three Years After World IP...
ION Trinidad and Tobago - IPv6 Global Connectivity Three Years After World IP...Deploy360 Programme (Internet Society)
 
ION Durban - MANRS Introduction
ION Durban - MANRS IntroductionION Durban - MANRS Introduction
ION Durban - MANRS IntroductionDeploy360 Programme (Internet Society)
 

Recommended

ION Cape Town - Welcome from ISOC Gauteng Chapter
ION Cape Town - Welcome from ISOC Gauteng ChapterION Cape Town - Welcome from ISOC Gauteng Chapter
ION Cape Town - Welcome from ISOC Gauteng ChapterDeploy360 Programme (Internet Society)
 
ION Cape Town - Opening Remarks
ION Cape Town - Opening RemarksION Cape Town - Opening Remarks
ION Cape Town - Opening RemarksDeploy360 Programme (Internet Society)
 
ION Cape Town - IETF, Operational Experience, and Africa
ION Cape Town - IETF, Operational Experience, and AfricaION Cape Town - IETF, Operational Experience, and Africa
ION Cape Town - IETF, Operational Experience, and AfricaDeploy360 Programme (Internet Society)
 
ION Trinidad and Tobago - Opening Slides
ION Trinidad and Tobago - Opening SlidesION Trinidad and Tobago - Opening Slides
ION Trinidad and Tobago - Opening SlidesDeploy360 Programme (Internet Society)
 
ISOC Engagement Activities
ISOC Engagement ActivitiesISOC Engagement Activities
ISOC Engagement ActivitiesBangladesh Network Operators Group
 
ION Cape Town - Closing Remarks
ION Cape Town - Closing RemarksION Cape Town - Closing Remarks
ION Cape Town - Closing RemarksDeploy360 Programme (Internet Society)
 
ION Trinidad and Tobago - IPv6 Global Connectivity Three Years After World IP...
ION Trinidad and Tobago - IPv6 Global Connectivity Three Years After World IP...ION Trinidad and Tobago - IPv6 Global Connectivity Three Years After World IP...
ION Trinidad and Tobago - IPv6 Global Connectivity Three Years After World IP...Deploy360 Programme (Internet Society)
 
ION Durban - MANRS Introduction
ION Durban - MANRS IntroductionION Durban - MANRS Introduction
ION Durban - MANRS IntroductionDeploy360 Programme (Internet Society)
 
Engage with The Internet Society
Engage with The Internet SocietyEngage with The Internet Society
Engage with The Internet SocietyAPNIC
 
ION Malta - Closing Slides
ION Malta - Closing SlidesION Malta - Closing Slides
ION Malta - Closing SlidesDeploy360 Programme (Internet Society)
 
Engaging with Internet Society
Engaging with Internet SocietyEngaging with Internet Society
Engaging with Internet SocietyBangladesh Network Operators Group
 
ION Belgrade - Opening Slides
ION Belgrade - Opening SlidesION Belgrade - Opening Slides
ION Belgrade - Opening SlidesDeploy360 Programme (Internet Society)
 
ION Durban - Opening Slides
ION Durban - Opening SlidesION Durban - Opening Slides
ION Durban - Opening SlidesDeploy360 Programme (Internet Society)
 
Internet Society - an update on activities by Rajnesh Singh
Internet Society - an update on activities by Rajnesh SinghInternet Society - an update on activities by Rajnesh Singh
Internet Society - an update on activities by Rajnesh SinghAPNIC
 
ION Bangladesh - Opening Remarks
ION Bangladesh - Opening RemarksION Bangladesh - Opening Remarks
ION Bangladesh - Opening RemarksDeploy360 Programme (Internet Society)
 
ION Durban - Closing Slides
ION Durban - Closing SlidesION Durban - Closing Slides
ION Durban - Closing SlidesDeploy360 Programme (Internet Society)
 
ION Bangladesh - ISOC Dhaka Chapter Welcome
ION Bangladesh - ISOC Dhaka Chapter WelcomeION Bangladesh - ISOC Dhaka Chapter Welcome
ION Bangladesh - ISOC Dhaka Chapter WelcomeDeploy360 Programme (Internet Society)
 
ISOC Overview and ISOC Canada
ISOC Overview and ISOC CanadaISOC Overview and ISOC Canada
ISOC Overview and ISOC CanadaGlenn McKnight
 
ISOC Update
ISOC UpdateISOC Update
ISOC UpdateAPNIC
 
ION Malta - Opening Slides
ION Malta - Opening SlidesION Malta - Opening Slides
ION Malta - Opening SlidesDeploy360 Programme (Internet Society)
 
3. icann policy slidesv1
3. icann policy slidesv13. icann policy slidesv1
3. icann policy slidesv1DNS Entrepreneurship Center
 
ION Malta - IANA Transition Roles & Accountability
ION Malta - IANA Transition Roles & AccountabilityION Malta - IANA Transition Roles & Accountability
ION Malta - IANA Transition Roles & AccountabilityDeploy360 Programme (Internet Society)
 
ISOC Update
ISOC UpdateISOC Update
ISOC UpdateAPNIC
 
ION Bangladesh - IETF Update
ION Bangladesh - IETF UpdateION Bangladesh - IETF Update
ION Bangladesh - IETF UpdateDeploy360 Programme (Internet Society)
 
Michael Yakushev - ICANN accountability and IANA transition - ArmIGF2015
Michael Yakushev - ICANN accountability and IANA transition - ArmIGF2015Michael Yakushev - ICANN accountability and IANA transition - ArmIGF2015
Michael Yakushev - ICANN accountability and IANA transition - ArmIGF2015Arm Igf
 
ION Belgrade - ISOC Serbia Belgrade Chapter Presentation
ION Belgrade - ISOC Serbia Belgrade Chapter PresentationION Belgrade - ISOC Serbia Belgrade Chapter Presentation
ION Belgrade - ISOC Serbia Belgrade Chapter PresentationDeploy360 Programme (Internet Society)
 
ION Durban - What's Happening at the IETF?
ION Durban - What's Happening at the IETF?ION Durban - What's Happening at the IETF?
ION Durban - What's Happening at the IETF?Deploy360 Programme (Internet Society)
 
ION Belgrade - Closing Slides
ION Belgrade - Closing SlidesION Belgrade - Closing Slides
ION Belgrade - Closing SlidesDeploy360 Programme (Internet Society)
 
Mind Your MANRS: Improving the Security and Resilience of the Global Routing ...
Mind Your MANRS: Improving the Security and Resilience of the Global Routing ...Mind Your MANRS: Improving the Security and Resilience of the Global Routing ...
Mind Your MANRS: Improving the Security and Resilience of the Global Routing ...Internet Society
 
Collective responsibility for security and resilience of the global routing s...
Collective responsibility for security and resilience of the global routing s...Collective responsibility for security and resilience of the global routing s...
Collective responsibility for security and resilience of the global routing s...APNIC
 

More Related Content

What's hot

Engage with The Internet Society
Engage with The Internet SocietyEngage with The Internet Society
Engage with The Internet SocietyAPNIC
 
Internet Society - an update on activities by Rajnesh Singh
Internet Society - an update on activities by Rajnesh SinghInternet Society - an update on activities by Rajnesh Singh
Internet Society - an update on activities by Rajnesh SinghAPNIC
 
ISOC Overview and ISOC Canada
ISOC Overview and ISOC CanadaISOC Overview and ISOC Canada
ISOC Overview and ISOC CanadaGlenn McKnight
 
ISOC Update
ISOC UpdateISOC Update
ISOC UpdateAPNIC
 
ISOC Update
ISOC UpdateISOC Update
ISOC UpdateAPNIC
 
Michael Yakushev - ICANN accountability and IANA transition - ArmIGF2015
Michael Yakushev - ICANN accountability and IANA transition - ArmIGF2015Michael Yakushev - ICANN accountability and IANA transition - ArmIGF2015
Michael Yakushev - ICANN accountability and IANA transition - ArmIGF2015Arm Igf
 

What's hot (20)

Engage with The Internet Society
Engage with The Internet SocietyEngage with The Internet Society
Engage with The Internet Society
 
ION Malta - Closing Slides
ION Malta - Closing SlidesION Malta - Closing Slides
ION Malta - Closing Slides
 
Engaging with Internet Society
Engaging with Internet SocietyEngaging with Internet Society
Engaging with Internet Society
 
ION Belgrade - Opening Slides
ION Belgrade - Opening SlidesION Belgrade - Opening Slides
ION Belgrade - Opening Slides
 
ION Durban - Opening Slides
ION Durban - Opening SlidesION Durban - Opening Slides
ION Durban - Opening Slides
 
Internet Society - an update on activities by Rajnesh Singh
Internet Society - an update on activities by Rajnesh SinghInternet Society - an update on activities by Rajnesh Singh
Internet Society - an update on activities by Rajnesh Singh
 
ION Bangladesh - Opening Remarks
ION Bangladesh - Opening RemarksION Bangladesh - Opening Remarks
ION Bangladesh - Opening Remarks
 
ION Durban - Closing Slides
ION Durban - Closing SlidesION Durban - Closing Slides
ION Durban - Closing Slides
 
ION Bangladesh - ISOC Dhaka Chapter Welcome
ION Bangladesh - ISOC Dhaka Chapter WelcomeION Bangladesh - ISOC Dhaka Chapter Welcome
ION Bangladesh - ISOC Dhaka Chapter Welcome
 
ISOC Overview and ISOC Canada
ISOC Overview and ISOC CanadaISOC Overview and ISOC Canada
ISOC Overview and ISOC Canada
 
ISOC Update
ISOC UpdateISOC Update
ISOC Update
 
ION Malta - Opening Slides
ION Malta - Opening SlidesION Malta - Opening Slides
ION Malta - Opening Slides
 
3. icann policy slidesv1
3. icann policy slidesv13. icann policy slidesv1
3. icann policy slidesv1
 
ION Malta - IANA Transition Roles & Accountability
ION Malta - IANA Transition Roles & AccountabilityION Malta - IANA Transition Roles & Accountability
ION Malta - IANA Transition Roles & Accountability
 
ISOC Update
ISOC UpdateISOC Update
ISOC Update
 
ION Bangladesh - IETF Update
ION Bangladesh - IETF UpdateION Bangladesh - IETF Update
ION Bangladesh - IETF Update
 
Michael Yakushev - ICANN accountability and IANA transition - ArmIGF2015
Michael Yakushev - ICANN accountability and IANA transition - ArmIGF2015Michael Yakushev - ICANN accountability and IANA transition - ArmIGF2015
Michael Yakushev - ICANN accountability and IANA transition - ArmIGF2015
 
ION Belgrade - ISOC Serbia Belgrade Chapter Presentation
ION Belgrade - ISOC Serbia Belgrade Chapter PresentationION Belgrade - ISOC Serbia Belgrade Chapter Presentation
ION Belgrade - ISOC Serbia Belgrade Chapter Presentation
 
ION Durban - What's Happening at the IETF?
ION Durban - What's Happening at the IETF?ION Durban - What's Happening at the IETF?
ION Durban - What's Happening at the IETF?
 
ION Belgrade - Closing Slides
ION Belgrade - Closing SlidesION Belgrade - Closing Slides
ION Belgrade - Closing Slides
 

Similar to ION Cape Town - Collective Responsibility for Routing Security and MANRS

Mind Your MANRS: Improving the Security and Resilience of the Global Routing ...
Mind Your MANRS: Improving the Security and Resilience of the Global Routing ...Mind Your MANRS: Improving the Security and Resilience of the Global Routing ...
Mind Your MANRS: Improving the Security and Resilience of the Global Routing ...Internet Society
 
Collective responsibility for security and resilience of the global routing s...
Collective responsibility for security and resilience of the global routing s...Collective responsibility for security and resilience of the global routing s...
Collective responsibility for security and resilience of the global routing s...APNIC
 
How can we work together to improve security and resilience of the global rou...
How can we work together to improve security and resilience of the global rou...How can we work together to improve security and resilience of the global rou...
How can we work together to improve security and resilience of the global rou...APNIC
 
ARM 7 - ISOC: MANRS, Security and resilience of global routing system
ARM 7 - ISOC: MANRS, Security and resilience of global routing systemARM 7 - ISOC: MANRS, Security and resilience of global routing system
ARM 7 - ISOC: MANRS, Security and resilience of global routing systemAPNIC
 
Two years of good MANRS
Two years of good MANRSTwo years of good MANRS
Two years of good MANRSAPNIC
 
PLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It Together
PLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It TogetherPLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It Together
PLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It TogetherPROIDEA
 
“Security” In a Digital Interconnected World
“Security” In a Digital Interconnected World “Security” In a Digital Interconnected World
“Security” In a Digital Interconnected World Internet Society
 
MANRS - Introduction to Internet Routing Security
MANRS - Introduction to Internet Routing SecurityMANRS - Introduction to Internet Routing Security
MANRS - Introduction to Internet Routing SecurityObika Gellineau
 
ION Costa Rica - Two Years of Good MANRS: Improving Global Routing Security &...
ION Costa Rica - Two Years of Good MANRS: Improving Global Routing Security &...ION Costa Rica - Two Years of Good MANRS: Improving Global Routing Security &...
ION Costa Rica - Two Years of Good MANRS: Improving Global Routing Security &...Deploy360 Programme (Internet Society)
 
World Wide Web and Internet
World Wide Web and InternetWorld Wide Web and Internet
World Wide Web and InternetJanecatalla
 
Paper id 2820149
Paper id 2820149Paper id 2820149
Paper id 2820149IJRAT
 
Internet service provision_terminology_and_principles
Internet service provision_terminology_and_principlesInternet service provision_terminology_and_principles
Internet service provision_terminology_and_principlesInternet Society
 
IEEE PROJECT TITLES FOR BE, B.TECH, (CSE, IT) ME, M.TECH, MSC, MCA PROJECT TI...
IEEE PROJECT TITLES FOR BE, B.TECH, (CSE, IT) ME, M.TECH, MSC, MCA PROJECT TI...IEEE PROJECT TITLES FOR BE, B.TECH, (CSE, IT) ME, M.TECH, MSC, MCA PROJECT TI...
IEEE PROJECT TITLES FOR BE, B.TECH, (CSE, IT) ME, M.TECH, MSC, MCA PROJECT TI...John Britto
 
Net Neutrality Capacity Building Seminar
Net Neutrality Capacity Building SeminarNet Neutrality Capacity Building Seminar
Net Neutrality Capacity Building SeminarExcel Asama
 
CCNA v6.0 ITN - Chapter 01
CCNA v6.0 ITN - Chapter 01CCNA v6.0 ITN - Chapter 01
CCNA v6.0 ITN - Chapter 01Irsandi Hasan
 

Similar to ION Cape Town - Collective Responsibility for Routing Security and MANRS (20)

Mind Your MANRS: Improving the Security and Resilience of the Global Routing ...
Mind Your MANRS: Improving the Security and Resilience of the Global Routing ...Mind Your MANRS: Improving the Security and Resilience of the Global Routing ...
Mind Your MANRS: Improving the Security and Resilience of the Global Routing ...
 
Collective responsibility for security and resilience of the global routing s...
Collective responsibility for security and resilience of the global routing s...Collective responsibility for security and resilience of the global routing s...
Collective responsibility for security and resilience of the global routing s...
 
How can we work together to improve security and resilience of the global rou...
How can we work together to improve security and resilience of the global rou...How can we work together to improve security and resilience of the global rou...
How can we work together to improve security and resilience of the global rou...
 
ARM 7 - ISOC: MANRS, Security and resilience of global routing system
ARM 7 - ISOC: MANRS, Security and resilience of global routing systemARM 7 - ISOC: MANRS, Security and resilience of global routing system
ARM 7 - ISOC: MANRS, Security and resilience of global routing system
 
Improving routing security through concerted action
Improving routing security through concerted actionImproving routing security through concerted action
Improving routing security through concerted action
 
Two years of good MANRS
Two years of good MANRSTwo years of good MANRS
Two years of good MANRS
 
PLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It Together
PLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It TogetherPLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It Together
PLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It Together
 
MANRS for Network Operators - bdNOG12
MANRS for Network Operators - bdNOG12MANRS for Network Operators - bdNOG12
MANRS for Network Operators - bdNOG12
 
“Security” In a Digital Interconnected World
“Security” In a Digital Interconnected World “Security” In a Digital Interconnected World
“Security” In a Digital Interconnected World
 
MANRS - Introduction to Internet Routing Security
MANRS - Introduction to Internet Routing SecurityMANRS - Introduction to Internet Routing Security
MANRS - Introduction to Internet Routing Security
 
ION Costa Rica - Two Years of Good MANRS: Improving Global Routing Security &...
ION Costa Rica - Two Years of Good MANRS: Improving Global Routing Security &...ION Costa Rica - Two Years of Good MANRS: Improving Global Routing Security &...
ION Costa Rica - Two Years of Good MANRS: Improving Global Routing Security &...
 
World Wide Web and Internet
World Wide Web and InternetWorld Wide Web and Internet
World Wide Web and Internet
 
ION Malta - MANRS Introduction
ION Malta - MANRS IntroductionION Malta - MANRS Introduction
ION Malta - MANRS Introduction
 
PPT on MS-CIT Unit-2
PPT on MS-CIT Unit-2PPT on MS-CIT Unit-2
PPT on MS-CIT Unit-2
 
Paper id 2820149
Paper id 2820149Paper id 2820149
Paper id 2820149
 
Internet service provision_terminology_and_principles
Internet service provision_terminology_and_principlesInternet service provision_terminology_and_principles
Internet service provision_terminology_and_principles
 
IEEE PROJECT TITLES FOR BE, B.TECH, (CSE, IT) ME, M.TECH, MSC, MCA PROJECT TI...
IEEE PROJECT TITLES FOR BE, B.TECH, (CSE, IT) ME, M.TECH, MSC, MCA PROJECT TI...IEEE PROJECT TITLES FOR BE, B.TECH, (CSE, IT) ME, M.TECH, MSC, MCA PROJECT TI...
IEEE PROJECT TITLES FOR BE, B.TECH, (CSE, IT) ME, M.TECH, MSC, MCA PROJECT TI...
 
CCNA_ITN_Chp1.pptx
CCNA_ITN_Chp1.pptxCCNA_ITN_Chp1.pptx
CCNA_ITN_Chp1.pptx
 
Net Neutrality Capacity Building Seminar
Net Neutrality Capacity Building SeminarNet Neutrality Capacity Building Seminar
Net Neutrality Capacity Building Seminar
 
CCNA v6.0 ITN - Chapter 01
CCNA v6.0 ITN - Chapter 01CCNA v6.0 ITN - Chapter 01
CCNA v6.0 ITN - Chapter 01
 

More from Deploy360 Programme (Internet Society)

More from Deploy360 Programme (Internet Society) (18)

ION Belgrade - Jordi Palet Martinez IPv6 Success Stories
ION Belgrade - Jordi Palet Martinez IPv6 Success StoriesION Belgrade - Jordi Palet Martinez IPv6 Success Stories
ION Belgrade - Jordi Palet Martinez IPv6 Success Stories
 
ION Belgrade - IETF Update
ION Belgrade - IETF UpdateION Belgrade - IETF Update
ION Belgrade - IETF Update
 
ION Belgrade - MANRS by Serbian Open eXchange (SOX)
ION Belgrade - MANRS by Serbian Open eXchange (SOX)ION Belgrade - MANRS by Serbian Open eXchange (SOX)
ION Belgrade - MANRS by Serbian Open eXchange (SOX)
 
AusNOG - Two Years of Good MANRS
AusNOG - Two Years of Good MANRSAusNOG - Two Years of Good MANRS
AusNOG - Two Years of Good MANRS
 
ION Malta - IETF Update
ION Malta - IETF UpdateION Malta - IETF Update
ION Malta - IETF Update
 
ION Malta - Introduction to DNSSEC
ION Malta - Introduction to DNSSECION Malta - Introduction to DNSSEC
ION Malta - Introduction to DNSSEC
 
ION Malta - DANE: The Future of TLS
ION Malta - DANE: The Future of TLSION Malta - DANE: The Future of TLS
ION Malta - DANE: The Future of TLS
 
ION Malta - IPv6 Case Study: Finland
ION Malta - IPv6 Case Study: FinlandION Malta - IPv6 Case Study: Finland
ION Malta - IPv6 Case Study: Finland
 
ION Malta - Seeweb Thoughts on IPv6 Transition
ION Malta - Seeweb Thoughts on IPv6 TransitionION Malta - Seeweb Thoughts on IPv6 Transition
ION Malta - Seeweb Thoughts on IPv6 Transition
 
ION Malta - Seeweb Why MANRS is good for you
ION Malta - Seeweb Why MANRS is good for youION Malta - Seeweb Why MANRS is good for you
ION Malta - Seeweb Why MANRS is good for you
 
ION Durban - How peering behaviour affects growth of the internet
ION Durban - How peering behaviour affects growth of the internetION Durban - How peering behaviour affects growth of the internet
ION Durban - How peering behaviour affects growth of the internet
 
ION Durban - Introduction to ISOC Gauteng Chapter
ION Durban - Introduction to ISOC Gauteng ChapterION Durban - Introduction to ISOC Gauteng Chapter
ION Durban - Introduction to ISOC Gauteng Chapter
 
ION Durban - NAT64/DNS64 Experiments and the NAT64Check Tool
ION Durban - NAT64/DNS64 Experiments and the NAT64Check ToolION Durban - NAT64/DNS64 Experiments and the NAT64Check Tool
ION Durban - NAT64/DNS64 Experiments and the NAT64Check Tool
 
ION Durban - DNSSEC, and Why We Can't Avoid It
ION Durban - DNSSEC, and Why We Can't Avoid ItION Durban - DNSSEC, and Why We Can't Avoid It
ION Durban - DNSSEC, and Why We Can't Avoid It
 
ION Durban - IPv6 Case Study (Liquid Telecom)
ION Durban - IPv6 Case Study (Liquid Telecom)ION Durban - IPv6 Case Study (Liquid Telecom)
ION Durban - IPv6 Case Study (Liquid Telecom)
 
ION Costa Rica - About the IETF and How to Get Involved
ION Costa Rica - About the IETF and How to Get InvolvedION Costa Rica - About the IETF and How to Get Involved
ION Costa Rica - About the IETF and How to Get Involved
 
ION Costa Rica - Closing Slides
ION Costa Rica - Closing SlidesION Costa Rica - Closing Slides
ION Costa Rica - Closing Slides
 
ION Costa Rica - Validacion en el origen
ION Costa Rica - Validacion en el origenION Costa Rica - Validacion en el origen
ION Costa Rica - Validacion en el origen
 

Recently uploaded

Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 

Recently uploaded (20)

Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 

ION Cape Town - Collective Responsibility for Routing Security and MANRS

  • 1. www.internetsociety.org Collective responsibility for security and resilience of the global routing system Andrei Robachevsky <robachevsky@isoc.org>
  • 2. www.internetsociety.org Routing Resilience Manifesto, aka MANRS https://www.routingmanifesto.org/ https://www.manrs.org/
  • 3. The Internet Society Let us look at the problem first • BGP is based on trust • No validation of the legitimacy of updates • Chain of trust spans continents • Tools outside BGP exist, but not widely deployed • BGPSEC is under development in the IETF 3
  • 4. The Internet Society But also • Source IP address spoofing • Forging the source IP address of packets • Collaboration • How do you reach someone on the other side of the Net to help you out? • How do you mitigate a DDoS? 5
  • 5. The Internet Society Impact • Prefix hijack • Denial of service, impersonating a network or a service, traffic intercept • “Route leak” • Traffic intercept, but may result in denial of service • IP spoofing • The root cause of reflection DDoS attacks 6
  • 6. The Internet Society What is available to address these problems? • Tools • Prefix and AS-PATH filtering, RPKI, IRR, … • Ingress and egress anti-spoofing filtering, uRPF, … • Coordination and DDoS mitigation • Challenges • Your safety is in someone else’s hands. Implementing control plane fixes at just one network to network interface does not resolve the problem. • Too many problems to solve, too many cases 7
  • 7. The Internet Society Mutually Agreed Norms for Routing Security (MANRS) 8 MANRS builds a visible community of security-minded operators  Promotes culture of collaborative responsibility Defines four concrete actions that network operators should implement  Technology-neutral baseline for global adoption
  • 8. The Internet Society Good MANRS 1. Filtering – Prevent propagation of incorrect routing information. 2. Anti-spoofing – Prevent traffic with spoofed source IP addresses. 3. Coordination – Facilitate global operational communication and coordination between network operators. 4. Global Validation – Facilitate validation of routing information on a global scale. 9
  • 9. The Internet Society 1. Filtering Prevent propagation of incorrect routing information Network operator defines a clear routing policy and implements a system that ensures correctness of their own announcements and announcements from their customers to adjacent networks with prefix and AS-path granularity. Network operator is able to communicate to their adjacent networks which announcements are correct. Network operator applies due diligence when checking the correctness of their customer’s announcements, specifically that the customer legitimately holds the ASN and the address space it announces.10
  • 10. The Internet Society 2. Anti-Spoofing Prevent traffic with spoofed source IP address Network operator implements a system that enables source address validation for at least single-homed stub customer networks, their own end-users and infrastructure. Network operator implements anti- spoofing filtering to prevent packets with an incorrect source IP address from entering and leaving the network. 11
  • 11. The Internet Society 3. Coordination Facilitate global operational communication and coordination between the network operators Network operators should maintain globally accessible up-to-date contact information. 12
  • 12. The Internet Society 4. Global Validation Facilitate validation of routing information on a global scale. Network operator has publicly documented routing policy, ASNs and prefixes that are intended to be advertised to external parties. 13
  • 13. The Internet Society MANRS is not (only) a document – it is a commitment 1) The company supports the Principles and implements at least one of the Actions for the majority of its infrastructure. 2) The company becomes a Participant of MANRS, helping to maintain and improve the document and to promote MANRS objectives 14
  • 14. The Internet Society Public launch of the initiative - 6 November 2014 15
  • 15. The Internet Society A growing list of participants 16
  • 16. The Internet Society Current Activities • Expanding the group of participants • Looking for industry leaders in the region • Building a community around MANRS • A trusted mailing list, possible other activities • Developing better guidance • Tailored to MANRS • In collaboration with existing efforts, like BCOP 17
  • 17. The Internet Society Are you interested in participating? 18 Anti-SpoofingFiltering Coordination Global scale
  • 18. The Internet Society I suspect some of you are asking yourself 19 My company has always taken security seriously, we’ve implemented many of the Actions and much more long time ago… - Why joining MANRS now? What difference will it make?
  • 19. The Internet Society Let me suggest three reasons 20 Because routing security is a sum of all contributions Because this is a way to demonstrate a new baseline Because a community has gravity that can attract others
  • 20. The Internet Society21 What the participants say
  • 21. The Internet Society22 We believe the security, stability, and resiliency of the Internet operation can be improved via distributed and shared responsibilities as documented in MANRS. As one of the largest academic networks in the world, CERNET is committed to the MANRS actions. Xing Li, Deputy Director, CERNET Adherence to MANRS is an important commitment that operators make back to the Internet community. Together we aim to remove the havens from which miscreants maintain the freedom and anonymity to attack our network and our customers. David Freedman, Claranet Group Comcast is committed to helping drive improvements to the reliability of the Internet ecosystem. We are thrilled to be engaged with other infrastructure participants across the spectrum and around the globe in pursuit of these goals. Jason Livingood, Vice President, Internet Services, Comcast Cogent supports the efforts championed by the MANRS document. The issues being promoted need practical, effective improvements to support the continued growth and reliance on the Internet. Hank Kilmer, Cogent Workonline implements the recommendations contained in the MANRS document by

Editor's Notes

  1. Security problems of the global routing system are known, as well as various solutions. So how do we improve security and resilience of the global routing system I think many of us know that one of the challenges is that the problem cannot be solved alone, the real effect of the measures depends on how broad the measures are adopted. And if we look from an individual ISP point of view there are additional challenges, while the overall problem is significant, a typical ISP doesn’t feel a lot of pain. Good array of technologies, BCPs, etc. – but what to pick? And how to convince an ISP/management that doing this is a Good Thing? So here comes another facet – a social aspect, based on things like community, reciprocity and collaboration. This effort tries to merge the two (technology and people) together.
  2. Almost a year ago a group of network operators came together to build a platform
  3. Limited scope: e.g. ensures correctness of their own announcements and announcements from their customers to adjacent networks with prefix and AS-path granularity e.g. enables source address validation for at least single-homed stub customer networks, their own end-users and infrastructure e.g. maintain globally accessible up-to-date contact information.