This presentation is an overview of MANRS which is an initiative supported by the Internet Society. It fixes issues concerning internet routing that lead to security incidents that affect ISP and internet users alike.

1. MANRS:
Intro to Internet Routing
Security
Presenter: Obika Gellineau
Twitter: @AntiPhishClub
Linkedin: https://tt.linkedin.com/in/obikag

2. Objectives
 To understand the issues associated with internet routing incidents
and the impact these incidents have on the security and reliability
of the internet.
 To highlight the importance and benefits of MANRS with respect to
the routing of internet traffic.
 To determine the actions required to implement MANRS and the
tools used for its implementation.

3. Agenda
 Routing Incidents
 Internet Routing Basics
 What is MANRS?
 Benefits of MANRS
 The Four Pillars
 Global Validation
 Filtering
 Anti-Spoofing
 Coordination
 Key Takeaways

4. Routing Incidents
 In 2017, over 14,000 routing outages or attacks were recorded.
 These routing incidents lead to:
 Data Theft
 Loss of Revenue
 Loss or Reputation
 Loss of Productivity
 Some of these incidents are global in scale. Impacting internet users far and wide.
 Attacks can last from hours and take months to recognize.
 These incidents affected large internet giants, such as YouTube, Amazon and
Netflix.

5. Routing Incidents
 The common threats that cause these incidents include:
 BGP Hijacking (Prefix/Route) – Impersonation of another network operator and
pretending that a server on their network is their client
 Route Leak – Announcement of misconfigured routing paths from a network
operator who has multiple upstream providers, altering the destination path
through one of the upstream providers.
 IP Address Spoofing – Impersonation of an IP address using a fake source IP
address to hide the identity of the sender or impersonate another computer system.

6. Internet Routing Basics
 Internet traffic is routed through
networks called Autonomous Systems.
 ~60,000 AS route traffic of which each
is identified by an Autonomous System
Number (ASN).
 Routers use Border Gateway Protocol
(BGP) to exchange network paths.
 Routers owned by AS build a routing
table and pick the best route (i.e.
shortest path) for sending packets.
 BGP is based on trust between
networks.
 Some issues with BGP exchanges
between AS networks are:
 The chain of trust spans continents
 Lack of reliable data
 Lack of validation of updates
 These can lead to routing incidents
such as, incorrectly routed traffic and
successful DDoS attacks.
 One prevention mechanism against
these types of incidents is MANRS

7. What is MANRS?
Mutually Agreed Norms for Routing Security
 It improves the security and reliability of the global Internet routing system, based on
collaboration among participants and shared responsibility for the Internet
infrastructure.
 Defines four concrete actions (or pillars) that network operators must implement to
dramatically improve Internet security and reliability
 Two (2) of these pillars minimize the root cause of common routing issues and
attacks
 The other two (2) of these pillars mitigate the likelihood of future incidents.

8. Benefits of MANRS
Internet Exchange Providers (IXP)
• Prevents propagation of accidentally or intentionally
misconfigured routing information.
• Protects the peering platform between networks
• Improves communication between local, regional
and global operators
• Provides network operators with easily accessible
monitoring tools
Internet Service Providers (ISP)
• Validation of routing information on a global scale
• Provides protection against cyber attacks through IP
address validation and network filtering.
• Expansive and real-time monitoring of global events
• Improves brand value through increased reliability
and security

9. Four Pillars
Global
Validation
Validation of routing
information on a global
scale
Network operators must
publish their data, so that
other participants can
validate.
Filtering
Prevention of propagation
of incorrect routing
information
Network operators must
ensure correctness of their
and customer’s
announcements with prefix
and AS-path granularity
Anti-
Spoofing
Prevention of traffic with
spoofed source IP
addresses
Network operators must
enable source address
validation for at least
single-homed networks,
end-users and
infrastructure
Collaboration
Improved global
communication and
coordination between
network operators
Network operators must
maintain globally
accessible up-to-date
contact information in
routing databases.

10. Four Pillars – Global Validation
“Validation of routing information on a global scale”
Actions:
 Communicate which announcements are correct to adjacent networks
 Publicly document routing policy, ASNs and prefixes that are intended to be advertised to external
parties
Implementation:
 Register policy documentation, Network Layer Reachability Information (i.e. route/route6) and ASNs
in publicly available databases
 Route Origin Authorization (ROA) should also be registered with a certificate authority.
Tools:
 Internet Routing Registry (IRR) for route/route6, policy documentation and ASN
 Resource Public Key Infrastructure (RPKI) for ROA’s (e.g. RIPE, ARIN, APNIC, etc.)

11. Four Pillars – Filtering
“Prevention of propagation of incorrect routing information”
Actions:
 Clearly define routing policy and implement a system for correctness of their and customer
announcements to adjacent networks with granular prefix and AS-path.
 Due diligence for the correctness of customer announcements.
Implementation:
 Use IRR and RPKI authorities to build filters by requiring customers (i.e. upstream network
operators) to register their route objects.
 Use an internal database of valid IP addresses and verified route objects to build filters.
Tools:
 BGPQ3 or IRRToolset to build prefix-lists from IRR which will be used by routers for filtering
 RIPE NCC RPKI Validator and Dragon Research Labs RPKI Toolkit to validate ROAs

12. Four Pillars – Anti-Spoofing
“Prevention of traffic with spoofed source IP addresses”
Actions:
 Implement a system that enables source address validation for at least single-homed
customer networks, their own end-user and infrastructure.
Implementation:
 Source-Address Validation on cable-modem networks
 Unicast Reverse-Path Forwarding (uRPF) on router networks
 Access Control Lists for networks where the other anti-spoofing technologies are not
available.
Tools:
 Vendor-specific tools for routers (e.g. Cisco, Juniper, MikroTik etc.)

13. Four Pillars – Collaboration
“Improved global communication and coordination between network operators”
Actions:
 Maintain up-to-date and globally accessible contact information
Implementation:
 Maintaining contact information in Regional Internet Registries (RIR)
Tools:
 Registering contact information and consistently updating it with RIRs:
 AFRINIC – African Network Information Centre
 APNIC – Asia-Pacific Network Information Centre
 LACNIC – Latin America Network Information Centre
 ARIN – American Registry for Internet Numbers
 RIPE – Reseaux IP Europeens Network Coordination Centre

14. Key Takeaways
 Internet routing incidents lead to a reduced quality of internet services, cyber
attacks and brand/reputational damage for internet service providers.
 MANRS assists with the mitigation of internet routing incidents and improves the
security and reliability of the internet.
 Through global validation, filtering, anti-spoofing and collaboration, IXPs and ISPs
can better secure their services.
 MANRS ensures a safe internet for all end-users.

15. Thank You
Twitter: @AntiPhishClub
Linkedin: https://tt.linkedin.com/in/obikag