This presentation is an overview of MANRS, an initiative supported by the Internet Society. It addresses issues in internet routing that lead to security incidents affecting ISPs and internet users alike.
MANRS - Introduction to Internet Routing Security
1. MANRS: Intro to Internet Routing Security
Presenter: Obika Gellineau
Twitter: @AntiPhishClub
Linkedin: https://tt.linkedin.com/in/obikag
2. Objectives
To understand the issues associated with internet routing incidents
and the impact these incidents have on the security and reliability
of the internet.
To highlight the importance and benefits of MANRS with respect to
the routing of internet traffic.
To determine the actions required to implement MANRS and the
tools used for its implementation.
3. Agenda
Routing Incidents
Internet Routing Basics
What is MANRS?
Benefits of MANRS
The Four Pillars
Global Validation
Filtering
Anti-Spoofing
Coordination
Key Takeaways
4. Routing Incidents
In 2017, over 14,000 routing outages or attacks were recorded.
These routing incidents lead to:
Data Theft
Loss of Revenue
Loss of Reputation
Loss of Productivity
Some of these incidents are global in scale, impacting internet users far and wide.
Attacks can last for hours and take months to recognize.
These incidents affected large internet giants, such as YouTube, Amazon and
Netflix.
5. Routing Incidents
The common threats that cause these incidents include:
BGP Hijacking (Prefix/Route) – Impersonation of another network operator, pretending that a
server on that operator's network is the hijacker's own client
Route Leak – Announcement of misconfigured routing paths by a network operator who has
multiple upstream providers, altering the destination path through one of the upstream
providers.
IP Address Spoofing – Forging the source IP address of packets to hide the identity of the
sender or to impersonate another computer system.
6. Internet Routing Basics
Internet traffic is routed through networks called Autonomous Systems (AS).
Roughly 60,000 ASes route traffic, each identified by an Autonomous System Number (ASN).
Routers use the Border Gateway Protocol (BGP) to exchange network paths.
Routers owned by an AS build a routing table and pick the best route (i.e. the shortest path) for sending packets.
BGP is based on trust between networks.
Some issues with BGP exchanges between AS networks are:
The chain of trust spans continents
Lack of reliable data
Lack of validation of updates
These can lead to routing incidents such as incorrectly routed traffic and successful DDoS attacks.
One prevention mechanism against these types of incidents is MANRS.
7. What is MANRS?
Mutually Agreed Norms for Routing Security
It improves the security and reliability of the global Internet routing system, based on
collaboration among participants and shared responsibility for the Internet
infrastructure.
Defines four concrete actions (or pillars) that network operators must implement to
dramatically improve Internet security and reliability
Two (2) of these pillars minimize the root cause of common routing issues and
attacks
The other two (2) of these pillars mitigate the likelihood of future incidents.
8. Benefits of MANRS
Internet Exchange Providers (IXP)
• Prevents propagation of accidentally or intentionally
misconfigured routing information.
• Protects the peering platform between networks
• Improves communication between local, regional
and global operators
• Provides network operators with easily accessible
monitoring tools
Internet Service Providers (ISP)
• Validation of routing information on a global scale
• Provides protection against cyber attacks through IP
address validation and network filtering.
• Expansive and real-time monitoring of global events
• Improves brand value through increased reliability
and security
9. Four Pillars
Global Validation – Validation of routing information on a global scale. Network operators must publish their data, so that other participants can validate.
Filtering – Prevention of propagation of incorrect routing information. Network operators must ensure the correctness of their own and their customers’ announcements with prefix and AS-path granularity.
Anti-Spoofing – Prevention of traffic with spoofed source IP addresses. Network operators must enable source address validation for at least single-homed networks, end-users and infrastructure.
Collaboration – Improved global communication and coordination between network operators. Network operators must maintain globally accessible, up-to-date contact information in routing databases.
10. Four Pillars – Global Validation
“Validation of routing information on a global scale”
Actions:
Communicate which announcements are correct to adjacent networks
Publicly document routing policy, ASNs and prefixes that are intended to be advertised to external
parties
Implementation:
Register policy documentation, Network Layer Reachability Information (i.e. route/route6) and ASNs
in publicly available databases
Route Origin Authorization (ROA) should also be registered with a certificate authority.
Tools:
Internet Routing Registry (IRR) for route/route6, policy documentation and ASN
Resource Public Key Infrastructure (RPKI) for ROAs (e.g. RIPE, ARIN, APNIC, etc.)
11. Four Pillars – Filtering
“Prevention of propagation of incorrect routing information”
Actions:
Clearly define routing policy and implement a system that ensures the correctness of their own and
their customers' announcements to adjacent networks, with prefix and AS-path granularity.
Due diligence for the correctness of customer announcements.
Implementation:
Use IRR and RPKI authorities to build filters by requiring customers (i.e. upstream network
operators) to register their route objects.
Use an internal database of valid IP addresses and verified route objects to build filters.
Tools:
BGPQ3 or IRRToolset to build prefix-lists from IRR which will be used by routers for filtering
RIPE NCC RPKI Validator and Dragon Research Labs RPKI Toolkit to validate ROAs
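The Global Validation and Filtering pillars meet in Route Origin Validation: a router compares each received announcement against the ROAs published in RPKI and drops the ones that are invalid. The following is an added example, not code from the presentation or from any MANRS tool, that implements the RFC 6811 valid/invalid/notfound outcome over a set of constructed ROAs and announcements (documentation prefixes and ASNs only).

```python
# Added example (not from the MANRS slides): RPKI Route Origin Validation
# per RFC 6811, applied as a MANRS filtering step. The ROAs, prefixes
# (RFC 5737/3849 documentation ranges) and ASNs (RFC 5398) are constructed.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str      # authorised prefix, e.g. "192.0.2.0/24"
    max_length: int  # longest prefix length the holder permits
    asn: int         # origin AS authorised to announce it


def validate_origin(roas, prefix, origin_asn):
    """Return 'valid', 'invalid' or 'notfound' for one announcement."""
    net = ipaddress.ip_network(prefix)
    covering = [
        r for r in roas
        if ipaddress.ip_network(r.prefix).version == net.version
        and net.subnet_of(ipaddress.ip_network(r.prefix))
    ]
    if not covering:            # no ROA covers this prefix at all
        return "notfound"
    for r in covering:          # one matching ROA is enough
        if r.asn == origin_asn and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"            # covered, but wrong origin or too specific


def filter_announcements(roas, announcements):
    """MANRS-style filter: pass valid and notfound, drop invalid."""
    kept = []
    for prefix, asn in announcements:
        state = validate_origin(roas, prefix, asn)
        if state != "invalid":
            kept.append((prefix, asn, state))
    return kept


# Constructed sample data: one IPv4 and one IPv6 ROA for AS64496.
ROAS = [ROA("192.0.2.0/24", 24, 64496), ROA("2001:db8::/32", 48, 64496)]
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),     # valid
    ("192.0.2.0/25", 64496),     # invalid: more specific than maxLength
    ("192.0.2.0/24", 64511),     # invalid: wrong origin AS (hijack pattern)
    ("198.51.100.0/24", 64511),  # notfound: no ROA covers it
    ("2001:db8:1::/48", 64496),  # valid
]
```

Only the three valid or notfound announcements survive the filter; a route leak or hijack of a prefix with a ROA shows up as "invalid" and is discarded.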
12. Four Pillars – Anti-Spoofing
“Prevention of traffic with spoofed source IP addresses”
Actions:
Implement a system that enables source address validation for at least single-homed
customer networks, their own end-users and infrastructure.
Implementation:
Source-Address Validation on cable-modem networks
Unicast Reverse-Path Forwarding (uRPF) on router networks
Access Control Lists for networks where the other anti-spoofing technologies are not
available.
Tools:
Vendor-specific tools for routers (e.g. Cisco, Juniper, MikroTik etc.)
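To make the uRPF implementation concrete, the following added example (not from the presentation or any vendor) simulates strict and loose Unicast Reverse-Path Forwarding over a constructed forwarding table: a packet is accepted only if the route back to its source agrees with the interface it arrived on (strict) or at least exists (loose). Prefixes and interface names are constructed.

```python
# Added example (not from the MANRS slides): source address validation as
# performed by strict and loose uRPF, simulated over a constructed FIB.
# Prefixes are RFC 5737 documentation ranges; interface names are made up.
import ipaddress

# Constructed FIB: (prefix, egress interface). Longest match wins.
FIB = [
    ("0.0.0.0/0", "ge-0/0/0"),        # default route towards upstream
    ("192.0.2.0/24", "ge-0/0/1"),     # single-homed customer A
    ("198.51.100.0/24", "ge-0/0/2"),  # single-homed customer B
]


def lookup(fib, addr):
    """Longest-prefix match; returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if net.version == ip.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface)
    return best


def urpf_accept(fib, src, ingress_iface, mode="strict"):
    """Strict: the route back to src must exit via the ingress interface.
    Loose: any non-default route to src is enough. The default route is
    ignored in both modes (i.e. the 'allow-default' behaviour is off)."""
    match = lookup(fib, src)
    if match is None or match[0].prefixlen == 0:
        return False
    if mode == "loose":
        return True
    return match[1] == ingress_iface


def dropped_packets(fib, packets, mode="strict"):
    """Return the (src, ingress_iface) pairs uRPF would discard."""
    return [(s, i) for s, i in packets if not urpf_accept(fib, s, i, mode)]


# Constructed packets all arriving on customer A's port.
PACKETS = [
    ("192.0.2.10", "ge-0/0/1"),    # legitimate: A's own address
    ("198.51.100.7", "ge-0/0/1"),  # spoofed: B's address on A's port
    ("203.0.113.5", "ge-0/0/1"),   # spoofed: only the default route covers it
]
```

Strict mode drops both spoofed packets; loose mode lets the one using customer B's address through, which is why MANRS asks for strict checking on single-homed customer ports.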
13. Four Pillars – Collaboration
“Improved global communication and coordination between network operators”
Actions:
Maintain up-to-date and globally accessible contact information
Implementation:
Maintaining contact information in Regional Internet Registries (RIR)
Tools:
Registering contact information and consistently updating it with RIRs:
AFRINIC – African Network Information Centre
APNIC – Asia-Pacific Network Information Centre
LACNIC – Latin America Network Information Centre
ARIN – American Registry for Internet Numbers
RIPE – Réseaux IP Européens Network Coordination Centre
14. Key Takeaways
Internet routing incidents lead to a reduced quality of internet services, cyber
attacks and brand/reputational damage for internet service providers.
MANRS assists with the mitigation of internet routing incidents and improves the
security and reliability of the internet.
Through global validation, filtering, anti-spoofing and collaboration, IXPs and ISPs
can better secure their services.
MANRS ensures a safe internet for all end-users.