3 July 2017 - At ION Costa Rica, Kevin Meynell begins a panel on Routing Security & MANRS by explaining the Mutually Agreed Norms for Routing Security (MANRS) and the basic concepts of routing security.

1. Internet Society © 1992–2016
https://www.manrs.org/
Two years of good MANRS
Improving Global Routing Security and Resilience
January 2017

2. Internet Routing
• About 53,000 networks participate in global Internet routing – with 21,000 being single
“stub” networks (e.g. a small enterprise) and about 7,000 participating in the core Internet
http://www.cidr-report.org/as2.0/
• Routers use Border Gateway Protocol (BGP) to “announce” networks they know about and
to receive route announcements from connected networks.
• Routers build a “routing table” and pick the “best” route when sending a packet, typically
based on the shortest path.
• Routers have Autonomous System Numbers (ASN) uniquely identifying them to all other
routers
http://www.iana.org/assignments/as-numbers/as-numbers.xhtml
http://www.whatismyasn.org/
2

3. The Problem
• Border Gateway Protocol (BGP) is based on trust
• No built-in validation of the legitimacy of updates
• Chain of trust spans continents
• Lack of reliable resource data
3

4. Case study: http://bit.ly/youtube-pakistan

5. 7 years later...
https://bgpstream.com/

7. What’s behind these incidents?
• IP prefix hijack
• AS announces prefix it doesn’t originate
• AS announces more specific prefix than what may be announced by originating AS
• AS announces it can route traffic through shorter route, whether it exists or not
• Packets end-up being forwarded to wrong part of Internet
• Denial-of-Service, traffic interception, or impersonating network or service
• Route leaks
• Similar to prefix hijacking
• Usually not malicious and due to misconfigurations
• IP address spoofing
• Creation of IP packets with false source address
• The root cause of reflection DDoS attacks
7

8. Are there solutions?
• Yes!
• Prefix and AS-PATH filtering, RPKI, IRR, …
• BGPSEC under development at the IETF
• Whois, Routing Registries and Peering databases
• But…
• Lack of deployment
• Lack of reliable data
8

9. It is a socio-economic problem –
A tragedy of the Commons
• From a routing perspective, securing one’s own network does not
make it more secure. Network security is in someone else’s hands
• The more hands – the better the security
• Is there a clear, visible and industry supported line between good and
bad?
• A cultural norm
9

10. A clearly articulated baseline –
a minimum requirement (MCOP)
+
Visible support with commitment
10

11. Mutually Agreed Norms for Routing Security
(MANRS)
MANRS defines four concrete actions that network
operators should implement
• Technology-neutral baseline for global adoption
MANRS builds a visible community of security-minded
operators
• Promotes culture of collaborative responsibility
11

12. Good MANRS
• Filtering – Prevent propagation of incorrect routing information
Own announcements and the customer cone
• Anti-spoofing – Prevent traffic with spoofed source IP addresses
Single-homed stub customers and own infra
• Coordination – Facilitate global operational communication and coordination
between network operators
Up-to-date and responsive public contacts
• Global Validation – Facilitate validation of routing information on a global scale
Publish your data, so others can validate
12

13. MANRS is not (only) a document – it is a
commitment
• The members support the Principles and implement the
majority of the Actions in their networks
• A member becomes a Participant of MANRS, helping to
maintain and improve the document and to promote
MANRS objectives
13

14. A growing list of participants
14

15. 0
10
20
30
40
50
60
70
80
90
100
2014 2015 2016 2017 (so far)
# of AS
# of AS
Two years of MANRS
15
MANRS members by # of AS’es

16. 0
1000
2000
3000
4000
5000
6000
7000
8000
2014 2015 2016 2017 . . . . . . ?
# of AS
# of AS
You may say we’re dreamers…
16
MANRS members by # of AS’es

17. How to bridge this gap?
17

18. Leveraging market forces and peer pressure
• Developing a better “business case” for MANRS
• MANRS value proposition for your customers and your own network
• Creating a trusted community
• A group with a similar attitude towards security
18

19. Increasing gravity by making MANRS a
platform for related activities
• Developing better guidance
• MANRS Best Current Operational Practices (BCOP) document:
http://www.routingmanifesto.org/bcop/
• Training/certification programme
• Based on BCOP document and an online module
• Bringing new types of members on board
• IXPs
19

20. MANRS Training & Certification
• Routing security is complex
• The MANRS BCOP was envisaged as a simple instruction set
• Instead we have a 50-page document that assumes certain level of expertise
• How can we make it more accessible?
• A set of online training modules
• Based on the MANRS BCOP
• Walks a student through the tutorial with a test at the end
• Working with and looking for partners that are interested in integrating it in their curricula
• A hands-on lab to achieve MANRS certification
• Completing an online module as a first step in MANRS certification
• Looking for partners
20

21. MANRS IXP Partnership Programme
• There is synergy between MANRS and IXPs in this area
• IXPs form a community with a common operational objective
• MANRS is a reference point with a global presence – useful for building a
“safe neighbourhood”
• How can IXPs contribute?
• Technical measures: Route Server with validation, alerting on unwanted
traffic, providing debugging and monitoring tools
• Social measures: MANRS ambassador role, local audit as part of the on-
boarding process
• A development team is working on a set of useful actions
21

22. MANRS Participants in Latin America
• 7,130 ASNs assigned in LACNIC region
• 6 ASNs participating in MANRS (0.08%)
• LACNIC (AS28000-28002) - 4 actions
• Algar Telecom (AS16735, 53006, 27664) - 3 actions
22

23. MANRS: How to Sign-Up
• Go to https://www.manrs.org/signup/
• Provide requested information
• Please provide as much detail on how Actions are implemented as possible
• We may ask questions and ask you to run a few tests
• Routing “background check”
• Spoofer https://www.caida.org/projects/spoofer/
• Your answer to “Why did you decide to join?” may be displayed in the
testimonials
• Download the logo and use it
• Become an active MANRS participant
23