This document discusses the Mutually Agreed Norms for Routing Security (MANRS) initiative, which aims to improve routing security and resilience on the global internet. The document outlines key issues with the current routing system like route leaks and prefix hijacking. It then describes the four concrete actions that MANRS defines for network operators to implement, including filtering, anti-spoofing, coordination, and validation. The document notes that while MANRS participation has grown, overall deployment remains low, especially in Africa. It discusses strategies for bridging this gap, like developing better guidance, training programs, and bringing new types of members on board.
2. Internet Routing
• About 53,000 networks participate in global Internet routing – with 21,000 being single
“stub” networks (e.g. a small enterprise) and about 7,000 participating in the core Internet
http://www.cidr-report.org/as2.0/
• Routers use Border Gateway Protocol (BGP) to “announce” networks they know about and
to receive route announcements from connected networks.
• Routers build a “routing table” and pick the “best” route when forwarding a packet, typically
based on local policy and the shortest AS path.
• Each network (autonomous system) has an Autonomous System Number (ASN) that uniquely
identifies it to all other networks in BGP
http://www.iana.org/assignments/as-numbers/as-numbers.xhtml
http://www.whatismyasn.org/
3. The Problem
• Border Gateway Protocol (BGP) is based on trust
• No built-in validation of the legitimacy of updates
• Chain of trust spans continents
• Lack of reliable resource data
7. What’s behind these incidents?
• IP prefix hijack
• AS announces a prefix it does not originate
• AS announces a more specific prefix than the originating AS announces, so the longest match wins
• AS announces a shorter AS path to the prefix, whether that path exists or not
• Packets end up being forwarded to the wrong part of the Internet
• Denial-of-Service, traffic interception, or impersonating a network or service
• Route leaks
• Propagation of announcements beyond their intended scope (e.g. a customer re-announcing one provider’s routes to another); effect similar to prefix hijacking
• Usually not malicious and due to misconfiguration
• IP address spoofing
• Creation of IP packets with a false source address
• Enabler of reflection/amplification DDoS attacks: the replies go to the forged source, i.e. the victim
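The hijack patterns above (wrong origin AS, more-specific beyond what the holder authorised) are exactly what Route Origin Validation catches when the prefix holder has published RPKI data. The following is an added example, not MANRS project code: a minimal RFC 6811 origin validator in Python. The ROA set, ASNs (private range) and announcements are constructed from documentation address ranges so it runs offline; the "not-found" outcome is the case the "Global Validation" action is meant to eliminate, since without published data a filter cannot judge the announcement at all.

```python
"""Route Origin Validation (RFC 6811) of BGP announcements against a ROA set.

Added example, not MANRS project code. The ROAs and announcements below are
constructed from RFC 5737 / RFC 3849 documentation ranges and private ASNs.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_network
from typing import Dict, Iterable, List, Tuple, Union

Net = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: origin_as may announce prefix and any
    more-specific of it up to max_length."""
    prefix: Net
    max_length: int
    origin_as: int


def covering_roas(announced: Net, roas: Iterable[ROA]) -> List[ROA]:
    """ROAs whose prefix covers the announced prefix (same address family only)."""
    return [r for r in roas
            if r.prefix.version == announced.version and announced.subnet_of(r.prefix)]


def validate_origin(prefix: str, origin_as: int, roas: Iterable[ROA]) -> str:
    """Classify (prefix, origin AS) as 'valid', 'invalid' or 'not-found'.

    'invalid' covers both hijack patterns from the slides: an AS originating a
    prefix it is not authorised for, and a more-specific announced beyond the
    ROA's maxLength (even when the legitimate origin does it).
    """
    net = ip_network(prefix, strict=True)
    covering = covering_roas(net, roas)
    if not covering:
        return "not-found"   # holder published nothing; the filter cannot judge
    for roa in covering:
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def classify_all(announcements: Iterable[Tuple[str, int]],
                 roas: Iterable[ROA]) -> Dict[Tuple[str, int], str]:
    """Return {(prefix, origin_as): state} for a batch of announcements."""
    roas = list(roas)
    return {(p, a): validate_origin(p, a, roas) for p, a in announcements}


# Constructed ROA set: what the legitimate holders have published.
SAMPLE_ROAS = [
    ROA(ip_network("192.0.2.0/24"), 24, 64500),
    ROA(ip_network("192.0.2.0/24"), 24, 64496),   # second authorised origin
    ROA(ip_network("2001:db8::/32"), 48, 64500),
]

# Constructed announcements as a router might receive them.
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500),        # legitimate origin
    ("192.0.2.0/24", 64496),        # second authorised origin
    ("192.0.2.0/24", 64501),        # prefix hijack: wrong origin AS
    ("192.0.2.0/25", 64500),        # more-specific beyond maxLength
    ("2001:db8:1::/48", 64500),     # within maxLength
    ("2001:db8::/64", 64500),       # too specific
    ("198.51.100.0/24", 64501),     # no ROA published at all
]

if __name__ == "__main__":
    for (prefix, asn), state in classify_all(SAMPLE_ANNOUNCEMENTS, SAMPLE_ROAS).items():
        print(f"{prefix:<18} AS{asn:<6} {state}")
```

A production filter would feed `validate_origin` from an RPKI validator's VRP export rather than a hard-coded list, and would typically drop only "invalid" routes while still accepting "not-found", which is why low ROA coverage limits what filtering alone can achieve.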
8. Are there solutions?
• Yes!
• Prefix and AS-PATH filtering, RPKI, IRR, …
• BGPSEC under development at the IETF
• Whois, Routing Registries and Peering databases
• But…
• Lack of deployment
• Lack of reliable data
9. It is a socio-economic problem –
A tragedy of the Commons
• From a routing perspective, securing one’s own network does not by itself make it more secure:
whether others hijack or leak your prefixes is in someone else’s hands
• The more hands that filter and validate, the better the security for everyone
• Is there a clear, visible and industry supported line between good and
bad?
• A cultural norm
10. A clearly articulated baseline –
a minimum requirement (MCOP)
+
Visible support with commitment
11. Mutually Agreed Norms for Routing Security
(MANRS)
MANRS defines four concrete actions that network
operators should implement
• Technology-neutral baseline for global adoption
MANRS builds a visible community of security-minded
operators
• Promotes culture of collaborative responsibility
12. Good MANRS
• Filtering – Prevent propagation of incorrect routing information
Own announcements and the customer cone
• Anti-spoofing – Prevent traffic with spoofed source IP addresses
Single-homed stub customers and own infra
• Coordination – Facilitate global operational communication and coordination
between network operators
Up-to-date and responsive public contacts
• Global Validation – Facilitate validation of routing information on a global scale
Publish your data, so others can validate
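The Anti-spoofing action above is source address validation on customer-facing ports (BCP 38 style ingress filtering). As an added example, not MANRS project code, here is the decision logic in Python: per single-homed stub customer interface, the provider knows the prefixes that customer may source from, and anything else arriving on that port is dropped. The interface names, customer prefixes and packets are constructed from documentation ranges so the block runs offline.

```python
"""Source address validation (BCP 38 / RFC 2827 style ingress filtering) for
single-homed stub customer ports.

Added example, not MANRS project code. Interface names, customer prefixes and
packets are constructed from documentation address ranges.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

Packet = Tuple[str, str, str]   # (ingress interface, source, destination)

# Constructed: for each customer-facing interface, the prefixes that customer
# may legitimately source traffic from (derived from the provider's own
# assignments or from the customer's published IRR/ROA data).
CUSTOMER_PREFIXES = {
    "ge-0/0/1": [ip_network("192.0.2.0/24"), ip_network("2001:db8:1::/48")],
    "ge-0/0/2": [ip_network("198.51.100.0/24")],
}


def source_allowed(ingress_if: str, src: str,
                   table: Dict[str, list] = CUSTOMER_PREFIXES) -> bool:
    """True if a packet arriving on ingress_if with source src may be forwarded.

    Unknown interfaces and unparsable sources fail closed, so a port that was
    never configured cannot become an unfiltered path.
    """
    try:
        addr = ip_address(src)
    except ValueError:
        return False
    allowed = table.get(ingress_if)
    if not allowed:
        return False
    return any(addr.version == net.version and addr in net for net in allowed)


def filter_packets(packets: List[Packet],
                   table: Dict[str, list] = CUSTOMER_PREFIXES) -> Tuple[List[Packet], List[Packet]]:
    """Split packets into (forwarded, dropped) according to source_allowed."""
    forwarded: List[Packet] = []
    dropped: List[Packet] = []
    for pkt in packets:
        (forwarded if source_allowed(pkt[0], pkt[1], table) else dropped).append(pkt)
    return forwarded, dropped


# Constructed packets; 203.0.113.53 plays an open resolver, 203.0.113.9 a victim.
SAMPLE_PACKETS = [
    ("ge-0/0/1", "192.0.2.10", "203.0.113.53"),            # customer's own address: forward
    ("ge-0/0/1", "203.0.113.9", "203.0.113.53"),           # forged victim source: drop
    ("ge-0/0/1", "2001:db8:1::10", "2001:db8:ffff::53"),   # customer's IPv6 block: forward
    ("ge-0/0/1", "2001:db8:2::10", "2001:db8:ffff::53"),   # another customer's block: drop
    ("ge-0/0/2", "192.0.2.10", "203.0.113.53"),            # valid prefix, wrong port: drop
    ("ge-0/0/2", "198.51.100.7", "203.0.113.53"),          # forward
    ("ge-0/0/1", "not-an-address", "203.0.113.53"),        # malformed: drop
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE_PACKETS)
    for pkt in ok:
        print("FORWARD", pkt)
    for pkt in bad:
        print("DROP   ", pkt)
```

The per-interface table is the reason the action is scoped to single-homed stub customers and the operator's own infrastructure: for those the provider knows the complete set of legitimate sources, whereas a multi-homed customer may validly send packets sourced from space it routes via another provider, so the same strict check would cause collateral drops there.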
13. MANRS is not (only) a document – it is a
commitment
• The members support the Principles and implement the
majority of the Actions in their networks
• A member becomes a Participant of MANRS, helping to
maintain and improve the document and to promote
MANRS objectives
17. MANRS Participants in Africa
• 1,516 ASNs assigned in the AfriNIC region
• 443 ASNs in South Africa (ZA)
• 2 ASNs participating in MANRS (0.13% of AfriNIC ASNs)
• Workonline Communications (AS3271) - 4 actions
• NOOR Data Networks (AS20928) - 3 actions
19. Leveraging market forces and peer pressure
• Developing a better “business case” for MANRS
• MANRS value proposition for your customers and your own network
• Creating a trusted community
• A group with a similar attitude towards security
20. Increasing gravity by making MANRS a
platform for related activities
• Developing better guidance
• MANRS Best Current Operational Practices (BCOP) document:
http://www.routingmanifesto.org/bcop/
• Training/certification programme
• Based on BCOP document and an online module
• Bringing new types of members on board
• IXPs
21. MANRS: How to Sign-Up
• Go to https://www.manrs.org/signup/
• Provide requested information
• Please provide as much detail on how Actions are implemented as possible
• We may ask questions and ask you to run a few tests
• Routing “background check”
• Spoofer https://www.caida.org/projects/spoofer/
• Your answer to “Why did you decide to join?” may be displayed in the
testimonials
• Download the logo and use it
• Become an active MANRS participant
Editor's notes
Limited scope:
MANRS use case: the network and topology
e.g. ensures correctness of their own announcements and announcements from their customers to adjacent networks with prefix and AS-path granularity
e.g. enables source address validation for at least single-homed stub customer networks, their own end-users and infrastructure
e.g. maintain globally accessible up-to-date contact information.