SlideShare ist ein Scribd-Unternehmen logo

MANRS for Network Operators

Bangladesh Network Operators Group
Bangladesh Network Operators Group

MANRS for Network Operators

Technologie
1 von 56
Downloaden Sie, um offline zu lesen
MANRS for Network Operators in Bangladesh bdNOG14 27th June - 1st July, 2022 Cox's Bazar, Bangladesh. 1 Presented By : Simon Sohel Baroi Prepared By: Indra Raj Basnet, MANRS Fellow Muhammad Yasir Shamim, MANRS Fellow
Network Means - Problem 2
Prefix/Route Hijacking 3 Route hijacking, also known as “BGP hijacking,” is when a network operator or attacker (accidentally or deliberately) impersonates another network operator or pretends that a server or network is their client. This routes traffic to the wrong network operator, when another real route is available. Example: The 2008 YouTube hijack; an attempt to block YouTube through route hijacking led to much of the traffic to YouTube being dropped around the world. Fix: Strong filtering policies (adjacent networks should strengthen their filtering policies to avoid accepting false announcements).
Routing Incidents are increasing (Vodafone Idea AS55410 Hijack) 4 Vodafone Idea (AS55410) started originating 31,000+ routes which don’t belong to them. Prefixes belonged to Google, Microsoft, Akamai, Cloudflare, Fastly, and many others were affected. https://twitter.com/DougMadory/status/1383138595112955909 https://www.manrs.org/2021/04/a-major-bgp-hijack-by-as55410- vodafone-idea-ltd/
Routing Incidents Cause Real World Problems 5
Routing Incidents (South Asia) May ~ June 2021 6 Event Type Event Details Prefixes affected BGP Hijack Expected Origin: AS45609 BHARTI-MOBILITY-AS-AP Bharti Airtel Ltd Detected Origin: ASN 45069 CNNIC-CTTSDNET-AP China Tietong Shandong net, CN 106.193.255.0/24 BGP Leak Origin AS: AS 4797 Wipro Spectramind Services Pvt Ltd, IN Leaker AS: AS4775 GLOBE-TELECOM-AS Globe Telecoms, PH Leaked to: AS 4637 (ASN-TELSTRA-GLOBAL Telstra Global, HK) 112.198.30.0/24 BGP Leak Origin AS: AS132497 DNA-AS-AP DIGITAL NETWORK, IN Leaker AS: AS55644 VIL-AS-AP Vodafone Idea Ltd, IN Leaked to: AS3556 (Level3, US) AS3549 (LVLT-3549, US) 150.242.197.0/24 BGP Hijack Expected Origin: AS328608 Africa-on-Cloud-AS, ZA Detected Origin: ASN 139879 GALAXY-AS-AP Galaxy Broadband, PK 156.241.0.0/16 BGP Hijack Expected Origin: AS7018 ATT-INTERNET4, US Detected Origin: ASN18229 CTRLS-AS-IN CtrlS Datacenters Ltd., IN 172.0.0.0/12 BGP Hijack Expected Origin: AS33567 TELECOM-LESOTHO, LS Detected Origin: ASN 55410 (VIL-AS-AP Vodafone Idea Ltd, IN) 41.203.176.0/20 BGP Leak Origin AS: AS 132497 DIGITAL NETWORK ASSOCIATES, IN Leaker AS:AS 55644 Vodafone Idea Ltd, IN (AS 55644) Leaked to: AS3356 (LEVEL3, US) 103.245.69.0/24 Source: bgpstream.com
Routing Incidents cause real World problems 7 Prefix/Route Hijacking Route Leaks IP address spoofing Bangladesh also faces routing incidents every year….
8 The Solution: Mutually Agreed Norms for Routing Security (MANRS) Provides crucial fixes to eliminate the most common routing threats
MANRS improves the security and reliability of the global Internet routing system, based on collaboration among participants and shared responsibility for the Internet infrastructure. MANRS sets a new norm for routing security. 9
MANRS Programs Network Operators Internet Exchange Points (IXP) Content Delivery Networks (CDNs) and Cloud Providers 10 Content Delivery Networks (CDNs) and Cloud Providers Equipment Vendors
Action 3: Coordination Facilitate global operational communication and coordination between network operators ● Communication between network operators ● PeeringDB, route/AS objects, NOC contact details up to date Action 2: Anti-spoofing Prevent traffic with spoofed source IP addresses ● Block traffic with spoofed source addresses ● BCP 38 / Unicast reverse path forwarding on interfaces MANRS Actions for Network Operators Action 1: Filtering Prevent propagation of incorrect routing information ● Implement filters (Inbound/Outbound) on eBGP sessions ● Prevent propagation of incorrect routing information Action 4: Global Validation Facilitate validation of routing information on a global scale ● Validation of routing information (IRR) ● Route origination authorization (ROA) and validation 11 Blue shading = Mandatory Action MANRS Implementation Guide https://www.manrs.org/isps/bcop/
MANRS for Network Operators 12 Launched in 2014 by a handful of network operators with the following goals: • Raise awareness of routing security problems and encourage the implementation of actions that can address them. • Promote a culture of collective responsibility toward the security and resilience of the Internet’s global routing system. • Demonstrate the ability of the Internet industry to address routing security problems. • Provide a framework for network operators to better understand and address issues relating to the security and resilience of the Internet’s global routing system.
Ensure the correctness of your own announcements and those from your customers to adjacent networks 13 Action 1: Filtering
Why Filter? ● Your first line of defense. ● You control what routes you are announcing - You have no control over what other networks announce ● To avoid issues, you have to decide what routes to accept from other networks. 14
Inbound Filtering (Loose - Strict) ● Loose - where no check will be done against RIR allocations ● Strict - where it will be verified that announcements strictly comply to what is declared in routing registries. 15
BCP 194 - Prefix Filtering Inbound Filtering Loose Option In this case, the following prefixes received from a BGP peer will be filtered: ● prefixes that are not globally routable ● prefixes not allocated by IANA (IPv6 only) ● routes that are too specific ● prefixes belonging to the local AS ● IXP LAN prefixes ● default route (depending on whether or not the route is requested) 16
BCP 194 - Prefix Filtering Inbound Filtering Strict Option In this case, filters are applied to make sure advertisements strictly conform to what is declared in routing registries. This varies across the registries and regions of the Internet. Apply the following filters beforehand in case the routing registry that’s used as the source of information by the script is not fully trusted: ● prefixes that are not globally routable ● routes that are too specific ● prefixes belonging to the local AS ● IXP LAN prefixes ● the default route (depending on whether or not the route is requested) 17
BCP 194 - Prefix Filtering Outbound Filtering The configuration should ensure that only appropriate prefixes are sent. These can be, for example, prefixes belonging to both the network in question and its downstream. This can be achieved by using BGP communities, AS paths, or both. It may be desirable to add the following filter: ● prefixes that are not globally routable ● routes that are too specific ● IXP LAN prefixes ● the default route (not willing to receive it) 18
Network Ingress Filtering Enable source address validation for at least single-homed stub customer networks, their own end-users, and infrastructure 19 Action 2: Anti-Spoofing
Source Address Validation (SAV) Source Address Validation (SAV) is the best current practice (BCP 38/RFC 2827) aimed at filtering packets based on source IP addresses at the network edges. Check the source IP address of IP packets • filter invalid source address • filter close to the packets origin as possible • filter precisely as possible If no networks allow IP spoofing, we can eliminate these kinds of attacks 20
IP Address Spoofing 21 https://spoofer.caida.org/country_stats.php 37%
IP Address Spoofing 22 https://spoofer.caida.org/recent_tests.php?as_include=&country_include=BGD
Source Address Validation ACL ● Create an access-list that lists all customer IP blocks and use ingress filtering to filter packets that are sourced from spoofed IP address uRPF (Unicast Reverse Path Forwarding) ● Designed to help mitigate attacks based on source address spoofing. ● Interface configured for uRPF drops packets if they are from spoofed IP source address ● Check incoming packets using ‘routing table’ ● Uses less CPU and RAM, compared to implementing access-lists ● Most preferred mechanism for anti-spoofing technique 23
Recommendation ● Test your configuration ○ CAIDA Spoofer Client Software https://www.caida.org/projects/spoofer/#download-client-software ● Obtaining a peering session ○ Team Cymru https://www.team-cymru.com/bogon-reference.html ○ Remote Triggered Black Hole Filtering with uRPF https://tools.ietf.org/html/rfc5635 24
Maintain globally accessible, up-to-date contact information in common routing databases. 25 Action 3: Coordination
26 Coordination
Coordination Maintaining Contact Information in Regional Internet Registries (RIRs): APNIC 27 whois -h whois.apnic.net AS4007
Coordination 28 APNIC’s Incident Response Team Contact
Facilitate routing information on a Global Scale - IRR 29 Action 4: Global Validation
Global Validation There are 2 ways to provide the validation information (IRR and/or RPKI) Providing information through the IRR system Internet Routing Registries (IRRs) contain information—submitted and maintained by ISPs or other entities—about Autonomous System Numbers (ASNs) and routing prefixes. IRRs can be used by ISPs to develop routing plans. The global IRR is comprised of a network of distributed databases maintained by Regional Internet Registries (RIRs) such as APNIC, service providers (such as NTT), and third parties (such as RADB). 30
Global Validation - IRR Routing information should be made available on a global scale to facilitate validation, which includes routing policy, ASNs and prefixes that are intended to be advertised to third parties. Since the extent of the internet is global, information should be made public and published in a well-known place using a common format. 31 Object Source Description aut-num IRR Policy documentation route/route6 IRR NLRI/origin as-set IRR Customer cone ROA RPKI NLRI/origin
Global Validation $ whois -h whois.apnic.net 1.1.1.0/24 route: 1.1.1.0/24 origin: AS13335 descr: APNIC Research and Development, 6 Cordelia St mnt-by: MAINT-AU-APNIC-GM85-AP last-modified: 2018-03-16T16:58:06Z source: APNIC 32
Global Validation $ whois -h whois.radb.net 1.1.1.0/24 route: 1.1.1.0/24 origin: AS13335 descr: APNIC Research and Development, 6 Cordelia St mnt-by: MAINT-AU-APNIC-GM85-AP last-modified: 2018-03-16T16:58:06Z source: APNIC route: 1.1.1.0/24 descr: Cloudflare, Inc. descr: 101 Townsend Street, San Francisco, California 94107, US origin: AS13335 mnt-by: MNT-CLOUD14 notify: rir@cloudflare.com 33
Global Validation Internet Routing Registry (IRR) ● Network operators can document which AS is originating their IPv4/IPv6 prefixes ● Used by operators to filter prefixes received from their customers and peers • Third party databases need to be used (RADB, Operators/NTT) • RADB comes with a recurring yearly subscription costs • For RADB, a commercial relationship with merit is required. (lacks accuracy of data) • For RADB any paid member can update/delete information for their resources (lots of junk data) • For NTTCOM, a customer relationship with them is required. 34
35 Facilitate routing information on a Global Scale - RPKI Action 4: Global Validation
Global Validation Providing information through the RPKI system • Store information about prefixes originated by your network in the form of Route Origin Authorization (ROA) objects. • Only prefixes that belong to your ASN is covered. • Only the origin ASN is verified, not the full path. • All Regional Internet Registries (RIR) offers a hosted Resource Certification service. 36
RPKI A security framework for verifying the association between resource holders and their Internet resources Attaches digital certificates to network resources upon request that lists all resources held by the member • AS Numbers • IP Addresses Operators associate those two resources • Route Origin Authorisations (ROAs) 37
Prefix The network for which you are creating the ROA The ASN supposed to be originating the BGP Announcement Origin ASN Max Length The Maximum prefix length accepted for this ROA Prefix 103.229.82.0/23 Max-Length /24 Origin ASN AS10075 ROA (Route Origin Authorization)
RPKI Validation States Valid ● the prefix (prefix length) and AS pair found in the database. Invalid ● prefix is found, but origin AS is wrong ● the prefix length is longer than the maximum length Not Found ● No valid ROA found ● Neither valid nor invalid (perhaps not created) 39
RPKI-RTR 40 ROAs ROAs VALIDATOR SOFTWARE Verification Validated Cache RPKI-RTR ROUTERS RIR REPOSITORIES
41 Why and Who will join MANRS?
Implementing MANRS Actions 42 ● Signals an organization’s security-forward posture and can eliminate SLA violations that reduce profitability or cost customer relationships. ● Reduces routing incidents, helping networks readily identify and address problems with customers or peers. ● Improves network’s operations by establishing better and cleaner peering communication pathways, while also providing granular insight for troubleshooting. ● Addresses many concerns of security-focused enterprises and other customers.
MANRS Observatory 43
MANRS Observatory 44 Provide a factual state of security and resilience of the Internet routing system and track it over time Measurements are: • Transparent – using publicly accessible data • Passive – no cooperation from networks required • Evolving – MANRS community decide what gets measured and how
Architecture of the System 45
46
47
Operator Basis Report (May 2022)
Operator Basis Report (May 2022)
Historical Incidents Data :
Historical Filtering Data:
Incidents :
53 ASN : XXXXXXXXXX
Join Us & Learn 54 Visit https://www.manrs.org • Fill out the sign-up form with as much detail as possible. • We may ask questions and run tests Get Involved in the Community • Members support the initiative and implement the actions in their own networks • Members maintain and improve the document and promote MANRS objectives https://www.manrs.org/join/
MANRS Participants (June 2022): 813 ● 685 Network Operators ● 103 Internet eXchange Points (IXP) ● 19 CDN and Cloud Providers ● 6 Equipment Vendors 55 MANRS Participants in Bangladesh (June 2022): 13
Thank You 56 Questions ! Acknowledgements : This tutorial is made of notes, configurations and diagrams from contributions by Aftab Siddiqui, Dr. Philip Smith, Tashi Phuntsho and Md. Zobair Khan

Empfohlen

Manrs 7_sept__indonesia
Manrs 7_sept__indonesiaManrs 7_sept__indonesia
Manrs 7_sept__indonesia
NaveenLakshman
 
PLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It Together
PLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It TogetherPLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It Together
PLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It Together
PROIDEA
 
ION Bangladesh - Secure BGP and Operational Report of Bangladesh
ION Bangladesh - Secure BGP and Operational Report of BangladeshION Bangladesh - Secure BGP and Operational Report of Bangladesh
ION Bangladesh - Secure BGP and Operational Report of Bangladesh
Deploy360 Programme (Internet Society)
 
Secure BGP and Operational Report of Bangladesh
Secure BGP and Operational Report of BangladeshSecure BGP and Operational Report of Bangladesh
Secure BGP and Operational Report of Bangladesh
Bangladesh Network Operators Group
 
Routing Security - its importance and status in South Asia
Routing Security - its importance and status in South AsiaRouting Security - its importance and status in South Asia
Routing Security - its importance and status in South Asia
Bangladesh Network Operators Group
 
MANRS for Network Operators - bdNOG12
MANRS for Network Operators - bdNOG12MANRS for Network Operators - bdNOG12
MANRS for Network Operators - bdNOG12
Bangladesh Network Operators Group
 
Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!
APNIC
 
LKNOG3-Keynote
LKNOG3-KeynoteLKNOG3-Keynote
LKNOG3-Keynote
LKNOG
 

Empfohlen

Manrs 7_sept__indonesia
Manrs 7_sept__indonesiaManrs 7_sept__indonesia
Manrs 7_sept__indonesia
NaveenLakshman
 
PLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It Together
PLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It TogetherPLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It Together
PLNOG 21: Andrei Robachevsky - Routing Is At Risk. Let's Secure It Together
PROIDEA
 
ION Bangladesh - Secure BGP and Operational Report of Bangladesh
ION Bangladesh - Secure BGP and Operational Report of BangladeshION Bangladesh - Secure BGP and Operational Report of Bangladesh
ION Bangladesh - Secure BGP and Operational Report of Bangladesh
Deploy360 Programme (Internet Society)
 
Secure BGP and Operational Report of Bangladesh
Secure BGP and Operational Report of BangladeshSecure BGP and Operational Report of Bangladesh
Secure BGP and Operational Report of Bangladesh
Bangladesh Network Operators Group
 
Routing Security - its importance and status in South Asia
Routing Security - its importance and status in South AsiaRouting Security - its importance and status in South Asia
Routing Security - its importance and status in South Asia
Bangladesh Network Operators Group
 
MANRS for Network Operators - bdNOG12
MANRS for Network Operators - bdNOG12MANRS for Network Operators - bdNOG12
MANRS for Network Operators - bdNOG12
Bangladesh Network Operators Group
 
Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!
APNIC
 
LKNOG3-Keynote
LKNOG3-KeynoteLKNOG3-Keynote
LKNOG3-Keynote
LKNOG
 
LkNOG 3: Strengthening the Internet infrastructure in Sri Lanka
LkNOG 3: Strengthening the Internet infrastructure in Sri LankaLkNOG 3: Strengthening the Internet infrastructure in Sri Lanka
LkNOG 3: Strengthening the Internet infrastructure in Sri Lanka
APNIC
 
Improving routing security through concerted action
Improving routing security through concerted actionImproving routing security through concerted action
Improving routing security through concerted action
CSUC - Consorci de Serveis Universitaris de Catalunya
 
MANRS - Introduction to Internet Routing Security
MANRS - Introduction to Internet Routing SecurityMANRS - Introduction to Internet Routing Security
MANRS - Introduction to Internet Routing Security
Obika Gellineau
 
Part1
Part1Part1
Part1
cisconetworker
 
BGP
BGPBGP
BGP
KHNOG
 
MikroTik BGP Security - MUM 2014 (rofiq fauzi)
MikroTik BGP Security - MUM 2014 (rofiq fauzi)MikroTik BGP Security - MUM 2014 (rofiq fauzi)
MikroTik BGP Security - MUM 2014 (rofiq fauzi)
Rofiq Fauzi
 
DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec
APNIC
 
PACE-IT: Introduction to Routing Protocols - N10 006
PACE-IT: Introduction to Routing Protocols - N10 006PACE-IT: Introduction to Routing Protocols - N10 006
PACE-IT: Introduction to Routing Protocols - N10 006
Pace IT at Edmonds Community College
 
Monitoring for Network Security: BGP Hijacks, DDoS Attacks and DNS Poisoning
Monitoring for Network Security: BGP Hijacks, DDoS Attacks and DNS PoisoningMonitoring for Network Security: BGP Hijacks, DDoS Attacks and DNS Poisoning
Monitoring for Network Security: BGP Hijacks, DDoS Attacks and DNS Poisoning
ThousandEyes
 
Improving the peering business case with RPKI
Improving the peering business case with RPKIImproving the peering business case with RPKI
Improving the peering business case with RPKI
APNIC
 
LKNOG 2: Robust and Secure Connections
LKNOG 2: Robust and Secure ConnectionsLKNOG 2: Robust and Secure Connections
LKNOG 2: Robust and Secure Connections
APNIC
 
Visualizing and Troubleshooting BGP Routing
Visualizing and Troubleshooting BGP RoutingVisualizing and Troubleshooting BGP Routing
Visualizing and Troubleshooting BGP Routing
ThousandEyes
 
PACE-IT: Introduction_to Routing Concepts (part 2) - N10 006
PACE-IT: Introduction_to Routing Concepts (part 2) - N10 006PACE-IT: Introduction_to Routing Concepts (part 2) - N10 006
PACE-IT: Introduction_to Routing Concepts (part 2) - N10 006
Pace IT at Edmonds Community College
 
Visualizing Network Security Threats
Visualizing Network Security ThreatsVisualizing Network Security Threats
Visualizing Network Security Threats
ThousandEyes
 
BKNIX Peering Forum 2017: Community tools to fight DDoS
BKNIX Peering Forum 2017: Community tools to fight DDoSBKNIX Peering Forum 2017: Community tools to fight DDoS
BKNIX Peering Forum 2017: Community tools to fight DDoS
APNIC
 
A Guide to Securing Networks for Wi-Fi (IEEE 802.11 Family).pptx
A Guide to Securing Networks for Wi-Fi (IEEE 802.11 Family).pptxA Guide to Securing Networks for Wi-Fi (IEEE 802.11 Family).pptx
A Guide to Securing Networks for Wi-Fi (IEEE 802.11 Family).pptx
Yousef Al-Mutayeb
 
3 ip routing vrf lite - v2
3 ip routing vrf lite - v23 ip routing vrf lite - v2
3 ip routing vrf lite - v2
SagarR24
 
Running BGP with Mikrotik
Running BGP with MikrotikRunning BGP with Mikrotik
Running BGP with Mikrotik
GLC Networks
 
CCNA CHAPTER 6 BY jetarvind kumar madhukar
CCNA CHAPTER 6 BY jetarvind kumar madhukarCCNA CHAPTER 6 BY jetarvind kumar madhukar
CCNA CHAPTER 6 BY jetarvind kumar madhukar
ALLCAD Services Pvt Limited
 
Let's talk about routing security, Anurag Bhatia, Hurricane Electric
Let's talk about routing security, Anurag Bhatia, Hurricane ElectricLet's talk about routing security, Anurag Bhatia, Hurricane Electric
Let's talk about routing security, Anurag Bhatia, Hurricane Electric
Bangladesh Network Operators Group
 
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and CephAccelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Bangladesh Network Operators Group
 
Recent IRR changes by Yoshinobu Matsuzaki, IIJ
Recent IRR changes by Yoshinobu Matsuzaki, IIJRecent IRR changes by Yoshinobu Matsuzaki, IIJ
Recent IRR changes by Yoshinobu Matsuzaki, IIJ
Bangladesh Network Operators Group
 

Weitere ähnliche Inhalte

Ähnlich wie MANRS for Network Operators

Monitoring for Network Security: BGP Hijacks, DDoS Attacks and DNS Poisoning
Monitoring for Network Security: BGP Hijacks, DDoS Attacks and DNS PoisoningMonitoring for Network Security: BGP Hijacks, DDoS Attacks and DNS Poisoning
Monitoring for Network Security: BGP Hijacks, DDoS Attacks and DNS Poisoning
ThousandEyes
 

Ähnlich wie MANRS for Network Operators (20)

LkNOG 3: Strengthening the Internet infrastructure in Sri Lanka
LkNOG 3: Strengthening the Internet infrastructure in Sri LankaLkNOG 3: Strengthening the Internet infrastructure in Sri Lanka
LkNOG 3: Strengthening the Internet infrastructure in Sri Lanka
 
Improving routing security through concerted action
Improving routing security through concerted actionImproving routing security through concerted action
Improving routing security through concerted action
 
MANRS - Introduction to Internet Routing Security
MANRS - Introduction to Internet Routing SecurityMANRS - Introduction to Internet Routing Security
MANRS - Introduction to Internet Routing Security
 
Part1
Part1Part1
Part1
 
BGP
BGPBGP
BGP
 
MikroTik BGP Security - MUM 2014 (rofiq fauzi)
MikroTik BGP Security - MUM 2014 (rofiq fauzi)MikroTik BGP Security - MUM 2014 (rofiq fauzi)
MikroTik BGP Security - MUM 2014 (rofiq fauzi)
 
DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec
 
PACE-IT: Introduction to Routing Protocols - N10 006
PACE-IT: Introduction to Routing Protocols - N10 006PACE-IT: Introduction to Routing Protocols - N10 006
PACE-IT: Introduction to Routing Protocols - N10 006
 
Monitoring for Network Security: BGP Hijacks, DDoS Attacks and DNS Poisoning
Monitoring for Network Security: BGP Hijacks, DDoS Attacks and DNS PoisoningMonitoring for Network Security: BGP Hijacks, DDoS Attacks and DNS Poisoning
Monitoring for Network Security: BGP Hijacks, DDoS Attacks and DNS Poisoning
 
Improving the peering business case with RPKI
Improving the peering business case with RPKIImproving the peering business case with RPKI
Improving the peering business case with RPKI
 
LKNOG 2: Robust and Secure Connections
LKNOG 2: Robust and Secure ConnectionsLKNOG 2: Robust and Secure Connections
LKNOG 2: Robust and Secure Connections
 
Visualizing and Troubleshooting BGP Routing
Visualizing and Troubleshooting BGP RoutingVisualizing and Troubleshooting BGP Routing
Visualizing and Troubleshooting BGP Routing
 
PACE-IT: Introduction_to Routing Concepts (part 2) - N10 006
PACE-IT: Introduction_to Routing Concepts (part 2) - N10 006PACE-IT: Introduction_to Routing Concepts (part 2) - N10 006
PACE-IT: Introduction_to Routing Concepts (part 2) - N10 006
 
Visualizing Network Security Threats
Visualizing Network Security ThreatsVisualizing Network Security Threats
Visualizing Network Security Threats
 
BKNIX Peering Forum 2017: Community tools to fight DDoS
BKNIX Peering Forum 2017: Community tools to fight DDoSBKNIX Peering Forum 2017: Community tools to fight DDoS
BKNIX Peering Forum 2017: Community tools to fight DDoS
 
A Guide to Securing Networks for Wi-Fi (IEEE 802.11 Family).pptx
A Guide to Securing Networks for Wi-Fi (IEEE 802.11 Family).pptxA Guide to Securing Networks for Wi-Fi (IEEE 802.11 Family).pptx
A Guide to Securing Networks for Wi-Fi (IEEE 802.11 Family).pptx
 
3 ip routing vrf lite - v2
3 ip routing vrf lite - v23 ip routing vrf lite - v2
3 ip routing vrf lite - v2
 
Running BGP with Mikrotik
Running BGP with MikrotikRunning BGP with Mikrotik
Running BGP with Mikrotik
 
CCNA CHAPTER 6 BY jetarvind kumar madhukar
CCNA CHAPTER 6 BY jetarvind kumar madhukarCCNA CHAPTER 6 BY jetarvind kumar madhukar
CCNA CHAPTER 6 BY jetarvind kumar madhukar
 
Let's talk about routing security, Anurag Bhatia, Hurricane Electric
Let's talk about routing security, Anurag Bhatia, Hurricane ElectricLet's talk about routing security, Anurag Bhatia, Hurricane Electric
Let's talk about routing security, Anurag Bhatia, Hurricane Electric
 

Mehr von Bangladesh Network Operators Group

Mehr von Bangladesh Network Operators Group (20)

Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and CephAccelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
 
Recent IRR changes by Yoshinobu Matsuzaki, IIJ
Recent IRR changes by Yoshinobu Matsuzaki, IIJRecent IRR changes by Yoshinobu Matsuzaki, IIJ
Recent IRR changes by Yoshinobu Matsuzaki, IIJ
 
Fact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in BangladeshFact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in Bangladesh
 
AI Driven Wi-Fi for the Bottom of the Pyramid
AI Driven Wi-Fi for the Bottom of the PyramidAI Driven Wi-Fi for the Bottom of the Pyramid
AI Driven Wi-Fi for the Bottom of the Pyramid
 
IPv6 Security Overview by QS Tahmeed, APNIC RCT
IPv6 Security Overview by QS Tahmeed, APNIC RCTIPv6 Security Overview by QS Tahmeed, APNIC RCT
IPv6 Security Overview by QS Tahmeed, APNIC RCT
 
Network eWaste : Community role to manage end of life Product
Network eWaste : Community role to manage end of life ProductNetwork eWaste : Community role to manage end of life Product
Network eWaste : Community role to manage end of life Product
 
A plenarily integrated SIEM solution and it’s Deployment
A plenarily integrated SIEM solution and it’s DeploymentA plenarily integrated SIEM solution and it’s Deployment
A plenarily integrated SIEM solution and it’s Deployment
 
IPv6 Deployment in South Asia 2022
IPv6 Deployment in South Asia 2022IPv6 Deployment in South Asia 2022
IPv6 Deployment in South Asia 2022
 
Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in Bangladesh
 
An Overview about open UDP Services
An Overview about open UDP ServicesAn Overview about open UDP Services
An Overview about open UDP Services
 
12 Years in DNS Security As a Defender
12 Years in DNS Security As a Defender12 Years in DNS Security As a Defender
12 Years in DNS Security As a Defender
 
Contents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User ExperienceContents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User Experience
 
BdNOG-20220625-MT-v6.0.pptx
BdNOG-20220625-MT-v6.0.pptxBdNOG-20220625-MT-v6.0.pptx
BdNOG-20220625-MT-v6.0.pptx
 
Route Leak Prevension with BGP Community
Route Leak Prevension with BGP CommunityRoute Leak Prevension with BGP Community
Route Leak Prevension with BGP Community
 
Tale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIXTale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIX
 
Re-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with GrafanaRe-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with Grafana
 
RPKI ROA updates
RPKI ROA updatesRPKI ROA updates
RPKI ROA updates
 
Blockchain Demystified
Blockchain DemystifiedBlockchain Demystified
Blockchain Demystified
 
Measuring the Internet Economy: How Networks Create Value
Measuring the Internet Economy: How Networks Create ValueMeasuring the Internet Economy: How Networks Create Value
Measuring the Internet Economy: How Networks Create Value
 

Kürzlich hochgeladen

A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Kürzlich hochgeladen (20)

A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 

MANRS for Network Operators

  • 1. MANRS for Network Operators in Bangladesh bdNOG14 27th June - 1st July, 2022 Cox's Bazar, Bangladesh. 1 Presented By : Simon Sohel Baroi Prepared By: Indra Raj Basnet, MANRS Fellow Muhammad Yasir Shamim, MANRS Fellow
  • 2. Network Means - Problem 2
  • 3. Prefix/Route Hijacking 3 Route hijacking, also known as “BGP hijacking,” is when a network operator or attacker (accidentally or deliberately) impersonates another network operator or pretends that a server or network is their client. This routes traffic to the wrong network operator, when another real route is available. Example: The 2008 YouTube hijack; an attempt to block YouTube through route hijacking led to much of the traffic to YouTube being dropped around the world. Fix: Strong filtering policies (adjacent networks should strengthen their filtering policies to avoid accepting false announcements).
  • 4. Routing Incidents are increasing (Vodafone Idea AS55410 Hijack) 4 Vodafone Idea (AS55410) started originating 31,000+ routes which don’t belong to them. Prefixes belonged to Google, Microsoft, Akamai, Cloudflare, Fastly, and many others were affected. https://twitter.com/DougMadory/status/1383138595112955909 https://www.manrs.org/2021/04/a-major-bgp-hijack-by-as55410- vodafone-idea-ltd/
  • 5. Routing Incidents Cause Real World Problems 5
  • 6. Routing Incidents (South Asia) May ~ June 2021 6 Event Type Event Details Prefixes affected BGP Hijack Expected Origin: AS45609 BHARTI-MOBILITY-AS-AP Bharti Airtel Ltd Detected Origin: ASN 45069 CNNIC-CTTSDNET-AP China Tietong Shandong net, CN 106.193.255.0/24 BGP Leak Origin AS: AS 4797 Wipro Spectramind Services Pvt Ltd, IN Leaker AS: AS4775 GLOBE-TELECOM-AS Globe Telecoms, PH Leaked to: AS 4637 (ASN-TELSTRA-GLOBAL Telstra Global, HK) 112.198.30.0/24 BGP Leak Origin AS: AS132497 DNA-AS-AP DIGITAL NETWORK, IN Leaker AS: AS55644 VIL-AS-AP Vodafone Idea Ltd, IN Leaked to: AS3556 (Level3, US) AS3549 (LVLT-3549, US) 150.242.197.0/24 BGP Hijack Expected Origin: AS328608 Africa-on-Cloud-AS, ZA Detected Origin: ASN 139879 GALAXY-AS-AP Galaxy Broadband, PK 156.241.0.0/16 BGP Hijack Expected Origin: AS7018 ATT-INTERNET4, US Detected Origin: ASN18229 CTRLS-AS-IN CtrlS Datacenters Ltd., IN 172.0.0.0/12 BGP Hijack Expected Origin: AS33567 TELECOM-LESOTHO, LS Detected Origin: ASN 55410 (VIL-AS-AP Vodafone Idea Ltd, IN) 41.203.176.0/20 BGP Leak Origin AS: AS 132497 DIGITAL NETWORK ASSOCIATES, IN Leaker AS:AS 55644 Vodafone Idea Ltd, IN (AS 55644) Leaked to: AS3356 (LEVEL3, US) 103.245.69.0/24 Source: bgpstream.com
  • 7. Routing Incidents cause real World problems 7 Prefix/Route Hijacking Route Leaks IP address spoofing Bangladesh also faces routing incidents every year….
  • 8. 8 The Solution: Mutually Agreed Norms for Routing Security (MANRS) Provides crucial fixes to eliminate the most common routing threats
  • 9. MANRS improves the security and reliability of the global Internet routing system, based on collaboration among participants and shared responsibility for the Internet infrastructure. MANRS sets a new norm for routing security. 9
  • 10. MANRS Programs Network Operators Internet Exchange Points (IXP) Content Delivery Networks (CDNs) and Cloud Providers 10 Content Delivery Networks (CDNs) and Cloud Providers Equipment Vendors
  • 11. Action 3: Coordination Facilitate global operational communication and coordination between network operators ● Communication between network operators ● PeeringDB, route/AS objects, NOC contact details up to date Action 2: Anti-spoofing Prevent traffic with spoofed source IP addresses ● Block traffic with spoofed source addresses ● BCP 38 / Unicast reverse path forwarding on interfaces MANRS Actions for Network Operators Action 1: Filtering Prevent propagation of incorrect routing information ● Implement filters (Inbound/Outbound) on eBGP sessions ● Prevent propagation of incorrect routing information Action 4: Global Validation Facilitate validation of routing information on a global scale ● Validation of routing information (IRR) ● Route origination authorization (ROA) and validation 11 Blue shading = Mandatory Action MANRS Implementation Guide https://www.manrs.org/isps/bcop/
  • 12. MANRS for Network Operators 12 Launched in 2014 by a handful of network operators with the following goals: • Raise awareness of routing security problems and encourage the implementation of actions that can address them. • Promote a culture of collective responsibility toward the security and resilience of the Internet’s global routing system. • Demonstrate the ability of the Internet industry to address routing security problems. • Provide a framework for network operators to better understand and address issues relating to the security and resilience of the Internet’s global routing system.
  • 13. Ensure the correctness of your own announcements and those from your customers to adjacent networks 13 Action 1: Filtering
  • 14. Why Filter? ● Your first line of defense. ● You control what routes you are announcing - You have no control over what other networks announce ● To avoid issues, you have to decide what routes to accept from other networks. 14
  • 15. Inbound Filtering (Loose - Strict) ● Loose - where no check will be done against RIR allocations ● Strict - where it will be verified that announcements strictly comply to what is declared in routing registries. 15
  • 16. BCP 194 - Prefix Filtering Inbound Filtering Loose Option In this case, the following prefixes received from a BGP peer will be filtered: ● prefixes that are not globally routable ● prefixes not allocated by IANA (IPv6 only) ● routes that are too specific ● prefixes belonging to the local AS ● IXP LAN prefixes ● default route (depending on whether or not the route is requested) 16
  • 17. BCP 194 - Prefix Filtering Inbound Filtering Strict Option In this case, filters are applied to make sure advertisements strictly conform to what is declared in routing registries. This varies across the registries and regions of the Internet. Apply the following filters beforehand in case the routing registry that’s used as the source of information by the script is not fully trusted: ● prefixes that are not globally routable ● routes that are too specific ● prefixes belonging to the local AS ● IXP LAN prefixes ● the default route (depending on whether or not the route is requested) 17
  • 18. BCP 194 - Prefix Filtering Outbound Filtering The configuration should ensure that only appropriate prefixes are sent. These can be, for example, prefixes belonging to both the network in question and its downstream. This can be achieved by using BGP communities, AS paths, or both. It may be desirable to add the following filter: ● prefixes that are not globally routable ● routes that are too specific ● IXP LAN prefixes ● the default route (not willing to receive it) 18
  • 19. Network Ingress Filtering Enable source address validation for at least single-homed stub customer networks, their own end-users, and infrastructure 19 Action 2: Anti-Spoofing
  • 20. Source Address Validation (SAV) Source Address Validation (SAV) is the best current practice (BCP 38/RFC 2827) aimed at filtering packets based on source IP addresses at the network edges. Check the source IP address of IP packets • filter invalid source address • filter close to the packets origin as possible • filter precisely as possible If no networks allow IP spoofing, we can eliminate these kinds of attacks 20
  • 23. Source Address Validation ACL ● Create an access-list that lists all customer IP blocks and use ingress filtering to filter packets that are sourced from spoofed IP address uRPF (Unicast Reverse Path Forwarding) ● Designed to help mitigate attacks based on source address spoofing. ● Interface configured for uRPF drops packets if they are from spoofed IP source address ● Check incoming packets using ‘routing table’ ● Uses less CPU and RAM, compared to implementing access-lists ● Most preferred mechanism for anti-spoofing technique 23
  • 24. Recommendation ● Test your configuration ○ CAIDA Spoofer Client Software https://www.caida.org/projects/spoofer/#download-client-software ● Obtaining a peering session ○ Team Cymru https://www.team-cymru.com/bogon-reference.html ○ Remote Triggered Black Hole Filtering with uRPF https://tools.ietf.org/html/rfc5635 24
  • 25. Maintain globally accessible, up-to-date contact information in common routing databases. 25 Action 3: Coordination
  • 27. Coordination Maintaining Contact Information in Regional Internet Registries (RIRs): APNIC 27 whois -h whois.apnic.net AS4007
  • 29. Facilitate routing information on a Global Scale - IRR 29 Action 4: Global Validation
  • 30. Global Validation There are 2 ways to provide the validation information (IRR and/or RPKI) Providing information through the IRR system Internet Routing Registries (IRRs) contain information—submitted and maintained by ISPs or other entities—about Autonomous System Numbers (ASNs) and routing prefixes. IRRs can be used by ISPs to develop routing plans. The global IRR is comprised of a network of distributed databases maintained by Regional Internet Registries (RIRs) such as APNIC, service providers (such as NTT), and third parties (such as RADB). 30
  • 31. Global Validation - IRR Routing information should be made available on a global scale to facilitate validation, which includes routing policy, ASNs and prefixes that are intended to be advertised to third parties. Since the extent of the internet is global, information should be made public and published in a well-known place using a common format. 31 Object Source Description aut-num IRR Policy documentation route/route6 IRR NLRI/origin as-set IRR Customer cone ROA RPKI NLRI/origin
  • 32. Global Validation $ whois -h whois.apnic.net 1.1.1.0/24 route: 1.1.1.0/24 origin: AS13335 descr: APNIC Research and Development, 6 Cordelia St mnt-by: MAINT-AU-APNIC-GM85-AP last-modified: 2018-03-16T16:58:06Z source: APNIC 32
  • 33. Global Validation $ whois -h whois.radb.net 1.1.1.0/24 route: 1.1.1.0/24 origin: AS13335 descr: APNIC Research and Development, 6 Cordelia St mnt-by: MAINT-AU-APNIC-GM85-AP last-modified: 2018-03-16T16:58:06Z source: APNIC route: 1.1.1.0/24 descr: Cloudflare, Inc. descr: 101 Townsend Street, San Francisco, California 94107, US origin: AS13335 mnt-by: MNT-CLOUD14 notify: rir@cloudflare.com 33
  • 34. Global Validation Internet Routing Registry (IRR) ● Network operators can document which AS is originating their IPv4/IPv6 prefixes ● Used by operators to filter prefixes received from their customers and peers • Third party databases need to be used (RADB, Operators/NTT) • RADB comes with a recurring yearly subscription costs • For RADB, a commercial relationship with merit is required. (lacks accuracy of data) • For RADB any paid member can update/delete information for their resources (lots of junk data) • For NTTCOM, a customer relationship with them is required. 34
  • 35. 35 Facilitate routing information on a Global Scale - RPKI Action 4: Global Validation
  • 36. Global Validation Providing information through the RPKI system • Store information about prefixes originated by your network in the form of Route Origin Authorization (ROA) objects. • Only prefixes that belong to your ASN is covered. • Only the origin ASN is verified, not the full path. • All Regional Internet Registries (RIR) offers a hosted Resource Certification service. 36
  • 37. RPKI A security framework for verifying the association between resource holders and their Internet resources Attaches digital certificates to network resources upon request that lists all resources held by the member • AS Numbers • IP Addresses Operators associate those two resources • Route Origin Authorisations (ROAs) 37
  • 38. Prefix The network for which you are creating the ROA The ASN supposed to be originating the BGP Announcement Origin ASN Max Length The Maximum prefix length accepted for this ROA Prefix 103.229.82.0/23 Max-Length /24 Origin ASN AS10075 ROA (Route Origin Authorization)
  • 39. RPKI Validation States Valid ● the prefix (prefix length) and AS pair found in the database. Invalid ● prefix is found, but origin AS is wrong ● the prefix length is longer than the maximum length Not Found ● No valid ROA found ● Neither valid nor invalid (perhaps not created) 39
  • 41. 41 Why and Who will join MANRS?
  • 42. Implementing MANRS Actions 42 ● Signals an organization’s security-forward posture and can eliminate SLA violations that reduce profitability or cost customer relationships. ● Reduces routing incidents, helping networks readily identify and address problems with customers or peers. ● Improves network’s operations by establishing better and cleaner peering communication pathways, while also providing granular insight for troubleshooting. ● Addresses many concerns of security-focused enterprises and other customers.
  • 44. MANRS Observatory 44 Provide a factual state of security and resilience of the Internet routing system and track it over time Measurements are: • Transparent – using publicly accessible data • Passive – no cooperation from networks required • Evolving – MANRS community decide what gets measured and how
  • 45. Architecture of the System 45
  • 46. 46
  • 47. 47
  • 48. Operator Basis Report (May 2022)
  • 49. Operator Basis Report (May 2022)
  • 54. Join Us & Learn 54 Visit https://www.manrs.org • Fill out the sign-up form with as much detail as possible. • We may ask questions and run tests Get Involved in the Community • Members support the initiative and implement the actions in their own networks • Members maintain and improve the document and promote MANRS objectives https://www.manrs.org/join/
  • 55. MANRS Participants (June 2022): 813 ● 685 Network Operators ● 103 Internet eXchange Points (IXP) ● 19 CDN and Cloud Providers ● 6 Equipment Vendors 55 MANRS Participants in Bangladesh (June 2022): 13
  • 56. Thank You 56 Questions ! Acknowledgements : This tutorial is made of notes, configurations and diagrams from contributions by Aftab Siddiqui, Dr. Philip Smith, Tashi Phuntsho and Md. Zobair Khan