Now in this series, we’ve discussed what routing is, how it works, what’s wrong with routing, and types of routing incidents. In this last part, let’s talk about how to fix some of the problems by working together to improve routing security.
Routing was not designed with security in mind, but as the Internet proliferated and bad guys learned its vulnerabilities, engineers realized there are many security issues that need to be addressed. In response, the Internet community developed several solutions to address these concerns over the years. However, these solutions have generally been poorly adopted, either because network operators are unaware of them, or because they’re unwilling or unable to devote resources to implementing them.
The unfortunate reality is that implementing routing security measures does not bring you many immediate benefits. It might cost time and/or money to implement basic security measures, and they might still not even work unless a critical mass of other network operators are also doing the right thing.
Back to our online dating parallel, you can be completely honest in your profile about who you are and what you want. It takes time to think through what you’re looking for in a partner and articulate it clearly, to pick the right pictures, or to answer all the questions thoroughly and thoughtfully. But if others haven’t bothered taking the time to do it right, you’re going to end up going on some bad dates with people who are totally wrong for you. But if you could somehow be assured that everyone on that website is telling the truth about who they are and what they want? What a game changer that would be!
On the Internet, routing incidents have been increasing and becoming more problematic. At a time when Internet users are becoming far more security-conscious, they would probably be quite surprised at the insecurity of the global routing system that’s responsible for delivering their data. Clearly something needs to be done, and this is where MANRS comes in.
Mutually Agreed Norms for Routing Security, or MANRS, is an industry-led global initiative designed to collaboratively provide crucial fixes to reduce the most common routing incidents. The acronym is no accident: it is good etiquette, good manners, to say trustworthy things when speaking to one’s neighbor. MANRS actions result in trustworthy Internet routing. Network operators (like ISPs or large enterprises), Internet Exchange Points (infrastructure that lets ISPs trade traffic locally), and cloud and content delivery networks (distributed servers that help speed up web traffic) who join MANRS are taking collective responsibility for the resilience and security of a critical part of the Internet infrastructure by agreeing to implement and adhere to basic routing security practices.
In Part 4 we talked about types of routing incidents including route hijacks and route leaks. These happen because incorrect routing information spreads from network to network unchecked. Filtering is a way for routers to prevent that incorrect information from spreading. The filtering here applies to route announcements rather than to the data packets themselves: before accepting a route from a customer or peer, a router checks that the announcing network is only originating the ASNs and IP prefixes that it, or its customers, is legitimately authorised to originate, and drops anything else.
We also talked about IP address spoofing in Part 4. This happens when an attacker fakes, or spoofs, a source IP address to hide the sender’s identity or to impersonate another computing system. Anti-spoofing is exactly what it sounds like – preventing traffic with spoofed source IP addresses from leaving a network, by checking at the network edge that each packet’s source address belongs to a prefix the sending network is actually authorised to use.
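The source-address check described above is usually done in one of two ways at the customer-facing edge: a reverse-path check (strict uRPF), which permits a packet only if the router’s own forwarding table would route the source address back out the interface it arrived on, or a static ingress access list built from the prefixes the customer is known to hold. The following is an added example, not code from the MANRS page or any vendor; the forwarding table, access lists and packets are constructed from documentation address ranges, and the interface names are hypothetical. It also shows the edge case that catches practitioners out: a multihomed customer whose prefix the router routes via a different path is dropped by strict uRPF but permitted by an access list derived from the customer’s authorised prefixes.

```python
"""BCP 38 style anti-spoofing at a provider edge: strict uRPF vs. ingress ACL.

Added example for illustration; not the MANRS page's own code. All
addresses come from documentation ranges (RFC 5737, RFC 3849) and the
interface names (cust-A, cust-B, peer-C, upstream) are made up.
"""
from ipaddress import ip_address, ip_network

# Constructed forwarding table: prefix -> interface the router would use
# to reach it. The default routes point at the transit upstream.
FIB = {
    "192.0.2.0/24": "cust-A",
    "198.51.100.0/24": "cust-B",
    "203.0.113.0/24": "peer-C",      # multihomed customer B's second prefix,
                                     # currently best-reached via a peer
    "2001:db8:a::/48": "cust-A",
    "0.0.0.0/0": "upstream",
    "::/0": "upstream",
}

# Constructed ingress ACLs: prefixes each customer is authorised to source,
# e.g. populated from the customer's IRR route objects or ROAs.
ACL = {
    "cust-A": ["192.0.2.0/24", "2001:db8:a::/48"],
    "cust-B": ["198.51.100.0/24", "203.0.113.0/24"],
}


def lookup(fib, addr):
    """Longest-prefix match of an address against the FIB; returns the
    interface of the most specific matching route, or None."""
    a = ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        n = ip_network(prefix)
        if n.version != a.version or a not in n:
            continue
        if best is None or n.prefixlen > best[0].prefixlen:
            best = (n, iface)
    return best[1] if best else None


def strict_urpf_permits(fib, src, ingress_iface):
    """Strict uRPF: permit only if the reverse path for the source address
    is the interface the packet arrived on. Note that on an interface
    carrying a default route this permits everything, which is why uRPF is
    applied at customer edges, not towards transit."""
    return lookup(fib, src) == ingress_iface


def ingress_acl_permits(allowed_prefixes, src):
    """Static ingress filter: permit only sources inside an authorised prefix."""
    a = ip_address(src)
    return any(
        a in ip_network(p)
        for p in allowed_prefixes
        if ip_network(p).version == a.version
    )


def audit(packets):
    """Decide each constructed (ingress_iface, src) packet under both
    methods. Returns {(iface, src): (urpf_permits, acl_permits)}."""
    return {
        (iface, src): (
            strict_urpf_permits(FIB, src, iface),
            ingress_acl_permits(ACL.get(iface, []), src),
        )
        for iface, src in packets
    }


if __name__ == "__main__":
    PACKETS = [
        ("cust-A", "192.0.2.9"),        # legitimate
        ("cust-A", "198.51.100.7"),     # spoofing customer B's address
        ("cust-A", "10.1.2.3"),         # RFC 1918 source, never routable
        ("cust-B", "203.0.113.5"),      # legitimate but asymmetric (via peer-C)
        ("cust-A", "2001:db8:a::1"),    # legitimate IPv6
    ]
    for key, (urpf, acl) in audit(PACKETS).items():
        print(f"{key[0]:8} {key[1]:16} uRPF={'permit' if urpf else 'drop':6} "
              f"ACL={'permit' if acl else 'drop'}")
```

The asymmetric case is the reason many operators prefer prefix-list ACLs (or loose uRPF) on multihomed customer ports: strict uRPF silently drops the customer’s legitimate traffic for 203.0.113.0/24 as soon as the best route to that prefix moves to another interface.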
But how do routers know what traffic is legitimate and what is not? Route validation means publishing verifiable information about which networks hold which IP resources (both IPv4 and IPv6) and which ASNs are authorised to originate them, so that other networks can build their filtering and anti-spoofing rules from it. There are two basic ways to do this:
- Publish a network’s routing policy in a recognised Internet Routing Registry (IRR) that includes all the ASNs and IP prefixes that a network advertises to other networks.
- Create valid Route Origin Authorizations (ROAs) for all IP prefixes that a network is authorised to originate. A ROA is a signed RPKI object that names a prefix, the ASN allowed to originate it and the most specific prefix length that ASN may announce. ROAs allow other networks to cryptographically check that the origin ASN in an announcement has actually been authorised by the holder of that prefix.
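To make the filtering action and the ROA action concrete, here is an added example (not code from the MANRS page or from any RPKI validator) of Route Origin Validation as specified in RFC 6811, run over a constructed set of ROAs and BGP announcements. It uses documentation ASNs and prefixes (RFC 5398, RFC 5737, RFC 3849) and assumes the ROAs have already been fetched and cryptographically verified by a relying-party validator, which is the part this example does not do. It shows the three outcomes an operator’s filter has to handle: valid, invalid (wrong origin, or a more specific announcement than the ROA’s maximum length allows) and not-found (no ROA covers the prefix), plus the AS 0 ROA used to say a prefix should never be routed.

```python
"""RPKI Route Origin Validation (RFC 6811) over a constructed ROA set.

Added example, not the MANRS page's code. ROAs here are plain records;
a real deployment gets them from an RPKI validator that has already
verified the signatures.
"""
from dataclasses import dataclass
from ipaddress import ip_network

VALID, INVALID, NOT_FOUND = "valid", "invalid", "not-found"


@dataclass(frozen=True)
class ROA:
    prefix: str       # e.g. "192.0.2.0/24"
    max_length: int   # most specific length the origin may announce
    asn: int          # authorised origin ASN; 0 means "never route this"


# Constructed ROA set (documentation resources only).
ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/24", 25, 64497),   # allows the two /25s as well
    ROA("203.0.113.0/24", 24, 0),        # AS 0 ROA: no origin is valid
    ROA("2001:db8::/32", 48, 64496),
]


def covers(roa, announced):
    """RFC 6811: a ROA covers an announcement when the announced prefix is
    equal to or more specific than the ROA prefix, in the same family."""
    r = ip_network(roa.prefix)
    return announced.version == r.version and announced.subnet_of(r)


def validate(prefix, origin_asn, roas=ROAS):
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    announced = ip_network(prefix, strict=True)
    covering = [r for r in roas if covers(r, announced)]
    if not covering:
        return NOT_FOUND
    # AS 0 can never legitimately appear as an origin (RFC 7607), so an
    # announcement claiming it is invalid even against an AS 0 ROA.
    if origin_asn == 0:
        return INVALID
    for roa in covering:
        if roa.asn == origin_asn and announced.prefixlen <= roa.max_length:
            return VALID
    return INVALID


def filter_announcements(announcements, roas=ROAS, drop_not_found=False):
    """Apply the common operator policy: reject invalid routes, accept
    valid ones, and accept not-found unless the caller opts to drop them
    (most networks do not, since many prefixes still have no ROA).
    Returns (accepted, rejected) lists of (prefix, asn, state)."""
    accepted, rejected = [], []
    for prefix, asn in announcements:
        state = validate(prefix, asn, roas)
        bad = state == INVALID or (drop_not_found and state == NOT_FOUND)
        (rejected if bad else accepted).append((prefix, asn, state))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed announcements: a legitimate route, a more-specific
    # hijack, an origin hijack, a route for a prefix with no ROA, and
    # an attempt to announce an AS 0 protected prefix.
    SAMPLE = [
        ("192.0.2.0/24", 64496),
        ("192.0.2.0/25", 64496),
        ("192.0.2.0/24", 64511),
        ("198.51.100.128/25", 64497),
        ("198.18.0.0/15", 64498),
        ("203.0.113.0/24", 64496),
        ("2001:db8:1::/48", 64496),
        ("2001:db8:1::/64", 64496),
    ]
    ok, dropped = filter_announcements(SAMPLE)
    for row in ok:
        print("accept", *row)
    for row in dropped:
        print("reject", *row)
```

Two details matter in practice. First, an announcement shorter than every ROA prefix (say 192.0.0.0/16 against a /24 ROA) is not covered and so is not-found, not invalid; RPKI only constrains prefixes at or below the ROA prefix. Second, maxLength is what stops a more-specific hijack from a correctly attributed origin, which is why MANRS and RFC 9319 advise setting it no longer than what you actually announce.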
As we’ve seen with over 12,000 routing incidents in 2018, sometimes things go wrong. Even with all the technical tools in the world, it’s people who solve problems. Coordination means ensuring your network has up-to-date contact information in one of the Regional Internet Registry Whois or PeeringDB databases, and responding in a timely fashion when incidents occur.
To help networks identify how they’re doing with respect to each of these actions, the MANRS Observatory tracks routing incidents and shows the state of global routing security. This collates publicly available data sources into easy-to-read summaries that can be displayed for individual networks as well as by region and country/economy. Everyone has access to the Observatory, but MANRS participants have special access to more detailed information about their own networks.
Routing security and MANRS really are a match made in heaven. The Internet brings many benefits, but we also need to make it a safer and more secure place. Routing remains one of the most vulnerable components of the Internet, and whilst it may be out of sight for most users, it should not be out of mind.
There are now approximately 600 networks that have demonstrated their commitment to the MANRS actions, and have made good practices a reality. Other networks are also starting to see MANRS as a competitive differentiator and are working towards implementing the actions. And as more networks adopt the MANRS actions, it will become easier to identify the bad actors and ultimately restrict or even completely drop traffic from those networks.
Neighbours should be there for one another, and that’s when good neighbours become good friends – as the theme tune of a popular Australian soap goes!