South Asia, Bangladesh leading Routing Completeness

This week, the 39th South Asian Network Operators Group conference, SANOG 39, is happening in Dhaka, Bangladesh.

With around one-quarter of the world’s population living in the sub-continent, the network operators who oversee the Internet infrastructure for this growing number of Internet users play a critical role in helping to ensure that the Internet remains open, secure, and accessible to all.

One area where network operators in South Asian countries are excelling is securing their routing infrastructure from mistaken and malicious incidents caused by other network operators that can take whole countries offline. In this post, I will provide insight into how networks in SANOG 39 host country, Bangladesh, are doing in this respect, highlighting their successes and where they can improve to consolidate what they’ve done so far.

IP Resources

The latest APNIC delegation file shows 1,442 resource holders in Bangladesh have been delegated:

• 1,577 ASNs, of which 1,249 are visible on the global routing table.
• 1,902 IPv4 address blocks (1,944,832 IPv4 addresses), the majority of which are /22s, /23s and /24s (Table 1).

• 1,319 IPv6 address blocks, most of which are /32s (standard delegation size for an ISP) and /48s (standard delegation size for end-site or enterprise) (Table 1).

RIPE Stat shows that 6,880 IPv4 and 1,995 IPv6 routes from the IP resources allocated to networks in Bangladesh are visible on the Internet (Figure 1).

RPKI

Resource Public Key Infrastructure is a framework that is designed to provide necessary security to Border Gateway Protocol (BGP), the gateway protocol that enables the Internet to exchange routing information between Autonomous Systems (AS). It does this by enabling network operators to create Route Origin Authorizations (ROAs), which can be validated.

ROAs are digitally signed records that associate IP address prefixes with the originating ASN. Route Origin Validation (ROV) is the process of using these ROA records to validate the legitimacy of routing information. In other words, ROA is a data structure used to specify valid route origination, while ROV is the mechanism that verifies if the route origination is authorized or not.

All eight countries in South Asia (Afghanistan, Pakistan, India, Nepal, Bhutan, Bangladesh, Sri Lanka, and Maldives) have some of the highest ROA counts in the world. Bangladesh ranks in the top three in the region with nearly 95% valid ROAs (Figure 2).

While the uptake of ROAs is exceptionally good in Bangladesh, the number of networks in the country implementing ROV (Route Origin Validation) is exceptionally low. Only one network, Bangladesh Computer Council (AS63932), scores more than 50% in the APNIC RPKI-ROV measurement.

MANRS Observatory

The MANRS Observatory is a tool that measures the level of a network’s adherence to routing security. The tool aggregates data from several trusted third-party sources into a user-friendly online dashboard. This snapshot enables network operators to identify problem areas to help them improve the security of their networks.

In the last 12 months, the MANRS Observatory has recorded an average of 17 incidents every month originating from networks in Bangladesh (Figure 3).

Many of these incidents are related to simple configuration mistakes, such as a single-digit ASN hijack —several such incidents have originated in Bangladesh this year (Figure 4).

MANRS Participants

Nearly 1,000 network operators have committed to the MANRS initiative and implemented the Actions relevant to the four programs for Network Operators, Internet Exchange Points, CDN and Cloud Providers, and Equipment Vendors. There are 16 participants from Bangladesh in the Network Operators program (Table 3).

These participants have the highest degree of routing security compliance — close to 100% of routes under these MANRS participants have valid ROA with a mere 0.3% invalid (Figure 5).

While the country reported 17 incidents per month on average, MANRS participants recorded 0.5 incidents a month in the same period (Figure 6).

Given the significant impact of routing incidents on our daily lives, we need to prioritize protecting and improving our network infrastructure.

MANRS Actions, whether it’s route filtering, anti-spoofing, coordination, or keeping your routing information up to date, aren’t new concepts but as seen above, those that are implementing them have far more secure and robust networks, which are protecting their customers from disruptions.

Learn more about the MANRS initiative and how you can join the growing list of networks that are prioritizing the security of their routes.

This work is supported by the Internet Society. Consider becoming an organization member.