Greater MANRS Alignment Will Benefit the US Research and Education Community
By Steven Wallace, Internet2 Security Architect and MANRS Ambassador (2021 cohort)
This article is adapted from the original version that appeared on Internet2, which has kindly let us republish it.
Ninety-five percent of network routes originating from US research and education (R&E) institutions lack a form of hijack protection recommended by MANRS (Mutually Agreed Norms for Routing Security), known as RPKI, or Resource Public Key Infrastructure. Adding this layer of security is something that the IP address owners, typically campuses in the US, will want to address. Internet2 is working to build tools, training and outreach programs to support this need and we hope this blog highlights the opportunities for us to work together to improve the community’s security posture.
According to the MANRS Observatory, by comparison to US academic institutions, the public Internet’s use of RPKI is eight times greater than our community’s. In other research and education networks around the globe, including GÉANT’s pan-European network, RPKI adoption by member institutions exceeds the United States R&E community by a wide margin.
Without RPKI, 95% of the US R&E community’s routes are at a greater risk of being hijacked or blocked. These routes are of particular interest, due to their large size, to spammers seeking to hijack a subnet to host mail-spamming servers. There’s potential to harm the reputation of a campus’ email infrastructure by allowing even a small subnet to be hijacked.
The barriers to RPKI adoption aren’t technical. Enabling RPKI protection for a campus requires completing a web form. The additional cost associated with RPKI protection is, at most, $150 a year for an organization. For many, the additional cost is $0.
The barrier preventing many from using RPKI is the lack of an agreement for the IP numbers to be protected with the American Registry for Internet Numbers (ARIN). This is a legacy of early assignment of IP addresses to US institutions before ARIN existed, but now is a barrier to modern routing security and puts unregistered legacy address spaces at significant risk.
The webform to enable RPKI can be accessed from ARIN’s website. To protect a network using RPKI, the network owner must have a current registration services agreement with ARIN covering the network to be protected, and agree to ARIN’s RPKI Terms of Use.
The ARIN agreements contain the phrase “indemnify, defend, and hold harmless.” According to a published report by Yoo and Wishnick titled Lowering Legal Barriers to RPKI Adoption, which includes network operator community interviews and legal framework analysis, they note that this phrase is the source (for some) for their RPKI adoption hesitancy. ARIN has shown willingness to amend language prohibited by state law, but the process is handled on an individual case basis.
While a case-by-case approach to creating mutually acceptable agreements is far from ideal, it’s what we have today. A key step will be identifying campus champions to advocate for the broad adoption of RPKI across the R&E community.
To help identify and track progress across all MANRS’ recommended actions, Internet2 has begun providing reports to each of the Internet2 network connectors that detail current status for all routes advertised to Internet2 by each connector and their campuses. This status is interpreted from public data about member organizations routing security status.
Given the increasing pace at which the rest of the world is addressing this gap, we have offered several webinars and are offering assistance related to this increasing risk. We welcome opportunities to help Internet2 member campuses understand and address this gap.
For more information, contact us at: [email protected]
Editor’s note: This is a guest post by a MANRS Ambassador. Viewpoints expressed in this post are those of the author’s and may or may not reflect official positions.
Leave a Comment