Explainer: About Routing Security
This post is part of our MANRS Basics series. It is intended for non-experts who are interested in learning more about routing security terms with reasonably simple explanations.
What is routing security and why does this matter?
There are over 70,000 Autonomous Systems on the Internet. An Autonomous System (AS) is a collection of networks that operate together under a consistent set of rules. Each AS operates independently, building its own “roadmap” of the Internet by exchanging routes – other networks they know how to reach – with other ASes using a set of technical rules called Border Gateway Protocol (BGP). BGP is fundamental to how the Internet works technically.
But BGP was created in 1989, before Internet security was a concern. It assumes all networks are trustworthy and offers no built-in validation to verify the information it receives. Incidents like route leaks and route hijacks have the potential to slow Internet traffic, make parts of the Internet unreachable, allow hackers to infiltrate and steal revenue, or provide an opportunity for surveillance.
What is RPKI?
In light of the known issues with BGP, the technical community created a variety of mitigation tools and technologies including something called Resource Public Key Infrastructure, or RPKI. RPKI is a security framework that helps network operators make more informed and secure routing decisions. With RPKI, the legitimate holder of network resources has a certification called a Route Origin Authorization (ROA), which can be validated cryptographically. A ROA says, “I am Network X.” On the other end, the recipient of the route can rely on RPKI to perform something called Route Origin Validation (ROV) to look at the ROA and verify that the route received via BGP does indeed lead to Network X and not an imposter.
How do we improve routing security?
RPKI and other BGP security mechanisms are working well and their adoption is vastly improving over time. However, the bottom line is they only have full impact if they are applied at scale across the whole Internet. Routing security is truly a global problem, as one network’s issues can cascade to affect others and you are only as safe as your neighbors.
That’s where MANRS comes in. Mutually Agreed Norms for Routing Security is a ten-year-old global initiative to support the deployment of routing security best practices, including RPKI. Now more than 1,000 networks strong across four programs for Network Operators, Internet Exchange Points (IXPs), Content Delivery Network (CDN) and Cloud Providers, and Equipment Vendors, we fully believe in the ability of the global technical community to work in a coordinated and collaborative way to continue improving routing security practices.
MANRS fits into the Global Cyber Alliance’s Internet Integrity program, which brings together key players in Internet infrastructure operations and other stakeholders to identify top priorities for addressing cybersecurity issues that cannot be solved by any single actor or subset of actors independently. GCA is proud to be the secretariat of MANRS.