Draft 1 – Routing Resilience Manifesto
This draft document, v1.0, was under discussion from June-August 2014.
It has been succeeded by the MANRS Document.
Introduction
Security in general is a difficult area when it comes to incentives. Security of the global Internet infrastructure, be it DNS or routing, brings additional challenges: the utility of security measures depends on coordinated actions of many other parties.
Throughout the history of the Internet, collaboration among participants and shared responsibility for its smooth operation have been two of the pillars supporting the Internet’s tremendous growth and success, as well as its security and resilience. Technology solutions are an essential element here, but technology alone is not sufficient. In order to stimulate visible improvements in this area, a greater change towards the culture of collective responsibility is needed.
This document aims at capturing this collaborative spirit and providing guidance to network operators in addressing issues of security and resilience of the global Internet routing system. Another important goal is to document the commitment of industry leaders to address these issues, which should amplify the impact as more supporters join.
Objectives
- Raise awareness and encourage actions by demonstrating the commitment of the growing group of supporters
- Promote the culture of collective responsibility for resilience and security of the Internet’s global routing system
- Demonstrate the ability of the industry to address issues of resilience and security of the Internet’s global routing system in the spirit of collective responsibility
- Provide a framework for ISPs to better understand and help address issues related to resilience and security of the Internet’s global routing system
Principles
- The organization (ISP/network operator) recognizes the interdependent nature of the global routing system and its own role in contributing to a secure and resilient Internet
- The organization integrates best current practices related to routing security and resilience in its network management processes in line with the Guidelines
- The organization is committed to preventing, detecting and mitigating routing incidents through collaboration and coordination with peers and other ISPs in line with the Guidelines
- The organization encourages its customers and peers to adopt these Principles and Guidelines
Scope
BGP is deployed in many different kinds of networks of different sizes and profiles. Many different recommendations exist to improve the security and resilience of the inter-domain routing system. Some of the advice can even appear somewhat contradictory, and often the key decision can come down to understanding what is most important or appropriate for a given network considering its size and resources, the number of external connections, number of BGP routers, size and expertise of the staff and so forth.
The Guidelines underline a minimum set of recommendations which are definitely valuable to the overall security and resilience of the global routing system, as well as to the network operator itself. They address three main classes of problems:
- Problems related to incorrect routing information.
- Problems related to traffic with spoofed source IP addresses.
- Problems related to coordination and collaboration between network operators.
The Guidelines define a minimum “package” – a set of recommendations that should definitely be implemented by operators supporting this Manifesto. They are called “requested actions” in the Manifesto. This set is not exclusive and the expectation is that many network operators are implementing stronger measures and controls already, or plan to do that in the future.
We are conscious of the fact that any particular requested action is not a comprehensive solution to the outlined problems. But each of them is a small step that, if multiplied by a large number of supporters, can become a significant improvement in the resilience of the global Internet routing system. Therefore the selection of actions was based on the assessment of the balance between the small incremental individual costs and the potential common benefit.
Definitions
In order to articulate the specifics of the requested actions, it is necessary to define a number of terms explicitly and to relate them to their general usage in the Internet industry.
- Infrastructure – Operator’s internal networks which must be reachable on the Internet.
- End User – Networks within operator’s routing and administrative domain.
- Peer Network – An external network with whom traffic is exchanged relating to both your respective Infrastructure and Customer Networks.
- Transit Network – An external network to whom traffic relating to your Infrastructure and Customer Networks is sent, but from whom traffic from the Internet in general is received.
- Customer Network – An external network for which the operator provides transit services.
- Single Homed – A single, uncomplicated link between networks, or connecting an End User to the Infrastructure. This represents a single path over which traffic can flow within or between networks.
- Multi Homed – Multiple paths between networks (even multiple networks), or connections between an End User and the Infrastructure. This can create multiple paths over the Infrastructure and the Internet over which traffic can traverse.
Guidelines
1. Prevent propagation of incorrect routing information
Network operators are encouraged to define a clear routing policy and implement a system that ensures correctness of their own announcements and announcements from their customers to adjacent networks at prefix and AS-path granularity. Network operators should be able to communicate to their adjacent networks which announcements are correct.
Discussion: Most important is to secure inbound routing advertisements, particularly from customer networks, through the use of explicit prefix-level filters or equivalent mechanisms. Secondarily, AS-path filters might be used to require that the customer network be explicit about which Autonomous Systems (ASes) are downstream of that customer. Alternatively, AS-path filters which block announcements by customers of ASes with which the provider has a settlement-free relationship can prevent some types of routing “leaks”. Filtering customer BGP announcements by AS-path filters alone is insufficient to prevent catastrophic routing problems at a systemic level.
2. Prevent traffic with spoofed source IP address
Network operators should implement a system that enables source address validation for at least single-homed stub customer networks, their own end-users and infrastructure. Network operators are encouraged to implement filtering to prevent packets with incorrect source IP address from entering and leaving the network.
Discussion: Common approaches to this problem have involved software features such as SAV (Source-Address Validation) on cable-modem networks or strict uRPF (unicast Reverse-Path Forwarding) validation on router networks. These methods can ease the overhead of administration in cases where routing and topology are relatively less dynamic. Another approach could be to use the inbound prefix filter information to form a packet filter: the filtered ranges serve as a whitelist, allowing only packets whose source addresses fall within prefixes for which the network would be allowed to advertise reachability.
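The following is an added example, not part of the original draft: it models the inbound customer policy from guideline 1 (prefix-level filter plus AS-path filter) and derives the source-address packet filter of guideline 2 from the same prefix list. The customer, its AS numbers, prefixes and the maximum prefix length are constructed values taken from documentation ranges, and all function names are hypothetical.

```python
import ipaddress

# Constructed policy for a hypothetical customer, using documentation
# prefixes (RFC 5737) and documentation AS numbers (RFC 5398).
CUSTOMER_AS = 64500
ALLOWED_ASES = {64500, 64501}          # customer plus its declared downstream
ALLOWED_PREFIXES = [ipaddress.ip_network(p)
                    for p in ("192.0.2.0/24", "198.51.100.0/24")]
MAX_PREFIX_LEN = 24                    # assumed limit on more-specifics


def as_path_ok(as_path):
    """AS-path filter: path starts at the customer, only declared ASes appear."""
    return (bool(as_path) and as_path[0] == CUSTOMER_AS
            and set(as_path) <= ALLOWED_ASES)


def prefix_ok(prefix):
    """Prefix-level filter: announcement must fall inside a registered prefix."""
    net = ipaddress.ip_network(prefix)
    if net.prefixlen > MAX_PREFIX_LEN:
        return False
    return any(net.version == p.version and net.subnet_of(p)
               for p in ALLOWED_PREFIXES)


def accept_announcement(prefix, as_path):
    """Inbound customer policy: both filters must pass."""
    return prefix_ok(prefix) and as_path_ok(as_path)


def source_allowed(src_ip):
    """Packet filter derived from the same prefix list (guideline 2)."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in p for p in ALLOWED_PREFIXES)


if __name__ == "__main__":
    routes = [("192.0.2.0/24", [64500]),
              ("198.51.100.0/24", [64500, 64501]),
              ("203.0.113.0/24", [64500]),        # valid path, unregistered prefix
              ("192.0.2.0/24", [64500, 64511])]   # undeclared AS in path
    for prefix, path in routes:
        print(prefix, path, "path-only:", as_path_ok(path),
              "full:", accept_announcement(prefix, path))
    for src in ("192.0.2.77", "203.0.113.5"):
        print(src, "forward" if source_allowed(src) else "drop")
```

The third route shows why an AS-path filter alone is insufficient: its path is acceptable, and only the prefix-level filter rejects it.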
3. Facilitate global operational communication and coordination between the network operators
Network operators are encouraged to maintain globally accessible up-to-date contact information.
Discussion: Most common places where such information is maintained are PeeringDB, RIRs’ whois databases and large IRRs: RADB, RIPE. A network operator should register and maintain 24/7 contact information in at least one of these databases.