Internet Routing with MANRS
By Fred Baker
November 2018
The Internet as we know it is approximately 35 years old. The Border Gateway Protocol (BGP), the primary backbone routing protocol, was designed before we knew much about security; we have been changing and fixing it as our knowledge has increased. Improvements include the establishment of specific data to help operators identify what routing data is valid and what is not, as well as specific operational practices to address known attacks. To date, the biggest problem with those capabilities is that many operators remain either unaware or unconvinced that their participation is needed if matters are to improve.
Charles Dudley Warner famously said, “Everybody complains about the weather, but nobody does anything about it.” In the summer of 2014, a group of companies made the same observation about Internet routing—and then did something about it. The result is the Mutually Agreed Norms for Routing Security[1], or MANRS, a global initiative designed to collaboratively provide crucial fixes to reduce the most common routing threats. The acronym is no accident; the authors are making a point: it is good etiquette, good manners, to say trustworthy things when speaking to one’s neighbor. MANRS actions result in trustworthy Internet routing, a reasonable basis for a business.
At the writing of this report, more than 100 Internet service providers (ISPs)[2] and Internet exchange points (IXPs)[3], comprising hundreds of Autonomous Systems (ASs) in many countries, have agreed to take the following four actions:
- Filtering route origins
- Anti-spoofing of source addresses in Internet traffic
- Coordination of actions
- Global validation of routing announcements
Individually, the four steps are quite straightforward. While they require some effort, that effort is neither difficult nor expensive for most implementations. The issues those steps address, however, are costly from both insurance and public relations perspectives. For example, if a company’s traffic is misrouted to someone who harvests access credentials and uses them to hack the company or its customers, hundreds of millions of dollars in damage could accrue. What’s more, the company misrouting the traffic could be found culpable. More than simply good route hygiene or cheap insurance, these recommended actions might be all that stands between your network and the financial and public relations nightmare of a security breach.
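To make the first action concrete, here is an added illustration (not code from the paper or from the MANRS project) of RPKI-based route origin validation as specified in RFC 6811: each received announcement is compared against the set of Route Origin Authorizations (ROAs) and classified as valid, invalid or unknown, and the usual filtering policy then drops only the invalid routes. The ROAs, prefixes (documentation ranges) and AS numbers (private range) are constructed for the example.

```python
from collections import namedtuple
from ipaddress import ip_network

# A ROA authorises one origin AS to announce a prefix and its more-specifics
# down to max_length; asn 0 means the holder authorises nobody (an "AS0 ROA").
ROA = namedtuple("ROA", "prefix max_length asn")

def _covers(roa, net):
    cov = ip_network(roa.prefix)
    return cov.version == net.version and net.subnet_of(cov)

def validate_origin(prefix, origin_as, roas):
    """Classify an announced (prefix, origin AS) pair per RFC 6811 section 2."""
    net = ip_network(prefix)
    covering = [r for r in roas if _covers(r, net)]
    if not covering:
        return "unknown"      # no ROA covers the prefix: RPKI says nothing about it
    for roa in covering:
        # An AS0 ROA matches no origin, and origin AS 0 itself is never valid (RFC 7607).
        if roa.asn == origin_as and origin_as != 0 and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"          # covered, but wrong origin AS or more specific than allowed

def filter_announcements(announcements, roas, drop_unknown=False):
    """Common ROV policy: drop invalid routes, keep valid ones and (by default) unknown ones."""
    kept = []
    for prefix, origin_as in announcements:
        state = validate_origin(prefix, origin_as, roas)
        if state == "invalid" or (drop_unknown and state == "unknown"):
            continue
        kept.append((prefix, origin_as, state))
    return kept

# Constructed ROA set (documentation prefixes, private ASNs; not real registry data).
ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/24", 25, 64497),
    ROA("203.0.113.0/24", 24, 0),        # holder declares: nobody may originate this
    ROA("2001:db8::/32", 48, 64496),
]

# Constructed announcements as a router might receive them from a peer.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),       # exact match: valid
    ("192.0.2.0/25", 64496),       # right AS but longer than max_length: invalid
    ("192.0.2.0/24", 64511),       # wrong origin AS (the mis-origination case): invalid
    ("198.51.100.128/25", 64497),  # more-specific within max_length: valid
    ("203.0.113.0/24", 64496),     # covered only by an AS0 ROA: invalid
    ("2001:db8:1::/48", 64496),    # IPv6 more-specific within max_length: valid
    ("100.64.0.0/10", 64500),      # no ROA at all: unknown, accepted by default
]
```

Calling `filter_announcements(ANNOUNCEMENTS, ROAS)` keeps the three valid routes and the unknown one; the "right AS, too-specific" case shows why operators must check max_length before they start dropping invalids, since it is a common self-inflicted outage.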
Governments are taking notice of routing issues. For example, in the United States, the National Institute of Standards and Technology (NIST) and the Department of Homeland Security (DHS) recently reinforced the importance of the MANRS project by publishing a draft US standard[4], [5] along the same lines. In addition to Resource Public Key Infrastructure (RPKI)[6] and route origin validation (ROV)[7], the NIST–DHS standard calls for path validation via Border Gateway Protocol Security (BGPsec), which is a possible future building block for routing security. US Government networks and companies that contract with governments in the United States should anticipate fulfilling requirements similar to those outlined in the MANRS agreement.
This paper explores some of the issues surrounding routing security and provides examples of both implementation approaches and where those approaches have been used to successfully prevent or mitigate attacks. It includes the following sections:
- Section 2: Introduction. A description of the issues around Internet routing and why we need to address the security of it.
- Section 3: The Four MANRS Actions. An outline of the four MANRS actions and how they may be cost-efficiently and effectively carried out.
- Section 4: Conclusion. Possible next steps.
- References. For those interested in more detail, this paper references a number of reports and relevant online commentary.
Endnotes
[1] https://manrs.org/
[2] https://manrs.org/participants/
[3] https://manrs.org/participants/ixps/
[4] https://www.zdnet.com/article/standard-to-protect-against-bgp-hijack-attacks-gets-first-official-draft/
[5] https://www.zdnet.com/article/standard-to-protect-against-bgp-hijack-attacks-gets-first-official-draft/
[6] Resource Public Key Infrastructure, also known as Resource Certification, is a specialized public key infrastructure framework designed to secure the Internet’s routing infrastructure.
[7] Route Origin Validation describes route filtering in order to ensure that the routes received match RPKI-certified specifications.