Date post: | 12-Apr-2017 |
Category: | Technology |
Upload: | deploy360-programme-internet-society |
Internet Society © 1992–2016
https://www.manrs.org/
Mind your MANRS
Mutually Agreed Norms for Routing Security
Aftab [email protected]
January 2017
What problems are we trying to address?
Border Gateway Protocol (BGP) is based on trust
• No built-in validation of the legitimacy of updates
• Chain of “trust” spans continents
• Lack of reliable resource data
2
Do we have enough tools?
Probably yes
• Prefix and AS-PATH filtering, RPKI, IRR, …
• BGPSEC under development at the IETF
• Whois, Routing Registries and Peering databases
3
Are they effectively deployed?
Probably not
• BGPStream
It is a socio-economic problem
4
From the routing perspective securing one’s own network does not make it more secure. The network security is in someone else’s hands
• The more hands – the better the security
Is there a clear, visible and industry supported line between good and bad?
• A cultural norm
A clearly articulated baseline – a minimum requirement (MCOP)
+ Visible support with commitment
5
Mutually Agreed Norms for Routing Security (MANRS)
6
MANRS defines four concrete actions that network operators should implement
• Technology-neutral baseline for global adoption
MANRS builds a visible community of security-minded operators
• Promotes culture of collaborative responsibility
Good MANRS
1. Filtering – Prevent propagation of incorrect routing information.
2. Anti-spoofing – Prevent traffic with spoofed source IP addresses.
3. Coordination – Facilitate global operational communication and coordination between network operators.
4. Global Validation – Facilitate validation of routing information on a global scale.
7
8
To bring about a trusted Internet of opportunity for all, we must work collaboratively to secure the Internet’s routing infrastructure. MANRS provides the framework and community for this collaboration.
The Internet is a shared responsibility, and only through these important collaborative efforts can we continue to ensure the protection of this collective infrastructure.
Dale Drew, Senior Vice President, Chief Security Officer at Level 3 Communications
Comcast Example
• Before MANRS, Comcast implemented these actions within their 33 networks covering 20 million customers in North America.
• But they realized their actions alone would not be sufficient.
• Recognized need to join with others and to promote this type of conduct by all network operators.
Comcast is committed to helping drive improvements to the reliability of the Internet ecosystem. We are thrilled to be engaged with other infrastructure participants across the spectrum and around the globe in pursuit of these goals.
- Jason Livingood, Vice President, Internet Services, Comcast
10
MANRS is not a firewall that will protect your network.
MANRS is a commitment – and a community.
MANRS is a mark of quality.
Good network routing practice is the fundamental requirement for trust between providers, and ultimately creates a safer and stronger Internet for customers.
Jaya Baloo, Chief Information Security Officer, KPN
MANRS is not (only) a document – it is a commitment
1) The member supports the Principles and implements at least one of the Actions for the majority of its infrastructure.
2) The member becomes a Participant of MANRS, helping to maintain and improve the document and to promote MANRS objectives
11
Public launch of the initiative - 6 November 2014
12
A growing list of participants
13
Two years of MANRS
[Chart: # of AS by year, 2014, 2015, 2016]
14
MANRS members by # of AS’es
[Chart: # of AS by year, 2014, 2015, 2016, 2017 (Proj)]
You may say I'm a dreamer…
15
MANRS members by # of AS’es
How to bridge this gap?
16
Increasing gravity by making MANRS a platform for related activities
Developing better guidance
• MANRS Best Current Operational Practices (BCOP) document: http://tinyurl.com/MANRS-BCOP
Potential training/certification programme
• Based on BCOP document and an online module
Bringing new types of members on board
• IXPs, vendors
Developing a better “business case” for MANRS
• MANRS value proposition for your customers
Creating a trusted community
• A group with a similar attitude towards security
17
MANRS training and certification
18
Routing security is hard
— The MANRS BCOP was envisaged as a simple instruction set
— Instead we have a 50-page document that assumes a certain level of expertise
— How can we make it more accessible?
A set of online training modules
— Based on the MANRS BCOP
— Walks a student through the tutorial with a test at the end
— Working with and looking for partners that are interested in integrating it in their curricula
A hands-on lab to achieve MANRS certification
— Completing an online module as a first step in MANRS certification
— Looking for partners
MANRS IXP Partnership Programme
19
There is synergy between MANRS and IXPs in this area
— IXPs form a community with a common operational objective
— MANRS is a reference point with a global presence – useful for building a “safe neighborhood”
How can IXPs contribute?
— Technical measures: Route Server with validation, alerting on unwanted traffic, providing debugging and monitoring tools
— Social measures: MANRS ambassador role, local audit as part of the on-boarding process
One membership or a separate category?
— The existing set may not be directly applicable
— A development team is working on a set of useful actions
How to sign up
Go to http://www.routingmanifesto.org/signup/
• Provide requested information
• Please provide as much detail on how Actions are implemented as possible
We may ask questions and ask you to run a few tests
• Routing “background check”
• Spoofer https://www.caida.org/projects/spoofer/
Your answer to “Why did you decide to join?” may be displayed in the testimonials
Download the logo and use it
Become an active MANRS participant
20
Visit us at
www.internetsociety.org
Follow us
@internetsociety
21
Join us to make routing more secure
https://www.manrs.org/
http://www.routingmanifesto.org/