Internet Society © 1992–2018
Routing is at Risk
Let’s secure it together!
MANRS: Mutually Agreed Norms for Routing Security
Kevin Meynell, Manager, Technical & Operational [email protected]
15 October 2018, Internet2 Technology Exchange
Some Facts & Figures
How big is the problem?
Routing Incidents Cause Real World Problems

Event: Prefix/Route Hijacking
Explanation: A network operator or attacker impersonates another network operator, pretending that a server or network is their client.
Repercussions: Packets are forwarded to the wrong place, and can cause Denial of Service (DoS) attacks or traffic interception.
Examples: The 2008 YouTube hijack; the April 2018 Amazon Route 53 hijack.

Event: Route Leak
Explanation: A network operator with multiple upstream providers (often due to accidental misconfiguration) announces to one upstream provider that it has a route to a destination through the other upstream provider.
Repercussions: Can be used for a MITM, including traffic inspection, modification and reconnaissance.
Example: September 2014. VolumeDrive began announcing to Atrato nearly all the BGP routes it learned from Cogent, causing disruptions to traffic in places as far-flung from the USA as Pakistan and Bulgaria.

Event: IP Address Spoofing
Explanation: Someone creates IP packets with a false source IP address to hide the identity of the sender or to impersonate another computing system.
Repercussions: The root cause of reflection DDoS attacks.
Example: March 1, 2018. Memcached 1.3 Tb/s reflection-amplification attack reported by Akamai.
The routing system is constantly under attack

• 13,935 total incidents (either outages or attacks like route leaks and hijacks)
• Over 10% of all Autonomous Systems on the Internet were affected
• 3,106 Autonomous Systems were a victim of at least one routing incident
• 1,546 networks were responsible for 5,304 routing incidents
• 547 networks were responsible for 1,576 routing incidents
Source: https://www.bgpstream.com/
[Chart: Five months of routing incidents (2018): Outage 3,668 (70%), Routing incident 1,576 (30%)]
No Day Without an Incident
[Chart: 6 months of suspicious activity, daily counts of hijacks and leaks from 1/1/17 to 8/1/17 (y-axis 0 to 120). Source: http://bgpstream.com/]
Outages 2017
[Chart: % of networks affected by an outage, by country (BR, US, IR, IN, ID, RU, UA, AR, NG, BD); values shown: 7.96, 1.77, 10.82, 5.75, 5.58, 1.94, 2.87, 8.83, 8.82, 4.90. Source: https://www.bgpstream.com/]
Potential culprits 2017
[Chart: Number of AS's in a country responsible for a routing incident (a route leak or hijack), for BR, US, RU, GB, IN, HK, DE, ID, IR, NL; values shown: 324, 197, 105, 55, 50, 44, 41, 39, 35, 32]
[Chart: Percent of AS's in a country responsible for a routing incident (a route leak or hijack), for the same countries; values shown: 6.55, 1.18, 2.10, 3.02, 3.50, 9.40, 2.33, 4.27, 7.73, 3.76]
Source: https://www.bgpstream.com/
Positive dynamics
[Chart: % of AS's in a country responsible for a routing incident, 2017 vs 2018, for US, BR, RU, IN, BD, ID, DE, IR, GB, HK (y-axis 0 to 10)]
Mutually Agreed Norms for Routing Security (MANRS)
Provides crucial fixes to eliminate the most common threats in the global routing system
Based on collaboration among participants and shared responsibility for the Internet infrastructure
MANRS Actions

Filtering: Prevent propagation of incorrect routing information
Ensure the correctness of your own announcements and announcements from your customers to adjacent networks with prefix and AS-path granularity

Anti-spoofing: Prevent traffic with spoofed source IP addresses
Enable source address validation for at least single-homed stub customer networks, their own end-users, and infrastructure

Coordination: Facilitate global operational communication and coordination between network operators
Maintain globally accessible up-to-date contact information in common routing databases

Global Validation: Facilitate validation of routing information on a global scale
Publish your data, so others can validate
Filtering: Prevent propagation of incorrect routing information
Ensure the correctness of your own announcements and announcements from your customers to adjacent networks

Use an IRR (e.g. APNIC IRR)
• In a typical scenario, an operator (AS64500) will require its customers, such as AS64501, to register their expected announcements as route objects in the IRR
• AS64500 will need to register its own route object, define its customer cone using an as-set object, and publish its routing policy with an aut-num object.
• AS64500 will use IRRToolset, BGPQ3 or IRRPT to generate filters from those objects
Filtering: Prevent propagation of incorrect routing information
Ensure the correctness of your own announcements and announcements from your customers to adjacent networks

Use RPKI
• In a typical scenario, an operator (AS64500) will require its customers, such as AS64501, to get RPKI certificates from APNIC and create ROAs for their expected announcements
• AS64500 will do the same
• AS64500 can use an RPKI validator to directly tag the announcements, e.g.
  route-map rpki permit 10
   match rpki valid
   set local-preference 999
  …
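The route-map above acts on the validation state that an RPKI validator attaches to each announcement. The following added example (not code from MANRS or from any validator) works through how that state is derived per RFC 6811: an announcement is valid if a covering ROA lists its origin AS and its prefix is no longer than the ROA's maxLength, invalid if it is covered only by ROAs that disagree, and not-found if no ROA covers it. The ROA set is constructed from the prefixes used in the slides; mapping invalid to reject and not-found to the default local preference of 100 is an assumption of the example, the slide only shows valid getting local-preference 999.

```python
"""Route Origin Validation (RFC 6811) as a worked example.

Constructed ROAs and announcements modelled on the AS64500/AS64501/AS64502
addressing used in the MANRS slides; not code from MANRS or any validator.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: prefix, maxLength and authorised origin AS."""
    prefix: str
    max_length: int
    origin_as: int


def validate_origin(announced_prefix: str, origin_as: int, roas) -> str:
    """Classify an announcement as 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(announced_prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        # A ROA of the other address family can never cover this prefix.
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"      # no ROA says anything about this prefix
    for roa in covering:
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"            # covered, but wrong origin or more specific than maxLength


def apply_policy(state: str) -> dict:
    """Policy mirroring the slide's route-map: valid gets local-preference 999.
    Rejecting invalids and leaving not-found at the default preference are
    assumptions of this example, not something the slides specify."""
    if state == "valid":
        return {"accept": True, "local_pref": 999}
    if state == "invalid":
        return {"accept": False, "local_pref": None}
    return {"accept": True, "local_pref": 100}


# Constructed ROA set using the prefixes and origins shown in the slides.
ROAS = [
    ROA("2001:db8:2002::/48", 48, 64502),
    ROA("203.0.113.0/24", 24, 64500),
    ROA("192.0.2.0/24", 24, 64501),
]

if __name__ == "__main__":
    cases = [
        ("2001:db8:2002::/48", 64502),    # legitimate announcement
        ("2001:db8:2002::/48", 64501),    # wrong origin: what a hijack looks like to ROV
        ("2001:db8:2002:1::/64", 64502),  # right origin, but more specific than maxLength
        ("198.51.100.0/24", 64502),       # no ROA at all
    ]
    for prefix, asn in cases:
        state = validate_origin(prefix, asn, ROAS)
        print(f"{prefix:22} AS{asn}: {state:9} -> {apply_policy(state)}")
```

The third case is the one operators most often get wrong when creating ROAs: a /48 ROA with maxLength 48 makes every more-specific announcement from the same AS invalid, so the ROA must be written to match what is actually announced.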
Anti-spoofing: Prevent traffic with spoofed source IP addresses
Enable source address validation for at least single-homed stub customer networks, their own end-users and infrastructure.

Use ingress ACLs
  ip access-list extended customer1-in-ipv4
   permit ip 192.0.2.0 0.0.0.255 any
  !
  ipv6 access-list customer1-in-ipv6
   permit ipv6 2001:db8:1001::/48 any
  !
  interface x
   ip access-group customer1-in-ipv4 in
   ipv6 traffic-filter customer1-in-ipv6 in

Convince the customer to egress-filter
  interface y
   ip access-group egress-provider out
Anti-spoofing: Prevent traffic with spoofed source IP addresses
Enable source address validation for at least single-homed stub customer networks, their own end-users and infrastructure.

Use uRPF
  ! strict mode (rx): accept only if the best route back to the source points out the receiving interface
  ip verify unicast source reachable-via rx
  ipv6 verify unicast source reachable-via rx

Convince the customer to egress-filter
  interface y
   ip access-group egress-provider out
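To make the difference between the two anti-spoofing techniques on these slides concrete, the added example below (not code from MANRS or any vendor) simulates what the edge router decides for each incoming packet: an ingress ACL bound to the customer interface, strict uRPF (reachable-via rx, the best route back to the source must leave through the interface the packet arrived on) and loose uRPF (reachable-via any, any route to the source suffices). The FIB, interface names and packets are constructed, reusing the documentation prefixes from the slides; the FIB deliberately has no default route, since a default route would let loose uRPF pass any source.

```python
"""Source address validation as an edge router applies it: ingress ACL,
strict uRPF and loose uRPF, evaluated over constructed packets.

Added example for the MANRS anti-spoofing slides; not code from MANRS or
any vendor. FIB, interfaces and packets are constructed.
"""
import ipaddress

# Constructed FIB of the provider edge router: (prefix, egress interface).
# No default route on purpose: with one, loose uRPF would pass every source.
FIB = [
    ("192.0.2.0/24", "customer1"),        # single-homed stub customer AS64501
    ("2001:db8:1001::/48", "customer1"),
    ("198.51.100.0/24", "customer2"),     # customer AS64502
    ("203.0.113.0/24", "core"),           # provider's own infrastructure
]

# Constructed ingress ACL per interface, equivalent to the slide's
# customer1-in-ipv4 / customer1-in-ipv6 access lists (implicit deny at the end).
INGRESS_ACL = {
    "customer1": ["192.0.2.0/24", "2001:db8:1001::/48"],
}


def lookup(src: str):
    """Longest-prefix match of a source address against the FIB; None if unrouted."""
    ip = ipaddress.ip_address(src)
    best = None
    for prefix, iface in FIB:
        net = ipaddress.ip_network(prefix)
        if net.version == ip.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface)
    return best


def urpf_strict(src: str, ingress_iface: str) -> bool:
    """reachable-via rx: the return path must use the interface the packet came in on."""
    route = lookup(src)
    return route is not None and route[1] == ingress_iface


def urpf_loose(src: str, ingress_iface: str) -> bool:
    """reachable-via any: a route to the source on any interface is enough."""
    return lookup(src) is not None


def acl_permits(src: str, ingress_iface: str) -> bool:
    """Ingress ACL: the source must fall inside the prefixes assigned to that interface."""
    ip = ipaddress.ip_address(src)
    allowed = INGRESS_ACL.get(ingress_iface)
    if allowed is None:
        return True          # no ACL configured on this interface
    return any(ip in ipaddress.ip_network(p) for p in allowed
               if ipaddress.ip_network(p).version == ip.version)


if __name__ == "__main__":
    # Constructed packets: (source, ingress interface, description)
    packets = [
        ("192.0.2.10", "customer1", "legitimate customer1 source"),
        ("198.51.100.7", "customer1", "customer2's address arriving from customer1 (spoofed)"),
        ("10.9.9.9", "customer1", "source with no route at all"),
        ("2001:db8:1001::5", "customer1", "legitimate IPv6 customer1 source"),
    ]
    for src, iface, why in packets:
        print(f"{src:18} via {iface}: strict={urpf_strict(src, iface)} "
              f"loose={urpf_loose(src, iface)} acl={acl_permits(src, iface)}  # {why}")
```

The second packet is the case that matters: loose uRPF lets it through because the provider does have a route to 198.51.100.0/24, while strict uRPF and the ACL both drop it. Strict mode is only safe on single-homed stub customers, which is why the MANRS action is scoped that way; on a multihomed customer the return path may legitimately use another interface.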
Coordination: Facilitate global operational communication and coordination between network operators
Maintain globally accessible up-to-date contact information

[Diagram: registry objects (mntner, role, inetnum, inet6num, aut-num, as-set, route-set) maintained through the MyAPNIC portal; contact types: Abuse, Policy, Technical, NOC, Public Relations, Sales; teams behind them: Network Operations Center, Support Team, Abuse Team, Security Team]
Global Validation: Facilitate validation of routing information on a global scale
Publicly document the routing policy, ASNs and prefixes that are intended to be advertised to external parties

aut-num: AS64500
mp-import: from AS64501 accept AS64501
mp-export: to AS64501 announce ANY
...
mp-import: from AS64511 accept AS64511:AS-ALL
mp-export: to AS64511 announce AS64500:AS-ALL
...
source: APNIC

route: 192.0.2.0/24
origin: AS64501
source: APNIC

route6: 2001:db8:1001::/48
origin: AS64501
source: APNIC

route: 198.51.100.0/24
origin: AS64502
source: APNIC

route6: 2001:db8:2002::/48
origin: AS64502
source: APNIC

route: 203.0.113.0/24
origin: AS64500
source: APNIC

route6: 2001:db8:1000::/36
origin: AS64500
source: APNIC

as-set: AS64500:AS-ALL
members: AS64500
members: AS64501, AS64502
source: APNIC

ROA: 2001:db8:2002::/48
origin: AS64502
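The IRR objects published here are what the filtering slide's "Use an IRR" scenario consumes: an upstream of AS64500 (or AS64500 itself, towards its customers) expands AS64500:AS-ALL, collects the route and route6 objects whose origin is in that cone, and turns them into a prefix-list. The added example below (not code from MANRS, bgpq3, IRRToolset or IRRPT, which do this from a live IRR) performs exactly that expansion over the objects shown above, embedded as a constructed RPSL text. A stray route6 object for AS64999 is added as a constructed control case to show that it stays out of the filter; the exact-match prefix-list output and the `as64500-cone` list names are assumptions of the example.

```python
"""Customer-cone prefix filters from IRR (RPSL) data, as an added example for
the MANRS Filtering and Global Validation slides. The objects are the ones
shown in the slides plus a constructed stray entry for AS64999; this is not
code from bgpq3, IRRToolset, IRRPT or MANRS.
"""
import ipaddress
import re

RPSL_DB = """\
aut-num: AS64500
mp-import: from AS64511 accept AS64511:AS-ALL
mp-export: to AS64511 announce AS64500:AS-ALL
source: APNIC

route: 192.0.2.0/24
origin: AS64501
source: APNIC

route6: 2001:db8:1001::/48
origin: AS64501
source: APNIC

route: 198.51.100.0/24
origin: AS64502
source: APNIC

route6: 2001:db8:2002::/48
origin: AS64502
source: APNIC

route: 203.0.113.0/24
origin: AS64500
source: APNIC

route6: 2001:db8:1000::/36
origin: AS64500
source: APNIC

as-set: AS64500:AS-ALL
members: AS64500
members: AS64501, AS64502
source: APNIC

route6: 2001:db8:ffff::/48
origin: AS64999
source: APNIC
"""


def parse_rpsl(text: str):
    """Split RPSL text into objects; each object maps attribute -> list of values."""
    objects = []
    for block in re.split(r"\n\s*\n", text.strip()):
        obj = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            obj.setdefault(key.strip(), []).append(value.strip())
        objects.append(obj)
    return objects


def expand_as_set(name: str, objects, seen=None) -> set:
    """Recursively resolve an as-set into the set of ASNs it contains."""
    seen = set() if seen is None else seen
    if name in seen:            # guard against as-sets that reference each other
        return set()
    seen.add(name)
    asns = set()
    for obj in objects:
        if obj.get("as-set") != [name]:
            continue
        for field in obj.get("members", []):
            for member in (m.strip() for m in field.split(",") if m.strip()):
                if re.fullmatch(r"AS\d+", member):
                    asns.add(int(member[2:]))
                else:           # a nested as-set such as AS64511:AS-ALL
                    asns |= expand_as_set(member, objects, seen)
    return asns


def cone_prefixes(as_set: str, objects) -> dict:
    """Collect the route/route6 objects whose origin is inside the as-set."""
    asns = expand_as_set(as_set, objects)
    prefixes = {4: set(), 6: set()}
    for obj in objects:
        key = "route" if "route" in obj else "route6" if "route6" in obj else None
        if key is None:
            continue
        if int(obj["origin"][0][2:]) in asns:
            net = ipaddress.ip_network(obj[key][0])
            prefixes[net.version].add(str(net))
    return prefixes


def render_prefix_list(name: str, prefixes: dict, version: int) -> list:
    """Emit IOS-style exact-match prefix-list lines (implicit deny at the end)."""
    cmd = "ip prefix-list" if version == 4 else "ipv6 prefix-list"
    ordered = sorted(prefixes[version], key=ipaddress.ip_network)
    return [f"{cmd} {name} permit {p}" for p in ordered]


def announcement_permitted(prefix: str, prefixes: dict) -> bool:
    """Would this announcement from the customer cone pass the exact-match filter?"""
    net = ipaddress.ip_network(prefix)
    return str(net) in prefixes[net.version]


if __name__ == "__main__":
    cone = cone_prefixes("AS64500:AS-ALL", parse_rpsl(RPSL_DB))
    for v in (4, 6):
        print("\n".join(render_prefix_list(f"as64500-cone-v{v}", cone, v)))
```

Because the filter is exact-match, a more specific such as 203.0.113.0/25 is rejected even though its covering /24 is registered; operators who intend to allow more specifics register them as separate route objects or generate the list with length ranges.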
MANRS Implementation Guide
If you’re not ready to join yet, implementation guidance is available to help you.
• Based on Best Current Operational Practices deployed by network operators around the world
• Recognition from the RIPE community by being published as RIPE-706
• https://www.manrs.org/bcop/
MANRS Training Tutorials and Hands-on Lab
6 training tutorials based on information in the Implementation Guide.
A test at the end of each tutorial.
About to begin training moderators for online classes (43 applications received!)
The prototype lab is ready, finalizing the production version.
https://www.manrs.org/tutorials
Measuring Routing Security: MANRS Observatory
- Impartial benchmarking of MANRS members to improve reputation and transparency
- Provide factual state of security and resilience of the Internet routing system over time
- Support the problem statement with data
- Self-assessment purposes and automating sign-up
How to Measure?
- Transparent: use publicly available data sources and open source code
- Passive: no cooperation is required from a network
- Metrics: measure the rate of member (ASN) commitment (0 – non-compliant to 100 – fully compliant)
MANRS Member Report and MANRS Observatory

MANRS Audit Process

Action: Filtering
Checks and tools:
- Check the description to ensure that prefix filters are generated for the customer cone dynamically, and not only static bogon filters are in place. Usually this is done by using recursive AS-SETs (IRR).
- Check that the ASN does not announce bogons: https://www.cidr-report.org/as2.0/
- Check that the ASN was not implicated in recent incidents. If it was, ask for the explanation: https://bgpstream.com/

Action: Anti-Spoofing
Checks and tools:
- Check that the ASN does not show up in the CAIDA spoofer database as an ASN or as a provider: https://spoofer.caida.org/provider.php?asn=[ASN]
- Run the Spoofer test in two of the infrastructure network segments (not behind a NAT): https://spoofer.caida.org/as.php?asn=[ASN]
- Check the spoofer results

Action: Coordination
Checks and tools:
- Check that contacts are in the whois: https://stat.ripe.net/widget/whois#w.resource=[ASN]
- Check that contact info is registered in the PeeringDB: https://www.peeringdb.com

Action: Global Validation
Checks and tools:
- Check that routing information is registered in an IRR: https://stat.ripe.net/widget/as-routing-consistency#w.resource=[ASN]
- If ROAs are registered, it is a plus: http://localcert.ripe.net:8088/bgp-preview
MANRS – increasing adoption
“I believe only 20 major network operators need to start doing Route Origin Validation in order to greatly improve routing security and achieve big benefits.”
- Job Snijders, NTT @ NLNOG 2018
MANRS Participants – as of October 2018
- 96 Network Operators
- 21 R&E networks and institutions
- 194 Autonomous Systems (ASes)
- 24 Internet Exchange Points
- Internet2/ESnet community
Internet2, ESnet, CAAREN, Connecticut Education Network, DePaul University, GWU, Indiana University & KanREN
Why Research & Education Networks Should Join MANRS
- To show technical leadership and distinguish you from commercial ISPs
  - Customers are increasingly willing to pay more for secure services
- To add competitive value and enhance operational effectiveness
  - Growing demand from customers for managed security services
- To show security proficiency and commitment to your customers
  - Promote MANRS compliance to security-focused customers
- To help solve global network problems
  - NRENs are often early adopters of new developments. Lead by example
  - Being part of the MANRS community can strengthen enterprise security credentials
MANRS IXP Programme

There is synergy between MANRS and IXPs
• IXPs form a community with a common operational objective
• MANRS is a reference point with a global presence – useful for building a “safe neighborhood”
How can IXPs contribute?
• Implement a set of Actions that demonstrate the IXP commitment and also bring significant improvement to the resilience and security of the routing system
MANRS IXP Program – launched on April 23!
MANRS IXP Actions

Action 1: Prevent propagation of incorrect routing information
This mandatory action requires IXPs to implement filtering of route announcements at the Route Server based on routing information data (IRR and/or RPKI).

Action 2: Promote MANRS to the IXP membership
IXPs joining MANRS are expected to provide encouragement or assistance for their members to implement MANRS actions.

Action 3: Protect the peering platform
This action requires that the IXP has a published policy of traffic not allowed on the peering fabric and performs filtering of such traffic.

Action 4: Facilitate global operational communication and coordination
The IXP facilitates communication among members by providing necessary mailing lists and member directories.

Action 5: Provide monitoring and debugging tools to the members
The IXP provides a looking glass for its members.
MANRS Community

MANRS needs to be community driven
MANRS should be (and is) a collaborative initiative of Internet operators
• Internet operators undertaking MANRS principles need to encourage use of best practices
• MANRS needs to be driven by leaders within their communities who strongly believe that routing security is an essential component for the future well-being of the Internet
• Generate MANRS awareness through word-of-mouth, presentations and social media in their communities + running workshops on routing security
• Bring forward feedback and recommendations for improving MANRS principles, tools and disseminating best practices, e.g. MANRS observatory, network monitoring tools, and training materials
• Internet Society can help with presentations, informational materials and merchandise (shirts and stickers)
Join Us

Visit https://www.manrs.org
• Fill out the sign up form with as much detail as possible.
• We may ask questions and run tests
Get Involved in the Community
• Members support the initiative and implement the actions in their own networks
• Members maintain and improve the manifesto and promote MANRS objectives

Visit us at www.internetsociety.org
Follow us @internetsociety
Galerie Jean-Malbuisson 15, CH-1204 Geneva, Switzerland. +41 22 807 1444
1775 Wiehle Avenue, Suite 201, Reston, VA 20190-5108 USA. +1 703 439 2120
Thank you.
Kevin Meynell, [email protected]