Post on 15-Aug-2020
Internet Society © 1992–2016
https://www.manrs.org/
TwoyearsofgoodMANRSImprovingGlobalRoutingSecurityandResilience
January2017
Isthereaproblem?
• Internetroutinginfrastructureisvulnerable• Trafficcanbehijacked,blackholedordetoured• Trafficcanbespoofed• Fat-fingersandmaliciousattacks
• BGPisbasedontrust• Nobuilt-invalidationofthelegitimacyof updates
2
Aretheresolutions?
• Yes!• PrefixandAS-PATHfiltering,RPKI,IRR,…• BGPSECunderdevelopmentattheIETF• Whois,RoutingRegistriesandPeeringdatabases
• But…• Lackofdeployment• Lackofreliabledata
3
Itisasocio-economicproblem– atragedyofthecommons• Fromtheroutingperspectivesecuringone’sownnetworkdoesnotmakeitmoresecure.Thenetworksecurityisinsomeoneelse’shands• Themorehands– thebetterthesecurity
• Isthereaclear,visibleandindustrysupportedlinebetweengoodandbad?• Aculturalnorm
4
Aclearlyarticulatedbaseline–aminimumrequirement(MCOP)
+
Visiblesupportwithcommitment
5
MutuallyAgreedNormsforRoutingSecurity(MANRS)
MANRSdefinesfourconcreteactionsthatnetworkoperatorsshouldimplement
• Technology-neutralbaselineforglobaladoption
MANRSbuildsavisiblecommunityofsecurity-mindedoperators
• Promotescultureofcollaborativeresponsibility
6
GoodMANRS
• Filtering – Preventpropagationofincorrectroutinginformation• Ownannouncementsandthecustomercone
• Anti-spoofing – PreventtrafficwithspoofedsourceIPaddresses• Single-homedstubcustomersandowninfra
• Coordination – Facilitateglobaloperationalcommunicationandcoordinationbetweennetworkoperators• Up-to-dateandresponsivepubliccontacts
• Global Validation – Facilitatevalidationofroutinginformationonaglobalscale• Publishyourdata,sootherscanvalidate
7
MANRSisnot(only)adocument– itisacommitment• Thememberssupport thePrinciplesandimplement themajorityoftheActionsintheirnetworks.
• A memberbecomesaParticipantofMANRS,helpingtomaintain and improve thedocumentandtopromote MANRSobjectives
8
Agrowinglistofparticipants
9
0102030405060708090100
2014 2015 2016 2017(sofar)
#ofAS
#ofAS
TwoyearsofMANRS
10
MANRS members by # of AS’es
0
1000
2000
3000
4000
5000
6000
7000
8000
2014 2015 2016 2017 . . . . . . ?
# of AS
# of AS
Youmaysaywe’redreamers…
11
MANRS members by # of AS’es
•Howtobridgethisgap?
12
Leveragingmarketforcesandpeerpressure• Developingabetter“businesscase”forMANRS
• MANRSvaluepropositionforyourcustomersandyourownnetwork
• Creatingatrustedcommunity
• Agroupwithasimilarattitudetowardssecurity
13
IncreasinggravitybymakingMANRSaplatformforrelatedactivities• Developingbetterguidance
• MANRSBestCurrentOperationalPractices(BCOP)document:
http://www.routingmanifesto.org/bcop/
• Training/certificationprogramme
• BasedonBCOPdocumentandanonlinemodule
• Bringingnewtypesofmembersonboard
• IXPs
14
MANRStrainingandcertification
15
• Routingsecurityishard• TheMANRSBCOPwasenvisagedasasimple instructionset• Insteadwehavea50-pagedocumentthatassumes certainlevelofexpertise• Howcanwemakeitmoreaccessible?
• Asetofonlinetrainingmodules• BasedontheMANRSBCOP• Walksastudentthroughthetutorialwithatestattheend• Workingwithandlookingforpartnersthatareinterestedinintegratingitintheircurricula
• Ahands-onlabtoachieveMANRScertification• CompletinganonlinemoduleasafirststepinMANRScertification• Lookingforpartners
MANRSIXPPartnershipProgramme
16
• ThereissynergybetweenMANRSandIXPsinthisarea• IXPsformacommunitywithacommonoperationalobjective• MANRSisareferencepointwithaglobalpresence– usefulforbuildinga“safeneighborhood”
• HowcanIXPscontribute?• Technicalmeasures:RouteServerwithvalidation,alertingonunwantedtraffic,providingdebuggingandmonitoringtools
• Socialmeasures:MANRSambassadorrole,localauditaspartoftheon-boardingprocess• Adevelopmentteamisworkingonasetofusefulactions
Howtosignup
• Gotohttps://www.manrs.org/signup/• Providerequestedinformation
• PleaseprovideasmuchdetailonhowActionsareimplementedaspossible
• Wemayaskquestionsandaskyoutorunafewtests• Routing“backgroundcheck”
• Spoofer https://www.caida.org/projects/spoofer/
• Youranswerto“Whydidyoudecidetojoin?”maybedisplayedinthetestimonials
• Downloadthelogoanduseit
• BecomeanactiveMANRSparticipant
17
Pleasejoinustomakeroutingmoresecure
https://www.manrs.org/signup
18