Two years of good MANRS - SINOG · Good MANRS • Filtering–Prevent propagation of incorrect...
Internet Society © 1992–2016
https://www.manrs.org/
Two years of good MANRS
Improving Global Routing Security and Resilience
January 2017
Is there a problem?
• Internet routing infrastructure is vulnerable
  • Traffic can be hijacked, blackholed or detoured
  • Traffic can be spoofed
  • Fat-fingers and malicious attacks
• BGP is based on trust
  • No built-in validation of the legitimacy of updates
Are there solutions?
• Yes!
  • Prefix and AS-PATH filtering, RPKI, IRR, …
  • BGPSEC under development at the IETF
  • Whois, Routing Registries and Peering databases
• But…
  • Lack of deployment
  • Lack of reliable data
It is a socio-economic problem – a tragedy of the commons
• From the routing perspective securing one’s own network does not make it more secure. The network security is in someone else’s hands
  • The more hands – the better the security
• Is there a clear, visible and industry supported line between good and bad?
  • A cultural norm
A clearly articulated baseline – a minimum requirement (MCOP)
+
Visible support with commitment
Mutually Agreed Norms for Routing Security (MANRS)
MANRS defines four concrete actions that network operators should implement
• Technology-neutral baseline for global adoption
MANRS builds a visible community of security-minded operators
• Promotes culture of collaborative responsibility
Good MANRS
• Filtering – Prevent propagation of incorrect routing information
  • Own announcements and the customer cone
• Anti-spoofing – Prevent traffic with spoofed source IP addresses
  • Single-homed stub customers and own infra
• Coordination – Facilitate global operational communication and coordination between network operators
  • Up-to-date and responsive public contacts
• Global Validation – Facilitate validation of routing information on a global scale
  • Publish your data, so others can validate
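
The Filtering and Anti-spoofing actions above, as an added example that is not part of the original slides or of any MANRS document: an ingress check that accepts a customer's BGP announcement only when its origin AS and prefix fall inside the registered customer cone, and a source-address check for a single-homed stub customer's port. The `CUSTOMER_CONE` table, the `MAX_LEN` policy and the function names are hypothetical; the prefixes and AS numbers are documentation ranges.

```python
import ipaddress

# Constructed sample data (documentation prefixes and ASNs), standing in for
# what an operator would build from IRR route objects or ROAs.
CUSTOMER_CONE = {
    64500: ["192.0.2.0/24"],                        # single-homed stub customer
    64501: ["198.51.100.0/24", "2001:db8:100::/40"],
}
MAX_LEN = {4: 24, 6: 48}  # assumed policy: longest prefix accepted per family


def _registered(asn):
    """Registered networks for one customer AS (empty if the AS is unknown)."""
    return [ipaddress.ip_network(p) for p in CUSTOMER_CONE.get(asn, [])]


def accept_announcement(prefix, as_path):
    """Filtering: accept a customer route only if its origin AS is in the
    cone and the prefix is covered by that AS's registered address space."""
    net = ipaddress.ip_network(prefix)
    if not as_path or net.prefixlen > MAX_LEN[net.version]:
        return False
    origin = as_path[-1]  # the origin AS is the last element of the AS path
    return any(net.version == reg.version and net.subnet_of(reg)
               for reg in _registered(origin))


def accept_packet(src_ip, customer_asn):
    """Anti-spoofing: on a stub customer's access port, forward only packets
    whose source address belongs to that customer's registered prefixes."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr.version == reg.version and addr in reg
               for reg in _registered(customer_asn))
```
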
MANRS is not (only) a document – it is a commitment
• The members support the Principles and implement the majority of the Actions in their networks.
• A member becomes a Participant of MANRS, helping to maintain and improve the document and to promote MANRS objectives
A growing list of participants
Two years of MANRS
[Chart: MANRS members by # of AS’es; x-axis: 2014, 2015, 2016, 2017 (so far); y-axis: # of AS, 0 to 100]
You may say we’re dreamers…
[Chart: MANRS members by # of AS’es; x-axis: 2014, 2015, 2016, 2017 … ?; y-axis: # of AS, 0 to 8000]
• How to bridge this gap?
Leveraging market forces and peer pressure
• Developing a better “business case” for MANRS
  • MANRS value proposition for your customers and your own network
• Creating a trusted community
  • A group with a similar attitude towards security
Increasing gravity by making MANRS a platform for related activities
• Developing better guidance
  • MANRS Best Current Operational Practices (BCOP) document: http://www.routingmanifesto.org/bcop/
• Training/certification programme
  • Based on BCOP document and an online module
• Bringing new types of members on board
  • IXPs
MANRS training and certification
• Routing security is hard
  • The MANRS BCOP was envisaged as a simple instruction set
  • Instead we have a 50-page document that assumes a certain level of expertise
  • How can we make it more accessible?
• A set of online training modules
  • Based on the MANRS BCOP
  • Walks a student through the tutorial with a test at the end
  • Working with and looking for partners that are interested in integrating it in their curricula
• A hands-on lab to achieve MANRS certification
  • Completing an online module as a first step in MANRS certification
  • Looking for partners
MANRS IXP Partnership Programme
• There is synergy between MANRS and IXPs in this area
  • IXPs form a community with a common operational objective
  • MANRS is a reference point with a global presence – useful for building a “safe neighborhood”
• How can IXPs contribute?
  • Technical measures: Route Server with validation, alerting on unwanted traffic, providing debugging and monitoring tools
  • Social measures: MANRS ambassador role, local audit as part of the on-boarding process
  • A development team is working on a set of useful actions
How to sign up
• Go to https://www.manrs.org/signup/
• Provide requested information
  • Please provide as much detail on how Actions are implemented as possible
• We may ask questions and ask you to run a few tests
  • Routing “background check”
  • Spoofer https://www.caida.org/projects/spoofer/
• Your answer to “Why did you decide to join?” may be displayed in the testimonials
• Download the logo and use it
• Become an active MANRS participant
Please join us to make routing more secure
https://www.manrs.org/signup