Two years of good MANRS - SINOG

Post on 15-Aug-2020


Internet Society © 1992–2016

https://www.manrs.org/

Two years of good MANRS

Improving Global Routing Security and Resilience

January 2017

Is there a problem?

• Internet routing infrastructure is vulnerable
  • Traffic can be hijacked, blackholed or detoured
  • Traffic can be spoofed
  • Fat-fingers and malicious attacks
• BGP is based on trust
  • No built-in validation of the legitimacy of updates

Are there solutions?

• Yes!
  • Prefix and AS-PATH filtering, RPKI, IRR, …
  • BGPSEC under development at the IETF
  • Whois, Routing Registries and Peering databases
• But…
  • Lack of deployment
  • Lack of reliable data

It is a socio-economic problem – a tragedy of the commons

• From the routing perspective securing one’s own network does not make it more secure. The network security is in someone else’s hands
• The more hands – the better the security
• Is there a clear, visible and industry supported line between good and bad?
• A cultural norm

A clearly articulated baseline – a minimum requirement (MCOP)

+

Visible support with commitment

Mutually Agreed Norms for Routing Security (MANRS)

MANRS defines four concrete actions that network operators should implement

• Technology-neutral baseline for global adoption

MANRS builds a visible community of security-minded operators

• Promotes culture of collaborative responsibility

Good MANRS

• Filtering – Prevent propagation of incorrect routing information
  • Own announcements and the customer cone
• Anti-spoofing – Prevent traffic with spoofed source IP addresses
  • Single-homed stub customers and own infra
• Coordination – Facilitate global operational communication and coordination between network operators
  • Up-to-date and responsive public contacts
• Global Validation – Facilitate validation of routing information on a global scale
  • Publish your data, so others can validate
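
The Filtering and Anti-spoofing actions above, sketched as an added example (not part of the original slides or of MANRS material): one registered-prefix list for the customer cone drives both the route filter and the source-address check. The function names, ASNs, prefixes and the maximum-prefix-length policy are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data (documentation prefixes, private-use ASNs).
# Assumed shape: origin ASN -> prefixes registered for it, e.g. from IRR route objects.
CUSTOMER_CONE = {
    64500: ["192.0.2.0/24", "2001:db8:100::/40"],
    64501: ["198.51.100.0/24"],
}
# Assumed local policy: longest prefix accepted per IP version.
MAX_LEN = {4: 24, 6: 48}


def _registered(asn):
    """Return the registered prefixes of one ASN as network objects."""
    return [ipaddress.ip_network(p) for p in CUSTOMER_CONE.get(asn, [])]


def accept_announcement(prefix, as_path):
    """Filtering: accept a customer route only if its origin AS is in the
    cone and the prefix is covered by a prefix registered for that origin."""
    net = ipaddress.ip_network(prefix)
    if not as_path or net.prefixlen > MAX_LEN[net.version]:
        return False  # empty path or too-specific prefix
    origin = as_path[-1]  # the origin AS is the last element of the AS path
    return any(
        net.version == reg.version and net.subnet_of(reg)
        for reg in _registered(origin)
    )


def accept_source(src_ip, customer_asn):
    """Anti-spoofing: accept a packet from a single-homed stub customer only
    if its source address lies inside that customer's registered prefixes."""
    addr = ipaddress.ip_address(src_ip)
    return any(
        addr.version == reg.version and addr in reg
        for reg in _registered(customer_asn)
    )
```

A route for 198.51.100.0/24 originated by AS64500 is rejected here even though the prefix is in the cone, because it is registered to a different origin; this is the fat-finger and hijack case the filter is meant to stop.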


MANRS is not (only) a document – it is a commitment

• The members support the Principles and implement the majority of the Actions in their networks.
• A member becomes a Participant of MANRS, helping to maintain and improve the document and to promote MANRS objectives

A growing list of participants

Two years of MANRS

[Chart: # of AS by year: 2014, 2015, 2016, 2017 (so far)]

You may say we’re dreamers…

[Chart: MANRS members by # of AS’es, by year: 2014, 2015, 2016, 2017 . . . ?]

MANRS members by # of AS’es

• How to bridge this gap?

Leveraging market forces and peer pressure

• Developing a better “business case” for MANRS
• MANRS value proposition for your customers and your own network
• Creating a trusted community
• A group with a similar attitude towards security

Increasing gravity by making MANRS a platform for related activities

• Developing better guidance
• MANRS Best Current Operational Practices (BCOP) document: http://www.routingmanifesto.org/bcop/
• Training/certification programme
• Based on BCOP document and an online module
• Bringing new types of members on board
• IXPs

MANRS training and certification

• Routing security is hard
• The MANRS BCOP was envisaged as a simple instruction set
• Instead we have a 50-page document that assumes a certain level of expertise
• How can we make it more accessible?

• A set of online training modules
• Based on the MANRS BCOP
• Walks a student through the tutorial with a test at the end
• Working with and looking for partners that are interested in integrating it in their curricula

• A hands-on lab to achieve MANRS certification
• Completing an online module as a first step in MANRS certification
• Looking for partners

MANRS IXP Partnership Programme

• There is synergy between MANRS and IXPs in this area
• IXPs form a community with a common operational objective
• MANRS is a reference point with a global presence – useful for building a “safe neighborhood”

• How can IXPs contribute?
• Technical measures: Route Server with validation, alerting on unwanted traffic, providing debugging and monitoring tools
• Social measures: MANRS ambassador role, local audit as part of the on-boarding process
• A development team is working on a set of useful actions

How to sign up

• Go to https://www.manrs.org/signup/
• Provide requested information
• Please provide as much detail on how Actions are implemented as possible
• We may ask questions and ask you to run a few tests
• Routing “background check”
• Spoofer https://www.caida.org/projects/spoofer/
• Your answer to “Why did you decide to join?” may be displayed in the testimonials
• Download the logo and use it
• Become an active MANRS participant

Please join us to make routing more secure

https://www.manrs.org/signup
