MANRS IXP Partnership Programme January 2017 MANRS IXP Partnership Programme https://www.manrs.org/
Outline: Quick overview of MANRS IXP Partnership Programme concept IXPP Actions and a poll
The Problem Border Gateway Protocol (BGP) is based entirely on trust Caption 10/12pt Caption body copy Border Gateway Protocol (BGP) is based entirely on trust No built-in validation of the legitimacy of updates The chain of trust spans continents Lack of reliable resource data
No Day Without an Incident http://bgpstream.com/
What’s Happening? IP prefix hijack Route leaks AS announces prefix it doesn’t originate and wins the ‘best route’ selection AS announces more specific prefix than what may be announced by originating AS AS announces it can route traffic through shorter route, whether it exists or not Packets end up being forwarded to wrong part of Internet Denial-of-Service (DoS), traffic interception, or impersonating network or service Route leaks Violation of valley-free routing (e.g. re-announcing transit provider routes to another provider) Usually due to misconfigurations, but can be used for traffic inspection and reconnaissance Can be equally devastating
Are there solutions? Building blocks - Yes! But… Prefix and AS-PATH filtering RPKI validator, IRRToolset, IRRPT, BGPQ3 BGPSEC is standardized But… Lack of deployment Lack of reliable data
A Tragedy of the Commons From a routing perspective, securing your own network does not necessarily make it more secure. Network security is in someone else’s hands. The more hands – the better the security Is there a clear, visible, and industry- supported line between good and bad? A cultural norm?
Mutually Agreed Norms for Routing Security MANRS defines four concrete actions that network operators should implement Technology-neutral baseline for global adoption A minimum set of requirements MANRS builds a visible community of security-minded operators Promotes culture of collective responsibility
MANRS Actions Filtering – Prevent propagation of incorrect routing information Ensure the correctness of your own announcements and announcements from your customers to adjacent networks with prefix and AS-path granularity Anti-spoofing – Prevent traffic with spoofed source IP addresses Enable source address validation for at least single-homed stub customer networks, their own end-users, and infrastructure Coordination – Facilitate global operational communication and coordination between network operators Maintain globally accessible up-to-date contact information Global Validation – Facilitate validation of routing information on a global scale Publish your data, so others can validate
https://www.manrs.org
MANRS are designed for network operators How do IXPs fit in?
An important question is “What is in MANRS for an IXP?” Is routing security important for your community? An opportunity to build a “safe neighborhood” Do you need a global reference point? a platform, where you can organize related activities Are you willing to feed your expertise back to MANRS? Strengthening the global community
MANRS IXP Partnership Programme There is synergy between MANRS and IXPs in this area IXPs form a community with a common operational objective MANRS is a reference point with a global presence – useful for building a “safe neighborhood” How can IXPs contribute? Technical measures: Route Server with validation, sanitized peering fabric, providing debugging and monitoring tools Social measures: MANRS ambassador role, general security awareness and communications
Developing focused actions The criteria Improve routing resilience and security Are useful to the members of the IXP Do not set the bar too high, so that only few IXPs can join Do not set it too low, so it makes no difference Make them concrete and measurable The current set of actions went through a few iterations based on contributions from IXPs around the globe
Eligibility Criteria To join an IXP needs to meet the following criteria an IXP must demonstrate commitment by implementing a majority of the IXP Programme Actions (at least three out of five). Actions 1 and 2 are mandatory, and the IXP must implement at least one additional Action.
Actions
Action 1. Facilitate prevention of propagation of incorrect routing information (Mandatory) The IXP implements filtering of route announcements at the Route Server based on routing information data (IRR and/or RPKI). Based on the outcome of the validation process, the invalid announcements are filtered in accordance with the IXP published policy. IXPs using a Route Server to facilitate multilateral peerings should use it to validate received route announcements from a peer and subsequently filter them to other peers. Special purpose cases, such as research projects, are out of scope for this requirement. Validation is usually done by checking BGP announcements against IRR data (by resolving the AS-SET object) or RPKI data (ROA objects or a validated cache). It is also common to check the announcements against “bogons” or “martians” (IP prefixes as defined in RFC1918, RFC5735, and RFC6598; ASNs in the AS-PATH as defined by RFC5398, RFC6793, RFC6996, RFC7300, RFC7607).
Action 2: Promote MANRS to the IXP membership. (Mandatory) The IXP provides encouragement or assistance for members to implement MANRS actions. There are 4 separate check-boxes for different levels of incentives; one or more must be checked. Action 2-1: Offer assistance to its members to maintain accurate routing information in an appropriate repository (IRR and/or RPKI), OR Action 2-2: Offer assistance in implementing MANRS ISP Actions for the members, OR Action 2-3: Indicate MANRS participation on the member list and the website, OR Action 2-4: Provide incentives linked to MANRS readiness
Action 3. Protect the peering platform The IXP has a published policy of traffic not allowed on the peering fabric and performs filtering of such traffic. Commonly, filtering applies to: Not allowed Ethernet frame formats Not allowed Ethertypes Link-local protocols, such as IRDP, ICMP redirects, Discovery protocols (CDP, EDP), VLAN/trunking protocols (VTP, DTP), BOOTP/DHCP, etc. Restricted by the MAC port security configuration While not strictly routing, applying hygiene on Layer 2 can ensure the smooth operation of the platform and contribute to the stability of the IXP infrastructure and routing.
Action 4. Facilitate global operational communication and coordination between network operators The IXP facilitates communication among members by providing necessary mailing lists and member directories. The IXP and each of its members has at least one valid, active email address and one phone number that other members can use for cases of abuse, security, and operational incidents. Effective communication among members of an IXP is essential in mitigating network incidents such as misconfigurations, outages, or DoS attacks. Mailing lists or other means of communication and a member directory available to all members of the exchange containing up-to-date contact information play a crucial role.
Action 5. Provide monitoring and debugging tools to the members. The IXP provides a looking glass for its members. A looking glass is an important facility that can help debug routing incidents or anomalies and prevent or shorten potential outages. An IXP should offer a looking glass interface of its Route Server to its members.
Participating IXPs There are 20 participating IXPs Majority of IXPs from Europe Only 1 IXP from Africa (RINEX) There is a need to increase the number of participating IXPs from Africa.
Make your community stronger Help improving routing security globally Please join! Make your community stronger Help improving routing security globally https://www.manrs.org/participants/ixp/ https://www.manrs.org