Improving global routing security and resilience


Improving global routing security and resilience
MANRS, March 2018
Michuki Mwangi, mwangi@isoc.org

Internet routing: what is the problem?
- Internet routing infrastructure is vulnerable
- Traffic can be hijacked, blackholed or detoured
- Traffic can be spoofed
- Fat-fingers and malicious attacks
- BGP is based on trust: no built-in validation of the legitimacy of updates

Plenty of evidence: https://bgpstream.com/

Not a day without an incident (data source: http://bgpstream.com/)
- 388 incidents [December 2017 – January 2018]
- BGP leaks: 226
- BGP hijacks (possible): 162

What’s behind these incidents?
- IP prefix hijack
  - An AS announces a prefix it doesn’t originate
  - An AS announces a more specific prefix than what may be announced by the originating AS
  - Packets end up being forwarded to a wrong part of the Internet
  - Denial-of-service, traffic interception, or impersonating a network or service
- Route leaks
  - Similar to prefix hijacking
  - Usually not malicious and due to misconfigurations
  - But may also aid traffic inspection and reconnaissance
- IP address spoofing
  - Creation of IP packets with a false source address
  - The root cause of reflection DDoS attacks

Are there solutions? Yes! But…
- Prefix and AS-PATH filtering, RPKI, …
- BGPSEC under development at the IETF
- Whois, routing registries and peering databases
But…
- Lack of deployment
- Lack of reliable data
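The RPKI route origin validation named on this slide, as an added example that is not code from the presentation or from MANRS: a small Python implementation of the RFC 6811 classification (valid / invalid / not-found), run over constructed ROAs and announcements so that the two hijack shapes from the previous slide (wrong origin AS, and a more-specific prefix beyond what the origin is authorised to announce) each come out as "invalid". The ROAs, ASNs (RFC 5398 documentation range) and prefixes (RFC 5737/3849 documentation space) are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    """A Route Origin Authorization: origin_as may announce `prefix` and
    more-specifics of it down to `max_length`. Values here are constructed."""
    prefix: str
    max_length: int
    origin_as: int


# Constructed ROAs (documentation prefixes and ASNs, not real registry data)
ROAS = [
    Roa("198.51.100.0/24", 25, 64496),
    Roa("2001:db8::/32", 48, 64496),
]


def route_origin_validation(prefix, origin_as, roas=ROAS):
    """RFC 6811 style ROV. Returns (state, reason) with state in
    {'valid', 'invalid', 'not-found'}."""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # subnet_of() raises on mixed address families, so compare versions first
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found", "no ROA covers this prefix"
    for roa in covering:
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return "valid", f"matches ROA {roa.prefix}-{roa.max_length} AS{roa.origin_as}"
    # Covered by at least one ROA but no match: tell the two hijack shapes apart
    if any(roa.origin_as == origin_as for roa in covering):
        return "invalid", "origin is authorised but the prefix is more specific than max_length"
    return "invalid", "prefix is covered by a ROA for a different origin AS"


def validate_announcements(announcements, roas=ROAS):
    """announcements: iterable of (prefix, origin_as). Returns {(prefix, asn): state}."""
    return {(p, asn): route_origin_validation(p, asn, roas)[0] for p, asn in announcements}


# Constructed sample of observed announcements
SAMPLE = [
    ("198.51.100.0/24", 64496),    # legitimate
    ("198.51.100.0/25", 64496),    # legitimate more-specific, within max_length
    ("198.51.100.128/26", 64496),  # authorised origin but too specific -> invalid
    ("198.51.100.0/24", 64497),    # wrong origin -> invalid (classic origin hijack)
    ("198.51.100.0/25", 64497),    # more-specific from a wrong origin -> invalid
    ("203.0.113.0/24", 64498),     # no ROA at all -> not-found
    ("2001:db8:1::/48", 64496),    # IPv6, within max_length -> valid
]

if __name__ == "__main__":
    for prefix, asn in SAMPLE:
        state, why = route_origin_validation(prefix, asn)
        print(f"{prefix:20} AS{asn}: {state:9} ({why})")
```

Note that "not-found" is the common case on today's Internet, which is why a router policy usually only drops "invalid" routes and lets "not-found" through; that is the "lack of deployment" problem the slide refers to.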

Mutually Agreed Norms for Routing Security (MANRS)
- MANRS defines four concrete actions that network operators should implement
- Technology-neutral baseline for global adoption
- MANRS builds a visible community of security-minded operators
- Promotes a culture of collaborative responsibility

Good MANRS
- Filtering: prevent propagation of incorrect routing information
  - Own announcements and the customer cone
  - e.g. ensures correctness of their own announcements and announcements from their customers to adjacent networks with prefix and AS-path granularity
- Anti-spoofing: prevent traffic with spoofed source IP addresses
  - Single-homed stub customers and own infrastructure
  - e.g. enables source address validation for at least single-homed stub customer networks, their own end-users and infrastructure
- Coordination: facilitate global operational communication and coordination between network operators
  - Up-to-date and responsive public contacts
  - e.g. maintain globally accessible up-to-date contact information
- Global validation: facilitate validation of routing information on a global scale
  - Publish your data, so others can validate
Limited scope: the MANRS use case is the network and its topology.
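The Filtering action above ("prefix and AS-path granularity" on announcements from the customer cone), as an added example that is not code from the presentation or from MANRS: a Python policy check that accepts a customer's BGP update only if the prefix is registered for that customer's cone, is no longer than the operator's maximum, the path starts with the neighbour's own ASN, and every ASN in the AS_PATH belongs to the cone (a foreign ASN in the path is the usual signature of a route leak). The customer cone, its ASNs (RFC 5398 documentation range) and prefixes (RFC 5737/3849 documentation space) are constructed for the example; in practice the cone comes from the IRR or RPKI data the Global Validation action asks operators to publish.

```python
import ipaddress

# Constructed customer cone for a hypothetical direct customer AS64496 that in turn
# provides transit to AS64497 (documentation ASNs and prefixes, not real data)
CUSTOMER_CONE = {
    "customer_asn": 64496,
    "asns": {64496, 64497},
    "prefixes": ["198.51.100.0/24", "203.0.113.0/24", "2001:db8::/32"],
}
# Longest prefix accepted from a customer, per address family (a common operator choice)
MAX_PREFIX_LENGTH = {4: 24, 6: 48}


def check_customer_announcement(prefix, as_path, cone=CUSTOMER_CONE):
    """Decide whether to accept a BGP update received from a customer.

    as_path is the AS_PATH as a list of ints: first element is the neighbour that
    sent the update, last element is the origin AS. Returns (accept, reason)."""
    net = ipaddress.ip_network(prefix, strict=False)
    limit = MAX_PREFIX_LENGTH[net.version]
    if net.prefixlen > limit:
        return False, f"prefix longer than /{limit}"
    registered = [ipaddress.ip_network(p) for p in cone["prefixes"]]
    if not any(r.version == net.version and net.subnet_of(r) for r in registered):
        return False, "prefix not registered in the customer cone"
    if not as_path:
        return False, "empty AS_PATH"
    if as_path[0] != cone["customer_asn"]:
        return False, f"first AS in path is AS{as_path[0]}, not the customer AS{cone['customer_asn']}"
    # Prepending repeats a cone ASN, which the set difference tolerates; any ASN
    # that is not in the cone means the customer is re-announcing someone else's route
    foreign = sorted(set(as_path) - cone["asns"])
    if foreign:
        return False, "AS_PATH contains ASN(s) outside the cone: " + ", ".join(f"AS{a}" for a in foreign)
    return True, "prefix and AS_PATH inside the customer cone"


def filter_updates(updates, cone=CUSTOMER_CONE):
    """Apply the check to a batch; returns the (prefix, as_path) pairs that pass."""
    return [(p, path) for p, path in updates if check_customer_announcement(p, path, cone)[0]]


# Constructed sample of updates received from the customer session
SAMPLE_UPDATES = [
    ("198.51.100.0/24", [64496]),                 # accept
    ("203.0.113.0/24", [64496, 64497]),           # accept: downstream of the customer
    ("2001:db8:1::/48", [64496, 64496, 64497]),   # accept: prepending, all ASNs in cone
    ("198.51.100.0/25", [64496]),                 # reject: more specific than /24
    ("192.0.2.0/24", [64496]),                    # reject: not a cone prefix
    ("203.0.113.0/24", [64496, 64511]),           # reject: origin outside the cone (leak)
    ("203.0.113.0/24", [64497]),                  # reject: neighbour ASN not first in path
]

if __name__ == "__main__":
    for prefix, path in SAMPLE_UPDATES:
        accept, why = check_customer_announcement(prefix, path)
        print(f"{'ACCEPT' if accept else 'REJECT':6} {prefix:18} {path}: {why}")
```

The same two dimensions (which prefixes, which ASNs) map directly onto the prefix-list and AS-path access-list a router applies inbound on the customer session; the point of the example is that both lists are needed, since a prefix filter alone does not catch a cone prefix arriving with a leaked path.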

Growth so far… (chart: MANRS members by number of ASes)

Increasing gravity by making MANRS a platform for related activities
- Developing better guidance: MANRS Best Current Operational Practices (BCOP) document, http://www.routingmanifesto.org/bcop/
- Training/certification programme, based on the BCOP document and an online module: http://www.manrs.org/tutorials/
- Bringing new types of members on board: IXPs

Resource Statistics

AfriNIC IPv4 Allocations (from 2000 onwards)

Total prefixes as at Dec 2017
- IPv4 (/24): 415,746
- IPv6 (/32): 729
- ASN: 1,534

AfriNIC Region Analysis Summary – March 2018
Prefixes being announced by AfriNIC Region ASes:                    18476
Total AfriNIC prefixes after maximum aggregation:                    4005
AfriNIC deaggregation factor:                                        4.61
Prefixes being announced from the AfriNIC address blocks:           20777
Unique aggregates announced from the AfriNIC address blocks:         7466
AfriNIC Region origin ASes present in the Internet Routing Table:    1123
AfriNIC prefixes per ASN:                                           18.50
AfriNIC Region origin ASes announcing only one prefix:                365
AfriNIC Region transit ASes present in the Internet Routing Table:    227
Average AfriNIC Region AS path length visible:                        4.6
Max AfriNIC Region AS path length visible:                             21
Number of AfriNIC region 32-bit ASNs visible in the Routing Table:    398
Number of AfriNIC addresses announced to Internet:               95974144
  Equivalent to 5 /8s, 184 /16s and 115 /24s
AfriNIC AS blocks:      36864-37887, 327680-328703 & ERX transfers
AfriNIC address blocks: 41/8, 102/8, 105/8, 154/8, 196/8, 197/8,

RPKI Validation Comparison

Bogus Prefixes/ASN from Africa

Possible Bogus Prefixes (prefix, origin AS, AS description, unallocated block)
14.128.14.0/23    AS10247   NETLINE, ZA   14.128.12.0 - 14.128.15.255
14.192.50.0/23                            14.192.48.0 - 14.192.51.255
14.192.58.0/23                            14.192.56.0 - 14.192.59.255
27.100.7.0/24     AS56096                 27.100.4.0 - 27.100.7.255
36.255.250.0/23                           36.255.248.0 - 36.255.251.255

Possible Bogus ASNs (ASN, announced by, AS description; blank cells as in the original)
AS36886   AS9129   KE-NET2000, ZA
AS37061   Safaricom, KE
AS37265
AS37179   AFRICAINX, ZA
AS37330
AS37500
AS37451   CongoTelecom, CG
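The check behind the "Possible Bogus Prefixes" table, as an added example that is not code from the presentation: a Python script that turns the unallocated ranges listed on this slide into the CIDR blocks a deny prefix-list needs, then reports for each announcement whether it falls in unallocated space, whether its origin ASN is inside the AfriNIC AS blocks from the region-analysis slide, and whether the prefix is inside the AfriNIC address blocks. The ranges and blocks are copied from the two slides (a March 2018 snapshot, so a live filter would fetch current IANA/RIR data instead); the control row using 192.0.2.0/24 and AS36864 is constructed.

```python
import ipaddress

# Unallocated blocks as listed on the "Possible Bogus Prefixes" slide (March 2018 snapshot;
# a production filter would pull the current list from IANA / the RIRs instead)
UNALLOCATED_RANGES = [
    ("14.128.12.0", "14.128.15.255"),
    ("14.192.48.0", "14.192.51.255"),
    ("14.192.56.0", "14.192.59.255"),
    ("27.100.4.0", "27.100.7.255"),
    ("36.255.248.0", "36.255.251.255"),
]
# AfriNIC AS and address blocks as given on the region-analysis slide (ERX transfers not included)
AFRINIC_AS_BLOCKS = [(36864, 37887), (327680, 328703)]
AFRINIC_ADDRESS_BLOCKS = ["41.0.0.0/8", "102.0.0.0/8", "105.0.0.0/8",
                          "154.0.0.0/8", "196.0.0.0/8", "197.0.0.0/8"]


def ranges_to_prefixes(ranges):
    """Convert first/last address pairs into the CIDR blocks a deny prefix-list needs."""
    prefixes = []
    for first, last in ranges:
        span = ipaddress.summarize_address_range(ipaddress.ip_address(first),
                                                 ipaddress.ip_address(last))
        prefixes.extend(str(n) for n in span)
    return prefixes


UNALLOCATED_PREFIXES = ranges_to_prefixes(UNALLOCATED_RANGES)


def covering_block(prefix, blocks):
    """Return the first block in `blocks` that contains `prefix`, or None."""
    net = ipaddress.ip_network(prefix, strict=False)
    for b in blocks:
        block = ipaddress.ip_network(b)
        if block.version == net.version and net.subnet_of(block):
            return str(block)
    return None


def in_as_blocks(asn, blocks=AFRINIC_AS_BLOCKS):
    """True if asn lies in one of the (low, high) inclusive ranges."""
    return any(lo <= asn <= hi for lo, hi in blocks)


def classify(prefix, origin_as):
    """The three facts the slide's table is built from, for one announcement."""
    return {
        "unallocated_block": covering_block(prefix, UNALLOCATED_PREFIXES),
        "origin_in_afrinic_as_blocks": in_as_blocks(origin_as),
        "prefix_in_afrinic_address_blocks": covering_block(prefix, AFRINIC_ADDRESS_BLOCKS) is not None,
    }


def bogus_prefixes(announcements):
    """Prefixes from (prefix, origin_as) pairs that fall inside unallocated space."""
    return [p for p, asn in announcements if classify(p, asn)["unallocated_block"]]


# Two rows from the slide plus one constructed control row: 192.0.2.0/24 is RFC 5737
# documentation space and AS36864 is simply the first number of the AfriNIC AS block
SAMPLE = [
    ("14.128.14.0/23", 10247),
    ("27.100.7.0/24", 56096),
    ("192.0.2.0/24", 36864),
]

if __name__ == "__main__":
    print("deny prefix-list:", UNALLOCATED_PREFIXES)
    for prefix, asn in SAMPLE:
        print(prefix, f"AS{asn}", classify(prefix, asn))
```

An origin ASN outside the regional AS blocks is not by itself a finding (the slide notes ERX transfers, and NETLINE's AS10247 predates the AfriNIC block), which is why the report keeps the three facts separate rather than collapsing them into a single "bogus" verdict; only the unallocated-space hit is a filtering decision.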

Spoofer results for Ghana and Côte d’Ivoire: https://spoofer.caida.org/recent_tests.php?sid=425560&as_include=&country_include=gha%2Cciv&no_block=1

Conclusion

Please join us to make routing more secure
- Go to https://www.manrs.org/signup/
- Provide the requested information
  - Please provide as much detail on how the Actions are implemented as possible
- We may ask questions and ask you to run a few tests
  - Routing “background check”
  - Spoofer: https://www.caida.org/projects/spoofer/
- Your answer to “Why did you decide to join?” may be displayed in the testimonials
- Download the logo and use it
- Become an active MANRS participant

Questions?
Feel free to contact us if you are interested and want to learn more: http://www.routingmanifesto.org/contact/
Mail: routingmanifesto@isoc.org
Looking forward to your sign-ups: http://www.routingmanifesto.org/signup/