Validating MANRS of a network

Slides:

Advertisements

Similar presentations

Chapter 9: Access Control Lists

Advertisements

Technical Aspects of Peering Session 4. Overview Peering checklist/requirements Peering step by step Peering arrangements and options Exercises.

BGP Multiple Origin AS (MOAS) Conflict Analysis Xiaoliang Zhao, NCSU S. Felix Wu, UC Davis Allison Mankin, Dan Massey, USC/ISI Dan Pei, Lan Wang, Lixia.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Access Control Lists Accessing the WAN – Chapter 5.

Best Practices for ISPs

An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.

WXES2106 Network Technology Semester /2005 Chapter 10 Access Control Lists CCNA2: Module 11.

1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background –" Detection of Invalid Routing Announcement in the Internet" –Open Discussions Thursday.

© 2009 Cisco Systems, Inc. All rights reserved. ROUTE v1.0—4-1 Implement an IPv4-Based Redistribution Solution Assessing Network Routing Performance and.

Implementing Standard and Extended Access Control List (ACL) in Cisco Routers.

© 2007 Cisco Systems, Inc. All rights reserved.ICND2 v1.0—7-1 Address Space Management Scaling the Network with NAT and PAT.

Scaling IXPs Scalable Infrastructure Workshop. Objectives  To explain scaling options within the IXP  To introduce the Internet Routing Registry at.

Objectives Configure routing in Windows Server 2008 Configure Network Address Translation 1.

© 2009 Cisco Systems, Inc. All rights reserved. ROUTE v1.0—6-1 Connecting an Enterprise Network to an ISP Network BGP Attributes and Path Selection Process.

TCP/SYN Attack – use ACL to allow traffic from TCP connections that were established from the internal network and block packets from an external network.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Access Control Lists Routing & Switching.

Access Control List ACL. Access Control List ACL.

APNIC Internet Routing Registry An introduction to the IRR TWNIC Meeting, 3 December 2003 Nurani Nimpuno, APNIC.

RIPE NCC IRR training 4 February 2011 Zurich, Switzerland IPv6 Golden Networks Jeroen Massar Things to watch.

Access-Lists Securing Your Router and Protecting Your Network.

Chapter 5: Implementing Intrusion Prevention

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Filtering Traffic Using Access Control Lists Introducing Routing and Switching.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Access Control Lists Accessing the WAN – Chapter 5.

Saeed Darvish Pazoki – MCSE, CCNA Abstracted From: Cisco Press – ICND 2 – 6 IP Access Lists 1.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

A Firewall for Routers: Protecting Against Routing Misbehavior1 June 26, A Firewall for Routers: Protecting Against Routing Misbehavior Jia Wang.

Verify that timestamps for debugging and logging messages has been enabled. Verify the severity level of events that are being captured. Verify that the.

Chapter 9: Implementing the Cisco Adaptive Security Appliance

How can we work together to improve security and resilience of the global routing system? Andrei Robachevsky.

Filtering Spoofed Packets Network Ingress Filtering (BCP 38) What are spoofed or forged packets? Why are they bad? How to keep them out.

© 2005 Cisco Systems, Inc. All rights reserved. BGP v3.2—6-1 Scaling Service Provider Networks Scaling IGP and BGP in Service Provider Networks.

Route Selection Using Policy Controls

Role of Router. The Router as a Perimeter Device  Usually the main function of a router is considered as the forwarding of packets between two network.

A BCOP document: Implementing MANRS Job Snijders (NTT) Andrei Robachevsky (ISOC)

1 Internet Society Collaborative Security & MANRS ENOG 10 – 14 October 2015, Odessa Maarit Palovirta

BGP Validation Russ White Rule11.us.

25/09/ Firewall, IDS & IPS basics. Summary Firewalls Intrusion detection system Intrusion prevention system.

Instructor Materials Chapter 7: EIGRP Tuning and Troubleshooting

Chapter 1 Computer Technology: Your Need to Know

Connecting an Enterprise Network to an ISP Network

Instructor Materials Chapter 7: Access Control Lists

Routing and Routing Protocols: Routing Static

Goals of soBGP Verify the origin of advertisements

Firewall – Survey Purpose of a Firewall Characteristic of a firewall

Filtering Spoofed Packets

BGP supplement Abhigyan Sharma.

CCNA 2 v3.1 Module 6 Routing and Routing Protocols

Chapter 3: Dynamic Routing

Chapter 3: Dynamic Routing

Routing and Switching Essentials v6.0

Routing and Routing Protocols: Routing Static

Chapter 3: Dynamic Routing

Chapter 4: Access Control Lists

Access Control Lists CCNA 2 v3 – Module 11

Working together to improve routing security for all

MANRS IXP Partnership Programme

Measuring routing (in)security

Propuestas Concepción 2018

Chapter 7: EIGRP Tuning and Troubleshooting

Scaling Service Provider Networks

MANRS for IXPs Why we did it? What did we do?

BGP Multiple Origin AS (MOAS) Conflict Analysis

CIT 384: Network Administration

COS 561: Advanced Computer Networks

Improving global routing security and resilience

Peering Security DKNOG, March 14-15, 2019 Susan Forney and Walt Wollny

FIRST How can MANRS actions prevent incidents .

MANRS Implementation Guides

Amreesh Phokeer Research Manager AfPIF-10, Mauritius

Presentation transcript:

Validating MANRS of a network Andrei Robachevsky robachevsky@isoc.org

Mutually Agreed Norms for Routing Security MANRS provides baseline recommendations in the form of Actions Distilled from common behaviors – BCPs, optimized for low cost and low risk of deployment With high potential of becoming norms MANRS builds a visible community of security minded operators Social acceptance and peer pressure

MANRS for Network operators Filtering Prevent propagation of incorrect routing information Ensure the correctness of your own announcements and announcements from your customers to adjacent networks with prefix and AS-path granularity Anti-spoofing Prevent traffic with spoofed source IP addresses Enable source address validation for at least single-homed stub customer networks, their own end-users, and infrastructure Coordination Facilitate global operational communication and coordination between network operators Maintain globally accessible up-to-date contact information in common routing databases Global Validation Facilitate validation of routing information on a global scale Publish your data, so others can validate

Commitment, transparency and credibility Inform and improve MANRS participants about their degree of commitment Establish measurable indicators of MANRS readiness Publish through the MANRS Observatory (https://observatory.manrs.org/) MANRS Observatory provides a view from the outside (with its limitations), but how does the network really looks for the inside? Create a local auditing tool. It will automate parsing router configurations to detect a wide range of common configuration issues Help network engineers secure their eBGP speaking routers, implement MANRS actions to prevent spoofed traffic, secure BGP route policy and help validate global routesWhile Potentially use this as a complementary indicator for MANRS readiness when evaluating an application

Project vision A locally run tool for auditing BGP and anti-spoofing configurations on various platforms Tool will take in a configuration file and output a report showing how well the router did against the pre-defined rules MANRS is a first candidate, but there may be other sets Audit configs from different vendors/OSes

What kind of checks? Action 1 – Filtering Action 2 – Anti-spoofing Are inbound routing advertisements from customers and peers secured by applying prefix- level filters? Is the router configured to connect to a RPKI-to-Router interface for ROA validation? Is the router configured to drop RPKI invalids? Action 2 – Anti-spoofing Is uRPF strict mode enabled on interfaces connected to customers? Are there ACLs applied to stub customers to prevent them from sending spoofed traffic?

More difficult kind of checks Action 1 – Filtering Are prefix-level filters dynamically applied from IRR entries? Do prefix filters match the customer cone? Action 2 – Anti-spoofing Are the ACLs correctly match customer’s network blocks?

Prototype Implementation Developed as part of a hackathon at Charter Communications Robot Framework based automatic router configuration analyzer Use of a single, high level, cross-platform tool makes it more accessible to a broad range of users Produces graphical/web based reports to make it easier to understand and act on the results Extensible w/Python for more complex analysis if needed

Sample output Screenshot courtesy Rich Compton and Pratik Lotia

Reports Screenshot courtesy Rich Compton and Pratik Lotia

From a prototype to a tool Beta-test the prototype. Verify that the results that the tool is outputting are results that people can actually use and will help them Verify that people would actually use this tool. If not, then it's not worth putting in time to work on it. I'm not sure how we can verify this. Maybe a survey? Increase the platforms supported by the tool. Populate a “library” of configurations: what is the priority – MikroTik, Cisco IOS, Huawei? Share the tool with others to encourage them to use it.

Would like to contribute? Could this be useful? Would like to contribute? manrs@isoc.org