MANRS IXP Partnership Programme

Presentation on theme: "MANRS IXP Partnership Programme"— Presentation transcript:

1 MANRS IXP Partnership Programme
January 2017

2 Outline
- Quick overview of MANRS IXP Partnership Programme concept
- IXPP Actions and a poll

3 The Problem
- Border Gateway Protocol (BGP) is based entirely on trust
- No built-in validation of the legitimacy of updates
- The chain of trust spans continents
- Lack of reliable resource data

4 No Day Without an Incident

5 What’s Happening?
- IP prefix hijack
  - AS announces prefix it doesn’t originate and wins the ‘best route’ selection
  - AS announces more specific prefix than what may be announced by originating AS
  - AS announces it can route traffic through shorter route, whether it exists or not
  - Packets end up being forwarded to wrong part of Internet
  - Denial-of-Service (DoS), traffic interception, or impersonating network or service
- Route leaks
  - Violation of valley-free routing (e.g. re-announcing transit provider routes to another provider)
  - Usually due to misconfigurations, but can be used for traffic inspection and reconnaissance
  - Can be equally devastating

6 Are there solutions?
- Building blocks - Yes!
  - Prefix and AS-PATH filtering
  - RPKI validator, IRRToolset, IRRPT, BGPQ3
  - BGPSEC is standardized
- But…
  - Lack of deployment
  - Lack of reliable data

7 A Tragedy of the Commons
- From a routing perspective, securing your own network does not necessarily make it more secure.
- Network security is in someone else’s hands.
- The more hands – the better the security
- Is there a clear, visible, and industry-supported line between good and bad?
- A cultural norm?

8 Mutually Agreed Norms for Routing Security
- MANRS defines four concrete actions that network operators should implement
  - Technology-neutral baseline for global adoption
  - A minimum set of requirements
- MANRS builds a visible community of security-minded operators
  - Promotes culture of collective responsibility

9 MANRS Actions
- Filtering – Prevent propagation of incorrect routing information
  - Ensure the correctness of your own announcements and announcements from your customers to adjacent networks with prefix and AS-path granularity
- Anti-spoofing – Prevent traffic with spoofed source IP addresses
  - Enable source address validation for at least single-homed stub customer networks, their own end-users, and infrastructure
- Coordination – Facilitate global operational communication and coordination between network operators
  - Maintain globally accessible up-to-date contact information
- Global Validation – Facilitate validation of routing information on a global scale
  - Publish your data, so others can validate

10

11 MANRS are designed for network operators
How do IXPs fit in?

12 An important question is “What is in MANRS for an IXP?”
- Is routing security important for your community?
  - An opportunity to build a “safe neighborhood”
- Do you need a global reference point?
  - A platform where you can organize related activities
- Are you willing to feed your expertise back to MANRS?
  - Strengthening the global community

13 MANRS IXP Partnership Programme
- There is synergy between MANRS and IXPs in this area
  - IXPs form a community with a common operational objective
  - MANRS is a reference point with a global presence – useful for building a “safe neighborhood”
- How can IXPs contribute?
  - Technical measures: Route Server with validation, sanitized peering fabric, providing debugging and monitoring tools
  - Social measures: MANRS ambassador role, general security awareness and communications

14 Developing focused actions
The criteria for the actions:
- Improve routing resilience and security
- Are useful to the members of the IXP
- Do not set the bar so high that only a few IXPs can join
- Do not set it so low that it makes no difference
- Are concrete and measurable

The current set of actions went through a few iterations based on contributions from IXPs around the globe.

15 Eligibility Criteria
To join, an IXP needs to meet the following criteria: the IXP must demonstrate commitment by implementing a majority of the IXP Programme Actions (at least three out of five). Actions 1 and 2 are mandatory, and the IXP must implement at least one additional Action.

16 Actions

17 Action 1. Facilitate prevention of propagation of incorrect routing information (Mandatory)
The IXP implements filtering of route announcements at the Route Server based on routing information data (IRR and/or RPKI). Based on the outcome of the validation process, the invalid announcements are filtered in accordance with the IXP published policy. IXPs using a Route Server to facilitate multilateral peerings should use it to validate received route announcements from a peer and subsequently filter them to other peers. Special purpose cases, such as research projects, are out of scope for this requirement. Validation is usually done by checking BGP announcements against IRR data (by resolving the AS-SET object) or RPKI data (ROA objects or a validated cache). It is also common to check the announcements against “bogons” or “martians” (IP prefixes as defined in RFC1918, RFC5735, and RFC6598; ASNs in the AS-PATH as defined by RFC5398, RFC6793, RFC6996, RFC7300, RFC7607).
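
The validation described in Action 1, sketched as a Route Server import check. This is an added example, not code from the presentation or from MANRS: the function names, the ROA table and the policy of accepting "not-found" routes are assumptions, and the IRR (AS-SET) check is left out.

```python
import ipaddress

# Bogon prefixes: RFC1918 and RFC6598 ranges plus a subset of RFC5735 (IPv4 only).
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/3")]

# Bogon ASN ranges: AS0 (RFC7607), AS_TRANS (RFC6793), documentation
# (RFC5398), private use (RFC6996), last ASNs (RFC7300).
BOGON_ASNS = [(0, 0), (23456, 23456), (64496, 64511), (64512, 65534),
              (65535, 65535), (65536, 65551),
              (4200000000, 4294967294), (4294967295, 4294967295)]

# Constructed ROA table (prefix, maxLength, origin ASN). The values are
# arbitrary sample data for this example, not real registry data.
ROAS = [(ipaddress.ip_network("185.1.0.0/22"), 24, 51000)]

def is_bogon_asn(asn):
    return any(lo <= asn <= hi for lo, hi in BOGON_ASNS)

def rov_state(prefix, origin, roas=ROAS):
    """RPKI origin validation: 'valid', 'invalid' or 'not-found'."""
    covering = [r for r in roas
                if r[0].version == prefix.version and prefix.subnet_of(r[0])]
    if not covering:
        return "not-found"
    ok = any(asn == origin and prefix.prefixlen <= maxlen
             for _, maxlen, asn in covering)
    return "valid" if ok else "invalid"

def filter_announcement(prefix, as_path):
    """Return (accepted, reason) for one announcement received from a peer."""
    net = ipaddress.ip_network(prefix)
    if not as_path:
        return False, "empty AS-PATH"
    # A bogon entry matches the listed prefix and anything more specific.
    if any(net.version == b.version and net.subnet_of(b) for b in BOGON_PREFIXES):
        return False, "bogon prefix"
    if any(is_bogon_asn(a) for a in as_path):
        return False, "bogon ASN in AS-PATH"
    state = rov_state(net, as_path[-1])  # origin AS is the last in the path
    if state == "invalid":
        return False, "RPKI invalid"
    return True, "RPKI " + state  # assumed policy: not-found is accepted
```

The `/25` and wrong-origin cases correspond to the more-specific and false-origin hijacks on slide 5: both are covered by a ROA but match none, so they come out "invalid" and are dropped before reaching other peers.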

18 Action 2: Promote MANRS to the IXP membership. (Mandatory)
The IXP provides encouragement or assistance for members to implement MANRS actions. There are 4 separate check-boxes for different levels of incentives; one or more must be checked.
- Action 2-1: Offer assistance to its members to maintain accurate routing information in an appropriate repository (IRR and/or RPKI), OR
- Action 2-2: Offer assistance in implementing MANRS ISP Actions for the members, OR
- Action 2-3: Indicate MANRS participation on the member list and the website, OR
- Action 2-4: Provide incentives linked to MANRS readiness

19 Action 3. Protect the peering platform
The IXP has a published policy of traffic not allowed on the peering fabric and performs filtering of such traffic. Commonly, filtering applies to:
- Not allowed Ethernet frame formats
- Not allowed Ethertypes
- Link-local protocols, such as IRDP, ICMP redirects, Discovery protocols (CDP, EDP), VLAN/trunking protocols (VTP, DTP), BOOTP/DHCP, etc.
- Restricted by the MAC port security configuration

While not strictly routing, applying hygiene on Layer 2 can ensure the smooth operation of the platform and contribute to the stability of the IXP infrastructure and routing.

20 Action 4. Facilitate global operational communication and coordination between network operators
The IXP facilitates communication among members by providing necessary mailing lists and member directories. The IXP and each of its members has at least one valid, active address and one phone number that other members can use for cases of abuse, security, and operational incidents. Effective communication among members of an IXP is essential in mitigating network incidents such as misconfigurations, outages, or DoS attacks. Mailing lists or other means of communication and a member directory available to all members of the exchange containing up-to-date contact information play a crucial role.

21 Action 5. Provide monitoring and debugging tools to the members.
The IXP provides a looking glass for its members. A looking glass is an important facility that can help debug routing incidents or anomalies and prevent or shorten potential outages. An IXP should offer a looking glass interface of its Route Server to its members.

22 Participating IXPs
- There are 20 participating IXPs
- Majority of IXPs from Europe
- Only 1 IXP from Africa (RINEX)
- There is a need to increase the number of participating IXPs from Africa.

23 Please join!
- Make your community stronger
- Help improve routing security globally

