MANRS: Mutually Agreed Norms for Routing Security Routing is at Risk Let s secure it together!

Size: px

Start display at page:

Download "MANRS: Mutually Agreed Norms for Routing Security Routing is at Risk Let s secure it together!"

Charlotte Young
5 years ago
Views:

1 15 October 2018 Internet2 Technology Exchange MANRS: Mutually Agreed Norms for Routing Security Routing is at Risk Let s secure it together! Kevin Meynell Manager, Technical & Operational Engagement meynell@isoc.org Presentation title Client name Internet Society

2 How big is the problem? Some Facts & Figures 2

3 Routing Incidents Cause Real World Problems Event Explanation Repercussions Example Prefix/Route Hijacking A network operator or attacker impersonates another network operator, pretending that a server or network is their client. Packets are forwarded to the wrong place, and can cause Denial of Service (DoS) attacks or traffic interception. The 2008 YouTube hijack April 2018 Amazon Route 53 hijack Route Leak A network operator with multiple upstream providers (often due to accidental misconfiguration) announces to one upstream provider that is has a route to a destination through the other upstream provider. Can be used for a MITM, including traffic inspection, modification and reconnaissance. September VolumeDrive began announcing to Atrato nearly all the BGP routes it learned from Cogent causing disruptions to traffic in places as far-flung from the USA as Pakistan and Bulgaria. IP Address Spoofing Someone creates IP packets with a false source IP address to hide the identity of the sender or to impersonate another computing system. The root cause of reflection DDoS attacks March 1, Memcached 1.3Tb/s reflectionamplificationattack reported by Akamai 3

4 The routing system is constantly under attack 13,935 total incidents (either outages or attacks like route leaks and hijacks) Five months of routing incidents (2018) Over 10% of all Autonomous Systems on the Internet were affected 3,106 Autonomous Systems were a victim of at least one routing incident 1576, 30% 1,546 networks were responsible for 5304 routing incidents 547 networks were responsible for 1576 routing incidents 3668, 70% Source: Outage Routing incident 4

5 No Day Without an Incident 6 month of suspicious activity Hijack Leak /1/17 2/1/17 3/1/17 4/1/17 5/1/17 6/1/17 7/1/17 8/1/17 5

6 Outages 2017 % of networks affected by an outage BR US IR IN ID RU 8.83 UA AR NG BD Source: 6

7 Potential culprits 2017 Number of AS's in a country responsible for a routing incident (a route leak or hijack) Percent of AS's in a country responsible for a routing incident (a route leak or hijack) BR US RU GB BR US RU GB IN HK DE ID IR NL IN HK DE ID IR NL Source: 7

8 Positive dynamics % of AS's in a country responsible for a routing incident US BR RU IN BD ID DE IR GB HK

9 Mutually Agreed Norms for Routing Security (MANRS) Provides crucial fixes to eliminate the most common threats in the global routing system Based on collaboration among participants and shared responsibility for the Internet infrastructure 9

10 MANRS Actions Filtering Prevent propagation of incorrect routing information Ensure the correctness of your own announcements and announcements from your customers to adjacent networks with prefix and ASpath granularity Anti-spoofing Prevent traffic with spoofed source IP addresses Enable source address validation for at least singlehomed stub customer networks, their own endusers, and infrastructure Coordination Facilitate global operational communication and coordination between network operators Maintain globally accessible up-to-date contact information in common routing databases Global Validation Facilitate validation of routing information on a global scale Publish your data, so others can validate 10

11 Filtering: Prevent propagation of incorrect routing information Ensure the correctness of your own announcements and announcements from your customers to adjacent networks Use an IRR (e.g. APINIC IRR) In a typical scenario, an operator (AS64500) will require its customers, such as AS64501, to register their expected announcements as route objects in the IRR AS64500 will need to register its own route object, define its customer-cone using an as-set object, and publish its routing policy with an aut-num object. AS64500 will use IRRToolset, BGPQ3, IRRPT to generate filters 11

12 Filtering: Prevent propagation of incorrect routing information Ensure the correctness of your own announcements and announcements from your customers to adjacent networks Use RPKI In a typical scenario, an operator (AS64500) will require its customers, such as AS64501, to get RPKI certificates from APNIC and create ROAs for their expected announcements AS64500 will do the same AS64500 can use RPKI validator to directly tag the announcements, e.g. route-map rpki permit 10 match rpki valid set local-preference

Anti-spoofing: Prevent traffic with spoofed source IP addresses Enable source address validation for at least single-homed stub customer networks, their own end-users and infrastructure.

13 Anti-spoofing: Prevent traffic with spoofed source IP addresses Enable source address validation for at least single-homed stub customer networks, their own end-users and infrastructure. Use ingress ACLs ip access-list extended customer1-in-ipv4 permit ip any! ipv6 access-list customer1-in-ipv6 permit ipv6 2001:db8:1001::/48 any! interface x ip access-group customer1-in-ipv4 in ipv6 traffic-filter customer1-in-ipv6 in Convince the customer to egress-filter Interface y ip access-group egress-provider out 13

14 Anti-spoofing: Prevent traffic with spoofed source IP addresses Enable source address validation for at least single-homed stub customer networks, their own end-users and infrastructure. Use urpf ip verify unicast reachable-via rx ipv6 verify unicast reachable-via rx Convince the customer to egress-filter Interface y ip access-group egress-provider out 14

Coordination: Facilitate global operational communication and coordination between network operators Maintain globally accessible up-to-date contact information MyAPNIC

15 Coordination: Facilitate global operational communication and coordination between network operators Maintain globally accessible up-to-date contact information MyAPNIC Portal mntner role Inetnum Inet6num. aut-num as-set route-set Abuse Policy Technical NOC Public Relations Sales Network Operations Center Support Team Abuse Team Security Team 15

Global Validation: Facilitate validation of routing information on a global scale Publicly document the routing policy, ASNs and prefixes that are intended to be advertised to external parties

0/24 mp-export: to AS64511 origin: announce AS64500 2001:db8:1000::/3 64500:AS-ALL... source: 6 APNIC source: APNIC origin: as-set: AS64500 AS64500:AS-ALL source: members: APNIC AS64500 route: 192.0.2.0/24 members: AS64501, AS64502 route6: 2001:db8:1001::/48 origin: AS64501 origin: route: AS64501 198.

16 Global Validation: Facilitate validation of routing information on a global scale Publicly document the routing policy, ASNs and prefixes that are intended to be advertised to external parties aut-num: AS64500 mp-import: from AS64501 accept AS64501 mp-export: to AS64501 announce ANY... mp-import: from AS64511 accept AS64511:AS- ALL route: route6: /24 mp-export: to AS64511 origin: announce AS :db8:1000::/ :AS-ALL... source: 6 APNIC source: APNIC origin: as-set: AS64500 AS64500:AS-ALL source: members: APNIC AS64500 route: /24 members: AS64501, AS64502 route6: 2001:db8:1001::/48 origin: AS64501 origin: route: AS /24source: APNIC source: origin: route6: APNIC AS :db8:2002::/48 source: origin: APNIC AS64502 source: APNIC source: APNIC ROA: ROA: ROA: ROA: 2001:db8:2002::/4 2001:db8:2002::/ :db8:2002::/ :db8:2002::/4 origin: 8 origin: 8 AS64502 AS64502 origin: AS64502 origin: AS

17 MANRS Implementation Guide If you re not ready to join yet, implementation guidance is available to help you. Based on Best Current Operational Practices deployed by network operators around the world Recognition from the RIPE community by being published as RIPE

MANRS Training Tutorials and Hands-on Lab 6 training tutorials based on information in the Implementation Guide. A test at the end of each tutorial.

18 MANRS Training Tutorials and Hands-on Lab 6 training tutorials based on information in the Implementation Guide. A test at the end of each tutorial. About to begin training moderators for online classes (43 applications received!) The prototype lab is ready, finalizing the production version. 18

19 Measuring Routing Security: MANRS Observatory - Impartial benchmarking of MANRS members to improve reputation and transparency - Provide factual state of security and resilience of Internet routing system over time - Support the problem statement with data - Self-assessment purposes and automating sign-up - How to Measure? - Transparent - Use publicly available data sources and open source code - Passive - No cooperation is required from a network - Metrics - Measure the rate of member (ASN) commitment (0 non-compliant to 100 fully compliant) 19

20 MANRS Member Report and MANRS Observatory 20

21 MANRS Audit Process Actions Checks Tools Filtering Check the description to ensure that prefix filters are generated for the customer cone dynamically, and not only static bogon filters are in place. Usually this is done by using recursive AS-SETs (IRR). Anti-Spoofing Check that the ASN does not announce bogons Check that the ASN was not implicated in recent incidents. If it was - ask for the explanation Check that ASN does not show up in CAIDA spoofer database as an ASN or as a provider Run Spoofer test in two of infrastructure network segments (not behind a NAT) Coordination Check the spoofer results Global Validation Check that contacts are in the whois Check that contact info is registered iin the PeeringDB (arobach/hyferuupu@wi3m) Check that routing information is registered in an IRR If ROAs are registered - it is a plus

22 MANRS increasing adoption I believe only 20 major network operators need to start doing Route Origin Validation in order to greatly improve routing security and achieve big benefits. - Job Snijders, NLNOG

23 Total ASNs versus Stub ASNs Source: 23

24 MANRS Participants as of October Network Operators - 21 R&E networks and institutions Autonomous Systems (ASes) - 24 Internet Exchange Points - Internet2/ESnet community Internet2, ESnet, CAAREN, Connecticut Education Network, DePaul University, GWU, Indiana University & KanREN 24

25 Why Research & Education Networks Should Join MANRS - To show technical leadership and distinguish you from commercial ISPs - Customers increasing willing to pay more for secure services - To add competitive value and enhance operational effectiveness - Growing demand from customers for managed security services - -To show security proficiency and commitment to your customers - Promote MANRS compliance to security-focused customers - To help solve global network problems - NRENs are often early adopters of new developments. Lead by example - Being part of the MANRS community can strengthen enterprise security credentials 25

26 MANRS IXP Programme There is synergy between MANRS and IXPs IXPs form a community with a common operational objective MANRS is a reference point with a global presence useful for building a safe neighborhood How can IXPs contribute? Implement a set of Actions that demonstrate the IXP commitment and also bring significant improvement to the resilience and security of the routing system 26

27 MANRS IXP Program launched on April 23! 27

28 MANRS IXP Actions Action 1 Prevent propagation of incorrect routing information Action 2 Promote MANRS to the IXP membership Action 3 Protect the peering platform Action 4 Facilitate global operational communication and coordination Action 5 Provide monitoring and debugging tools to the members. This mandatory action requires IXPs to implement filtering of route announcements at the Route Server based on routing information data (IRR and/or RPKI). IXPs joining MANRS are expected to provide encouragement or assistance for their members to implement MANRS actions. This action requires that the IXP has a published policy of traffic not allowed on the peering fabric and performs filtering of such traffic. The IXP facilitates communication among members by providing necessary mailing lists and member directories. The IXP provides a looking glass for its members. 28

29 MANRS Community 29

30 MANRS needs to be community driven MANRS should be (and is) a collaborative initiative of Internet operators Internet operators undertaking MANRS principles need to encourage use of best practices MANRS needs to be driven by leaders within their communities who strongly believe that routing security is an essential component for the future well being of the Internet Generate MANRS awareness through word-of-mouth, presentations and social media in their communities + running workshops on routing security Bring forward feedback and recommendations for improving MANRS principles, tools and disseminating best practices, e.g. MANRS observatory, network monitoring tools, and training materials Internet Society can help with presentations, informational materials and merchandise (shirts and stickers) 30

31 Join Us Visit Fill out the sign up form with as much detail as possible. We may ask questions and run tests Get Involved in the Community Members support the initiative and implement the actions in their own networks Members maintain and improve the manifesto and promote MANRS objectives 31

Thank you. Kevin Meynell meynell@isoc.org Visit us at www.internetsociety.

32 Thank you. Kevin Meynell Visit us at Follow Galerie Jean-Malbuisson 15, CH-1204 Geneva, Switzerland Wiehle Avenue, Suite 201, Reston, VA USA

MANRS Mutually Agreed Norms for Routing Security

6 July 2018 MANRS Mutually Agreed Norms for Routing Security Kevin Meynell Manager, Technical & Operational Engagement meynell@isoc.org Presentation title Client name Internet Society 1992 2018 1 The Problem