While the internet itself was first envisioned as a way of enabling robust, fault-tolerant communication, the global routing infrastructure that underlies it is relatively fragile. A simple error like the misconfiguration of routing information in one of the 7,000 to 10,000 networks central to global routing can lead to a widespread outage, and deliberate actions, like preventing traffic with spoofed source IP addresses, can lead to distributed denial of service (DDoS) attacks.
The Internet Society (ISOC), a cause-driven nonprofit organization that seeks to promote the open development, evolution and use of the Internet and the parent organization of the Internet Engineering Task Force (IETF) standards body, is moving to change that. In 2014, ISOC introduced its Mutually Agreed Norms for Routing Security (MANRS) initiative. Today ISOC announced that the initiative membership has more than quadrupled in its first two years, growing from its initial nine network operators to 42 network operators today.
The newest members are SUNET and NORDUnet, two leading research and education networks in Scandinavia. MANRS 42 members now operate autonomous system networks (ASNs) across 21 countries. The MANRS initiative is now established in Asia, North and South America, Africa and Europe.
"We're seeing a lot of uptake and much more awareness," says Andrei Robachevsky, Technology Program Manager for ISOC. "There are more than 50,000 networks participating in global routing. Perhaps 7,000 to 10,000 networks are really defining how global routing works. If we can get 10,000 networks to sign up to MANRS, we'll see significant improvement in global routing."
Pakistan killed the video star
As one example, Robachevsky says that if ISOC can get enough ASNs to support the measures suggested in MANRS, it would prevent incidents like the one in which Pakistan knocked YouTube off the Internet for two-thirds of the globe for several hours in 2008.
In that incident, Pakistan attempted to block access to YouTube within its own borders. Pakistan's telecommunications ministry had ordered 70 ISPs to block access to the site due to anti-Islamic videos. In response, Pakistan Telecom, the leading telecommunictions company in the country, configured its routing information to suggest that it was the legitimate destination for anyone trying to reach YouTube's internet addresses (though it didn't actually point to YouTube at all).
The move was intended only to make YouTube unavailable inside Pakistan, but the routing information propagated outside the country. Soon, not only was YouTube unavailable to two-thirds of the globe, Pakistan Telecom was suffering from a self-inflicted DDoS.
"For more than two hours, YouTube was unavailable to a large amount of the internet," Robachevsky says. "Pakistan Telecom was just buried under this traffic, under a DDoS of its own making. These types of accidents happen on the Internet every day. The majority of these incidents are misconfigurations. Anyone could, in principal, do this misconfiguration and create havoc if additional measures aren't taken."
Robachevsky notes that MANRS consists of a package of four minimum, actionable measures that network security operators should take: filtering, anti-spoofing, coordination and global validation.
"MANRS is very actionable," he says. "This is a minimum baseline that we would like to introduce as a new norm. It's not an aspiration. It's an absolute minimum. We wanted to set the threshold as not too high, so people can join. If it's implemented on a large scale, we'll see significant improvements in the global routing system."
Most operators that have joined have implemented all four measures, Robachevsky says, including Comcast, one of the world's largest broadband operators, which has done so across 33 ASNs. None of the members to date have acted on fewer than three.
Filtering to prevent the propagation of incorrect routing information
The first measure is filtering, which helps prevent the propagation of incorrect routing information. Robachevsky says network operators need to define a clear routing policy and implement a system to ensure the correctness of their own routing announcements and announcements from the customers to adjacent networks with prefix and AS-path granularity.
Network operators need to be able to communicate to their adjacent networks which announcements are correct and to apply due diligence when checking the correctness of their customers' announcements. This, he says, will provide assurance against "fat-finger" errors that can lead to hijacking traffic directed to other networks. It will also mitigate "route leaks" — the propagation of routing announcements beyond their intended scope.
Prevent traffic with spoofed IP addresses
By implementing a system that enables source address validation for at least single-homed stub customer networks, their own-end users and infrastructure, ISOC says network operators can dramatically diminish the prevalence and impact of DDoS attacks. Essentially, network operators should implement anti-spoofing filtering to prevent packets with an incorrect source IP address from entering and leaving the network.
Facilitate global operational communication and coordination between network operators
To grease the wheels, network operators need to maintain globally accessible and up-to-date contact information to facilitate communication and coordination with their peers. This, Robachevsky says, is essential for incident mitigation and better assurance of the technical quality of relationships.
Facilitate validation of routing information on a global scale
Whereas the first three measures are about sweeping your own sidewalk, the fourth is about looking out for your peers. By facilitating the global validation of routing information, you can limit the scope of routing incidents and make the global system as a whole more resilient.
Taken as a whole, Robachevsky says the four measures won't just help improve Internet security and resilience, they'll enable a sustainable business environment that will benefit network operators and their customers alike. They will provide better protection against traffic anomalies caused by misconfigurations, cleaner setups (resulting in easier troubleshooting and lower time-to-resolution (TTR)), improved peering conditions and opportunities for collaboration with other operators through a discussion forum and professional network.
Robachevsky notes that a team of MANRS participants has convened to draft a Best Current Operational Practices (BCOP) document that walks you through the steps to become MANRS-compliant. The team plans to present the document for review by regional communities at the RIPE 73 meeting in Madrid later this month.