A routing prefix

To many of us the Internet is just a resource we plug into, but someone has to manage its provision. Andrei Robachevsky, Senior Technology Program Manager at the Internet Society, introduces MANRS

Routing security is vital to Internet stability, which is of course under constant threat. In 2018, there were over 12,000 routing attacks. These incidents have real-world impact and cost, ranging from failing to provide services to customers, to the potentially fatal cost of mitigation and response.

Acknowledging this, a group of companies decided to act. From this, the Mutually Agreed Norms for Routing Security (MANRS) was born. MANRS aims to reduce the most common threats to Internet routing through a program of technical and collaborative action.

ROUTING SECURITY
MANRS offers a set of actions designed to help network operators improve the security of the global routing system. Supported by the Internet Society, MANRS is a global initiative made up of like-minded network operators, IXP operators, and enterprises, with the goal of preventing route hijacks as well as certain kinds of DoS attacks (those that rely on spoofed source addresses).

Network operators who are MANRS members agree to perform the following actions, designed to improve routing security:

• Filtering: to ensure the correctness of their own announcements and of those from their customers to adjacent networks with prefix and AS-path granularity.

• Anti-spoofing: to enable source address validation for at least single-homed stub (customer) networks, their end-users, and infrastructure.

• Coordination: to maintain globally accessible, up-to-date contact information.

• Global validation: to publish their data, so others can validate routing information on a global scale.
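The first, second and fourth actions can be illustrated together. The following is an added example written for this article, not code from MANRS or the Internet Society: it models Route Origin Authorizations (ROAs) of the kind an operator publishes in RPKI under Action 4, applies the standard origin-validation rule (RFC 6811) to an announcement, derives a customer-facing prefix filter from those ROAs and checks both the prefix and the first hop of the AS path (Action 1), and performs BCP 38-style source address validation for a single-homed stub customer port (Action 2). The ROAs and ASNs are constructed from documentation prefixes and private ASNs; the customer is assumed to originate only its own prefixes.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: origin_asn may announce prefix, up to max_length."""
    prefix: str
    max_length: int
    origin_asn: int


# Constructed sample ROAs (documentation prefixes, private ASNs), not real RPKI data.
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/24", 26, 64497),
    ROA("2001:db8::/32", 48, 64496),
]


def validate_origin(prefix, origin_asn, roas):
    """RFC 6811 route origin validation.

    Returns 'not-found' when no ROA covers the prefix, 'valid' when a covering
    ROA authorizes this origin AS at this prefix length, otherwise 'invalid'.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        # subnet_of() raises on mixed address families, so compare versions first
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.origin_asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def customer_prefix_list(customer_asn, roas):
    """Prefix-list entries (prefix, le) a provider would install on a customer session,
    built from what the customer has published in RPKI."""
    return [(r.prefix, r.max_length) for r in roas if r.origin_asn == customer_asn]


def accept_from_customer(prefix, as_path, customer_asn, roas):
    """Ingress filter on a customer session with prefix and AS-path granularity.

    Assumes a stub customer that originates only its own prefixes. The AS path must
    begin with the customer's own ASN (the neighbor), and the prefix must fall within
    one of the customer's documented prefixes without exceeding its maximum length.
    Anything the customer has not documented is rejected.
    """
    if not as_path or as_path[0] != customer_asn:
        return False
    net = ipaddress.ip_network(prefix, strict=False)
    for entry, le in customer_prefix_list(customer_asn, roas):
        entry_net = ipaddress.ip_network(entry, strict=False)
        if (entry_net.version == net.version
                and net.subnet_of(entry_net)
                and net.prefixlen <= le):
            return True
    return False


def sav_permit(source_ip, interface_prefixes):
    """Source address validation (BCP 38) on a single-homed stub customer port:
    forward only packets whose source lies in a prefix assigned to that interface.
    Membership tests across address families simply return False."""
    src = ipaddress.ip_address(source_ip)
    return any(src in ipaddress.ip_network(p, strict=False) for p in interface_prefixes)


if __name__ == "__main__":
    for pfx, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                     ("192.0.2.0/24", 64500), ("203.0.113.0/24", 64496)]:
        print(pfx, "AS", asn, "->", validate_origin(pfx, asn, SAMPLE_ROAS))
    print("filter for AS64496:", customer_prefix_list(64496, SAMPLE_ROAS))
    print("spoofed 203.0.113.5 on 192.0.2.0/24 port permitted?",
          sav_permit("203.0.113.5", ["192.0.2.0/24"]))
```

The interesting cases are the ones that reject: a more-specific announcement beyond the ROA's maximum length (the classic sub-prefix hijack shape) is "invalid" even when the origin AS is right, a prefix with no ROA is "not-found" rather than "invalid", and on a customer session the filter treats an undocumented prefix as something to drop because the customer has the means to document it. In production the prefix list would be regenerated from RPKI and IRR data as the customer's records change, which is exactly why Action 4 (publishing that data) makes Action 1 workable for everyone else.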

OBSERVING ADHERENCE
The MANRS Observatory measures a network's adherence to MANRS (its "MANRS readiness"), which is an important indicator of the state of routing security and of the resilience of the Internet.

To measure MANRS readiness for a particular network, a set of metrics is deployed, one for each action. For example, to measure to what degree Filtering (Action 1) is being implemented, the number and duration of routing incidents in which the network was implicated, either as the culprit or as an accomplice, are measured. Similar metrics are calculated for anti-spoofing capabilities (Action 2), presence of contact information (Action 3) and completeness of routing information in public repositories such as IRRs and RPKI (Action 4). This data is gathered from trusted third-party sources, including BGPStream.com, the CIDR Report, CAIDA Spoofer and RIPEstat.

All measurements are passive, which means that they don't require cooperation from the measured network. That allows MANRS to measure not only members of the MANRS initiative but all networks on the Internet, and currently there are more than 65,000.

AN ATTACK ACCESSORY
These networks have the ability to defend their prefixes. They can document and claim the prefixes allocated to them for inclusion in other networks' filters, as well as build and apply such filters themselves. One could argue that a network that announces a prefix and doesn't defend it, or that receives and uses or propagates a prefix without verifying it, is a likely accessory to an attack. It's therefore vital that we can assess the strength and security of any network, building transparency and helping the Internet to grow ever stronger.

The Observatory has two views: public (open to everyone) and private (available only to MANRS participants). In the public view, anyone can look at routing security metrics and statistics such as the number of incidents, potential culprits and the completeness of routing information in the IRR and RPKI systems at global, regional and economy level. MANRS participants can see the performance of individual networks and even drill down to a detailed monthly incident report for their own networks.

Many say that networking is unnecessarily complex and costly because it isn't protected. As an industry, we are capable of verifiably identifying prefixes and preventing them from being misused, either in routing or as a source address when accessing a service. It is our responsibility to do so. NC