Making the internet more secure is like assembling a giant puzzle with hundreds of pieces. Leading global networks hope another piece will be snapped into place by having Internet Exchange Points (IXPs) join a three-year-old initiative for improving routing security.
This morning the 56 network operators behind the Mutually Agreed Norms for Routing Security (MANRS) initiative announced they have created a MANRS program for IXPs so they can also help eliminate common threats to the internet’s routing system.
“If we can do it, then there’s no reason for the big guys not to be able to do it as well,” Theo de Raadt, YYCIX’s network manager and board member, said in an interview. It only took the exchange two weeks to meet the MANRS requirements for a network operator, he said. It could be easier and faster to meet the new IXP requirements.
He believes TORIX is already compliant because it checks the messages network operators send to each other for validity. Corrupted messages, whether accidental or deliberate, cause security issues by leading misconfigured routers to divert internet traffic from where it is supposed to go. The traffic may be detoured for a number of reasons, including surveillance and reconnaissance by criminals or nation-states, spoofing, or creating large-scale Denial of Service (DoS) attacks. “If (IXPs) don’t do filtering you’re part of the problem,” said de Raadt.
Other IXPs committed to joining the IXP program are in Frankfurt, Ireland, Moscow, Sweden, Argentina and Costa Rica.
The announcement was made after the conclusion of the Euro-IX Forum in Ireland.
IXPs are used to connect internet network operators/service providers as well as content delivery networks. By exchanging traffic through an IXP, providers reduce the cost of service and shorten latency. A by-product is improved resiliency of the Internet.
Among those backing the MANRS initiative is the Internet Society. Andrei Robachevsky, the society’s technology program manager, said in an interview that by joining, IXPs would “commit to make internet security a priority by making this a priority.”
“Insecure routing is one of the most common causes of malicious threats like mounting a man-in-the-middle attack, or creating a denial of service attack,” he said. “A routing system is quite an easy tool to use to mount that.”
There are about 60,000 independent networks that make up the internet. They exchange what is called reachability information among themselves using the BGP (Border Gateway Protocol) standard. Each network builds its own “map,” or routing table, of the internet, which it uses to decide where to forward packets. Unfortunately, Robachevsky said, this routing system does not have accurate information in the databases held by operators. In addition to inadvertent outages, this can cause networks to be hijacked.
One of the most commonly cited examples of the problem is the 2008 two-hour outage of YouTube. It was caused when a Pakistani telecom company, reportedly in order to comply with an order to block the service, sent out instructions worldwide claiming to be the legitimate destination for anyone trying to reach YouTube’s range of internet addresses.
Last December several high-profile sites including Google, Apple, Facebook, Microsoft, Twitch, NTT Communications and Riot Games were briefly rerouted to a previously unused Russian autonomous system.
The Internet Society estimates that in 2017 alone there were 14,000 routing outages or incidents, including hijacking, leaks, spoofing and large-scale Denial of Service (DoS) attacks. These could have led to stolen data, lost revenue, reputational damage and more.
MANRS addresses these threats through technical and collaborative action.
Network operators who agree to follow MANRS have four obligations: ensure routing announcements made by them and their customers are correct by using filters; fight spoofing by enabling source address validation; and publish data so others can validate routing information.
IXPs are asked to do five things (the first two are mandatory, and IXPs have to do at least one of the remaining three):
- Help prevent the spread of incorrect routing information by filtering announcements in their route servers.
- Promote MANRS to the exchange’s internet service providers, which helps MANRS spread around the world.
- Protect the peering platform.
- Facilitate global operational communication and coordination between network operators.
- Provide monitoring and debugging tools to members.
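As an added illustration, not code from the article, from MANRS or from any exchange named here, the following Python sketch shows the kind of origin check a route server can apply before re-advertising a member’s announcement: each (prefix, origin AS) pair is compared against authorization records, so a more-specific prefix announced by an unauthorized AS, the pattern of the YouTube incident above, is dropped rather than passed on. The records, prefixes and AS numbers are constructed sample data from the documentation ranges.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class RouteAuthorization:
    """Which AS may originate a prefix, and how specific an announcement may be."""
    prefix: str       # e.g. "203.0.113.0/24"
    origin_as: int    # AS number allowed to originate it
    max_length: int   # longest prefix length this record still covers


VALID, INVALID, UNKNOWN = "valid", "invalid", "unknown"


def validate_origin(prefix: str, origin_as: int, records) -> str:
    """Classify one announcement against the authorization records.

    VALID:   a covering record allows this origin AS at this prefix length.
    INVALID: records cover the prefix, but none allow (origin AS, length).
    UNKNOWN: no record covers the prefix at all.
    """
    announced = ipaddress.ip_network(prefix, strict=True)
    covering = [r for r in records
                if ipaddress.ip_network(r.prefix).version == announced.version
                and announced.subnet_of(ipaddress.ip_network(r.prefix))]
    if not covering:
        return UNKNOWN
    if any(r.origin_as == origin_as and announced.prefixlen <= r.max_length
           for r in covering):
        return VALID
    return INVALID


def filter_announcements(announcements, records):
    """Keep only the announcements a strict route server would re-advertise."""
    return [(p, a) for p, a in announcements if validate_origin(p, a, records) == VALID]


# Constructed sample data using documentation prefixes and AS numbers.
RECORDS = [RouteAuthorization("203.0.113.0/24", 64500, 24),
           RouteAuthorization("2001:db8::/32", 64500, 48)]
ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64500),   # the registered owner: VALID
    ("203.0.113.0/25", 64501),   # more-specific from another AS: INVALID (hijack pattern)
    ("203.0.113.0/25", 64500),   # right AS, but longer than max_length: INVALID
    ("198.51.100.0/24", 64502),  # nothing registered for it: UNKNOWN
    ("2001:db8:1::/48", 64500),  # IPv6 more-specific within max_length: VALID
]
```

RPKI-based origin validation as deployed in practice usually lets UNKNOWN routes through; the strict policy here, which only passes VALID, mirrors the route-server stance the article describes, where a route is relayed only once ownership has been validated.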
Robchevsky said it took two years to reach consensus on the requirements.
If an IXP is mature and has good operational processes, he said, adding one more process to comply with MANRS won’t cost much.
Theo de Raadt of Calgary’s YYCIX said the exchange learned about MANRS through a Netherlands-based technical lead of the international network operator NTT.
“The number one [advantage] is we will never be a participant of a global route leak,” he said. “When a global route leak happens next it will be the problem of the operators — the Tier 1s and Tier 2s making mistakes. We will not pass on those routes, because we will only pass on routes for which we have validation that the ownership of the route is correct.” IXPs can also identify a problem before a global network sees it.