View
2
Download
0
Category
Preview:
Citation preview
Internet Society © 1992–2016
https://www.manrs.org/
TwoyearsofgoodMANRSImprovingGlobalRoutingSecurityandResilience
January2017
Isthereaproblem?
• Internetroutinginfrastructureisvulnerable• Trafficcanbehijacked,blackholed ordetoured• Trafficcanbespoofed• Fat-fingersandmaliciousattacks
• BGPisbasedontrust• Nobuilt-invalidationofthelegitimacyof updates
2
Aretheresolutions?
• Yes!• PrefixandAS-PATHfiltering,RPKI,IRR,…• BGPSECunderdevelopmentattheIETF• Whois,RoutingRegistriesandPeeringdatabases
• But…• Lackofdeployment• Lackofreliabledata
3
Itisasocio-economicproblem– atragedyofthecommons• Fromtheroutingperspectivesecuringone’sownnetworkdoesnotmakeitmoresecure.Thenetworksecurityisinsomeoneelse’shands• Themorehands– thebetterthesecurity
• Isthereaclear,visibleandindustrysupportedlinebetweengoodandbad?• Aculturalnorm
4
Aclearlyarticulatedbaseline–aminimumrequirement(MCOP)
+
Visiblesupportwithcommitment
5
MutuallyAgreedNormsforRoutingSecurity(MANRS)
MANRSdefinesfourconcreteactionsthatnetworkoperatorsshouldimplement
• Technology-neutralbaselineforglobaladoption
MANRSbuildsavisiblecommunityofsecurity-mindedoperators
• Promotescultureofcollaborativeresponsibility
6
GoodMANRS
• Filtering – Preventpropagationofincorrectroutinginformation• Ownannouncementsandthecustomercone
• Anti-spoofing – PreventtrafficwithspoofedsourceIPaddresses• Single-homedstubcustomersandowninfra
• Coordination – Facilitateglobaloperationalcommunicationandcoordinationbetweennetworkoperators• Up-to-dateandresponsivepubliccontacts
• Global Validation – Facilitatevalidationofroutinginformationonaglobalscale• Publishyourdata,sootherscanvalidate
7
MANRSusecase:thenetworkandtopology
MANRSisnot(only)adocument– itisacommitment• Thememberssupport thePrinciplesandimplement themajorityoftheActionsintheirnetworks.
• A memberbecomesaParticipantofMANRS,helpingtomaintain and improve thedocumentandtopromote MANRSobjectives
9
Agrowinglistofparticipants
10
0102030405060708090100
2014 2015 2016 2017(sofar)
#ofAS
#ofAS
TwoyearsofMANRS
11
MANRS members by # of AS’es
0
1000
2000
3000
4000
5000
6000
7000
8000
2014 2015 2016 2017 . . . . . . ?
# of AS# of AS
Youmaysaywe’redreamers…
12
MANRS members by # of AS’es
•Howtobridgethisgap?
13
Leveragingmarketforcesandpeerpressure• Developingabetter“businesscase”forMANRS
• MANRSvaluepropositionforyourcustomersandyourownnetwork
• Creatingatrustedcommunity
• Agroupwithasimilarattitudetowardssecurity
14
IncreasinggravitybymakingMANRSaplatformforrelatedactivities• Developingbetterguidance
• MANRSBestCurrentOperationalPractices(BCOP)document:
http://www.routingmanifesto.org/bcop/
• Training/certificationprogramme
• BasedonBCOPdocumentandanonlinemodule
• Bringingnewtypesofmembersonboard
• IXPs
15
MANRStrainingandcertification
16
• Routingsecurityishard• TheMANRSBCOPwasenvisagedasasimpleinstructionset• Insteadwehavea50-pagedocumentthatassumescertainlevelofexpertise• Howcanwemakeitmoreaccessible?
• Asetofonlinetrainingmodules• BasedontheMANRSBCOP• Walksastudentthroughthetutorialwithatestattheend• Workingwithandlookingforpartnersthatareinterestedinintegratingitintheircurricula
• Ahands-onlabtoachieveMANRScertification• CompletinganonlinemoduleasafirststepinMANRScertification• Lookingforpartners
MANRSIXPPartnershipProgramme
17
• ThereissynergybetweenMANRSandIXPsinthisarea• IXPsformacommunitywithacommonoperationalobjective• MANRSisareferencepointwithaglobalpresence– usefulforbuildinga“safeneighborhood”
• HowcanIXPscontribute?• Technicalmeasures:RouteServerwithvalidation,alertingonunwantedtraffic,providingdebuggingandmonitoringtools
• Socialmeasures:MANRSambassadorrole,localauditaspartoftheon-boardingprocess• Adevelopmentteamisworkingonasetofusefulactions
Howtosignup
• Gotohttps://www.manrs.org/signup/• Providerequestedinformation
• PleaseprovideasmuchdetailonhowActionsareimplementedaspossible
• Wemayaskquestionsandaskyoutorunafewtests• Routing“backgroundcheck”
• Spoofer https://www.caida.org/projects/spoofer/
• Youranswerto“Whydidyoudecidetojoin?”maybedisplayedinthetestimonials
• Downloadthelogoanduseit
• BecomeanactiveMANRSparticipant
18
Questions?
Pleasejoinustomakeroutingmoresecure• Feelfreetocontactusifyouareinterestedandwanttolearnmore
• http://www.routingmanifesto.org/contact/
• Mail:routingmanifesto@isoc.org
• Lookingforwardtoyoursign-ups:• http://www.routingmanifesto.org/signup/
19
Recommended