• Home

  • Documents

  • Two years of good MANRS - SINOG · Good MANRS • Filtering–Prevent propagation of incorrect...
18
Internet Society © 1992–2016 https://www.manrs.org/ Two years of good MANRS Improving Global Routing Security and Resilience January 2017

Two years of good MANRS - SINOG · Good MANRS • Filtering–Prevent propagation of incorrect routing information • Own announcements and the customer cone • Anti-spoofing –Prevent

  • Upload
    others

  • View
    0

  • Download
    0

Embed Size (px)

Citation preview

Page 1: Two years of good MANRS - SINOG · Good MANRS • Filtering–Prevent propagation of incorrect routing information • Own announcements and the customer cone • Anti-spoofing –Prevent

Internet Society © 1992–2016

https://www.manrs.org/

TwoyearsofgoodMANRSImprovingGlobalRoutingSecurityandResilience

January2017

Page 2: Two years of good MANRS - SINOG · Good MANRS • Filtering–Prevent propagation of incorrect routing information • Own announcements and the customer cone • Anti-spoofing –Prevent

Isthereaproblem?

• Internetroutinginfrastructureisvulnerable• Trafficcanbehijacked,blackholedordetoured• Trafficcanbespoofed• Fat-fingersandmaliciousattacks

• BGPisbasedontrust• Nobuilt-invalidationofthelegitimacyof updates

2

Page 3: Two years of good MANRS - SINOG · Good MANRS • Filtering–Prevent propagation of incorrect routing information • Own announcements and the customer cone • Anti-spoofing –Prevent

Aretheresolutions?

• Yes!• PrefixandAS-PATHfiltering,RPKI,IRR,…• BGPSECunderdevelopmentattheIETF• Whois,RoutingRegistriesandPeeringdatabases

• But…• Lackofdeployment• Lackofreliabledata

3

Page 4: Two years of good MANRS - SINOG · Good MANRS • Filtering–Prevent propagation of incorrect routing information • Own announcements and the customer cone • Anti-spoofing –Prevent

Itisasocio-economicproblem– atragedyofthecommons• Fromtheroutingperspectivesecuringone’sownnetworkdoesnotmakeitmoresecure.Thenetworksecurityisinsomeoneelse’shands• Themorehands– thebetterthesecurity

• Isthereaclear,visibleandindustrysupportedlinebetweengoodandbad?• Aculturalnorm

4

Page 5: Two years of good MANRS - SINOG · Good MANRS • Filtering–Prevent propagation of incorrect routing information • Own announcements and the customer cone • Anti-spoofing –Prevent

Aclearlyarticulatedbaseline–aminimumrequirement(MCOP)

+

Visiblesupportwithcommitment

5

Page 6: Two years of good MANRS - SINOG · Good MANRS • Filtering–Prevent propagation of incorrect routing information • Own announcements and the customer cone • Anti-spoofing –Prevent

MutuallyAgreedNormsforRoutingSecurity(MANRS)

MANRSdefinesfourconcreteactionsthatnetworkoperatorsshouldimplement

• Technology-neutralbaselineforglobaladoption

MANRSbuildsavisiblecommunityofsecurity-mindedoperators

• Promotescultureofcollaborativeresponsibility

6

Page 7: Two years of good MANRS - SINOG · Good MANRS • Filtering–Prevent propagation of incorrect routing information • Own announcements and the customer cone • Anti-spoofing –Prevent

GoodMANRS

• Filtering – Preventpropagationofincorrectroutinginformation• Ownannouncementsandthecustomercone

• Anti-spoofing – PreventtrafficwithspoofedsourceIPaddresses• Single-homedstubcustomersandowninfra

• Coordination – Facilitateglobaloperationalcommunicationandcoordinationbetweennetworkoperators• Up-to-dateandresponsivepubliccontacts

• Global Validation – Facilitatevalidationofroutinginformationonaglobalscale• Publishyourdata,sootherscanvalidate

7

Page 8: Two years of good MANRS - SINOG · Good MANRS • Filtering–Prevent propagation of incorrect routing information • Own announcements and the customer cone • Anti-spoofing –Prevent

MANRSisnot(only)adocument– itisacommitment• Thememberssupport thePrinciplesandimplement themajorityoftheActionsintheirnetworks.

• A memberbecomesaParticipantofMANRS,helpingtomaintain and improve thedocumentandtopromote MANRSobjectives

8

Page 9: Two years of good MANRS - SINOG · Good MANRS • Filtering–Prevent propagation of incorrect routing information • Own announcements and the customer cone • Anti-spoofing –Prevent

Agrowinglistofparticipants

9

Page 10: Two years of good MANRS - SINOG · Good MANRS • Filtering–Prevent propagation of incorrect routing information • Own announcements and the customer cone • Anti-spoofing –Prevent

0102030405060708090100

2014 2015 2016 2017(sofar)

#ofAS

#ofAS

TwoyearsofMANRS

10

MANRS members by # of AS’es

Page 11: Two years of good MANRS - SINOG · Good MANRS • Filtering–Prevent propagation of incorrect routing information • Own announcements and the customer cone • Anti-spoofing –Prevent

0

1000

2000

3000

4000

5000

6000

7000

8000

2014 2015 2016 2017 . . . . . . ?

# of AS

# of AS

Youmaysaywe’redreamers…

11

MANRS members by # of AS’es

Page 12: Two years of good MANRS - SINOG · Good MANRS • Filtering–Prevent propagation of incorrect routing information • Own announcements and the customer cone • Anti-spoofing –Prevent

•Howtobridgethisgap?

12

Page 13: Two years of good MANRS - SINOG · Good MANRS • Filtering–Prevent propagation of incorrect routing information • Own announcements and the customer cone • Anti-spoofing –Prevent

Leveragingmarketforcesandpeerpressure• Developingabetter“businesscase”forMANRS

• MANRSvaluepropositionforyourcustomersandyourownnetwork

• Creatingatrustedcommunity

• Agroupwithasimilarattitudetowardssecurity

13

Page 14: Two years of good MANRS - SINOG · Good MANRS • Filtering–Prevent propagation of incorrect routing information • Own announcements and the customer cone • Anti-spoofing –Prevent

IncreasinggravitybymakingMANRSaplatformforrelatedactivities• Developingbetterguidance

• MANRSBestCurrentOperationalPractices(BCOP)document:

http://www.routingmanifesto.org/bcop/

• Training/certificationprogramme

• BasedonBCOPdocumentandanonlinemodule

• Bringingnewtypesofmembersonboard

• IXPs

14

Page 15: Two years of good MANRS - SINOG · Good MANRS • Filtering–Prevent propagation of incorrect routing information • Own announcements and the customer cone • Anti-spoofing –Prevent

MANRStrainingandcertification

15

• Routingsecurityishard• TheMANRSBCOPwasenvisagedasasimple instructionset• Insteadwehavea50-pagedocumentthatassumes certainlevelofexpertise• Howcanwemakeitmoreaccessible?

• Asetofonlinetrainingmodules• BasedontheMANRSBCOP• Walksastudentthroughthetutorialwithatestattheend• Workingwithandlookingforpartnersthatareinterestedinintegratingitintheircurricula

• Ahands-onlabtoachieveMANRScertification• CompletinganonlinemoduleasafirststepinMANRScertification• Lookingforpartners

Page 16: Two years of good MANRS - SINOG · Good MANRS • Filtering–Prevent propagation of incorrect routing information • Own announcements and the customer cone • Anti-spoofing –Prevent

MANRSIXPPartnershipProgramme

16

• ThereissynergybetweenMANRSandIXPsinthisarea• IXPsformacommunitywithacommonoperationalobjective• MANRSisareferencepointwithaglobalpresence– usefulforbuildinga“safeneighborhood”

• HowcanIXPscontribute?• Technicalmeasures:RouteServerwithvalidation,alertingonunwantedtraffic,providingdebuggingandmonitoringtools

• Socialmeasures:MANRSambassadorrole,localauditaspartoftheon-boardingprocess• Adevelopmentteamisworkingonasetofusefulactions

Page 17: Two years of good MANRS - SINOG · Good MANRS • Filtering–Prevent propagation of incorrect routing information • Own announcements and the customer cone • Anti-spoofing –Prevent

Howtosignup

• Gotohttps://www.manrs.org/signup/• Providerequestedinformation

• PleaseprovideasmuchdetailonhowActionsareimplementedaspossible

• Wemayaskquestionsandaskyoutorunafewtests• Routing“backgroundcheck”

• Spoofer https://www.caida.org/projects/spoofer/

• Youranswerto“Whydidyoudecidetojoin?”maybedisplayedinthetestimonials

• Downloadthelogoanduseit

• BecomeanactiveMANRSparticipant

17

Page 18: Two years of good MANRS - SINOG · Good MANRS • Filtering–Prevent propagation of incorrect routing information • Own announcements and the customer cone • Anti-spoofing –Prevent

Pleasejoinustomakeroutingmoresecure

https://www.manrs.org/signup

18


Mutually Agreed Norms for Routing Securityasrenorg.net/eage19/sites/default/files/files... · Routing Security (MANRS) 7. Coordination Facilitate global operational communication

Mutually Agreed Norms for Routing Securityasrenorg.net/eage19/sites/default/files/files... · Routing Security (MANRS) 7. Coordination Facilitate global operational communication

Documents
SINOG Behaviourand anomaly detectionRouters Switches 10.1.8.3 Internet 172.168.134.2 Network as Data Source Collecting data: •Collect data across almost every device in your network

SINOG Behaviourand anomaly detectionRouters Switches 10.1.8.3 Internet 172.168.134.2 Network as Data Source Collecting data: •Collect data across almost every device in your network

Documents
Brocade Ethernet Fabrics - SINOG · ESX 2 ESX 1 vCenter Assets Profile Host VLAN VM QoS Vswitch DVswitch Assets Profile Host VLAN VM QoS Vswitch DVswitch Assets Profile Host VLAN

Brocade Ethernet Fabrics - SINOG · ESX 2 ESX 1 vCenter Assets Profile Host VLAN VM QoS Vswitch DVswitch Assets Profile Host VLAN VM QoS Vswitch DVswitch Assets Profile Host VLAN

Documents
Mutually Agreed Norms for Routing Security (MANRS) aka … · 2018-07-27 · The MANRS, in more detail • Principles of addressing issues of routing resilience • Interdependence

Mutually Agreed Norms for Routing Security (MANRS) aka … · 2018-07-27 · The MANRS, in more detail • Principles of addressing issues of routing resilience • Interdependence

Documents
Internet Society - ENOG · 2016-08-22 · Good MANRS 1. Filtering – Prevent propagation of incorrect routing information. 2. Anti-spoofing – Prevent traffic with spoofed source

Internet Society - ENOG · 2016-08-22 · Good MANRS 1. Filtering – Prevent propagation of incorrect routing information. 2. Anti-spoofing – Prevent traffic with spoofed source

Documents
IPv6 Fundamentals in LAN - meetings.ripe.netŒ_Straus_Istenič-IPv6... · Matjaž Straus Istenič Aviat Networks, SINOG matjaz@njetwork.si IPv6 Fundamentals in LAN SEE 3 RIPE NCC

IPv6 Fundamentals in LAN - meetings.ripe.netŒ_Straus_Istenič-IPv6... · Matjaž Straus Istenič Aviat Networks, SINOG [email protected] IPv6 Fundamentals in LAN SEE 3 RIPE NCC

Documents
Segment Routing with IPv6 - SINOG · Segment Routing with IPv6 Eric Vyncke ... (IPv6 addresses) – Next Segment: a pointer to the segment list element identifying the next segment

Segment Routing with IPv6 - SINOG · Segment Routing with IPv6 Eric Vyncke ... (IPv6 addresses) – Next Segment: a pointer to the segment list element identifying the next segment

Documents
RIPE Atlas for Network Operators - SINOG … · Vesna Manojlovic - SINOG 2 - 10 June 2015 Network monitoring •Operators use tools for monitoring network health -For example, Nagios

RIPE Atlas for Network Operators - SINOG … · Vesna Manojlovic - SINOG 2 - 10 June 2015 Network monitoring •Operators use tools for monitoring network health -For example, Nagios

Documents
Deploying BGP Large Communitieslargebgpcommunities.net/presentations/SINOG2017_Snijders_Large... · 5/22/17 SINOG 4.0, Ljubljana ... –Documentation for each implementation ... MikroTik

Deploying BGP Large Communitieslargebgpcommunities.net/presentations/SINOG2017_Snijders_Large... · 5/22/17 SINOG 4.0, Ljubljana ... –Documentation for each implementation ... MikroTik

Documents
Two years of good MANRS - APRICOT 2017 · MANRS training and certification 18 Routing security is hard —The MANRS BCOP was envisaged as a simple instruction set —Instead we have

Two years of good MANRS - APRICOT 2017 · MANRS training and certification 18 Routing security is hard —The MANRS BCOP was envisaged as a simple instruction set —Instead we have

Documents
MANRS - Arab States Research and Education Network (ASREN)asrenorg.net/eage2017/sites/default/files/files/3.pdf · MANRS Actions Filtering –Prevent propagation of incorrect routing

MANRS - Arab States Research and Education Network (ASREN)asrenorg.net/eage2017/sites/default/files/files/3.pdf · MANRS Actions Filtering –Prevent propagation of incorrect routing

Documents
ARM 7 - ISOC: MANRS, Security and resilience of global routing system

ARM 7 - ISOC: MANRS, Security and resilience of global routing system

Internet
MANRS - GRNOG · MANRS is an Important Step 19 Security is a process, not a state. MANRS provides a structure and a consistent approach to solving security issues facing the Internet

MANRS - GRNOG · MANRS is an Important Step 19 Security is a process, not a state. MANRS provides a structure and a consistent approach to solving security issues facing the Internet

Documents
Threat modeling IoT final - SINOG · I8 Insufficient Security Configurability I9 Insecure Software/Firmware I10 Poor Physical Security A1 Injection ... ENTERPRISE TION. Title: Threat

Threat modeling IoT final - SINOG · I8 Insufficient Security Configurability I9 Insecure Software/Firmware I10 Poor Physical Security A1 Injection ... ENTERPRISE TION. Title: Threat

Documents
Mutually Agreed Norms for Routing Security · MANRS should be (and is) a collaborative initiative of Internet operators • Internet operators undertaking MANRS principles need to

Mutually Agreed Norms for Routing Security · MANRS should be (and is) a collaborative initiative of Internet operators • Internet operators undertaking MANRS principles need to

Documents
Model-based Programmable Networks SINOG 2.0. Applications and Networks Routing system players: the Application and the Network. –Different interdependent

Model-based Programmable Networks SINOG 2.0. Applications and Networks Routing system players: the Application and the Network. –Different interdependent

Documents
MANRS: Mutually Agreed Norms for Routing Security · up-to-date contact information in common routing databases Anti-spoofing Prevent traffic with spoofed source IP addresses Enable

MANRS: Mutually Agreed Norms for Routing Security · up-to-date contact information in common routing databases Anti-spoofing Prevent traffic with spoofed source IP addresses Enable

Documents
Wastewater Treatment Processes. To prevent groundwater pollution To prevent sea shore pollution To prevent soil pollution To prevent marine life pollution

Wastewater Treatment Processes. To prevent groundwater pollution To prevent sea shore pollution To prevent soil pollution To prevent marine life pollution

Documents
PREVENT WORLD WAR III...Title: PREVENT WORLD WAR III Subject: PREVENT WORLD WAR III Keywords

PREVENT WORLD WAR III...Title: PREVENT WORLD WAR III Subject: PREVENT WORLD WAR III Keywords

Documents
Prevent Divided poster - Calderdale€¦ · Title: Prevent Divided poster Author: Calderdale Council Subject: Prevent Keywords: calderdale, council, prevent, divided, poster Created

Prevent Divided poster - Calderdale€¦ · Title: Prevent Divided poster Author: Calderdale Council Subject: Prevent Keywords: calderdale, council, prevent, divided, poster Created

Documents
A Proposal to Improve MANRS Global Secure Internet Routing ... · 6/6/2020  · ISOC MANRS Chapter Initiative Project Page 1 For Completion of the The MANRS Secure Global Routing

A Proposal to Improve MANRS Global Secure Internet Routing ... · 6/6/2020  · ISOC MANRS Chapter Initiative Project Page 1 For Completion of the The MANRS Secure Global Routing

Documents
From Prevent to Predict & Prevent (PnP): Optimizing oil

From Prevent to Predict & Prevent (PnP): Optimizing oil

Documents
IXP Partnership: Improving Global Routing Security and ... 2016... · MANRS is not a firewall that will protect your network. MANRS is a commitment – and a community. MANRS is a

IXP Partnership: Improving Global Routing Security and ... 2016... · MANRS is not a firewall that will protect your network. MANRS is a commitment – and a community. MANRS is a

Documents
Scrutiny, counter-extremism and the Prevent duty - Prevent... · • Prevent • Protect • Prepare. Jointly they aim to identify terrorists, prevent people from becoming terrorists,

Scrutiny, counter-extremism and the Prevent duty - Prevent... · • Prevent • Protect • Prepare. Jointly they aim to identify terrorists, prevent people from becoming terrorists,

Documents
Two years of good MANRS

Two years of good MANRS

Internet
Mutually Agreed Norms for Routing Securitypf.jbix.my/wp-content/uploads/2019/11/Kevins-slide.pdf · Routing Security (MANRS) 8 . Coordination Facilitate global operational communication

Mutually Agreed Norms for Routing Securitypf.jbix.my/wp-content/uploads/2019/11/Kevins-slide.pdf · Routing Security (MANRS) 8 . Coordination Facilitate global operational communication

Documents
Smarter Counter Fraud - SINOG · IBM Smarter Counter Fraud 30 . Estudo de Caso FAMS . Revisão e Aprimoramento de processos e critérios internos de pagamento . Após a aplicação

Smarter Counter Fraud - SINOG · IBM Smarter Counter Fraud 30 . Estudo de Caso FAMS . Revisão e Aprimoramento de processos e critérios internos de pagamento . Após a aplicação

Documents
Hands-on MANRS Tutorial · Hands-on MANRS Tutorial 1 Massimiliano Stucchi stucchi@isoc.org RIPE79 Rotterdam, October 2019. There is a problem 2 • 12,600 total incidents (either

Hands-on MANRS Tutorial · Hands-on MANRS Tutorial 1 Massimiliano Stucchi [email protected] RIPE79 Rotterdam, October 2019. There is a problem 2 • 12,600 total incidents (either

Documents
ION Belgrade - MANRS by Serbian Open eXchange (SOX)

ION Belgrade - MANRS by Serbian Open eXchange (SOX)

Technology
Mutually Agreed Norms for Routing Security Presentation - VNIX-… · Mutually Agreed Norms for Routing Security MANRS defines four simple but concrete actions that network operators

Mutually Agreed Norms for Routing Security Presentation - VNIX-… · Mutually Agreed Norms for Routing Security MANRS defines four simple but concrete actions that network operators

Documents