MANRS (Mutually Agreed Norms for Routing Security)
Dr Nenad Krajnović, [email protected]
Serbian Open Exchange
How does the Internet work?
• The Internet is based on "good will"!
• The main protocol for global Internet routing is BGPv4.
• BGPv4 is based on trust:
– Announcements are accepted without any validity check.
– Mistakes propagate around the whole world.
– There is no authoritative source against which announcements could be validated.
RSNOG/ION conference - 23.11.2017. 3
What causes problems? (1)
• IP prefix hijack
– An AS announces a prefix that does not belong to it.
– An AS announces a prefix with a shorter AS path (removing some ASes from the path) so that its route is preferred and it attracts the traffic.
• Traffic ends up in the wrong place (blackhole).
• DoS, traffic interception.
What causes problems? (2)
• Route leak – traffic is routed in the "wrong" direction.
– You cannot control how your upstream provider handles your prefixes.
• IP address spoofing – spoofed traffic leaves the network without any problem.
– This is the root cause of reflection DDoS attacks.
I can protect myself!
• WRONG!
• Your safety is in other people's hands, because you cannot prevent others' mistakes, or "mistakes".
• Joint action by all Internet providers and IXPs is necessary to achieve stable and reliable traffic routing (MANRS)!
MANRS defines baseline security efforts
• Filtering – Ensure the correctness of your own announcements and of announcements from your customers to adjacent networks with prefix and AS-path granularity
• Anti-spoofing – Enable source address validation for at least single-homed stub customer networks, your own end-users, and infrastructure
• Coordination – Maintain globally accessible up-to-date contact information
• Global Validation – Publish your data, so others can validate routing information on a global scale
Route filtering
• Every BGP session should have an import filter that matches the data in the IRR (Internet Routing Registry).
• But the IRR data must be kept up to date!
• Filtering must be both AS-path and prefix based!
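The following is an added example (not code from the slides or from MANRS) of what "AS and prefix based" import filtering built from IRR data looks like in practice. The route objects, the customer AS-SET, the neighbour ASN and the /24 maximum-length policy are all constructed, using documentation ASNs (RFC 5398) and prefixes (RFC 5737); a real deployment would pull the route objects from the IRR with a tool and render the result as router prefix-lists and AS-path filters.

```python
"""IRR-based BGP import filter with prefix and AS-path granularity.

Added example for the route-filtering slide; it is not code from the slides
or from MANRS. The IRR data, AS-SET, neighbour ASN and max-length policy are
all constructed, using documentation ASNs (RFC 5398) and prefixes (RFC 5737).
"""
import ipaddress
from typing import NamedTuple, Tuple

# Constructed stand-in for the route objects a whois query of the customer's
# AS-SET would return: (prefix, origin AS).
IRR_ROUTE_OBJECTS = [
    ("192.0.2.0/24", 64500),
    ("198.51.100.0/24", 64500),
    ("203.0.113.0/24", 64501),   # AS64501 is a customer of AS64500
]
# Constructed AS-SET: the neighbour and the ASes it is allowed to transit.
CUSTOMER_AS_SET = {64500, 64501}
# Operator policy (assumption): accept de-aggregation no longer than /24.
MAX_PREFIX_LEN = 24


class Announcement(NamedTuple):
    prefix: str
    as_path: Tuple[int, ...]   # leftmost = neighbour, rightmost = origin


def build_prefix_filter(route_objects, as_set):
    """Map registered prefix -> origin AS, keeping only origins in the AS-SET.

    Route objects whose origin is outside the AS-SET are ignored: a prefix
    registered to a stranger must not be accepted from this neighbour.
    """
    allowed = {}
    for prefix, origin in route_objects:
        if origin in as_set:
            allowed[ipaddress.ip_network(prefix)] = origin
    return allowed


def check_announcement(ann, prefix_filter, peer_asn, as_set, max_len=MAX_PREFIX_LEN):
    """Return (accepted, reason) for one announcement on a customer session."""
    net = ipaddress.ip_network(ann.prefix, strict=False)
    path = ann.as_path
    # AS-path granularity: the path must start with the neighbour and may only
    # contain ASes from its AS-SET (its customer cone).
    if not path or path[0] != peer_asn:
        return False, "first AS in path is not the BGP neighbour"
    stray = [asn for asn in path if asn not in as_set]
    if stray:
        return False, f"AS path contains AS{stray[0]}, not in the customer AS-SET"
    origin = path[-1]
    # Prefix granularity: the longest registered prefix covering the announcement.
    covering = [
        (reg, reg_origin) for reg, reg_origin in prefix_filter.items()
        if reg.version == net.version and net.subnet_of(reg)
    ]
    if not covering:
        return False, "prefix not registered in IRR for this customer"
    reg, reg_origin = max(covering, key=lambda item: item[0].prefixlen)
    if net.prefixlen > max_len:
        return False, f"more specific than /{max_len}"
    if origin != reg_origin:
        return False, f"origin AS{origin} does not match route object (AS{reg_origin})"
    return True, f"covered by route object {reg} origin AS{reg_origin}"


def evaluate(announcements, peer_asn=64500):
    """Run the filter over announcements; returns [(prefix, accepted, reason)]."""
    prefix_filter = build_prefix_filter(IRR_ROUTE_OBJECTS, CUSTOMER_AS_SET)
    return [
        (ann.prefix, *check_announcement(ann, prefix_filter, peer_asn, CUSTOMER_AS_SET))
        for ann in announcements
    ]


# Constructed session from AS64500: two legitimate routes, an over-specific
# de-aggregation, a path-shortening hijack of the customer's customer
# (origin stripped from the path), and a prefix not registered at all.
SAMPLE_ANNOUNCEMENTS = [
    Announcement("192.0.2.0/24", (64500,)),
    Announcement("203.0.113.0/24", (64500, 64501)),
    Announcement("192.0.2.0/25", (64500,)),
    Announcement("203.0.113.0/24", (64500,)),
    Announcement("10.0.0.0/8", (64500,)),
]

if __name__ == "__main__":
    for prefix, ok, why in evaluate(SAMPLE_ANNOUNCEMENTS):
        print(f"{'ACCEPT' if ok else 'REJECT'} {prefix:18} {why}")
```

The fourth announcement is the "shorter AS path" hijack from the earlier slide: the prefix itself is registered, but the origin in the path no longer matches the route object, so a prefix-only filter would let it through while the combined prefix plus origin check rejects it. The filter is only as good as the route objects it was built from, which is why the slide insists the IRR data be kept current.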
Anti-spoofing
• The operator should validate the source IP address of all incoming traffic.
• The source IP address MUST belong to the customer who is sending the packet!
• It can be done properly only at the network edge.
• At an IXP, RPF cannot always be applied and anti-spoofing protection is very difficult.
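As an added example (not code from the slides or from MANRS), the model below shows why the slides scope source-address validation to single-homed stubs and the network edge: strict unicast RPF, loose unicast RPF and a static per-customer ingress ACL are run over the same constructed packets. The FIB, interface names, customer prefixes and packets are all constructed (RFC 5737 prefixes), and the router model is deliberately simpler than a real uRPF implementation.

```python
"""Strict vs loose unicast RPF, plus a per-customer ingress ACL, over a model FIB.

Added example for the anti-spoofing slide; it is not code from the slides or
from MANRS, and a real router's uRPF has more options than modelled here.
The FIB, interface names and packets are constructed (RFC 5737 prefixes).
"""
import ipaddress

# Constructed FIB: prefix -> set of egress interfaces of the best route.
# Customer B is multihomed; the best path to its second prefix was learned
# from a peer, so B's own traffic from that prefix arrives asymmetrically.
FIB = {
    ipaddress.ip_network("0.0.0.0/0"): {"upstream0"},
    ipaddress.ip_network("192.0.2.0/24"): {"cust-a"},     # single-homed stub A
    ipaddress.ip_network("198.51.100.0/24"): {"cust-b"},  # customer B, first prefix
    ipaddress.ip_network("203.0.113.0/24"): {"peer0"},    # B's second prefix via a peer
}

# Constructed static per-interface ACL: the address space each customer may
# source, e.g. derived from the same IRR data that feeds the BGP filters.
CUSTOMER_PREFIXES = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/24"),
               ipaddress.ip_network("203.0.113.0/24")],
}


def best_route(src):
    """Longest-prefix match for src; returns (prefix, interfaces) or None."""
    addr = ipaddress.ip_address(src)
    matches = [(p, ifs) for p, ifs in FIB.items() if addr in p]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None


def urpf_check(src, ingress, mode="strict", allow_default=False):
    """True if the packet passes unicast RPF in the given mode.

    strict: the best route back to src must leave via the ingress interface.
    loose:  any route to src suffices (so a neighbour's prefix is spoofable).
    Without allow_default, a source only reachable via 0.0.0.0/0 fails both.
    """
    route = best_route(src)
    if route is None:
        return False
    prefix, ifaces = route
    if prefix.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    return ingress in ifaces


def acl_check(src, ingress):
    """True if src falls inside the prefixes registered for the ingress interface."""
    addr = ipaddress.ip_address(src)
    return any(addr in p for p in CUSTOMER_PREFIXES.get(ingress, []))


# Constructed packets: (source, ingress interface, description)
SAMPLE_PACKETS = [
    ("192.0.2.10", "cust-a", "legitimate, stub customer A"),
    ("10.1.2.3", "cust-a", "spoofed unrouted source from A"),
    ("198.51.100.5", "cust-a", "A spoofing customer B's prefix"),
    ("203.0.113.7", "cust-b", "legitimate but asymmetric, customer B"),
]


def evaluate(packets=SAMPLE_PACKETS):
    """Return [(src, ingress, strict, loose, acl)] for each packet."""
    return [
        (src, ifc, urpf_check(src, ifc, "strict"),
         urpf_check(src, ifc, "loose"), acl_check(src, ifc))
        for src, ifc, _ in packets
    ]


if __name__ == "__main__":
    for (src, ifc, desc), (_, _, strict, loose, acl) in zip(SAMPLE_PACKETS, evaluate()):
        print(f"{src:14} on {ifc:7} strict={strict!s:5} loose={loose!s:5} "
              f"acl={acl!s:5} ({desc})")
```

The third packet shows the weakness of loose mode: a route to 198.51.100.0/24 exists, so the spoofed source passes, while strict mode and the ACL both drop it. The fourth packet shows the failure mode behind the slide's caveat: customer B's legitimate traffic is dropped by strict uRPF because the best route back to that prefix points at a peer, which is exactly the asymmetry an IXP or a multihomed edge sees. For such ports a static ACL built from the customer's registered prefixes gives the right answer, which is why the MANRS action asks for source validation on single-homed stub customers first.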
Coordination
• How do you solve a problem if you have no working contact for the problematic network?
• And what do you do if the admins of the remote network do not respond to your complaint?
• Operators must be aware of the importance of cooperation and coordination!
Global Validation
• Network operators should have publicly documented routing policy, ASNs and prefixes that are intended to be advertised to external parties.
• This is basement for global validation of prefixes.
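As a worked illustration of what "publish your data" means for this action, the following RPSL objects are added here and are not taken from the slides or from MANRS. They are constructed: the ASNs are from the documentation range (RFC 5398), the prefixes from RFC 5737, and the as-name, as-set name and descriptions are invented; the contact handles a real object would carry (admin-c, tech-c, mnt-by) are omitted. Objects like these, in the RIPE IRR, are what other operators' route-server and import filters are built from.

```rpsl
aut-num:        AS64500
as-name:        EXAMPLE-ISP
descr:          Constructed example, documentation ASN
import:         from AS64501 accept AS64501
export:         to AS64501 announce ANY
import:         from AS64496 accept ANY
export:         to AS64496 announce AS-EXAMPLE-ISP
remarks:        Contact handles (admin-c, tech-c) omitted in this example
source:         RIPE

as-set:         AS-EXAMPLE-ISP
descr:          Every ASN AS64500 announces to upstreams and peers
members:        AS64500, AS64501
source:         RIPE

route:          192.0.2.0/24
descr:          Example ISP aggregate
origin:         AS64500
source:         RIPE

route:          203.0.113.0/24
descr:          Customer AS64501 prefix
origin:         AS64501
source:         RIPE
```

The aut-num states the policy (what is accepted from the customer, what is announced to the upstream and as which set), the as-set enumerates the customer cone, and each route object binds a prefix to its legitimate origin AS. A neighbour expanding AS-EXAMPLE-ISP obtains exactly the prefix and origin pairs it should accept from AS64500; anything else announced on that session can be dropped.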
SOX and MANRS
• SOX filters BGP announcements on its route servers based on RIPE IRR data.
• Since SOX is an L2 network, we do NOT filter traffic!
• SOX plans to be fully compliant with the MANRS recommendations.