mutually agreed norms for routing security
play

Mutually Agreed Norms for Routing Security manrs@isoc.org - PowerPoint PPT Presentation

Oct 07, 2022 •366 likes •791 views

Mutually Agreed Norms for Routing Security manrs@isoc.org Insecurity by Design When the Internet was developed, they didnt build in security by design. The objective was resilience, simplicity and ease of deployment That created the Internet

  1. Mutually Agreed Norms for Routing Security manrs@isoc.org

  2. Insecurity by Design When the Internet was developed, they didn’t build in security by design. The objective was resilience, simplicity and ease of deployment That created the Internet as the best effort, interdependent, general purpose network of networks supporting permission-less innovation. While these qualities have made the Internet so successful, they also contribute to many of its security issues. 2

  3. Familiar headlines

  4. No Day Without an Incident 6 month of suspicious activity 120 100 80 60 Hijack Leak 40 20 0 1/1/17 2/1/17 3/1/17 4/1/17 5/1/17 6/1/17 7/1/17 8/1/17 http://bgpstream.com/ 4

  5. The routing system is constantly under attack • 13,935 total incidents (either outages or attacks like route leaks and hijacks) • Over 10% of all Autonomous Systems on the Internet were affected • 3,106 Autonomous Systems were a victim of at least one routing incident • 1,546 networks caused at least one incident 5 Source: https://www.bgpstream.com/

  6. Routing Incidents Cause Real World Problems Event Explanation Repercussions Example Prefix/Route A network operator or attacker Packets are forwarded to The 2008 YouTube hijack Hijacking impersonates another network the wrong place, and can operator, pretending that a server cause Denial of Service or network is their client. (DoS) attacks or traffic interception. Route Leak A network operator with multiple Can be used for traffic September 2014. VolumeDrive upstream providers (often due to inspection and began announcing to Atrato accidental misconfiguration) reconnaissance. nearly all the BGP routes it announces to one upstream learned from Cogent causing provider that is has a route to a disruptions to traffic in places destination through the other as far-flung from the USA as upstream provider. Pakistan and Bulgaria. IP Address Someone creates IP packets with a The root cause of March 1, 2018. Memcached Spoofing false source IP address to hide the reflection DDoS attacks 1.3Tb/s reflection- identity of the sender or to amplificationattack reported by impersonate another computing Akamai 6 system.

  7. The Basics: How Routing Works There are ~60,000 networks (Autonomous Systems) across the Internet, each using a unique Autonomous System Number (ASN) to identify itself to other networks. Routers use Border Gateway Protocol (BGP) to exchange “reachability information” - networks they know how to reach. Routers build a “routing table” and pick the best route when sending a packet, typically based on the shortest path. 7

  8. The Honor System: Routing Issues Border Gateway Protocol (BGP) is based entirely on trust between networks • No built-in validation that updates are legitimate • The chain of trust spans continents • Lack of reliable resource data 8

  9. Route Hijacking Route hijacking, also known as “BGP hijacking” when a network operator or attacker (accidentally or deliberately) impersonates another network operator or pretends that the network is their client. This routes traffic to the attacker, while the victim suffers an outage. Example: The 2008 YouTube hijack; an attempt to block Youtube through route hijacking led to much of the traffic to Youtube being dropped around the world (https://www.ripe.net/publications/news/industry- developments/youtube-hijacking-a-ripe-ncc-ris-case-study) 9

  10. Route Leak A Route leak is a problem where a network operator with multiple upstream providers accidentally announces to one of its upstream providers that is has a route to a destination through the other upstream provider. This makes the network an intermediary network between the two upstream providers. With one sending traffic now through it to get to the other. Example: September 2014. VolumeDrive (AS46664) is a Pennsylvania-based hosting company that uses Cogent (AS174) and Atrato (AS5580) for Internet transit. VolumeDrive began announcing to Atrato nearly all the BGP routes it learned from Cogent causing disruptions to traffic in places as far-flung from the USA as Pakistan and Bulgaria. (https://dyn.com/blog/why-the-internet-broke-today/) 10

  11. IP Address Spoofing IP address spoofing is used to hide the true identity of the server or to impersonate another server. This technique can be used to amplify an attack. Example: DNS amplification attack. By sending multiple spoofed requests to different DNS resolvers, an attacker can prompt many responses from the DNS resolver to be sent to a target, while only using one system to attack. Fix: Source address validation: systems for source address validation can help tell if the end users and customer networks have correct source IP addresses (combined with filtering). 11

  12. Tools to Help • Prefix and AS-PATH filtering • RPKI validator, IRR toolset, IRRPT, BGPQ3 • BGPSEC is standardized But… • Not enough deployment • Lack of reliable data We need a systemic approach to improving routing security 12

  13. We Are In This Together Network operators have a responsibility to ensure a globally robust and secure routing infrastructure. Your network’s safety depends on a routing infrastructure that weeds out bad actors and accidental misconfigurations that wreak havoc on the Internet. The more network operators work together, the fewer incidents there will be, and the less damage they can do. 13

  14. Mutually Agreed Norms for Routing Security (MANRS) Provides crucial fixes to reduce the most common routing threats 14

  15. MANRS improves the security and reliability of the global Internet routing system, based on collaboration among participants and shared responsibility for the Internet infrastructure. MANRS sets a new norm in routing hygiene 15

  16. Mutually Agreed Norms for Routing Security MANRS defines four simple but concrete actions that network operators must implement to improve Internet security and reliability. • The first two operational improvements eliminate the root causes of common routing issues and attacks, while the second two procedural steps improve mitigation and decrease the likelihood of future incidents. MANRS builds a visible community of security minded network operators and IXPs 16

  17. MANRS Actions Filtering Anti-spoofing Coordination Global Prevent propagation of Prevent traffic with Facilitate global Validation incorrect routing spoofed source IP operational Facilitate validation of information addresses communication and routing information on a coordination between global scale network operators Ensure the correctness of Enable source address your own announcements validation for at least Publish your data, so and announcements from single-homed stub Maintain globally others can validate your customers to adjacent customer networks, their accessible up-to-date networks with prefix and own end-users, and contact information in AS-path granularity infrastructure common routing databases 17

  18. Implementing MANRS Actions: Signals an organization’s security-forward posture and can eliminate SLA violations that reduce profitability or cost customer relationships. Heads off routing incidents, helping networks readily identify and address problems with customers or peers. Improves a network’s operational efficiency by establishing better and cleaner peering communication pathways, while also providing granular insight for troubleshooting. Addresses many concerns of security-focused enterprises and other customers. 18

  19. Everyone Benefits Joining MANRS means joining a community of security-minded network operators committed to making the global routing infrastructure more robust and secure. Consistent MANRS adoption yields steady improvement, but we need more networks to implement the actions and more customers to demand routing security best practices. The more network operators apply MANRS actions, the fewer incidents there will be, and the less damage they can do. 19

  20. MANRS is an Important Step Security is a process, not a state. MANRS provides a structure and a consistent approach to solving security issues facing the Internet. MANRS is the minimum an operator should consider, with low risk and cost-effective actions. MANRS is not a one-stop solution to all of the Internet’s routing woes, but it is an important step toward a globally robust and secure routing infrastructure. 20

  21. Why join MANRS? • Improve your security posture and reduce the number and impact of routing incidents • Join a community of security-minded operators working together to make the Internet better • Use MANRS as a competitive differentiator 21

  22. MANRS – increasing adoption 22

  23. MANRS IXP Programme There is synergy between MANRS and IXPs • IXPs form a community with a common operational objective • MANRS is a reference point with a global presence – useful for building a “safe neighborhood” How can IXPs contribute? • A set of Actions that demonstrate the IXP commitment and also bring significant improvement to the resilience and security of the routing system 23

  24. MANRS IXP Programme – launched on April 23! 24

  25. MANRS Implementation Guide If you’re not ready to join yet, implementation guidance is available to help you. • Based on Best Current Operational Practices deployed by network operators around the world • https://www.manrs.org/bcop/ 25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Elementary Does your PLC have 12-13 13-14 14-15 15-16 16-17 17-18 18-19 Norms? 95 98

Elementary Does your PLC have 12-13 13-14 14-15 15-16 16-17 17-18 18-19 Norms? 95 98

Elementary Does your PLC have 12-13 13-14 14-15 15-16 16-17 17-18 18-19 Norms? 95 98 98 95 98 98 98 A process for what to do if norms are broken? 91 93 93 88 92 94 94 Agreed on and taught essential standards? 89 93 91

623 views • 44 slides
What is the difference between routing and forwarding? Routing protocols: Implemented

What is the difference between routing and forwarding? Routing protocols: Implemented

Routing What is the difference between routing and forwarding? Routing protocols: Implemented distributed algorithms (scalability) Routers should have mutually consistent view of the network. Can be classified into: Intradomain

510 views • 5 slides
NDN ROUTING SECURITY Lan Wang, Beichuan Zhang 2/9/2015 www.named-data.net 2 Routing Security

NDN ROUTING SECURITY Lan Wang, Beichuan Zhang 2/9/2015 www.named-data.net 2 Routing Security

NDN ROUTING SECURITY Lan Wang, Beichuan Zhang 2/9/2015 www.named-data.net 2 Routing Security Required: authenticity and integrity of routing information o Link state routing: LSAs are originated by the routing process authorized to do so

345 views • 10 slides
Improving BGP routing security Job Job S Snijders NTT / / AS AS 2 2914 job ob@ntt.net

Improving BGP routing security Job Job S Snijders NTT / / AS AS 2 2914 job ob@ntt.net

Improving BGP routing security Job Job S Snijders NTT / / AS AS 2 2914 job ob@ntt.net http tps:// //tw twitter.com/ om/Job JobSnijders Why are we doing any of this routing security? Creating EBGP routing filters based on

906 views • 44 slides
Routing Security Economics Steven M. Bellovin http://www.cs.columbia.edu/~smb Columbia

Routing Security Economics Steven M. Bellovin http://www.cs.columbia.edu/~smb Columbia

Routing Security Economics Steven M. Bellovin http://www.cs.columbia.edu/~smb Columbia University January 18, 2007 1 / 9 What is Routing Security? Bad guys play games with routing protocols. What is Routing Security? How is it

95 views • 9 slides
Norms of Navigation 8th ARF ISM on Maritime Security SUBTITLE LINE CAPT Michael McArthur, RAN

Norms of Navigation 8th ARF ISM on Maritime Security SUBTITLE LINE CAPT Michael McArthur, RAN

Norms of Navigation 8th ARF ISM on Maritime Security SUBTITLE LINE CAPT Michael McArthur, RAN Director Sea Power Centre - Australia 7 April 2016 Scope of Presentation Maritime Security and The International System Norms of navigation

305 views • 19 slides
RPKI and Routing Security Presentation | September 2015 Yerevan Regional Meeting Routing

RPKI and Routing Security Presentation | September 2015 Yerevan Regional Meeting Routing

RPKI and Routing Security Presentation | September 2015 Yerevan Regional Meeting Routing Security 2 Routing Registry route objects RPKI (Resource Public Key Infrastructure) ROAs (Route Origin Authorisation) RPKI and Routing

422 views • 31 slides
Interdomain Routing Two types of Routing Intradomain routing Security Accomplished via

Interdomain Routing Two types of Routing Intradomain routing Security Accomplished via

253 views • 10 slides
MUTUALLY REINFORCING INSTITUTIONS MUTUALLY REINFORCING INSTITUTIONS EAPC/PFP MONACO THE

MUTUALLY REINFORCING INSTITUTIONS MUTUALLY REINFORCING INSTITUTIONS EAPC/PFP MONACO THE

NATO HQ - POLITICAL AFFAIRS DIVISION MUTUALLY REINFORCING INSTITUTIONS MUTUALLY REINFORCING INSTITUTIONS EAPC/PFP MONACO THE HOLY SEE BELARUS NATO KAZAKHSTAN CANADA KYRGYZSTAN UNITED STATES TAJIKISTAN 2) TURKMENISTAN UZBEKISTAN

529 views • 5 slides
Constructivist Security: Norms, Identities & Narratives Week 6 - 01 November 2017 The

Constructivist Security: Norms, Identities & Narratives Week 6 - 01 November 2017 The

PSI 330 International Security Constructivist Security: Norms, Identities & Narratives Week 6 - 01 November 2017 The Critique of Positivist Approaches Structural Realism Balance of Power Balance of Threats Neoliberalism

574 views • 19 slides
Inversion of Mutually Orthogonal CA Luca Mariot, Alberto Leporati Bicocca Security Lab (BiSLab)

Inversion of Mutually Orthogonal CA Luca Mariot, Alberto Leporati Bicocca Security Lab (BiSLab)

Inversion of Mutually Orthogonal CA Luca Mariot, Alberto Leporati Bicocca Security Lab (BiSLab) Dipartimento di Informatica, Sistemistica e Comunicazione (DISCo) Universit degli Studi Milano - Bicocca ACRI 2018 Como, September 17-21, 2018

508 views • 19 slides
Glo lobal Routing Security and it its im impact on Policy Development Aftab Siddiqui Senior

Glo lobal Routing Security and it its im impact on Policy Development Aftab Siddiqui Senior

February 2019 Glo lobal Routing Security and it its im impact on Policy Development Aftab Siddiqui Senior Manager, Internet Technology siddiqui@isoc.org Lets understand the problem.. What is the connection between routing security

346 views • 19 slides
Inter-Domain Routing Security Inter-Domain Routing Security ~ ~BGP BGP Route Hijacking~ Route

Inter-Domain Routing Security Inter-Domain Routing Security ~ ~BGP BGP Route Hijacking~ Route

Inter-Domain Routing Security Inter-Domain Routing Security ~ ~BGP BGP Route Hijacking~ Route Hijacking~ Mar 1 2007 in APRICOT 2007 NTT Communications Corp. Taka Mizuguchi Tomoya Yoshida What s BGP Route Hijacking? s BGP Route

583 views • 40 slides
Chapter 20 Intruders Cryptography and Network Security They agreed that Graham should set the

Chapter 20 Intruders Cryptography and Network Security They agreed that Graham should set the

4/19/2010 Chapter 20 Intruders Cryptography and Network Security They agreed that Graham should set the test for Chapter 20 Charles Mabledene. It was neither more nor less than that Dragon should get Stern's code. If he had the 'in' at Utting

418 views • 6 slides
Security III: Availability, DDoS, sli.do time and Routing Security 15-441 Spring 2019 (yell

Security III: Availability, DDoS, sli.do time and Routing Security 15-441 Spring 2019 (yell

3/28/19 Security III: Availability, DDoS, sli.do time and Routing Security 15-441 Spring 2019 (yell at me if I dont notice?) Profs Peter Steenkiste & Justine Sherry & (Guest Lecturer) Sannan Slides almost entirely copied from

288 views • 18 slides
RECALIBRATING NORMS: EUROPE, ASIA AND NON-TRADITIONAL SECURITY CHALLENGES Katja Weber Sam Nunn

RECALIBRATING NORMS: EUROPE, ASIA AND NON-TRADITIONAL SECURITY CHALLENGES Katja Weber Sam Nunn

RECALIBRATING NORMS: EUROPE, ASIA AND NON-TRADITIONAL SECURITY CHALLENGES Katja Weber Sam Nunn School of International Affairs Georgia Institute of Technology Prepared for the Center for Non-Traditional Security Studies, Rajaratnam School of

466 views • 24 slides
2019-2021 Budget Request Presented to the Education and Environment Division of the House

2019-2021 Budget Request Presented to the Education and Environment Division of the House

Upper Great Plains Transportation Institute 2019-2021 Budget Request Presented to the Education and Environment Division of the House Appropriations Committee by Denver Tolliver, Director UGPTI Contents Major components comprising the

511 views • 33 slides
Opening Remarks Cybersecurity in Cyber-Physical Systems Workshop hosted by NIST Information

Opening Remarks Cybersecurity in Cyber-Physical Systems Workshop hosted by NIST Information

Opening Remarks Cybersecurity in Cyber-Physical Systems Workshop hosted by NIST Information Technology Laboratory April 23-24, 2012 George W. Arnold, Eng.Sc.D. Director, Smart Grid and Cyber-Physical Systems Program Office Engineering

534 views • 12 slides
Autonomous People Mover Phase II - Sensory System P15242 - MSD 1 - SYSTEM DESIGN REVIEW Member

Autonomous People Mover Phase II - Sensory System P15242 - MSD 1 - SYSTEM DESIGN REVIEW Member

Autonomous People Mover Phase II - Sensory System P15242 - MSD 1 - SYSTEM DESIGN REVIEW Member Role Program The Team Nathan Biviano Project Manager & IE Integration Madeleine Software & CE Daigneau Communication James Danko

673 views • 35 slides
Self-driving vehicles in the refuse business: some future scenarios Volvo Group Trucks Technology

Self-driving vehicles in the refuse business: some future scenarios Volvo Group Trucks Technology

Self-driving vehicles in the refuse business: some future scenarios Volvo Group Trucks Technology 1 2016 Fredrik Cederstav AGENDA: 10.30 Introduction: Fredrik Cederstav (Volvo Advanced Technology & Research) incl. workshop questions

511 views • 28 slides
DoD Priorities for Autonomy Research and Development MORLEY O. STONE, ST, PhD Autonomy PSC Lead

DoD Priorities for Autonomy Research and Development MORLEY O. STONE, ST, PhD Autonomy PSC Lead

DoD Priorities for Autonomy Research and Development MORLEY O. STONE, ST, PhD Autonomy PSC Lead 21 October 2011 NDIA Disruptive Technologies Conference November 8-9, 2011 Washington, DC Title Distribution Statement A: Approved for public

362 views • 11 slides
MANTA Summary Report External Stuart Rowell Principal Technologist Systems (Automation

MANTA Summary Report External Stuart Rowell Principal Technologist Systems (Automation

MANTA Summary Report External Stuart Rowell Principal Technologist Systems (Automation & Safety) Outline Connected Places Urban cities face growing mobility challenges through increased density of land use and higher levels of

548 views • 32 slides
Investigating Internet Controls with OONI Internet Freedom Festival, 7 th March 2017 Arturo

Investigating Internet Controls with OONI Internet Freedom Festival, 7 th March 2017 Arturo

Investigating Internet Controls with OONI Internet Freedom Festival, 7 th March 2017 Arturo Filast & Maria Xynou Free software project (under the Tor Project) aimed at empowering decentralized efforts in increasing transparency of

440 views • 29 slides
Technology Workshops Management presentation Ladies and Gentlemen, The world as we know it is

Technology Workshops Management presentation Ladies and Gentlemen, The world as we know it is

Corporate Communications Investor Relations 2 December 2016 - Check against delivery - Technology Workshops Management presentation Ladies and Gentlemen, The world as we know it is currently undergoing a dramatic transformation. Many of the

522 views • 5 slides

More recommend