Internet Society wants to fill in the Great Routing Black Hole
Operators to show their MANRS, aka Mutually Agreed Norms for Routing Security
For all its robustness, the Internet is built on remarkably fragile systems.
A great example is the worldwide routing infrastructure, which can be fat-thumbed into confusion or exploited by malefactors.
The Internet Society – ISOC – has been working on this since November 2014 under an initiative called MANRS – Mutually Agreed Norms for Routing Security – and spoke to The Register last week about the initiative.
Two particular targets of MANRS are accidental or deliberate black-holing of traffic; and exploitation of routing infrastructure in Distributed Denial-of-Service (DDoS) attacks by spoofed route information.
The initiative now has 42 members, with ISOC announcing Scandinavia's SUNET and NORDUnet as the latest network operators to sign on – but since there are roughly 50,000 networks (autonomous systems, ASs, in Internet nomenclature), it needs a lot more reach.
Vulture South talked to ISOC technology program manager Andrei Robachevsky about what MANRS is, and why ISOC wants it to be ubiquitous.
“One of the strategic objectives is restoring trust in the Internet," Robachevsky said, and since it's so easy to “cause havoc” in the routing infrastructure, that's what the operators who asked ISOC to coordinate MANRS are working on.
MANRS, he explained, defines minimum baselines by calling on specific actions to protect route announcements, DDoS vulnerabilities, response coordination, and network information publication.
For those who don't know why Pakistan could send YouTube dark around the world, it's because for a packet to reach its destination, every router in the world needs to know where it should send that packet.
That information comes from “route advertisements”: the owner of a network (AS 1234 for example) says “if you want to send packets to AS 3456, send them to me”. If a network advertises itself as the go-to for a network it can't reach, the traffic is lost.
It's more complex than that, of course, because small networks advertise their routes to large networks, who might have a yet-larger network upstream announcing its routes, and so on.
However, the action that MANRS asks for isn't so complex: networks joining the initiative commit to filtering their route advertisements to catch mistakes.
Robachevsky says it's a “clean your own side of the street” commitment: networks make sure the announcements they and their customers make are correct.
“It's something you are in a position to do: you know your customers, and you know your networks.”
So why doesn't that happen already? Partly it expresses an old security conundrum, that it's seen as a cost without commensurate benefit, but there's more than that.
Making sure you only make announcements about networks you know means checking information not via BGP (the Border Gateway Protocol that communicates route announcements), but an out-of-band channel.
In other words, put a business process in place, so that when the small network sends a routing table to an upstream network, it gets checked – and the prefixes go into a filtering database that catches mistakes in announcements before they lay claim to a whole country's traffic.
There is a financial benefit here, even if it's hard to quantify: if you're a small network laying accidental claim to Comcast or Level 3, then after you've hosed yourself, you're going to have a serious case of buyer's remorse.
Address spoofing is a big part of volumetric denial-of-service attacks, because it makes it harder to trace and block the networks originating the attacks (that is, the attack packets say they come from Vanuatu instead of somewhere large, like China or Comcast).
Blocking spoofed traffic doesn't end the risk of DDoS, Robachevsky said, but it makes a protected network more expensive to the attacker – “it creates a difference between the cost of launching an attack, and the devastation it causes,” he noted.
Like route announcement filtering, this is protecting against outward risks: you're agreeing to protect the rest of the Internet against bad things that might start on your network. The participant in MANRS agrees to check packets leaving its network, and block traffic that give the wrong source IP address.
This, at least is simple: everybody agrees that other networks can find their NOC contact information – and that someone's there to answer the phones if there's an incident.
Networks agree to publish enough information about their networks so other operators can catch mistakes.
Robachevsky: “One of the big problems here is lack of data, and lack of confidence in this data, of the announcements networks are emitting.
“On the global scale, you don't know if this announcement is correct. So operators agree to publish some information about their networks, so that someone in the other 50,000 networks can say 'this announcement is not correct – this prefix belongs to YouTube, not Pakistan Telecom'.”
If MANRS manages to get traction, Robachevsky said, there's a hope that it'll form a strong social aspect.
Take, for example, an Internet exchange point – where sysadmins for different networks “have eye contact – they know each other.
“If you're in an IXP where 80 per cent of the networks are MANRS members, there will be pressure on the other 20 per cent to behave well.”
The same, he hopes, can apply to peering: that networks will be more likely to setup high-bandwidth peering with MANRS members.
ISOC wants it to help drew the line between good and bad, Robachevsky added: “if you don't have a norm, then peer pressure doesn't really exist”.
As well as announcing the latest MANRS members, ISOC has convened a group to put together a Best Current Operational Practices document, which is going to be put to RIPE 73 (Madrid, 24-28 October 2016) for review. ®