The Value of MANRS
For the Improvement of Your Security Stance
Route leaks and Distributed Denial of Service (DDoS) attacks have been in the news a good deal over the last several years, but the average non-transit network operator might feel pretty helpless in the face of the onslaught. Perhaps you can buy a DDoS mitigation service or appliance, and deploy the ubiquitous firewall at the edge of your network, but there is not much else to be done, right? Or maybe wait on the Internet at large to "do something" about these problems by deploying some sort of BGP security. But will adopting a "secure edge," and waiting for someone else to solve the problem, really help?
In reality, the edge customer is where the real power is in the Internet, for at least two reasons. First, the end customer decides what to advertise and what to accept, what to transmit and what to receive. On both the routing and the traffic sides, the end customer has a lot more power to secure the 'net than they might believe. For instance, by filtering inbound and outbound spam at their edge, end users can reduce the amount of spam originated from within their organizations and reduce the profitability of spam by blocking their users from even having the chance to respond to it. By refusing to send or receive traffic to or from hijacked destinations, the edge user can have a significant impact on the effectiveness of route hijacking.
Second, the end customer chooses what sort of service to buy, thus guiding the security posture of their upstream providers. In fact, security on the global 'net will only improve if those who pay the bills ask for it. If edge customers started asking for more information on which to base rational security decisions, and started asking their providers to put routing security in place, providers would listen. If you think of the 'net as a modern version of the village green, the problem of security is much like the problem of maintaining the green. So long as everyone assumes someone else is responsible, no-one will actually work to protect the common resource, and the problem will never truly be solved.
But isn't global scale security going to be difficult to design and deploy? The answer to this question is, as with all engineering questions, "it depends." If the community tries to build out and deploy a perfect solution that will solve all problems, no matter what the cost, then the answer to the question is definitely "yes." On the other hand, if the community decides to take the "acceptable engineering tradeoffs" path, and implement simple solutions that can solve 80% of the problem, then the answer is definitely "no." What sorts of simple things are we talking about here? For edge customers:
- Ensure that you are only advertising routes you own to your provider. For instance, make certain you do not leak routes learned from other networks, and make certain you have controls in place to prevent such leakage.
- Ensure you have packet filters in place to never allow a packet sourced from an address you are not advertising to be sent to your provider or any other peer (such as a private peer at an Internet exchange).
- Ensure you have updated your records in whois, and other network operators know who to call in case there is a problem with some traffic originating from your network.
- Ensure you have procedures in place for security incidents, including up to date information about who to call in your upstream provider, and how to react to incidents.
- Request information that will allow you to filter inbound route advertisements to ignore hijacked prefixes.
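The first two edge-customer actions above (advertise only what you own, and never let a packet with a foreign source address leave toward a provider or peer) can be expressed as two small policy checks. The block below is an added illustration written for this article, not code from MANRS or any vendor; the AS number, prefixes and neighbour labels are constructed placeholders, and the route representation is a simplification of what a real BGP speaker holds. The outbound policy treats anything not originated locally as a leak, which is the failure mode the first bullet warns about.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values for this example: an edge network's own AS number (from the
# private-use range) and the address blocks it has actually been assigned.
MY_ASN = 64500
OWNED_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "2001:db8:10::/48")]


@dataclass
class Route:
    prefix: str
    as_path: list      # AS path as the router would send it; our own AS is leftmost
    learned_from: str  # "local" for routes we originate, otherwise a neighbour label


def within_owned(prefix, owned=OWNED_PREFIXES):
    """True if the prefix is equal to or more specific than one of our own blocks."""
    net = ipaddress.ip_network(prefix, strict=False)
    # subnet_of() raises on a version mismatch, so compare the family first.
    return any(net.version == o.version and net.subnet_of(o) for o in owned)


def outbound_policy(routes, owned=OWNED_PREFIXES, my_asn=MY_ASN):
    """Split candidate routes into (advertise, suppress).

    A route is advertised to the provider only if it lies inside an owned block AND
    was originated locally (AS path is just our own AS). A route learned from an
    upstream or an IX peer is suppressed even when it covers our own space: passing
    it on would be exactly the route leak the first bullet is about.
    """
    advertise, suppress = [], []
    for r in routes:
        if not within_owned(r.prefix, owned):
            suppress.append((r, "prefix not owned by this network"))
        elif r.learned_from != "local" or r.as_path != [my_asn]:
            suppress.append((r, "learned from another network; advertising it would be a leak"))
        else:
            advertise.append(r)
    return advertise, suppress


def source_permitted(src_ip, owned=OWNED_PREFIXES):
    """Egress packet filter (second bullet): a packet may be sent to a provider or
    peer only if its source address falls inside a prefix we advertise."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr.version == o.version and addr in o for o in owned)


# Constructed sample routing table: two locally originated prefixes, a customer
# route and a default route learned from an upstream, and our own v6 block heard
# back from an IX peer (which must not be re-advertised either).
SAMPLE_ROUTES = [
    Route("192.0.2.0/24", [64500], "local"),
    Route("192.0.2.128/25", [64500], "local"),
    Route("198.51.100.0/24", [64500, 64496], "upstream-a"),
    Route("0.0.0.0/0", [64500, 64496], "upstream-a"),
    Route("2001:db8:10::/48", [64500, 64501], "ix-peer"),
]

if __name__ == "__main__":
    adv, sup = outbound_policy(SAMPLE_ROUTES)
    for r in adv:
        print("ADVERTISE", r.prefix)
    for r, why in sup:
        print("SUPPRESS ", r.prefix, "-", why)
    for ip in ("192.0.2.7", "2001:db8:10::1", "203.0.113.9"):
        print("egress", ip, "permitted" if source_permitted(ip) else "dropped")
```

Run against the constructed table, only the two locally originated 192.0.2.0 routes survive; the upstream-learned routes and the peer-learned copy of the v6 block are suppressed, and a packet sourced from 203.0.113.9 is dropped at the edge.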
For a provider, the kinds of actions available are similar:
- Ensure you are only accepting routes from customers as agreed on by contract, or through pre-arranged means; don’t just accept whatever a customer sends.
- Configure unicast reverse path forwarding checks where it makes sense, particularly for single homed customers.
- Ensure you have updated security contact information in whois and other sources.
- Work to provide your customers with the information they need to detect and filter hijacked routes.
- Work to provide customers with information about when their routes have been hijacked, when they are under various forms of attack, and other security incidents.
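The provider-side bullets (accept customer routes only as contracted, run reverse-path checks on single-homed customers, and give customers data with which to filter hijacks) fit together in one ingress policy. The block below is an added example for this article, not MANRS or vendor code. It assumes a per-customer contract expressed as prefixes with a maximum accepted length, a small table of Route Origin Authorizations (ROAs) of the kind the RPKI distributes, and a forwarding table keyed by outgoing interface; all values are constructed placeholders. Origin validation follows the RFC 6811 rule (a prefix is "invalid" only when a ROA covers it and none matches its origin AS and length), and the reverse-path check is the strict mode that only makes sense for a single-homed customer, as the second bullet says.

```python
import ipaddress
from collections import namedtuple

CustomerPolicy = namedtuple("CustomerPolicy", "asn allowed")  # allowed: [(prefix, max_len)]
Roa = namedtuple("Roa", "prefix max_len asn")

# Constructed contract for one customer. The 203.0.113.0/24 entry is deliberately
# stale: the customer no longer holds that block, which the ROA table reveals.
CUSTOMER = CustomerPolicy(asn=64500, allowed=[
    ("192.0.2.0/24", 25),
    ("2001:db8:10::/48", 48),
    ("203.0.113.0/24", 24),
])

# Constructed ROA table (prefix, max length, authorised origin AS).
ROAS = [
    Roa("192.0.2.0/24", 25, 64500),
    Roa("198.51.100.0/24", 24, 64496),
    Roa("203.0.113.0/24", 24, 64499),
]

# Constructed forwarding table: destination prefix -> interface the provider
# would use to reach it. The customer is single-homed behind "cust-1".
FIB = {
    "192.0.2.0/24": "cust-1",
    "198.51.100.0/24": "transit-1",
    "0.0.0.0/0": "transit-1",
}


def _covered(container, prefix):
    c = ipaddress.ip_network(container)
    p = ipaddress.ip_network(prefix, strict=False)
    return c.version == p.version and p.subnet_of(c)


def rov_state(prefix, origin_asn, roas=ROAS):
    """Return 'notfound', 'valid' or 'invalid' for (prefix, origin AS) per RFC 6811."""
    plen = ipaddress.ip_network(prefix, strict=False).prefixlen
    covering = [r for r in roas if _covered(r.prefix, prefix)]
    if not covering:
        return "notfound"
    if any(r.asn == origin_asn and plen <= r.max_len for r in covering):
        return "valid"
    return "invalid"


def accept_customer_route(prefix, as_path, policy=CUSTOMER, roas=ROAS):
    """Ingress policy for a customer BGP session. Returns (accept, reason)."""
    if not as_path or as_path[-1] != policy.asn:
        return False, "origin AS is not the customer's (possible leak)"
    plen = ipaddress.ip_network(prefix, strict=False).prefixlen
    if not any(_covered(c, prefix) and plen <= ml for c, ml in policy.allowed):
        return False, "prefix not in contracted list or more specific than agreed"
    state = rov_state(prefix, as_path[-1], roas)
    if state == "invalid":
        return False, "RPKI invalid: a ROA authorises a different origin"
    return True, "accepted (rov=%s)" % state


def longest_prefix_match(addr, fib=FIB):
    """Return (network, interface) of the most specific FIB entry covering addr."""
    a = ipaddress.ip_address(addr)
    best = None
    for pfx, iface in fib.items():
        n = ipaddress.ip_network(pfx)
        if n.version == a.version and a in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, iface)
    return best


def urpf_strict_ok(src_ip, ingress_iface, fib=FIB):
    """Strict unicast RPF: accept a packet only if the best route back to its
    source leaves through the interface it arrived on."""
    best = longest_prefix_match(src_ip, fib)
    return best is not None and best[1] == ingress_iface


if __name__ == "__main__":
    for pfx, path in [("192.0.2.0/24", [64500]), ("192.0.2.0/26", [64500]),
                      ("198.51.100.0/24", [64500, 64496]), ("203.0.113.0/24", [64500]),
                      ("2001:db8:10::/48", [64500])]:
        print(pfx, path, accept_customer_route(pfx, path))
    for src in ("192.0.2.9", "198.51.100.4", "203.0.113.1"):
        print("uRPF cust-1", src, urpf_strict_ok(src, "cust-1"))
```

The stale contract entry is the interesting case: the prefix-list alone would let 203.0.113.0/24 through, but the ROA says another AS holds it, so the announcement is rejected as RPKI-invalid. The v6 block has no ROA at all and is accepted as "notfound", which is why the text calls RPKI a baseline rather than a complete answer. The uRPF check drops packets from 198.51.100.4 and 203.0.113.1 on the customer port because the provider's best route to those sources points at transit, not at the customer.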
These goals and actions have all been conveniently drawn together and put into a single document by the Internet Society called MANRS, which can be found at http://manrs.org. This makes it simpler to at least discover some basics about your provider’s security stance—just ask them if they support, or have signed up for, MANRS. Note this is just a baseline, however; the actions suggested as a part of MANRS might not all work in every situation. Some of these technologies (such as the RPKI system) will probably never be fully deployed.
But by being aware, and guarding your little bit of the “village green,” you can do a lot to help the global Internet to be more secure, and hence a better place to do business.