Improving BGP routing security by minding your MANRS
- 27 August, 2019 20:00
Finding out after the fact that a big chunk of your internet traffic has been incorrectly routed through a server in China due to Border Gateway Protocol (BGP) routing security issues is... not great. Want to stop that from happening? Tough one. It's an age-old — or rather, internet-old — problem, and no single enterprise can prevent this on its own.
How do you solve a collective action problem? By acting collectively.
That's the idea behind the Mutually Agreed Norms for Routing Security (MANRS) project. Developed by the Internet Society (ISOC), and listing 204 network operators (ISPs) and 35 internet exchange points (IXPs) as members so far, plus newcomers Google and Microsoft, this coalition of the willing seeks to prevent BGP security issues that affect interdomain routing among autonomous systems.
Enterprises can increase their routing security at modest cost by choosing to work with ISPs and IXPs who implement stronger BGP security controls such as those recommended by MANRS.
"By selecting a provider that is MANRS compliant, enterprise security managers know that their provider is following best practices in securing their networks," Andrei Robachevsky, senior technology program manager, ISOC, which runs MANRS, tells CSO. "Enterprises can take advantage of MANRS by joining themselves or by working with service providers that are MANRS members.... Providers that participate are sending a clear message to their customers – that they care about security."
Just how big is this routing security mess, anyway?
Measuring routing security
Turns out building the internet on the assumption that everyone who uses it is trustworthy was a really bad idea. You wonder what they were thinking back in the '70s.
To better quantify the extent of the routing security problem, last week MANRS launched its MANRS Observatory, "a new online tool that measures the level of networks’ compliance to MANRS, a key indicator of the state of routing security and resiliency of the internet."
According to ISOC, routing security issues continue to plague the internet. "Not a single day passed without an incident," they wrote in 2018. "While none of the incidents was catastrophic, all of them continue to demonstrate the lack of routing controls like those called for in MANRS that could have prevented them from happening."
This is a big deal. NIST SP 1800-14, published in June 2019, hammers home the point. "Attacks against the internet routing functions are probably one of the greatest current threats to today’s internet. Routing attacks can have regional, or even global, impact."
"BGP was not designed with security in mind," the NIST authors wrote, making the understatement of the decade. "Traffic typically traverses multiple networks to get from its source to its destination. Networks implicitly trust the BGP information that they receive from each other, making BGP vulnerable to route hijacks. A route hijack attack can deny access to internet services, misdeliver traffic to malicious endpoints, and cause routing instability."
MANRS wants to convince ISPs around the world that it's in their best interest to agree to BGP secure routing standards. MANRS also hopes to drive home the point with its snazzy new MANRS Observatory to visually demonstrate the daily impact of BGP routing security failures — and to keep their members honest.
What do good MANRS look like?
MANRS-compliant ISPs agree to work together to prevent the propagation of incorrect routing information, whether it results from accident or from deliberate spoofing. The specific actions that network operators agree to include "checking the correctness of their customer's announcements, specifically that the customer legitimately holds the ASN and the address space it announces," and implementing "anti-spoofing filtering to prevent packets with incorrect source IP address from entering and leaving the network."
None of these efforts are especially time- or resource-hungry, and when agreed upon collectively and monitored by a neutral watcher like the MANRS Observatory, these efforts can significantly increase routing security.
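The two operator actions quoted above, checking customer announcements and anti-spoofing filtering, can be sketched as follows. This is an added example, not code from MANRS or from the article; the customer registry, the documentation ASNs and prefixes, the maximum-length policy and the stub-customer assumption are all constructed for illustration.

```python
import ipaddress

# Constructed registry of what each stub customer holds (documentation ASNs
# and prefixes). Assumption: an operator would build this from IRR/RIR data.
CUSTOMERS = {
    64496: ["192.0.2.0/24", "2001:db8:a::/48"],
    64497: ["198.51.100.0/24"],
}
MAX_LEN = {4: 24, 6: 48}  # assumed policy: longest prefix accepted per family


def held(asn):
    return [ipaddress.ip_network(p) for p in CUSTOMERS.get(asn, [])]


def check_announcement(session_asn, prefix, as_path):
    """Verdict for a route received on the BGP session with session_asn."""
    try:
        net = ipaddress.ip_network(prefix)  # strict: host bits must be zero
    except ValueError:
        return "reject: malformed prefix"
    # A stub customer may only originate its own routes (prepending allowed).
    if set(as_path) != {session_asn}:
        return "reject: AS path contains an AS other than the customer"
    if net.prefixlen > MAX_LEN[net.version]:
        return "reject: more specific than policy allows"
    if not any(net.version == h.version and net.subnet_of(h)
               for h in held(session_asn)):
        return "reject: address space not held by this customer"
    return "accept"


def check_source(session_asn, src_ip):
    """Anti-spoofing: True only if a packet arriving from the customer has a
    source address inside the space that customer holds."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    return any(addr in h for h in held(session_asn))


if __name__ == "__main__":
    for args in [(64496, "192.0.2.0/24", [64496]),
                 (64496, "198.51.100.0/24", [64496]),       # someone else's space
                 (64496, "198.51.100.0/24", [64496, 64497])]:
        print(args, "->", check_announcement(*args))
    print("spoofed source passes filter:", check_source(64496, "198.51.100.9"))
```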
Enterprises that want a quick and easy security win can ask if their ISP deploys these kinds of BGP routing security features. As ISPs jostle for Fortune 2000 business, it's plausible better security becomes a marketable feature, with a small premium attached.
Good MANRS have made a dent, however small, in routing security so far, enough to give ISOC hope for the future. In 2018 there were 12,600 routing incidents, according to MANRS research, a measurable drop compared to 2017.
Solving collective action problems, especially problems where there is little to no profit to be had from the solution, has to start somewhere. Routing security is one of the internet's many Achilles' heels. (How many feet does the internet have in this metaphor? We're not sure.) Enterprises looking to secure themselves and their customers need to think not only about their own interests, but about the security of the digital environment in which everyone now lives and does business.
Sometimes being selfish means thinking about other people.