Cenic.org

CENIC to Explore Adoption of MANRS Global Initiative to Improve Routing Security

Categories: RENs & NRENs, Pacific Wave

Tags: border gateway protocol, calren, cybersecurity, esnet, internet2, pacific wave, security

CENIC is initiating a pilot project to explore regional adoption of Mutually Agreed Norms for Routing Security (MANRS), a global initiative to make the Internet more secure. Network operators who join MANRS agree to apply a set of best practices that, when adopted broadly, dramatically improve the resilience and security of the Internet routing infrastructure.

MANRS is supported by the Internet Society, an international nonprofit dedicated to the open development, use, and evolution of the Internet. More than 30 research and education networks worldwide have already adopted MANRS, including Internet2, the US research and education (R&E) consortium. Industry giants such as Google and Microsoft also participate.

This voluntary pilot project will start with select research institutions and, if successful, could be expanded to include all of CENIC’s more than 12,000 member sites. While other R&E networks in the United States have adopted MANRS, CENIC would be the first to do so on such a large scale. Facilitating adoption of MANRS across CENIC’s membership would better secure the routing infrastructure that all members rely on, preventing outages caused by routing incidents and creating a more reliable connection for everyone.

The pilot is a collaborative effort involving experts from CENIC and its member research institutions, the University of Oregon’s Network Startup Research Center (NSRC), the US Department of Energy’s Energy Sciences Network (ESnet), and the American Registry for Internet Numbers (ARIN), as well as from collaborating institutions and organizations from the larger US R&E network community.

Applying MANRS’ Collaborative Approach to Security

Routing security is vital to the stability of the Internet. The global routing system is the backbone of the Internet: it determines how all data, from email messages to videoconferences to website content, moves from network to network. Networks exchange reachability information with one another using the Border Gateway Protocol (BGP), but BGP was designed long before security was a major concern and has no built-in way to verify that a network is actually authorized to announce the address space it advertises.

In 2018, more than 12,000 routing incidents, such as route hijacks and route leaks, led to large-scale Distributed Denial of Service (DDoS) attacks, stolen data, lost revenue, reputational damage, and more. Routing incidents have a global impact and are difficult to detect. In 2018, a route leak by a Nigerian Internet service provider caused some of Google’s traffic to be rerouted through China, causing outages in many parts of the world, and an Indonesian ISP hijacked prefixes belonging to several US payment processing companies, rerouting sensitive traffic for 30 minutes.

Many routing incidents can be prevented with MANRS’ collaborative approach to security. The MANRS acronym is no accident; certain routing measures are simply good etiquette. The four MANRS safeguards are minimum standards for routing security that every network operator should establish:

  • Filtering: check the correctness of your own announcements and of the announcements you accept from customers, so that incorrect routing information is not propagated to other networks.
  • Anti-spoofing: enable source address validation on your own infrastructure and for your customers, so that packets with spoofed source IP addresses are not forwarded.
  • Coordination: maintain globally accessible, up-to-date contact information in places such as the Regional Internet Registries (RIRs), so that other operators can reach you when an incident occurs.
  • Global validation: publish your routing data (for example, which Autonomous System is authorized to originate each of your prefixes) so that third parties can validate routing information they receive.

Under the leadership of Network Engineer John Hess and Core Engineer Sana Bellamine, CENIC’s pilot will provide support for participants to adopt the first three measures and guide participants through the last measure, global validation, by deploying Resource Public Key Infrastructure (RPKI).

RPKI binds Internet number resources, the Autonomous System Numbers (ASNs) that identify networks and the IP address blocks they hold, to their legitimate holders through a chain of certificates rooted in a trust anchor. Routers use these Internet number resources much as the post office uses addresses to route mail to recipients. Resource holders obtain RPKI certificates from one of the five Regional Internet Registries (RIRs) and publish Route Origin Authorizations (ROAs), each of which states which AS is authorized to originate a given prefix and the most specific prefix length it may announce. Routers, or the validators that feed them, can then check every BGP announcement they receive against the published ROAs. CENIC will explore taking on the role of intra-regional trust anchor for its members.
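The filtering and global-validation safeguards above come together in Route Origin Validation: a router compares each BGP announcement against the published ROAs and marks it Valid, Invalid or NotFound. The following Python implementation of that check follows the algorithm in RFC 6811. It is an added example for this article, not CENIC, MANRS or ARIN code; the ROAs, prefixes (RFC 5737 and RFC 3849 documentation space) and ASNs (RFC 5398 documentation range) are constructed for illustration, and it also shows the edge cases a pilot participant will meet in practice: maxLength, multiple authorized origins, and AS0 ROAs.

```python
"""Route Origin Validation (ROV) per RFC 6811 over a constructed ROA set.

Added example for this article; not CENIC, MANRS or ARIN code.  Prefixes are
documentation space (RFC 5737/3849), ASNs are from the RFC 5398 range.
"""
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class RovState(Enum):
    VALID = "Valid"          # a covering ROA authorizes this origin and length
    INVALID = "Invalid"      # ROAs cover the prefix, but none authorizes the route
    NOT_FOUND = "NotFound"   # no ROA covers the prefix; RPKI says nothing about it


@dataclass(frozen=True)
class Roa:
    prefix: str                       # e.g. "192.0.2.0/24"
    asn: int                          # authorized origin AS; 0 means "nobody"
    max_length: Optional[int] = None  # longest announceable prefix; default = prefix length


def check_roa(roa: Roa) -> Tuple[Network, int]:
    """Reject malformed ROAs before they are used: a maxLength shorter than the
    prefix or longer than the address family allows is an operator error."""
    net = ipaddress.ip_network(roa.prefix, strict=True)
    max_len = net.prefixlen if roa.max_length is None else roa.max_length
    if not net.prefixlen <= max_len <= net.max_prefixlen:
        raise ValueError(f"ROA {roa.prefix} has invalid maxLength {max_len}")
    return net, max_len


def validate_origin(route_prefix: str, origin_asn: int, roas: List[Roa]) -> RovState:
    """RFC 6811 section 2: Valid if any covering ROA matches both the origin AS
    and the maxLength constraint; Invalid if ROAs cover the prefix but none
    matches; NotFound if no ROA covers the prefix at all."""
    route = ipaddress.ip_network(route_prefix, strict=True)
    covered = False
    for roa in roas:
        net, max_len = check_roa(roa)
        if net.version != route.version or not route.subnet_of(net):
            continue  # this ROA does not cover the announced prefix
        covered = True
        # AS0 is never a real origin, so an AS0 ROA can only render routes Invalid.
        if roa.asn != 0 and roa.asn == origin_asn and route.prefixlen <= max_len:
            return RovState.VALID
    return RovState.INVALID if covered else RovState.NOT_FOUND


def accept_routes(announcements, roas):
    """Common first ROV policy: drop Invalid, accept Valid and NotFound
    (dropping NotFound would discard every prefix that has no ROA yet)."""
    return [(p, a) for p, a in announcements
            if validate_origin(p, a, roas) is not RovState.INVALID]


# Constructed ROA set, like one a pilot participant would publish at its RIR.
SAMPLE_ROAS = [
    Roa("192.0.2.0/24", 64496),                   # only the exact /24 is authorized
    Roa("198.51.100.0/24", 64497, max_length=26), # AS64497 may deaggregate down to /26
    Roa("198.51.100.0/24", 64499),                # multi-homed: second origin, /24 only
    Roa("203.0.113.0/24", 0),                     # AS0 ROA: nobody may originate this
    Roa("2001:db8::/32", 64496, max_length=48),
]

# Constructed announcements (prefix, origin AS) as they might arrive over BGP.
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),      # Valid
    ("192.0.2.0/24", 64511),      # Invalid: wrong origin (origin hijack)
    ("192.0.2.0/25", 64496),      # Invalid: more specific than maxLength
    ("198.51.100.64/26", 64497),  # Valid: within maxLength 26
    ("198.51.100.0/27", 64497),   # Invalid: /27 exceeds maxLength 26
    ("198.51.100.0/24", 64499),   # Valid: second authorized origin
    ("198.51.100.0/26", 64499),   # Invalid: AS64499's ROA allows the /24 only
    ("203.0.113.0/24", 64498),    # Invalid: AS0 ROA
    ("10.0.0.0/8", 64496),        # NotFound: no ROA covers it
    ("2001:db8:1::/48", 64496),   # Valid: IPv6, within maxLength 48
    ("2001:db8::/32", 64497),     # Invalid: wrong origin
]

if __name__ == "__main__":
    for prefix, asn in SAMPLE_ANNOUNCEMENTS:
        state = validate_origin(prefix, asn, SAMPLE_ROAS)
        print(f"{prefix:20} AS{asn:<6} {state.value}")
    kept = accept_routes(SAMPLE_ANNOUNCEMENTS, SAMPLE_ROAS)
    print(f"accepted {len(kept)} of {len(SAMPLE_ANNOUNCEMENTS)} announcements")
```

Two points the code makes explicit: a ROA with a generous maxLength authorizes every more-specific down to that length, so an operator who deaggregates must either announce within maxLength or publish additional ROAs, and an AS0 ROA is the documented way to say "this space should not be routed at all". A production deployment does not hand-code ROAs; a validator (RPKI relying-party software) fetches and cryptographically verifies them from the RIR repositories and feeds the resulting validated payloads to routers, which apply the same three-state logic shown here.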

CENIC recognizes that a project of this scope will bring challenges. To help pilot participants implement RPKI, CENIC will build the infrastructure to support route origin validation and adopt new routing policies. CENIC and NSRC will develop curriculum for RPKI deployathons to help participants put the required pieces in place. Deployathon participants will create ROAs and experiment with test environments such as ARIN’s Operational Test and Evaluation Environment (OT&E). A 12-member advisory committee to the pilot, composed of networking experts, is engaged in addressing technical challenges, as well as concerns that the added infrastructure would increase the complexity of the network.

How to Get Involved

Joining MANRS means joining a community of security-minded network operators committed to making the global routing infrastructure more robust and secure. The more network operators that apply MANRS, the fewer routing incidents there will be, and the less damage they can do.

In the first phase of the pilot, CENIC is seeking participation from California research institutions, including University of California campuses, private research universities, and research-intensive California State Universities. CENIC also invites participation from Pacific Wave collaborators outside of California.

The second phase of the pilot will seek to expand participation to include Western Regional Network members such as University of Hawai’i, Front Range Gigapop, New Mexico Gigapop, other key partners such as Oregon Fiber Partnership, LEARN, OneNet, Great Plains Network, and the respective research universities of all such networks.

Those interested in participating may add their institution to the pilot consideration list. An RPKI deployathon workshop will be held October 10-11, 2019, with ARIN staff available on site. Further details will be released in the coming months. For more information, contact manrs-rpki-pilot-interest@lists.cenic.org.


Watch the panel discussion, “Mitigating Threats to Security Using Origin Validation,” and check out more content from the 2019 CENIC Conference.
