Mind your MANRS: Internet Society names and shames network operators that bungle their routing security

The Internet Society has stepped up its long-running effort to improve routing security with a new online stats engine.

The MANRS Observatory – named after the industry group Mutually Agreed Norms for Routing Security – combines stats from a number of different sources to rate and reveal operator compliance with systems designed to make the internet more secure.

The issue of routing security and Border Gateway Protocol (BGP) leaks has become increasingly important in the past few years as the number (and size) of outages and attacks have grown. Criminal and possibly state actors have realized the potential that exists in grabbing internet traffic, including surveillance, disruption, and theft.

An analysis of routing errors in 2017 revealed that 38 per cent of the 14,000 reported incidents were due to leaks or hijacks. Thanks in large part to MANRS, that number fell in 2018 to 12,000 incidents – but it is still far too high and responsible network operators have been implementing fixes such as filtering, anti-spoofing, global validation, and coordination to beat back the tide.

But there is a cost associated with adding new checks to an existing system: one that comes with little immediate benefit to the operator implementing it. One of the ironies with BGP leaks is that they tend not to impact the network that made the mistake but the networks that connect to them.

As such, the MANRS Observatory is hoping to pressure more operators to go to the trouble to tighten up their security. The public-facing part of the observatory breaks compliance down by country, showing what percentage of operators have implemented technical fixes such as filtering, anti-spoofing, global validation and coordination.

Peer pressure

Those country wide stats comes from consolidated reports on individual operators, but only MANRS participants are allowed to access the individual reports. The idea is to use industry peer pressure to force more operators to implement the various fixes without publicly shaming them.

The Internet Society says that its new observatory will help in a number of ways: it will allow operators to monitor their own compliance as well as how their peers are doing. It notes pointedly that they can then "leverage the MANRS Observatory to determine whether potential partners’ security practices are up to par" – or, in other words, threaten to drop partners if they don't up their game.

There is also a clear implication that governments have started worrying about the security implications – no doubt in response to China Telecom's repeat "errors" that result in vast traffic redirection going through its servers.

The Internet Society notes that the new stats engine will help policymakers "better understand the state of routing security and resilience and help improve it by calling for MANRS best practices."

As for how the disparate and diverse internet community is doing overall with routing security, among those that are participants within MANRS, there is a 100 per cent compliance rate with filtering, which should limit the impact of routing errors, but only a 60 per cent compliance rate with anti-spoofing, presumably because it is harder to implement.

Likewise, an encouraging 89 per cent of MANRS participants are actively coordinating with others to improve security and share information – something that network operators have long done across the whole range of internet security issues.

But there is still plenty of work to be done. So while a healthy 85 per cent of MANRS participants are validating routing information through the Internet Routing Registry (IRR) system, only 10 per cent of them are doing it through the more secure Resource Public Key Infrastructure (RPKI) approach.

Insecure? Moi?

That is basically the difference between secure and insecure web browsing, but for routing tables. There are over 40 IRR sources and someone determined to reroute internet traffic could relatively easily create invalid data and have it accepted as true if operators are only using IRR route validation.

Network operators have been going on about this for nearly a year: here's a post by Martin Levy of Cloudflare walking through the issue and a video by NTT's Job Snijders explaining why RPKI needs to be adopted.

Interestingly, looking at the country-by-country stats, there are few significant variations in the degree to which the different technical fixes are being implemented.

It's not clear whether that it because the datasets the Internet Society are using are themselves limited, or if the issues that operators face are effectively the same across the world. Either way, having the stats should allow the industry to start asking the right questions and so hopefully figure out how to pull everybody toward a more secure routing system.

"Routing security is based almost entirely on trust between networks," noted the Internet Society's senior technology program managr Andrei Robachevsky. "One of the advantages of the MANRS Observatory is that it adds an element of accountability. MANRS is seeing steady adoption, but we need more networks to implement the actions and more customers to demand routing security best practices."

Currently there are just over 200 ISPs signed up to MANRS, as well as 34 Internet Exchange Points. Microsoft and Google recently joined, suggesting that there is growing industry acceptance of the group. ®