UK internet providers told to mind their MANRS and start following Border Gateway Protocol best practices
Advice is nice. But what it isn't is binding, says Akamai
Britain's National Cyber Security Centre has urged internet service providers to adopt its Border Gateway Protocol best practice guide following a number of routing blunders over the past few years.
The guide, published in late January, is a short and straightforward document advising internet service providers (ISPs) on security and integrity.
Building on a previous guide issued in 2011 by the Centre for the Protection of National Infrastructure, the National Cyber Security Centre's (NCSC) technical report on "responsible use of the Border Gateway Protocol (BGP) for ISP interworking" is more of an aide-memoire than a technical manual.
Written "in collaboration with major UK operators", the guide comes as the Telecoms Security Bill, aimed squarely at UK ISPs, works its way through Parliament – and after a number of inevitably high-profile BGP blunders by providers and major companies alike.
NCSC said in its report: "As the importance of 'trusted' BGP services has increased, several industry-wide initiatives and recommendations have been developed. These 'best practices' are continually refined and updated by the various members of the communities as issues are discovered and resolved."
UK proposes new powers for comms regulator to legally unleash avenging hordes on security-breached telcosREAD MORE
Those best practice docs, as referenced by NCSC, include RFC7454 ("BGP Operations and Security"), the MANRS initiative (more below) and the US National Institute of Standards and Technology's technical note on BGP security – though NCSC referred to a withdrawn 2007 version of the latter rather than the latest one issued in December 2019.
Steven Schecter, director of network architecture at Akamai, cautiously welcomed the new NCSC document but warned that laggards are going to lag until there's transnational enforcement of norms.
"Guidance like this is always welcome," Schechter told The Register, "but it is only advice at the end of the day.
"Until there is accountability, and we have full agreement of protocols, with the backing of the whole community and enforceable by law, some companies will continue to shirk responsibility when it comes to data protection. In order to get to that position, though, there needs to be common agreement on one set of protocols, not just in the UK, but globally, given the type of data being sent on these networks and how far it can travel."
He continued: "Akamai has long advocated the MANRS (Mutually Agreed Norms for Routing Security) initiative be held up as the gold standard with its focus on implementing BGP prefix filtering, cryptographic validation of routes received from peers using RPKI. Until one set of standards is created and enforced, we'll continue to see providers and consumers at risk."
BGP routing snarl-ups tend to be very high profile due either to significant websites or web-facing services going TITSUP or curious folk noticing weird things going on with traffic routing. Two years ago US ISP Verizon managed to make Cloudflare, Facebook, and Amazon all disappear for its customers after wrongly accepting an illegitimate announcement of new internet routes for more than 20,000 IP address prefixes from a regional ISP. In December, an internal Google service put its feet up on the virtual table and lit a cigarette, causing routes between major Google servers to go down, taking large chunks of Google Cloud with them.
Meanwhile, again in 2019, Indian ISP Airtel misrouted 83 decillion IP addresses for a whole week – though nobody noticed because they were IPv6. ®