Fixing the Internet's routing security is urgent and requires collaboration

Lucian Constantin | Feb. 29, 2016
A volunteer participation program for ISPs to prevent route hijacks and IP spoofing is gaining some traction.

Network operators who choose to participate in the MANRS program commit to implementing various security controls in order to prevent the propagation of incorrect routing information through their networks, prevent traffic with spoofed source IP addresses and facilitate the validation of routing information globally.

Over the past year, the program has grown steadily, with the number of participants now reaching 40. ISOC hopes that MANRS membership will become a badge of honor or a quality mark that network operators will strive to obtain in order to differentiate themselves from the competition.

Whether the volunteer-based approach is enough for the program to continue growing remains to be seen. But if it gains enough traction and becomes large enough, ISPs who are not interested in joining now might be pushed by market forces in the future. For example, if three Internet providers compete for a project and only one of them is MANRS-compliant, the customer might choose the MANRS member because it ostensibly cares more about security.

There are network operators in countries like China or Russia that do a fair amount of business by offering services to cybercriminals. Such companies would probably not want to implement these security measures, but if MANRS grows large enough, they might find themselves isolated and unable to find uplink providers to carry their traffic internationally.

Implementing the MANRS recommendations, which are based on existing industry best practices, can have some short-term costs for ISPs, but according to ISOC, that's probably not the reason why many of them have failed to implement them. The bigger problem, the organization believes, is a lack of awareness about these problems or not having the expertise to fix them.

The methods through which routing leaks and IP address spoofing can be dealt with are diverse and currently documented in different places across the Internet. That's why ISOC and the MANRS members are working on a Best Current Operational Practices (BCOP) document that will bring those recommendations together and provide clear guidance for their implementation.

The goal is to assist the small, regional ISPs with adopting these measures, because they make up around 80 percent of the Internet, said Andrei Robachevsky, ISOC’s technology program manager.

If these ISPs were to start validating the routing announcements of their own customers, there would be a much smaller chance that rogue announcements would reach the global routing system.

Another thing that the MANRS members will be working on in 2016 is a set of compliance tests to ensure that new potential members have indeed achieved the program's goals and that they remain compliant over time. One example of such a test uses a tool called Spoofer, which checks whether a network allows IP spoofing. MANRS participants could run this tool inside their networks periodically and report the results back.

 
