Internet Society Expands Program for Secure Internet Routing Framework
CDNs and Cloud Providers Join Initiative to Improve Security of Internet’s Routing System
Failure in internet routing security leads to major outages, stolen data, hijacking, lost revenue and more, with more than 12,000 routing outages in 2018 alone. The Mutually Agreed Norms for Routing Security (MANRS) seeks to solve this.
Supported by the Internet Society, the MANRS program is being expanded to include content delivery networks (CDNs) and cloud providers. The reason is simple — the more network operators that adhere to MANRS, the more secure is the internet. The cascading nature of internet routing means not only that major network players like Cloudflare, Akamai, Facebook and Netflix (who have joined with the new expansion) are committed to secure routing, they are also committed to encouraging adoption by all of the many thousands of networks that peer with them.
There are three categories of network operators within the MANRS program: networks (almost 300 members); IXPs (48 members); and now CDNs and cloud providers. While each category has a slightly different set of commitments, the purpose in each case is the same: to prevent the thousands of small and largely media-unnoticed outages and the few major catastrophes that occur all the time.
Major incidents include the infamous 2008 YouTube hijack by Pakistan Telecom (PT). Following a YouTube censorship instruction from the government, PT effectively claimed ownership of YouTube traffic. It told its own provider this, which cascaded the instruction around the world until PT did in fact own all YouTube traffic and YouTube was effectively off-line everywhere.
In 2010, a routing prefix error diverted all traffic for domains including dell.com, cnn.com and amazon.de via China Telecom. IP prefixes in routing (also known as ‘more-specifics’) can fine-tune the internet in specific circumstances — but if these more-specific instructions are leaked to the wider internet, then havoc can follow.
More recently in 2018, a leak by a Nigerian ISP caused various Google services to be directed through TransTelecom in Russia, Nigerian ISP MainOne, and China Telecom, where the traffic was dropped.
In 2019, a leak from a Verizon customer diverted traffic from major organizations, including Cloudflare that should have gone via Verizon but instead was routed via a metal maker’s system and a Pennsylvania-based ISP. These organizations couldn’t handle the spike in traffic, and a large amount of data was dropped (at its worst point, 15% of Cloudflare’s traffic), and Cloudflare’s customers suffered.
“Route leaks have a cascading negative impact on businesses, and coordinated action is needed by the Internet infrastructure community to improve the security, resilience, and reliability of networks,” explains John Graham-Cumming, CTO at Cloudflare.
While all these incidents — and more — could be considered accidents, it is difficult to tell between accidental and malicious activity — making routing attacks attractive to state-sponsored activity. This will change if the internet adopts MANRS, since accidents would be prevented and what remains would be malicious.
MANRS commits its members to a range of basic rules: four for networks, five for IXPs, and six for CDNs and cloud providers. “The goal of MANRS,” Andrei Robachevsky, senior technology program manager at the Internet Society, told SecurityWeek, “is to reduce the most common threats to the internet routing system. It does this in two ways. First, MANRS defines a baseline of minimum security practices that every operator should implement before they start routing operations. Those who join MANRS must implement — and demonstrate they have implemented — those specific measures. Second, by joining MANRS, we are growing the community of security-minded operators that support this baseline. Not being security-minded becomes socially unacceptable, where such behavior — which still happens — is considered antisocial.”
There are two points to note. Firstly, MANRS is not a standard. It is a distillation of best practices that have existed for years. However, it can be affected by the regulatory compliance tendency that treats rules as a target to be achieved, rather than a baseline to be exceeded. Robachevsky accepts this, but believes the absence of a pre-existing target line has been a problem. “You need that clear line for everyone to achieve,” he said. “You can improve security later, but first we have to get as many networks as possible on board with the idea of secure routing.”
This introduces the second point to note: the success of MANRS in improving internet security is a numbers game. The more network operators that sign up to the MANRS rules, the less likely, and smaller in scope, will future incidents become. Achieving enough members to make a difference is a priority and is the driver behind recruiting CDNs and cloud providers. These are important hubs in their own right, but also have their own networks of thousands of other networks they can influence.
One of the rules for membership for both IXPs and CDNs/cloud providers is that they actively encourage MANRS adoption among their peers. It may be that MANRS never achieves 100% adoption, but it remains a target worth chasing. Already, with the relatively small adoption by operators, graphs show that as the number of MANRS networks is growing, so the number of routing incidents is declining.
One hundred percent adoption may not be necessary. Just as no single operator can solve the routing problem, no single operator can create a routing incident on its own. The issue requires ‘bad routes’ to cascade as far as possible around the internet — but as soon as that process reaches a MANRS operator, the required filtering should detect the error and prevent further progress. Another requirement is to maintain the internet’s out-of-band routing validation capability (the Internet Routing Registry, IRR; and the Resource Public Key Infrastructure, RPKI) which further facilitates the detection of routing errors.
It remains true, however, that the more networks that join and abide by MANRS, the more secure will be the internet. The importance of this has never been more clearly demonstrated than by the current coronavirus pandemic. The internet itself is robust and can handle the increased traffic from businesses switching to a home-working distributed model. But with the increased traffic comes an even greater reliance on the internet for general economic well-being, both for individual organizations and entire nations. Downtime caused by major routing errors will be more damaging than ever — and if the current health crisis continues for several months, remote working and increased dependence on a reliable internet may be here to stay.
Persuading CDNs and cloud providers to join MANRS is an important step in increasing membership and improving internet security. Akamai, Amazon Web Services, Azion, Cloudflare, Facebook, Google, Microsoft, and Netflix have already joined, with a number of other companies in process.
“Being MANRS compliant not only improves our routing security capabilities,” explains Christian Kaufmann, VP network technology at Akamai, “but has the potential to help other networks to improve theirs and is an opportunity for Akamai to make a significant contribution to the improvement of global routing security.”
“We believe it is in the best interest of Netflix to be a good internet citizen and join the internet industry to address routing security issues,” adds Gina Haspilaire, VP global partner engagement at Netflix Open Connect. “A secure routing framework is essential to maintaining the ongoing health and stability of the global Internet, and MANRS provides the resources to develop, foster, and promote this framework.”