Microsoft Details Plans to Improve Security of Internet Routing
Microsoft this week shared details on the steps it will take in an effort to ensure improved security for Internet routing.
The Border Gateway Protocol (BGP) routing protocol, on which the Internet runs, relies on autonomous systems (AS) to exchange routing and reachability information. This allows for fast updates, but misconfigurations or malicious intent could lead to outages or traffic interception.
Over the past couple of years, numerous routing incidents, including route hijacking and leaks, have resulted in large-scale distributed denial of service (DDoS), data theft, reputational damage, financial loss, and more.
To help improve routing security, Microsoft last year joined the Mutually Agreed Norms for Routing Security (MANRS) initiative. The company now says it has already implemented the existing MANRS framework in its operations, and has been working with the Internet Society, the Cybersecurity Tech Accord, and others to find ways to improve routing security.
One of the first actions the company takes in strengthening routing security is RPKI (Resource Public Key Infrastructure) origin validation. Used to secure BGP route origin information, the RPKI is public key infrastructure framework that has enjoyed wide adoption recently.
With BGP routes announced by its Autonomous System Number (ASN) already signed, Microsoft is now working on implementing RPKI filtering, which should be completed by mid-2021.
The company also says it will use the public Internet Routing Registries (IRR) databases for route validation, and revealed that it has already built a global Route Anomaly Detection and Remediation (RADAR) system, an internal tool meant to detect route hijacks and route leaks in its own network. Route leaks on the Internet are detected as well.
RADAR, the tech giant says, ensures that traffic is routed via preferred paths even when signs of malicious activity are identified.
Customers working with internet exchange partners (IXPs), internet service providers (ISPs), and software-defined cloud interconnect (SDCI) providers enrolled in the Azure Peering Service, Microsoft says, can register to RADAR and receive data on detected route anomalies.
“Microsoft interconnects with thousands of networks via more than 170 edge points of presence locations. We will work with all peer networks to protect traffic over the Internet,” the company announced.
RPKI and route object information is already included in Microsoft’s peering portal, allowing peer networks to access RPKI, route object, and network path information and address routes in respective registries, and the company plans on making it easier for its peers and for ISPs to manage route objects.
“Internet routing security will require constant updates to standards. There is no single standard which can address the issues faced on the Internet today and we need to update routing security standards as and when we see new threats emerging,” Microsoft notes.