Spreading bad routing information to your neighbors on the internet isn’t just bad manners, it could be bad for business.
That, at least, is the message that the Internet Society (ISOC) wants to spread, as it calls on internet exchange points (IXPs) to help eliminate the most common threats to the internet’s routing system.
If they do so, then it’s good news for their members, the ISPs that interconnect there, and for those ISPs’ customers, who will benefit from more secure and robust internet access.
In 2016, ISOC invited network operators to join its MANRS (Mutually Agreed Norms for Routing Security) Initiative, and over 50 have already done so.
Now it’s asking IXPs to sign up too, in a bid to reduce the 14,000 or so routing outages or incidents of hijacking, leaks, spoofing and large-scale denial of service (DoS) attacks that led to stolen data, lost revenue and reputational damage for internet-connected businesses last year.
Three things contribute to routing insecurity that MANRS aims to prevent, said Andrei Robachevsky, ISOC’s technology program manager. They are prefix or route hijacking, route leaks, and IP address spoofing. The last of those is what makes many amplification or reflection DDoS attacks possible.
IXPs are a key link in the chain because the route servers they operate can propagate routing errors among ISPs in a region, quickly affecting a great many internet users, both consumers and businesses.
Filtering of customer announcements is becoming more common at IXPs, but peering relationships are mostly unfiltered.
“This is mainly a scalability issue,” Robachevsky said. “At the same time, mistakes in announcing incorrect prefixes to a peer are amplified by the number of peers directly accepting them, especially if a Route Server is used, and can cause significant outages.”
If an IXP implements filtering, it saves on routing outages to the IXP and its members, turning Route Servers from a scalability tool into a security amplifier, he said.
To participate in the MANRS IXP program, an IXP must commit to facilitating the prevention of propagation of incorrect routing information, promote MANRS to its members, and implement one of three other actions: protect the peering platform, facilitate global operational communication between network operators, or provide monitoring and debugging tools to its members.
The program is opening with ten participants:
- DE-CIX, in Frankfurt, Germany
- MSK-IX, in Russia
- Netnod, in Sweden
- TorIX (Toronto Internet Exchange Community)
- CABASE, in Argentina
- INEX (Internet Neutral Exchange Association, in Dublin)
- CRIX, in Costa Rica
- RINEX (Rwanda Internet Exchange)
- YYCIX, in Calgary, Canada
- Asteroid International, which operates an IXP in Amsterdam
PeeringDB.com reckons there are about 614 IXPs around the world, so MANRS still has some way to go to cover all of them — but with DE-CIX, MSK-IX and Netnod, it has already signed up some of the largest in the world.
The launch of the IXP program is a welcome boost for the MANRS Initiative. ISOC has had to revise its ambitions for network operator support downwards, and is now hoping to sign up 100 operators by the end of 2018. Last fall, it had been targeting 150 by that date.
The motivation for operators is different than for IXPs: Their network safety depends on the actions of others, so if they implement the MANRS measures, they are contributing to the safety of others, but don’t benefit directly themselves.