Abdelbasit Ali
01/06/2020
Insecure routing is one of the most common paths for malicious threats. Attacks can go unrecognized for anywhere
from hours to months. Inadvertent errors can take entire countries offline, while attackers can steal an
individual's data or hold an organization's network hostage.
The routing system of the Internet is vulnerable to many security threats such as: Prefix Hijacks, Route Leaks,
and IP Address Spoofing.
MANRS:
MANRS (Mutually Agreed Norms for Routing Security) is a global initiative to implement the crucial fixes needed
to eliminate the most common routing threats. MANRS addresses these threats through technical and
collaborative actions from many players across the Internet and defines four concrete actions that network
operators should implement. They are a technology-neutral baseline so that they can be globally adopted.
‐ Global Validation:
In order to facilitate validation of routing information on a global scale, network operators must
publish their routing information so that other parties can validate it.
‐ Filtering:
In order to prevent propagation of incorrect routing information, network operators must ensure the
correctness of their own announcements, and announcements from their customers to adjacent
networks with prefix and AS‐path granularity.
‐ Anti‐Spoofing:
In order to prevent traffic with spoofed source IP addresses, network operators must enable source
address validation for at least single‐homed stub customer networks, their own end‐users, and
infrastructure.
‐ Coordination:
In order to facilitate global operational communication and coordination between network operators,
they must maintain globally accessible and up‐to‐date contact information.
Global Validation:
In order to validate routing announcements on a global scale, your organization's Network Routing Policy
should be documented and made available to other networks, so that they can validate route announcements
originating from your network.
Since any network that participates in BGP (Border Gateway Protocol) routing could require this information,
it needs to be published in a well-known place using a standard format.
This includes the announcements that the network originates as well as the routing policy describing how
reachability information exchanged with other networks is handled, specifically the routes that are
announced to other networks.
Why is Validating Routing Information Important?
ASes communicate routing information using BGP, but BGP has no mechanism to authenticate who holds an IP
prefix, which a bad actor can exploit to carry out a BGP hijack. BGP relies mostly on trust. This contributes
to incidents caused both by operator errors, like the one that affected Cloudflare, and by malicious attackers,
like the hijack of Amazon's DNS.
What is BGP Hijacking?
BGP hijacking is when an attacker disguises itself as another network: it announces prefixes belonging to
another network as if they were its own. If neighboring networks accept this false information and propagate
it further via BGP, it distorts the "roadmap" of the Internet, and traffic is forwarded to the attacker instead
of its legitimate destination. A well-known example is the 2008 incident in which an announcement from Pakistan
redirected YouTube's traffic to Pakistan.
Documentation of Expected Announcements:
In order to facilitate origin validation, MANRS participants are required to publish their Network Routing
Policy and other associated routing information to an IRR database and an RPKI repository.
Concretely, they should:
1. Register their Network Routing Policy (aut-num object) and their expected announcements (route
objects).
2. Document their customer cone (as-set object).
3. Ensure their customers register their expected announcements (route objects).
4. Register their expected announcements (ROA objects) in an RPKI repository and ensure their
customers do the same.
IRR database:
IRR stands for Internet Routing Registry: a public database of Internet route objects. IRRs are used for
determining and sharing route and other related information used for configuring routers. If the RIR (Regional
Internet Registry) in your region operates an Internet Routing Registry (IRR), you should use it to document
your network's routing policy and related route announcements, using RPSL (Routing Policy Specification
Language). Information related to an Internet resource or supporting functions is contained within RPSL
objects stored in an IRR. Some of these objects are: AUT-NUM, ROUTE/ROUTE6 and AS-SET.
AUT-NUM:
The aut-num object describes an Autonomous System Number and its routing policy: which routes the AS imports
from each neighbor and which sets of prefixes it exports to each of its peers. Together with the route objects
that name it as origin, it lets other networks tell which AS each prefix is expected to come from.
ROUTE/ROUTE6:
A route (IPv4) or route6 (IPv6) object documents which address prefix an ASN is allowed to announce. You will
need to create one for each exact prefix and origin AS pair that you want to see in the routing table.
AS-SET:
The as-set object lists the AS numbers of your customers (and, through nested sets, their customers) and is
known as your customer cone.
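As an added example (not code from the original article or from any registry or IRR tool), the following Python parses a small, constructed set of RPSL objects for a hypothetical AS64500 (upstream AS64501, customer AS64502, documentation prefixes, placeholder MAINT-* maintainer and EXAMPLE-IRR source names) and shows how the three object types fit together: the aut-num export policy refers to the as-set, the as-set expands to the customer cone, and the route/route6 objects whose origin is in that cone are the announcements an upstream should expect from it, which is also the input a prefix-filter generator uses for the Filtering action.

```python
"""Parse RPSL objects and expand a customer cone into expected announcements.

Added example; not code from the original article or from any IRR software.
SAMPLE_IRR is constructed data: hypothetical AS64500 with upstream AS64501 and
customer AS64502, documentation prefixes, placeholder MAINT-* and EXAMPLE-IRR names.
"""

SAMPLE_IRR = """
aut-num:        AS64500
as-name:        EXAMPLE-NET
import:         from AS64501 accept ANY
export:         to AS64501 announce AS-EXAMPLE-NET
import:         from AS64502 accept AS64502
export:         to AS64502 announce ANY
mnt-by:         MAINT-EXAMPLE
source:         EXAMPLE-IRR

as-set:         AS-EXAMPLE-NET
descr:          Customer cone of AS64500
members:        AS64500, AS64502
mnt-by:         MAINT-EXAMPLE
source:         EXAMPLE-IRR

route:          192.0.2.0/24
origin:         AS64500
mnt-by:         MAINT-EXAMPLE
source:         EXAMPLE-IRR

route6:         2001:db8::/32
origin:         AS64500
mnt-by:         MAINT-EXAMPLE
source:         EXAMPLE-IRR

route:          198.51.100.0/24
origin:         AS64502
mnt-by:         MAINT-CUSTOMER
source:         EXAMPLE-IRR

route:          203.0.113.0/24
origin:         AS64503
mnt-by:         MAINT-OTHER
source:         EXAMPLE-IRR
"""


def parse_rpsl(text):
    """Split RPSL text into objects (blank-line separated), each a list of
    (attribute, value) pairs in order; the first pair is class and primary key."""
    objects, current = [], []
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = []
            continue
        attr, _, value = line.partition(":")
        current.append((attr.strip(), value.strip()))
    if current:
        objects.append(current)
    return objects


def export_policy(text, asn):
    """(peer, announced object) pairs from the export lines of one aut-num.
    Handles only the plain 'to <peer> announce <object>' form used above."""
    aut_num = next(o for o in parse_rpsl(text) if o[0] == ("aut-num", asn))
    return [(v.split()[1], v.split()[3]) for a, v in aut_num if a == "export"]


def expand_as_set(name, as_sets, seen=None):
    """Recursively expand an as-set into AS numbers; `seen` stops on cycles."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    asns = set()
    for attr, value in as_sets.get(name, []):
        if attr != "members":
            continue
        for member in value.replace(",", " ").split():
            member = member.upper()
            if "AS-" in member:   # nested set, e.g. AS-FOO or AS64500:AS-CUSTOMERS
                asns |= expand_as_set(member, as_sets, seen)
            else:
                asns.add(member)
    return asns


def customer_cone_routes(text, as_set_name):
    """Expand the cone named by `as_set_name` and return it with the sorted
    (prefix, origin) pairs its route/route6 objects authorize."""
    objects = parse_rpsl(text)
    as_sets = {o[0][1].upper(): o for o in objects if o[0][0] == "as-set"}
    routes = [(o[0][1], dict(o)["origin"].upper())
              for o in objects if o[0][0] in ("route", "route6")]
    cone = expand_as_set(as_set_name.upper(), as_sets)
    return cone, sorted((p, asn) for p, asn in routes if asn in cone)
```

expand_as_set follows nested sets and stops on cycles, which real as-sets do contain; export_policy only understands the plain "to <peer> announce <object>" form written in the sample, not the full RPSL policy grammar. The route object for AS64503 is deliberately outside the cone and is dropped from the expected announcements.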
RPKI repository:
The global routing system of the Internet consists of a number of functionally independent actors
(Autonomous Systems) which use BGP to exchange routing information. The system is very dynamic and
flexible by design. Connectivity and routing topologies are subject to change. Changes easily propagate
globally within a few minutes. One weakness of this system is that these changes cannot be validated against
information existing outside of the BGP protocol itself.
RPKI (Resource Public Key Infrastructure) is a way to define data in an out-of-band system such that the
information exchanged by BGP can be validated to be correct. The RPKI standards were developed by the IETF
(Internet Engineering Task Force) to describe some of the resources of the Internet's routing and addressing
scheme in a cryptographic system. This information is public, and anyone can access it and validate its
integrity using cryptographic methods.
RPKI is used to let the legitimate holder of a block of IP addresses make an authoritative statement about
which AS is authorized to originate their prefix in the BGP. In turn, other network operators can download and
validate these statements and make routing decisions based on them.
Why is RPKI Important?
The main weakness of the IRR is that it is not a globally deployed system and it lacks the authorization model
needed to make the system watertight. The result is that, out of all the published information on routing
intent, it is difficult to determine what is legitimate, authentic data and what isn't. RPKI addresses both
problems: any legitimate IP resource holder in the world can make an authoritative, cryptographically
verifiable statement about its resources.
So in addition to providing information to the IRR system, you also need to document your network's expected
announcements, which will be stored as ROA objects in an RPKI repository.
What is a ROA?
ROA (Route Origin Authorization) objects are an attestation of a BGP route announcement. They are
cryptographically signed objects that state which prefixes (not the full path) an AS is authorized to originate,
and up to what prefix length (the maxLength field). The attestation can be verified cryptographically using
RPKI. Because a ROA covers only the origin AS, an attacker who forges the legitimate origin AS at the end of
the AS path still passes origin validation; ROAs do not protect the path.
Global Validation and RPKI Situation in Sudan:
To measure the MANRS readiness of a particular network, the MANRS Observatory has proposed a set of metrics,
one for each action, to provide a factual view of the security and resilience of the Internet routing system
and track it over time.
MANRS readiness indicates the level to which a network implements the MANRS Actions. The readiness index is
measured per Action using the MANRS Measurement Framework.
The metrics for Facilitate Global Validation are:
M7IRR (Not registered routes):
Calculates the percentage of routes originated by the AS that are not registered in an IRR as route objects.
More specific routes that are advertised and covered by a less specific route object are also considered
registered.
M7RPKI (Not registered ROAs):
Calculates the percentage of the routes originated by the AS that are not covered by any ROA in RPKI.
M7RPKIN (Invalid routes):
Calculates the percentage of the routes originated by the AS that are invalidated by a corresponding ROA.
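As an added example that is not part of the original article or of the MANRS Observatory's tooling, the Python below implements the route origin validation outcome defined in RFC 6811 (covering the "What is a ROA?" section above, including the maxLength rule) and uses it, together with a simple route-object check, to compute the three M7 percentages just defined for a constructed set of routes originated by a hypothetical AS64500. All prefixes, route objects, ROAs and the other AS numbers (AS64502, AS64666) are constructed sample data in documentation ranges.

```python
"""Route origin validation (RFC 6811) and the MANRS M7 metrics.

Added example; not code from the original article or from the MANRS
Observatory. ANNOUNCEMENTS, ROUTE_OBJECTS and ROAS are constructed sample
data for a hypothetical AS64500 using documentation prefixes; AS64502 and
AS64666 are likewise hypothetical.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    prefix: str       # prefix the holder is authorizing, e.g. "192.0.2.0/24"
    max_length: int   # longest prefix length the origin may announce
    origin_as: int    # AS authorized to originate it


def covers(covering_prefix, announced_prefix):
    """True if announced_prefix equals or is more specific than covering_prefix."""
    cover, announced = ip_network(covering_prefix), ip_network(announced_prefix)
    # subnet_of() raises TypeError on mixed IPv4/IPv6, so check versions first.
    return cover.version == announced.version and announced.subnet_of(cover)


def validate_origin(prefix, origin_as, roas):
    """RFC 6811 validation state of one (prefix, origin AS) announcement:
    not-found  no ROA covers the prefix;
    valid      some covering ROA names this origin AS and the announced
               length does not exceed its maxLength;
    invalid    ROAs cover the prefix but none matches (wrong origin AS, or
               the announcement is more specific than maxLength allows)."""
    covering = [roa for roa in roas if covers(roa.prefix, prefix)]
    if not covering:
        return "not-found"
    length = ip_network(prefix).prefixlen
    if any(r.origin_as == origin_as and length <= r.max_length for r in covering):
        return "valid"
    return "invalid"


def irr_registered(prefix, origin_as, route_objects):
    """M7IRR's notion of 'registered': a route/route6 object with the same
    origin whose prefix equals or covers the announcement."""
    return any(origin == origin_as and covers(registered, prefix)
               for registered, origin in route_objects)


def manrs_m7(announcements, route_objects, roas):
    """Percent of the AS's originated routes not registered in the IRR (M7IRR),
    not covered by any ROA (M7RPKI), and invalidated by a ROA (M7RPKIN)."""
    total = len(announcements)
    states = [validate_origin(p, asn, roas) for p, asn in announcements]
    unregistered = sum(not irr_registered(p, asn, route_objects) for p, asn in announcements)

    def pct(count):
        return round(100.0 * count / total, 2)

    return {"M7IRR": pct(unregistered),
            "M7RPKI": pct(states.count("not-found")),
            "M7RPKIN": pct(states.count("invalid"))}


# Constructed sample data: routes originated by hypothetical AS64500.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500),       # route object and matching ROA: valid
    ("198.51.100.0/25", 64500),    # covered by a /24 route object; longer than the ROA's maxLength
    ("198.51.100.128/25", 64500),  # same: registered in the IRR, invalid in RPKI
    ("203.0.113.0/24", 64500),     # no route object, no ROA
    ("2001:db8::/32", 64500),      # route6 object and matching ROA: valid
    ("2001:db8:1::/48", 64500),    # covered by the /32 route6 object and the ROA (maxLength 48)
]
ROUTE_OBJECTS = [                  # (prefix, origin) as documented in route/route6 objects
    ("192.0.2.0/24", 64500),
    ("198.51.100.0/24", 64500),
    ("2001:db8::/32", 64500),
]
ROAS = [
    ROA("192.0.2.0/24", 24, 64500),
    ROA("198.51.100.0/24", 24, 64500),
    ROA("198.51.100.0/24", 24, 64502),  # a second ROA for the same prefix, another AS
    ROA("2001:db8::/32", 48, 64500),
]

if __name__ == "__main__":
    # A hijack attempt: hypothetical AS64666 announcing a prefix it is not authorized for.
    print(validate_origin("192.0.2.0/24", 64666, ROAS))  # invalid
    print(manrs_m7(ANNOUNCEMENTS, ROUTE_OBJECTS, ROAS))
```

Note how the two /25 announcements count as registered for M7IRR, because the /24 route object covers them, yet count toward M7RPKIN, because the ROA's maxLength of 24 does not allow the more specific announcement. That gap between a permissive IRR reading and a strict ROA is a common cause of self-inflicted RPKI invalids, and it is why an operator should check its own announcements against its ROAs before others start dropping invalids.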
Based on this Measurement Framework, the reference values for Sudan are: M7IRR 98%, M7RPKIN 100% and
M7RPKI 0%.
The levels to which networks in Sudan implement the Global Validation (IRR and RPKI) actions are:
‐ Global Validation IRR database readiness, indicating the level to which networks facilitate validation of
routing information by maintaining it in the IRR, is 85.71% Ready and 14.29% Aspiring.
‐ Global Validation RPKI repository readiness, indicating the level to which networks facilitate validation of
routing information by maintaining it in the RPKI, is 100% Lagging.