The Internet routing security challenge

If asked how traffic makes its way across the Internet, most IT professionals would explain how the Internet is made up of thousands of networks that are connected, and that traffic is routed through those networks to its final destination.

In its simplest form, there is nothing wrong with the description and, for many, it is all they feel they need to know in terms of the technical aspects of what is involved, or technologies on which Internet functionality are founded.  In most cases, they are relying on a third party to move their traffic, and usually performance, capacity, reliability and cost are much more important to them.

We recently held a webinar with global non-profit organization Internet Society that looked at routing in more detail. It examined how some of the decisions made early in the development of the Internet mean that there are security risks and, more importantly, how – with a little understanding of what is happening at the routing level – these risks can be mitigated.  The webinar, which was split into two parts, also talked about developments such as MANRS – more on that in a bit!

In a nutshell, there are over 71,000 advertised Autonomous Systems (AS) connected to the Internet, and about 10,000 of them are connected to two or more other networks.  BGP (Border Gateway Protocol) is used by routers between networks to exchange information about the networks each network can reach.  This information, which is collected into ‘routing tables’, creates the map used to determine where traffic is sent.  In February 2021, approximately 71,000 AS networks were publishing over 866,000 routes.

But, all is not well with Internet routing, and every enterprise needs to understand the issues if they are to keep themselves secure.

Everything hinges on the router routing tables, yet BGP – which was first developed in 1989 – has a flaw which in its early days was not an issue, but today needs to be understood and managed. BGP, assumes that networks trust one another, and does not verify the data that networks advertise.  This means that it assumes all updates are valid, a network can announce anything it likes, and the resources available cannot be checked

Routing issues can be the result of human error, creating traffic ‘black holes’ or leading to route leaks where a provider accidentally announces itself as an intermediary between two upstream providers.  These problems occur in part because all BGP announcements are trusted, and this can also be used by hackers for malicious activity. This could include IP spoofing or route hijacking, enabling them to see all packets transmitted on a route.

The webinar talks in detail about how some of these attacks can be used and the effects, but importantly it pointed out there are things that every part of the Internet infrastructure – from transit provider to CDNs, IXPs and enterprises – can do.  Independent repositories such as the Internet Routing Registry (IRR) and Resource Public Key Infrastructure (RPKI) act as stores for route information enabling a degree of validation, but at this point in time there is no such validation within BGP.

This is why MANRS was created – Mutually Agreed Norms for Routing Security.  This set of actions brings together the finest of industry best practice that eliminates the most common threats that exist in the routing system.  Through collaboration between network operators, IXPs and CDN/Cloud providers, everyone online benefits from improved routing security.  The number of networks participating is continually growing resulting in fewer routing incidents over time, each with more limited effects.  Another benefit of MANRS is that it provides a mechanism for networks to identify and address problems with both customer and peers.

It is exciting to see so much effort being placed by the community on addressing routing security, and at Telia Carrier we’re pleased to be participating in MANRS too.  If you would like to learn more about routing, routing security and how it can impact your network, then definitely take a look at our two-part webinar!

Part 1: INTRODUCTION TO ROUTING SECURITY & MANRS
Part 2: A DEEP-DIVE INTO ROUTING SECURITY AND MANRS

Jorg Dekker, Head of Internet Services