The Internet routing security challenge

If asked how traffic makes its way across the Internet, most IT professionals would explain how the Internet is made up of thousands of networks that are connected, and that traffic is routed through those networks to its final destination.

In its simplest form, there is nothing wrong with the description and, for many, it is all they feel they need to know in terms of the technical aspects of what is involved, or technologies on which Internet functionality are founded.  In most cases, they are relying on a third party to move their traffic, and usually performance, capacity, reliability and cost are much more important to them.

We recently held a webinar with global non-profit organization Internet Society that looked at routing in more detail. It examined how some of the decisions made early in the development of the Internet mean that there are security risks and, more importantly, how – with a little understanding of what is happening at the routing level – these risks can be mitigated.  The webinar, which was split into two parts, also talked about developments such as MANRS – more on that in a bit!

In a nutshell, there are over 71,000 advertised Autonomous Systems (AS) connected to the Internet, and about 10,000 of them are connected to two or more other networks.  BGP (Border Gateway Protocol) is used by routers between networks to exchange information about the networks each network can reach.  This information, which is collected into ‘routing tables’, creates the map used to determine where traffic is sent.  In February 2021, approximately 71,000 AS networks were publishing over 866,000 routes.

But, all is not well with Internet routing, and every enterprise needs to understand the issues if they are to keep themselves secure.

Everything hinges on the router routing tables, yet BGP – which was first developed in 1989 – has a flaw which in its early days was not an issue, but today needs to be understood and managed. BGP, assumes that networks trust one another, and does not verify the data that networks advertise.  This means that it assumes all updates are valid, a network can announce anything it likes, and the resources available cannot be checked

Routing issues can be the result of human error, creating traffic ‘black holes’ or leading to route leaks where a provider accidentally announces itself as an intermediary between two upstream providers.  These problems occur in part because all BGP announcements are trusted, and this can also be used by hackers for malicious activity. This could include IP spoofing or route hijacking, enabling them to see all packets transmitted on a route.

The webinar talks in detail about how some of these attacks can be used and the effects, but importantly it pointed out there are things that every part of the Internet infrastructure – from transit provider to CDNs, IXPs and enterprises – can do.  Independent repositories such as the Internet Routing Registry (IRR) and Resource Public Key Infrastructure (RPKI) act as stores for route information enabling a degree of validation, but at this point in time there is no such validation within BGP.

This is why MANRS was created – Mutually Agreed Norms for Routing Security.  This set of actions brings together the finest of industry best practice that eliminates the most common threats that exist in the routing system.  Through collaboration between network operators, IXPs and CDN/Cloud providers, everyone online benefits from improved routing security.  The number of networks participating is continually growing resulting in fewer routing incidents over time, each with more limited effects.  Another benefit of MANRS is that it provides a mechanism for networks to identify and address problems with both customer and peers.

It is exciting to see so much effort being placed by the community on addressing routing security, and at Telia Carrier we’re pleased to be participating in MANRS too.  If you would like to learn more about routing, routing security and how it can impact your network, then definitely take a look at our two-part webinar!

Part 1: INTRODUCTION TO ROUTING SECURITY & MANRS
Part 2: A DEEP-DIVE INTO ROUTING SECURITY AND MANRS

Jorg Dekker, Head of Internet Services

 

Written by Jorg Dekker

Read more posts by

Related articles

Rethinking Internet Backbone Architectures

During the past couple of years, we’ve made several public ad-hoc announcements on technology transitions that keep us busy building and operating the world’s #1 Internet Backbone. This has been done without ever providing a context or connection to the trends believed to be fueling the industry going forward and the path we’ve taken to […]

Internet as the underlay for enterprise networking

In 2020, Covid-19 drove remote working and cloud adoption, overhauling traffic patterns in the WAN. In parallel, SD-WAN enabled network buyers to source their WANs differently. With MPLS connectivity contracts coming due, many CIOs are looking at transitioning from MPLS WANs to hybrid or Internet-based underlays for WAN services. Having the right Internet underlay is […]

Routing Security: RPKI Update Q2/20

The Current State of RPKI It’s been three months since we announced that AS1299, as the first Tier-1 transit network in the world, successfully is filtering RPKI invalid announcements from all external BGP sessions. As this is a fast-evolving topic with high interest from the industry at large, we feel this is a good time […]
Cookies

Cookies allow us to optimize your use of our website. We also use third-parties cookies for advertising and analytics. Please read our Cookie Policy for more information.

I accept all cookies Settings
×
Cookies settings

You can enable and then at any time disable optional cookies by clicking the relevant cookie category you accept or reject. All categories contain cookies which imply data transfer to third parties who may combine it with other information that you've provided to them or that they've collected when you use their services. Further information about this processing can be found in the third party's privacy notice. A detailed description of the cookies we use can be found here. More information about our use of cookies please find in our cookie policy.


These cookies are needed for our website to work in a secure and correct way. These cookies enable you to browse in our website and to provide the service you request. Necessary cookies make basic functions of the website possible, for example, identifying you when you log into My Carrier, detecting repeated failed login attempts, identifying where you are in the buying process and remembering the items put into your shopping basket. Your consent is not required for us to set these cookies however, you may disable them by changing your browser settings, but this will affect how the website functions and some essential functionality may not work.



These cookies provide us with information about how our sites are used and allow us to improve the user experience. There are also features that allow us to remember your settings, such as language selection, addresses, etc.



These cookies help us and our preferred partners to display personalized and relevant ads based on your browsing behavior on our website, even when you later visit other (third parties’) websites. Cookies in this category are used to evaluate the effectiveness of our marketing campaigns, as well as for targeted marketing and profiling, regardless of which device(s) you have used. Information collected for this purpose may also be combined with other customer and traffic data we have about you, if you have given your consent that we may use your traffic data for marketing purpose and have not objected to the use of your customer data for marketing purposes.


Approve and save Go back