Getting thousands of ISPs around the world to voluntarily implement routing security is no small task, but organizers of an effort to do just that say they're making headway.
The global nonprofit Internet Society launched the Mutually Agreed Norms for Routing Security (MANRS) two years ago with nine network operators. Today, the routing security initiative counts 42 participants that run autonomous system networks across 21 countries. Operators that sign agree to take steps specified in the MANRS framework, including preventing traffic with spoofed source IP addresses to reduce distributed denial-of-service attacks.
"We're seeing more interest from operators and much more awareness of this initiative," Andrei Robachevsky, technology program manager at the Internet Society, told me in an interview.
But he's realistic about the huge undertaking, adding that it has a long way to go. "There are more than 50,000 networks on the internet. About 7,000 to 10,000 of them play a role in global routing," Robachevsky said. "So if you take this as a goal, it's a long way to go from 42 operators to 7,000."
The problem MANRS is trying to solve, he said, is that there's no built-in mechanism for verifying the routing information advertised between networks, which all have their own maps of the internet. "Many operators don't do additional checks. They take it for granted that whatever they get from their peers is truthful," Robachevsky said. A simple router misconfiguration that's announced to other ISPs can lead to widespread Internet outages.
A 2008 incident highlighted this major flaw in Internet security. Pakistan Telecom -- trying to enforce government censorship -- advertised itself worldwide as the destination for those trying to reach YouTube. Many ISPs believed them, and YouTube was cut from the internet, along with Pakistan Telecom after the self-inflicted DoS attack.
"That raised awareness of how fragile the routing system is, and how important it is to have checks and security in a global routing system," he said.
The Internet Society says securing the global routing system requires collaboration, which led to the creation of MANRS. "When YouTube was hijacked, it was up to other operators to reject that information from Pakistan Telecom. That requires a collaborative effort," Robachevsky said.
MANRS defines four actions for network operators: Filtering to prevent propagation of incorrect routing information; anti-spoofing; communication and coordination among peers; and facilitating global validation of routing information.
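As an added illustration, not code from the article or from the MANRS project, the following Python sketch shows the route origin validation behind the "filtering" and "global validation" actions: each announcement received from a peer is checked against ROA-style records of which AS may originate a prefix and how specific it may be, and announcements that fail the check (a wrong origin AS, or a more-specific prefix than authorized, the pattern seen in the YouTube incident) are not propagated. The prefixes and AS numbers are constructed documentation values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: which AS may originate a prefix, and how specific it may be."""
    prefix: str
    max_length: int
    origin_asn: int


def validate_origin(announced_prefix: str, origin_asn: int, roas) -> str:
    """RFC 6811-style origin validation: returns 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(announced_prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        # No ROA covers this space: the announcement is unverifiable, not proven wrong.
        return "not-found"
    for roa in covering:
        if roa.origin_asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    # Covered by a ROA, but the origin AS is wrong or the prefix is more specific than allowed.
    return "invalid"


def filter_announcements(announcements, roas, accept_not_found: bool = True):
    """Keep the announcements a MANRS-style import filter would propagate; drop 'invalid' ones."""
    accepted = []
    for prefix, origin in announcements:
        state = validate_origin(prefix, origin, roas)
        if state == "valid" or (state == "not-found" and accept_not_found):
            accepted.append((prefix, origin, state))
    return accepted


# Constructed sample data: documentation prefixes (RFC 5737) and documentation ASNs (RFC 5398).
ROAS = [ROA("203.0.113.0/24", 24, 64496)]
ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64496),   # legitimate holder announcing its own prefix
    ("203.0.113.0/25", 64496),   # right AS, but more specific than the ROA permits
    ("203.0.113.0/24", 64511),   # wrong origin AS: the hijack pattern described above
    ("198.51.100.0/24", 64500),  # no ROA exists for this space
]
```

Calling `filter_announcements(ANNOUNCEMENTS, ROAS)` keeps only the first and last entries; whether to accept "not-found" routes is a policy choice, since most of the routing table is still not covered by ROAs.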
Operators that join MANRS -- which is a pretty clever acronym, I have to say -- must certify that they've taken action in at least one of the four areas. The Internet Society says most have implemented all four. Broadband giant Comcast has implemented all four across 33 ASNs.
New members include Scandinavian research and education networks SUNET and NORDUnet and Internet Initiative Japan (IIJ).
To help other network operators implement the MANRS framework, a group of participating operators has drafted a best practices document. There also are plans for a training and certification program to train network engineers on routing security.
The biggest challenge to getting more operators to participate is convincing them it will help their business, Robachevsky said. "If you clean your side of the street, it will not only benefit the overall environment, but also you and your customers." For example, both an ISP and its customers benefit from better protection against traffic anomalies caused by router misconfigurations.
Ultimately, Robachevsky hopes peer pressure will kick in. "Peer pressure is very important on the internet. MANRS communicates your attitude toward security," he said. "It will become more visible who doesn't do it."