Category Archives: URSA

Mind Your MANRS!

The Internet Society has been working on Mutually Agreed Norms for Routing Security (MANRS) for a few years, and they recently funded some industry research to gain insights into network operators’ and enterprises’ requirements and plans around routing security.


The report itself is definitely worth a read (see references below).  Particular results that I think are of interest for both MANRS and URSA are:

  • that enterprises are also concerned about address spoofing and route hijacking; and
  • the apparent disconnect between operators’ expectations of customers’ routing security interests and the enterprises’ expressed willingness to prefer network services that provide better security.

The first should be a really important driver for getting operators to step up and implement the best practices that are at the heart of MANRS.  Also, it should help focus attention and interest in URSA’s efforts to get agreement on rational next steps in selecting and deploying routing security technologies.

The second is a bit of a puzzle, but perhaps best interpreted as an opportunity for operators to understand that customers are interested and willing to pay to support the right thing being done.

The Internet Society overview of the report is here: https://www.routingmanifesto.org/resources/research/

The full report itself is available here: https://www.routingmanifesto.org/wp-content/uploads/sites/14/2017/09/451_Advisory_BW_MANRS_InternetSociety_10375.pdf

 

Routing security: work with what you’ve got!

It seemed like there would be little appetite for discussing next steps in routing infrastructure authentication and verification after the DDoS attack on Dyn (October 2016), when it became clear that large-scale attacks are feasible without spoofing IP addresses, hijacking prefixes, or otherwise falsifying Internet infrastructure numbers and routing. It was already a tough sell to get operators to consider incremental (let alone architectural) updates to do origin authentication and some manner of routing announcement verification; the Dyn attack provided a clear and present danger that would not be addressed by such updates, so why bother with them?


Necessary… but not sufficient: Are we on the right track for Internet security?

Last Wednesday, in the hallways of the NANOG 68 meetings in Dallas, I started asking a question that goes to the heart of prioritizing work to improve Internet security; on Friday, with the DDoS attack on Dyn’s infrastructure, we got some searing insight into why it is quite possibly an urgent question.


Routing Security — why trust information?

Trust is in the eye of the beholder – but it has to be based on something. In different contexts, crypto may be more relevant than heuristics, and vice versa. Traditionally, in Internetworking, business relationships have had a big role in determining whether or not to trust information being offered by another party, whether for routing information or for other network operations.
