At a workshop in October, network engineers from CENIC member institutions engaged in technical, hands-on labs and now have the ability to assess their own environments for implementing guidelines for Mutually Agreed Norms for Routing Security (MANRS) and Resource Public Key Infrastructure (RPKI) technology.
“By implementing MANRS guidelines as part of a comprehensive security strategy, these engineers can greatly reduce the vulnerability of their institutions’ networks to common threats, and by doing so, are helping to make the routing ecosystem in California, the nation, and across the globe more robust and secure,” said CENIC Network Engineer John Hess. “Improving the Internet’s routing security requires collaboration.”
MANRS is an initiative, supported by the Internet Society, focused on reducing the most common threats to the global routing ecosystem through a variety of localized implementation methods. RPKI is a technology that enables network operators to verify the integrity of routing information. Many research and education networks worldwide have already adopted MANRS, including Internet2, the US research and education consortium. Industry giants such as Google and Microsoft also participate.
The workshop was part of a CENIC-initiated pilot to facilitate MANRS adoption and implement RPKI deployment on a regional scale among CENIC and Pacific Wave research universities. The workshop and pilot are collaborative efforts involving contributors from American Registry for Internet Numbers (ARIN), Network Startup Resource Center (NSRC), ESnet, and CENIC, as well as from the research university community.
Workshop Highlights, Next Steps
NSRC and ARIN sent representatives to the workshop and made significant contributions. NSRC, which helps provide technical training to R&E networks around the world, played an integral role in developing the workshop content, distilling five days' worth of material into two full, engaging, and instructional days. Labs at the workshop included working with ARIN’s Operational Test and Evaluation (OT&E) environment to create ROAs; setting up RPKI validators; configuring routers with sessions to the RPKI validators; and setting up Border Gateway Protocol (BGP) policy based on ROA validation status.
“CENIC’s initiative to improve routing security is vitally important and provides good leadership for our research and education communities in the US,” said NSRC Director Steve Huter.
Partners in the pilot are continuing engagement with ARIN on Legacy IPv4 assignments. ARIN will modify Registration Services Agreements (RSAs) for governmental entities in indemnification cases. In addition, ARIN recently updated the terms of the Relying Party Agreement (RPA) for RPKI, including a change that allows direct downloads of the ARIN Trust Anchor Locator (TAL), to ease the path to deploying RPKI validators as part of RPKI deployments.
Participants in the workshop reached a consensus for next steps in voluntary RPKI deployment:
- Campus participants will work toward creating Route Origin Authorizations (ROAs) for IPv6 assignments.
- CENIC will stand up an initial set of RPKI validators to establish a baseline for signed ROAs among community members and track progress moving forward.
- CENIC will explore options for establishing Looking Glass functionality to view and diagnose ROA validation status in routing tables. During the workshop, participants were able to observe ROA status in the UOregon RouteViews project.
- CENIC plans to provide updates on these activities to upcoming CalREN-HPR and CalREN-SEC Technical Advisory Council meetings.
Register for the March Workshop
A similar free, two-day MANRS RPKI workshop will be held in Monterey, California, on March 14-15 — the weekend preceding the CENIC 2020 Annual Conference. Register for the workshop on the CENIC conference website.
“Entities that have IPv4 legacy addresses may also be holders of IPv6 addresses for which they have a current registration services agreement (RSA) that would allow them to sign ROAs,” Hess said. “We hope that would be sufficient for them to send staff to the March workshop.”
The agenda and instructors for the workshop are expected to mirror the October workshop, including experts from ARIN, NSRC, and CENIC. Basic network engineering, BGP policy design and implementation, and UNIX/Linux command line (shell) skills are assumed of all participants.
The more networks that apply MANRS, the fewer routing incidents there will be, and the less damage can be inflicted. MANRS identifies four actions that every network operator should implement to increase routing security. Routing incidents can be prevented with MANRS’s collaborative approach to security.