Internet routing ecosystem needs a major upgrade
Ad Bresser
+31 6 20 39 56 98
Internet routing is the basis
for all Internet services
In a Quickscan*, >100 measures to improve Internet routing security were identified
*Original: http://startupinc.nl/wp-content/uploads/2017/10/20171027-Quickscan-on-routing-measures-to-increase-the-security-of-the-Internet.pdf
LinkedIn: https://www.linkedin.com/pulse/measures-increase-routing-security-internet-ad-bresser/
GitHub: https://github.com/AdBresser/measures-to-increase-IP-security
Issues and solutions are mainly discussed in engineering fora
Fora are for discussion & information exchange, not for Internet routing coordination / governance
Internet routing ecosystem needs a major upgrade
There is a coordination / governance challenge
Self regulation before government regulation
There are at least 3 fundamental issues
We all have the obligation for an ID
IP packets don’t have an ID obligation: Source address spoofing
• Cybersecurity attacks:
– DDoS (on B & C)
– Amplification (on C)
– Masquerade (on B)
• There are solutions (RFCs).
• Application is not enforced!
• (IPv6 doesn’t solve this.)
[Diagram: hosts A, B and C, with packets labelled "Destination C / Source B" and "Destination B / Source C"]
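The slide does not name the RFCs it refers to; as an added example (not part of the original slides), the sketch below applies network ingress filtering in the sense of BCP 38 (RFC 2827) at a provider edge: a packet is forwarded only when its source address lies in a prefix assigned to the interface it arrived on. Interface names, prefixes (documentation ranges) and the sample packets are constructed for illustration.

```python
import ipaddress

# Constructed edge table: customer-facing interface -> prefixes assigned to it.
# Interface names and prefixes (documentation ranges) are hypothetical.
ASSIGNED = {
    "if-A": ["192.0.2.0/24", "2001:db8:a::/48"],
    "if-B": ["198.51.100.0/24", "2001:db8:b::/48"],
}
ACL = {ifc: [ipaddress.ip_network(p) for p in nets] for ifc, nets in ASSIGNED.items()}


def permit(interface, src):
    """Return True only if src belongs to a prefix assigned to interface."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparsable source address: fail closed
    # An unknown interface has no assigned prefixes, so everything is dropped.
    return any(addr.version == net.version and addr in net
               for net in ACL.get(interface, []))


def filter_ingress(packets):
    """Split (interface, src, dst) tuples into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if permit(pkt[0], pkt[1]) else dropped).append(pkt)
    return forwarded, dropped


# Constructed traffic arriving on A's access port, mirroring the slide's diagram.
SAMPLE = [
    ("if-A", "192.0.2.10", "203.0.113.5"),       # A's own address: forwarded
    ("if-A", "198.51.100.7", "203.0.113.5"),     # "Source B, Destination C": dropped
    ("if-A", "203.0.113.5", "198.51.100.7"),     # "Source C, Destination B": dropped
    ("if-A", "2001:db8:b::1", "2001:db8:c::1"),  # IPv6 source of B: dropped
    ("if-A", "2001:db8:a::1", "2001:db8:c::1"),  # A's own IPv6 address: forwarded
]

if __name__ == "__main__":
    ok, bad = filter_ingress(SAMPLE)
    print(len(ok), "forwarded;", len(bad), "dropped")
```

The IPv6 rows behave exactly like the IPv4 ones: the filter, not the address family, is what stops the spoofed source.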
Route injection: Traffic monitoring & manipulation
• Cybersecurity attacks:
– Sniffing / profiling
– Blackhole / overload
– Man in the middle
• There are solutions (RFCs).
• Application is not enforced!
• 2017: 5304 BGP hijacks*
*https://www.internetsociety.org/blog/2018/01/14000-incidents-2017-routing-security-year-review/
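The slide does not say which RFCs it means; as an added example (not part of the original slides), the sketch below implements BGP prefix origin validation as specified in RFC 6811, one measure an operator can apply against injected routes. The validated ROA payloads, AS numbers (documentation range) and announcements are constructed.

```python
import ipaddress

# Constructed validated ROA payloads (VRPs): (prefix, max length, origin AS).
VRPS = [
    ("203.0.113.0/24", 24, 64500),
    ("2001:db8::/32", 48, 64501),
]


def validate(prefix, origin_as):
    """Classify an announcement as 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_as in VRPS:
        vrp = ipaddress.ip_network(vrp_prefix)
        # A VRP covers the route when the route is equal to or inside its prefix.
        if route.version != vrp.version or not route.subnet_of(vrp):
            continue
        covered = True
        # Valid needs the same origin AS and a length within maxLength.
        if vrp_as == origin_as and route.prefixlen <= max_len:
            return "valid"
    # Covered but never matched: invalid. No covering VRP at all: not-found.
    return "invalid" if covered else "not-found"


def import_policy(announcements):
    """Keep every announcement except those that validate as 'invalid'."""
    return [a for a in announcements if validate(*a) != "invalid"]


# Constructed announcements received from a peer.
ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64500),    # matches the VRP: valid
    ("203.0.113.0/24", 64511),    # covered, wrong origin AS: invalid
    ("203.0.113.128/25", 64500),  # right AS, longer than maxLength: invalid
    ("2001:db8:1::/48", 64501),   # within maxLength 48: valid
    ("192.0.2.0/24", 64511),      # no covering VRP: not-found
]

if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        print(prefix, asn, validate(prefix, asn))
```

Routes in the not-found state are kept here because most address space has no ROA; only announcements that contradict a published ROA are rejected.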
No reliable contact information
• Documented at registration.
• Information is publisher driven.
• Quality for cybersecurity?
– 7 * 24, technical contact
There are at least 3 fundamental issues
Route injection
No reliable contact information
Source address spoofing
There are no direct benefits of implementing
• Internet is / was built on trust.
• Different types of IP providers.
• Implementing best practices (by an IP provider) hardly improves security for customers.
Uptake of self regulation is slow: Limited impact of Routing Manifesto / MANRS
Source: Ben Maddison, at NL-ix Neutral Peering Days 2017, September 2017, The Hague, The Netherlands
Internet routing is not yet in scope of regulators
EU NIS (Network and Information Security) Directive:
– IP only found in relation to DNS & TLDs
➢ ENISA (European Agency for Network and Information Security): no IP in "Baseline Security Recommendations for IoT in the context of CII"
➢ Internet Infrastructure Security and Resilience Reference Group:
➢ overview of good practices
EU telecom regulation review
➢ Global Commission on the Stability of Cyberspace (GCSC)
– Call to Protect the Public Core of the Internet; very high level
Global Forum on Cyber Expertise; Internet infrastructure initiative
– Only IPv6 is mentioned
There is a coordination / governance challenge
Uptake of self regulation is slow
Internet routing is not yet in scope of regulators
There are no direct benefits of implementing
With commitment results can be achieved
• There are cases where operator group cooperation results in a good practice:
– In content: Notice & take down.
– (In access: Notice & take off-line, could be handy to mitigate DDoS attacks)
• In aviation (global operation with a multitude of operators), self regulation with Smarter Regulation (IATA) works.
Build on xx-NOG, RIR & community initiatives
• There are around 75 Network Operators Groups:
– NANOG (North America) was the first.
– Albanian Network Operators Group the latest (so far).
• 5 Regional Internet Registries (RIRs), with active network operator participation.
• BGP Large communities initiative:
– Operational demand for BGP large community standard.
– An IP operator group accelerated the standardization by cooperation.
Start with small steps to create traction
• Use MANRS as technical starting point.
Get out of the building:
• Understand why IP operators don’t implement & solve.
• Identify and manage issues that are relevant for IP operators.
Dark / Bright future: Continuous improvement of the Internet routing system.
IP Operators driving standardization & implementation.
License to operate.
Self regulation before government regulation
With commitment results can be achieved
Start with small steps to create traction
Build on xx-NOG, RIR & community initiatives
Upgrade of Internet routing ecosystem is needed and possible with limited effort.
But who takes ownership?
Let’s talk:
Ad Bresser
+31 6 20 39 56 98