More episodes
Telemetry Now  |  Season 1 - Episode 13  |  May 2, 2023

The MANRS initiative to secure global internet routing

Play now

 

For years, routing on the global internet has been built mainly on trust relationships. There has been little to protect the entire internet community from accidental or intentional spoofing of IP address spaces and autonomous systems, and there was very little governance protecting the security of routing among providers other organizations with an internet presence. 


In this episode of Telemetry Now, Aftab Siddiqui, Senior Manager of Internet Technology for the Internet Society, joins us to discuss MANRS, or the mutually agreed norms for routing security, which was started specifically to set forth security principles and guidelines for routing security on the global internet.

Transcript

Many people might be surprised, maybe, unpleasantly surprised that routing on the global internet has, for many years, been built pretty much on trust relationships.

So in years past, and to an extent today, there was very little to protect the entire internet community from malicious people spoofing IP address spaces and entire autonomous systems. And there was very little governance protecting the security of routing among providers and all manner of other organizations with an internet presence.

Relationships that the rest of us actually using the internet every day rely on without even realizing it.

Manners or the mutually agreed norms for routing security was started specifically to set forth security principles and guidelines for routing security on the global internet.

So with us today is AFtab Sadiqi with the internet society and a key person in the mannerist initiative.

And we'll be discussing manners and what he and his organization are doing to protect internet routing for all of us around the world.

My name is Philip Jirvasse, and this is telemetry now.

AfterAP, thanks so much for joining today. I've been looking forward to this for a long time, especially, after doing so much research, So I have a lot of questions for you. Looking forward to picking your brain on some things. But before we get into that, would you mind giving our audience just a little bit of background of yourself? Your experience in the networking industry, and, of course, the manners initiative.

Right. Thank you, Phil. Thank you for the invite.

Yes. So I'm a master of Siddhiki, working for internal society.

I have spent close to fifteen years in the in this industry, spend most of my time, in the service provider sector, ISPs, running, routing protocols most of my life.

And then looking at how they are behaving on the global learning table. Then, I end up with internet society.

And it's been more than five years now.

And I have been working on mostly on the manner's initiative, an initiative which is supported by internet society, since the very beginning.

And I've been part of this, initiative since then.

Great. Thank you. And I would like to get into, what the internet society's all about a little bit more. But first, I'd also like to introduce our cohost for the day. Doug Madery, no no stranger to telemetry now, and I'm sure to our audience as also, Doug Welcome. And if you wouldn't mind introducing yourself to our audience.

Yeah. Sure. So, yes, I'm, Doug Madore, the director of internet analysis for Kentech. And, I have been, doing BGP analysis in one way or another for the last twelve and a half years or something when I started at a company called Rentesys.

And I started in that job, doing data QA, just finding errors and stuff in our our products that were based on BGP. I kinda got into the subject.

Felt like I could find a lot of noble, novel interesting things. And, the rest is history. I've been doing that as a main part of my job. Every day for, over a decade. And so some of the issues in BGP are routing security. That's probably one of the biggest issues that people grapple with in this space. And so I've had since manners began a number of years ago, I've always had overlapping interests with, that group and the folks involved, starting with Andre Robichevsky.

And and we would be in, there'd be a lot of, back channel discussions of, like, if we're seeing something, we would have a conversation or something we can help them with. So we've we've always had a a com some common interests and, and tried to be supportive, of each other, our, ourselves as, BGP analysts and, subject matter experts, and then their, their effort at trying to advocate for routing hygiene is what we, like to call it of just, best practices in BGP routing.

Great. Thanks, Doug. And so to get us started, after that, would you give us a explanation of what the internet society is all about Yeah.

Why not?

Well, internet society is a, not for profit, organization based in, Virginia, in the US. It's a five zero one z three organization, but its main purpose is, I mean, if you go into the, vision, it's a very it's a broader vision which is interest is for everyone.

But what they have been doing for, more than twenty five years, is to make sure that the internet is available to everyone. It's been, it remains open.

And the statement we use is globally connected secure and trustworthy.

A secure part is where, the manners comes in. We have multiple other initiatives, which is, related to supporting the internet exchange point development, making sure the, the technical community, most importantly, is, very well connected, with each other So sustainability of these, technical communities, making sure that, as I said, the globally connected, to provide, community networks where, there is no service and internet connectivity help them, with the connectivity as well. And, of course, making sure that the policy work is in line with our mission and vision, so provide the policy support, to different aspects, in in different aspects as well. So in in general, this is what internet society has been doing for more than twenty five years.

So is manners an initiative of the internet society, or is it something that's more broad?

It is, an initiative, I would call it an initiative supported by the internet society because, if you look at, the history of the manners.

As as Doug mentioned a moment ago, that, it, it started early, in twenty fourteen.

It wasn't called, manners at that time. It was called routing resiliency.

So it was more of a, okay, fine. Let's sit together.

And wanna, and discuss how routing is important, what are the issues in the routing, and how can we all resolve it together? So it was more of a, round table or we what we call it these days, a fireside chat.

Which started with some of the industry leaders, and who were very much interested in the routing security at that time. And then it started rolling from there, and then it became a, an initiative which ISOC, internal society said we will support them wholeheartedly.

So the support is, mostly comes from the staff member as, as myself, another staff member who make sure that, there is a consist consistent support available to the community, but of course it is, run and managed by most of the community members. So, for example, if I can quickly explain the structure of the, manners, we do have a it's steering steering committee.

A steering committee, has elected, members from the community.

And They have multiple tenures, and we have done two elections so far.

And, we have a chair.

Who's Warwick Mitchell based out of both Australia.

We have a, coach here who is, in the University of Washington.

As well, Andrew Gallo. So, they are the people who make, the strategic decisions about the manners. Of course, the operational and secretariat work is done by the staff, including myself. So, but we have made sure that the overall, strategy is always, made by the community themselves rather than internet society.

Routing security is certainly a poignant name, but, manners, I mean, that that really works. So I get it. That's that's great. But I wanna ask why is it routing security, global routing security, that is your main concern. What is the specific problem that you've identified that you're trying to solve?

Yeah. That's interesting. Okay. So, as we were discussing this morning, as I'm attending Afrika in Philippines Manila. And this is what we're discussing that wire item security.

And the point is, and I I I raise this point quite, quite often that whenever we talk about cybersecurity and whenever you read about the cybersecurity, paper or anything. Most of the time, they are trying to address anything above layer three. So nobody talks about, what is happening on the underlying layer.

And that is the biggest problem at the moment that, you need to send packet from one point to another. You need to transfer your data from one point to another.

That require security as well. Why nobody's concerned about that? And, we have seen in the past that so many incidents have happened in the past. And, it is actually the baseline of how the data is transferred from one place to another.

Same is the case with the physical security. I mean, people put, armed guards in front of the data center But then they are not putting any security in the routing, layer then, well, there is a problem somewhere. So, yeah, that's that's that's why we believe that it is very important to for at least someone to pay attention to that. There are a lot of people who do pay attention.

So what we are doing is making sure that we gather them all around. So we make sure that, everybody is equally interested in that.

Yeah. And from a technical perspective, there really is very little that that we can do to prevent an individual and or or an organization from advertising routes and pre us out into the global routing table. So are we trying to prevent now, security vulnerabilities that will ultimately lead to sections of the global internet being taken down, or maybe even, rerouting of traffic for malicious purposes. What are we actually trying to prevent from happening here?

We have seen all three of them, all three of the categories which you which you have mentioned, and we see them on at times daily basis. I mean, I do not remember any single day when you do not see a single event not happening at all. Yes, we we can always debate, whether they were malicious or not, and I, in my, in my opinion, they're they're in in many cases. These are just mistakes.

Sometimes just honest mistakes people do make on the internet, well, because it's, the problem is, the best thing about the internet is, of course, it's, it's a network of networks. It means if one network make a mistake, well, it will be, propagated quite quickly.

So that is one problem. But, of course, when there's so many incidents happening, it is we cannot disclose our eyes and say, while everything is just a mistake. Of course, there are, bad actors, on the internet, and running some networks. And they do want to exploit these, mistakes people make.

And that's why we have seen, the some bad actors trying to hijack some ether wallet. It was, back in, I think, two thousand eighteen or nineteen. When this happened, and then, there was a recent case in, South Korea, when another crypto exchange war exchange was, attacked in the similar manner. And then rerouting the traffic is is also very common.

Again, it can happen because of a mistake, but you can we have seen that, some state actors and malicious entities have rerouted traffic to jeopardize the, traffic plus make sure that the, there is an outage in some part of the world or some in some countries. So it's everywhere. It's it's hard to say. It's hard to pinpoint that it was malicious or not, but it is happening. So we have to treat it as, a a problem to resolve.

Okay. Interesting. So it's not just about security in the classic sense like bad guys trying to do bad things, but it's also about routing hygiene or in other words how people do routing on this interrelated global internet thing that we have. And ultimately, propagating best practices among engineers and organizations to do routing correctly.

Yes. It is.

The, the, the most important thing we, we are trying to convince every operator. Number one, manages technology agnostic. We are not hell bent on one form of technology. Oh, you have to do this only. We are saying we would like to achieve this target.

No matter how you want to do it, that's fine. There are best practices to achieve these things, let's follow the best practices. Best practices designed by the people who have been operating networks for decades.

Best practices, which are, very well understood by the ITF, as part of the BCPs and the RFCs. So follow those, to make sure that the, reliability and resiliency in the internet remains as it is. Yes.

Yeah. That makes a lot of sense, considering that the internet, the global internet is the mechanism that we use to deliver services and applications all over the world. And a lot of those applications and services are mission critical. I mean, there there's governments relying on it. Health care, our businesses, educational systems, Now, what you mentioned though is that you're seeing issues occur almost every single day. So I have to imagine that there is some sense of urgency in what you and what your organization does?

Yes. Absolutely. I mean, it's it's a famous thing that we only Mostly, we are concerned about things which, which are newsworthy.

But it it doesn't mean that it is not happening. And again, another point we mentioned most of the time is, that just because it did not impact you doesn't mean it did not happen.

So, yeah, so if it is happening in one part of the world, most likely, you will not be impacted on the other side of the world.

Or if it is, if, for example, if something happened in Australia, where I'm residing, I'm pretty sure off of the US will be sleeping at that time. So if something happens, yes, the impact will be, very small, but of course, we need, the the network reliability is, is more reported at that time now that we have to make sure that something if something happens, It is as addressed properly. So, yes, things are happening. It's just we are not aware of them on daily basis.

Okay. So so we did discuss very briefly that pretty much anyone can advertise whatever network they want into the global routing table. What what is manners specifically addressing, with regard to routing security, routing hygiene. I have to imagine that the ability to advertise whatever you want is one of those things. Right?

Yes. Absolutely. It is one of them.

For, so let me go through, the actions, what we call it.

In manners initiative.

For example, the first action, is that you make sure that you only announce what you are, what you should be announcing only. Nothing less. Nothing more. Of course, you can do less, but please do not announce anything more than that.

And based on certain rules a regulation. For example, what you can announce.

We are talking about IP address resources. So, IPV four or IPV six addresses.

And you only announce that because you have been delegated from your respective RIR, which is a regional internal registry.

So if you if your IRR has allocated certain resources to you, well, you can only announce that. So make sure that you do that. Plus, if you're a service provider, you have downstream customers.

So you it's your responsibility to make sure that what you are receiving from your down downstream customers is also authentic. It's also verifiable.

Before you send it to the internet. So that the, your whole customer cone is your responsibility.

So this is the most important action. What we believe is the BGP filtering. Do not announce anything you are not supposed to announce.

So, yes, as you mentioned, this is one of the biggest issue, that, and in the past, it was, okay, just open to everything. You will announce everything, which is possible you can.

But now in the in in today's world, it is much more important to make sure that, the right filters are in place, for any announcement.

Now moving into the, second action, which is entice spoofing, where the where networks can, change the source address, or, when and when the traffic goes out on the internet, of course, they will not come they will not come back to the same network because someone has changed the source address. So it will go to the, address I mean, it will go to the specific source address. That creates amplification attacks, and more than twenty five years ago, if not, if I'm not mistake mistaken, had the, DCP thirty eight, was released And since then, everybody is trying to convince the operators to implement that, but it's still not there yet. It's it's far away because, of course, there are some technical limitations in the operator CIDR, but, of course, that's not being implemented yet.

After that, if I could just interrupt you, can you quickly explain what BCP thirty eight is?

Yes. BCP thirty eight is, for example, as I mentioned, it is the source address validation.

For example, you have a do you have a customer?

Which is, using certain IP addresses.

It could be anything. I'm just for the example, I'm giving a private address example. For example, one ninety two one sixty eight dot zero dot zero slash twenty four. Right? It's a slash twenty four address and they are using it in their network. Well, it is their down it is your downstream customer.

And when they when they send traffic, Whenever you receive traffic, you're you're always interested in destination because you need to send it towards the destination.

Enormous circumstances, you do not look at what, from where it is coming in from because it is coming from your, your customers, so you just believe in that. But you do not look at that what is the source address of that? In routing, it's always the destination.

If you do not look at the source address, what will happen if I change the source address?

Of course, you will send the traffic out but will it will not come back because the source address has changed. It will go to the address where it is pointing it to now, which is the new source address. And if one hundred networks do the same thing, you create an amplification attack towards one destination.

Every source address belongs to, for example, network a And every response coming back will go to Netra K, and then they will receive a distributed denial of service attack, which is the DDoS.

Data, not implementing source address validation is one of the causes of the, reduce attack. Not the only one, of course, but, one of the, causes. Yes.

But in a in a in a nutshell, BCB thirty eight is just saying You shouldn't be sending out traffic with a source, source address or return address that's not, address, address hand, destined for the the the customer or where you're getting that traffic from. I'm I'm bungling that, but, You should be checking the source address on outbound traffic, to make sure that the person who's sending it is actually can receive Otherwise, yeah, you you create this scenario where you can launch amplification of attacks, and this is Yeah. This is something gets talked about, quite a bit, in the space, and it's the source of a lot of, DDoS attacks.

Yeah. And and honestly, these two actions that we've been discussing thus far, route filtering, and then the anti spoofing mechanisms they probably prevent a lot of the issues that could potentially happen with global routing. So what else is manners doing specifically to address this issue.

Yep. And it goes directly into our action number three. Which is the coordination part, which is the human part.

And that is really very important. And what we have seen in the past that, again, as as we have said it so many times, whether malicious or not, Things do happen. Right? So incidents do happen.

If something is happening, for example, how do I reach out to the network operator How do I reach out to the person who's responsible, for that network, which is generating a problem?

Which is generating an attack, which is generating, my resources from their network, which we call it misorigination or, the normal term some people use is hijack.

Is so how do we how do we contact them? And this is where the action three is most important where we say, well, make sure that your network is contactable.

Make sure that there in there's enough information available, which is publicly verifiable, that anyone con can contact you. I mean, you don't have to put your personal numbers on the internet, but, of course, your network I mean, you should be reachable via email, an email which belongs to a team which is monitoring it. A phone number in case, just in case there is a knock phone number or service or help desk phone number is there. So we request all the operators, and we it's mandatory in actions that you have to have an email address available.

Through the RIR, who is databases and through peering DB, which is, again, peering DB is one of the most important, I would call it a portal for, network operators across the globe. Which they use to make sure that, the relevant information is there. So we encourage everybody to every operator, whoever joins us with if even they don't join us, it's okay. Please do the best thing. So, yes, this is the, this is the, human factor, embedded in the action three.

Yeah. The the people part makes a lot of sense to me. Those open lines of communication are gonna do a lot I have to imagine to securing those relationships between providers and other providers, providers and customers, on the global internet.

In fact, it reminds me of that example when you get a phishing email, and you see that it's from somebody you know, perhaps an executive at the company. All you might need to do is call up that executive if you can. And ask, did you send this email and then verify again, just an open line of communication to help secure, your, your network infrastructure?

Now that aside, I know that there are some somewhat technical mechanisms that we can use to secure global routing such as RPKI and ROA.

Is manners involved with that Absolutely.

Well, let me share you some some insight. Right?

And I mentioned, the best thing about manners is, of course, I'm associated with it. So, of course, I will call it. It's the best thing. But, managers technology agnostic.

So when when RPCI was, is still in the works at IETF.

The the global validation part was still there. So how we were encouraging operators to do the global validation. Well, through the historical system, now we can call it is the IRR, which is the internet routing registry.

So we're encouraging everyone to make sure that, they create route objects, and make sure the that information is up to date, so that everybody else can verify this information.

That was going so far, of course, and if anyone who's listening, and do understand IRR, then they can I mean, they must be smiling right now that how bad the IRR ecosystem is so, yes? But that was the only solution at that time. Fast forward a little, couple of more years, since twenty fourteen.

RBKI started taking really good shape.

The, the relying party software were getting better.

RIRs were getting better in terms of providing services.

The vendors were getting, were getting better in terms of providing the support for the So things were getting really, really good. So then at that time, it was of course, being, technology agnostic, it was, added that now it is much more important to have our PKI, support in the global validation as well. So we now encourage every operator who, who has already joined or who is applying to join as a participant that do create Roa as well, which is route origin authorization, which is an equivalent of the route object, but, of course, it is verifiable, through a PKI, infrastructure. And it is much more secure You do not have to, update it on, daily basis. Of course, it's it's a renewable certificate. It will be updated.

Automatically.

So these are the things which helps us, secure it much better. And, and, of course, we do support RPI in the best possible manner. And, just, FYI, I did a, routing security to tutorial just today at Appricort, and the focus of that, manner tutorial was only RPKI. So we are pushing RPCI to the fullest. Yes.

So here's some of the, advantages, the RPI when we talk about RPI, we're really talking about RPI ROV route origin validation as one particular application that sits on the RPI infrastructure.

The hope is there'll be future, applications like ASPA and PGP sec, which we won't get into probably here. But, those will also rely on RPI. It's been us, I think synonymous, where we use RPI the standard for the one application that we've got built, which is ROV.

But the, just in a nutshell, the the advantages is that, especially as somebody as an, as an analyst who's trying to understand what's going on in, in, in internet routing. I think I have to probably agree with this that, you know, at least RBI ROV. There's one correct answer, internet wide. You know, that that there's there's one, ground truth it may not cover every AS or every route, but because not everybody's made roads for all their routes. But, it is a reliable way to validate something in the in contrast to the ir the previous IRR based, solutions you had a numerous sources, of, information.

And some of them were of different levels of quality. And in fact, there are, a couple that are, of low level, low level of security, as we found out in recent, recent years. Where bad actors have been able to input, entries, to white list their bad, bad routes And, that's not something that's possible in the RPI ROV. The other issue is that, each network ultimately, if they're gonna do route filtering is gonna implement their own solution.

And those solutions can kinda differ, depending on how they, you know, their design choices, engineering choices. So it becomes a little bit unpredictable as to how what's expected of any network they you could have two different big networks both doing IRR based filtering, and they could behave a little differently from one to the other. And, that unpredictability, and that that's not great, for the for the system. We don't have that with the RPI ROV. It is, it is a uniform, thing. And, yeah, we the fact that we've had a lot of adoption in the last couple of years is a really great step forward on this topic.

Oh, yeah. Absolutely. I completely agree with you, Doug. I mean, the fact is we are making incremental steps forward to secure global routing.

It's it's an iterative process like everything else. Right? And it's very interesting to me that these four actions that we've been talking about, to me, they don't seem standalone what so ever. They really all just seem to be so intertwined that it's kinda like they're kinda like four components of one big action.

Right? I mean, routing, of course filtering has to do with the routing. There's people involved with these relationships and with the configurations and all these processes. So they all go together in my mind.

Now Avtab, You mentioned several key words here that I wanna call out. You said the word join. You said the word member. You said the word encourage.

What do you mean by that? What do it mean to join manners? What does it mean to be a member? And when you say encourage, I have to assume that you are not spelling out explicit configuration, but encouraging best practices and and more outcomes, and then encouraging folks to do what they need to do to get to that specific outcome.

And, just to piggyback on that, What what is a member? What does it mean to be a member of manners?

Well, yes. These are really very important, words. So for example, one thing, which is, we we call, the networks who are part of the manner's initiative.

We call them participants.

Because they are participant in a, in a, in an initiative.

So, so so so They are not, joining an exclusive club, of course. So they we call we don't we don't call them members. We call them participant in this initiative.

So that is a slightly unique thing, in the managed initiative.

Number two is we do have an implementation guide.

We do have implementation guide, and it has snippets of configuration.

From different vendors. We have it from Cisco, from Jennifer, from Arista, from Nokia, from Microtech, It is all it's all crowdsourced.

It it is done by the community, and it's it resides in a, publicly available, GitHub repository, and anybody can go and, update it and send a pull request. And we review it every quarter that we have received any request or not. So, yes, we do have an implementation guide. We do, provide the guideline but our focus is on the outcome. As you mentioned, we would like you to do we would like you to achieve this. If you want to achieve it, with a different set of configurations, that's up to you. We are not forcing you to do this exactly.

Implementation guide is just a guide.

If you are not familiar with this, well, you can simply copy paste, and it will work. But if you know your platform if you know your, business requirement, a technical requirement, better than anybody else, of course, then you should implement the way you are running your network. So but we provide the guideline, but, of course, you do it yourself.

We are more concerned about the outcome.

Okay. So a participant isn't required to use your configuration examples. I mean, I get it. They're encouraged to do so because they are best practices.

Ultimately, there isn't, like, an audit or anything. Is there?

No. There is no specific configuration audit. The audit we do is for the outcome again. So once someone, apply to join, We look at all the globally, global publicly available data sources, and see if they have done something wrong in last six to three months time period. Right?

Thankfully, so now we do have a data source since two thousand nineteen since we have started collecting, the data from all the public sources.

We can go back up to twenty nineteen easily. But, our focus usually is that, in the last three to six months, what have they done? If they have done something wrong, So we go back to them and say, well, can you explain why this happened and what measures you have taken since then? To rectify this problem, and things like that. So, the audit usually is from each outside, not from the inside.

Manors is a technical community. That service providers, well, really any any kind of organization with a public internet presence can join and then undergo an audit from your folks that look at their peering and routing and advertising activity over the last few years to determine if they are following best practices and therefore trustworthy with regard to global routing. And so far as any organization is going to make a mistake here and there because we are people.

And then that organization can in turn go to the rest of the world and say we are a participant of manners and therefore are trustworthy.

Hundred and one person. Yes. We do believe. One percent. I'm I'm flattered. Yes. We do believe.

I mean, that one person was for the last statement, where you said, well, technology is gonna break. Yes. That is the most important point. It is it is things will go bad.

No matter how good your network is, and we have seen it several times. It is the most important bit is how quickly you identify the problem and you resolve it.

And initially, we used to say, well, you have to make sure that what you are doing on the internet, but now we also recommend network operators that please make sure that you have some visibility of your network from outside as well.

So use some tools which can give you what is what what your network is doing from the outside perspective rather than just from the inside. So please have some eyes and ears, looking at the routing table, or using some tools, which can help you provide this information.

Oh, yeah. It it's very clear to me that manners is is certainly concerned with the technical, but is also very much concerned with the people part of this entire things. So people processes, workflows, team culture, of a network operations team, and I guess a network security team as well. Now does manners provide any internet resources, any actual infrastructure to help their participants in securing their networks and then securing their global routing footprint.

Of course, we do, rely on the infrastructure support from the internet society, which is provided by them So the infrastructure is provided by inter society. We do have our, training labs.

One is in, Sydney, another one is in Zurich. Suzilent.

So, and the the labs we provide to our participant just for the training purposes, if they have any, gaps, if they have, if they want to test something. Of course, we cannot replicate the, network of anybody else. But we do have, we do have live internet feed. We do have pairing.

So they can test, I mean, if you if they're gonna break it, break they're gonna break our lab infrastructure. So they are more than happy to do that. So, we do provide that kind of support, just to give them some, some level of confidence that, if you do this, it this will be the outcome. So they can test. They can try. We provide the training. We provide tutorials, live demos to help them, to help them understand better before they go back and implement it into their own networks.

I mean, a lot of this conversation has kinda felt like it lent itself. It was oriented towards service providers, but, I mean, I know from my own experience as an engineer. I've worked with some enterprise organizations, so not service providers but that were so large global and with so many locations and so many end users that it really felt like we were running a service provider net in a lot of ways.

So would you say that manners is really more oriented toward the service provider space, or are you also trying to accommodate folks in the enterprise world as well.

Well, initially, it was, we tag we we target, the network operators or the ISPs, which you call it.

Because our our point of view was, and to some extent still is that if you secur secure the bigger transits, you you secure the blast radius, you reduce the blast radius. Right? So that was in was our initial target. So I'll make sure, well, the top ten or top, hundred or whatever numbers we can come up with, make sure that we can target them first, bring them on board, and make sure the trans the the most of the transit provider across the globe are part of this initiative.

And, we have to be very honest, we are very successful in that. We do have some of the largest operators joining, they have already joined us. And some are already, in discussion for quite some time to join us, as well. So that is going really very well.

But your point is absolutely correct. Some of the enterprises are, I mean, they some of them have more routers and more nodes in their network than some of the large network operators. So, yes, that is important to to have them on board is more important, and that's why we are renewing our efforts toward the enterprises.

We are trying to reach out to them.

Of course, what happens is most of the enterprises do not come to these network operators group. Events or other events. So now we are trying to reach out to them through, different associations.

We we are partnering with FSI sec, or HSI sec for the, health industry and the financial industry, and working with Osaka to make sure that other cybersecurity folks, who are from the enterprise sector, do, know that what what we are doing, what we are trying to achieve achieve so that, they can participate as well. So, yes, we are trying to, to reach out to them, but, yes, the network is growing. The internet is growing pretty fast.

Yeah. That's an understatement. So, so, so after I've been dug, would you gentlemen say that we are in the adoption of these technologies in the greater community?

And I'm I'm specifically thinking about ROA and RPKI Oh, I mean, you summed it so nicely.

The, and I I was just looking at, the data while you were talking about it, And I I just looked at it, like, for example, Facebook, Google, and, Netflix, they they, if if you just look at, the and even Amazon, if you just look at the, raw uptake of these organization, it is close to one hundred per Yeah.

I I guess, I have a, a glass half full, perspective on this given that this is, you know, trying to improve global routing security is a really difficult thing. You have to have thousands of entities around the world. All do something. And, and, and also a lot of times, the motivation, they're, they're, for them to implement RPI ROV to reject invalid, they're doing things that are going to benefit others. And so, that's even a harder sell sometimes, for them to, allocate resources to just that's not gonna necessarily benefit them directly or at least, initially.

But, I guess there's been a lot of progress made in the ROE, world in the last couple of years. And so I wrote a couple of blog posts around that, the, I did with, Joe Snyder, fastly, looking at, you know, there's two steps to, RPI ROV doing its job step one is are there, Roas created. So, basically, people who have created some sort of out of station that says that this is the correct state of the route, of the routes.

By the numbers, they're very low. Like, it's, maybe a third of the routes in the global routing table have roas, that are valid.

The analysis that we did combining with some of the net flow from Kentech was that, you know, we could show that even if those were just a third of the routes, they actually are a lot there's a lot of important companies that are doing this. And so it ends up being you know, over half of the traffic, because not every route pushes the same amount of traffic. And so that was, whole, like a hopeful message that we, you know, we are, maybe you're further along than we thought if we're just counting routes cause not every route pushes the same amount of traffic. And then the flip side is, you know, if a route becomes invalid, are we, is it getting filtered?

And so then we can take, you know, at any given moment, there's a bunch of persistent, misconfigured routes that are our PI invalid and therefore getting filtered. And we can use those study, like, what, what is the effect of, filtering at the moment. And, again, you have a lot of, benefit created by the global backbone carriers, Relay Relayon, a cogent, entity who are who are filtering invalid routes really for the benefit of the rest of the internet, they don't necessarily benefit themselves. But, we should appreciate the effort in engineering that went into this But because of those black backbone providers are dropping invalid, that means that when somebody, there's a routing leak, a big origination leak, any of those routes that had rows, will be protected to some extent, and to use the phrase that AFtab used a minute ago about reducing the blast radius, you the propagation of those bad routes gets, dramatically, reduced.

That's that's present day.

So it's not a solved problem, but we do have to take a moment and appreciate that we've we've come a long way, but there's plenty still to do. After that, do you have any, anything to add on that?

Yeah. It has changed a lot in last couple of air, ears or maybe I would say in a few months, it has changed a lot. The only problem is IC, while looking at the data is, we are missing out on, on a lot of financial sector. So if they just jump on this one, well, we have most of the problems are resolved. So because most of the incident we see which with mostly are of malicious intent are towards the financial institutions.

But unfortunately, they are not looking at it So that is the only missing point. Otherwise, the big operators, network operators are implementing the router origin validation.

And the, the eyeball networks are implementing the, creating the ROAs.

So it is a really good match. But it's just the, the player in the middle, which are the health sector and the financial sector. Unfortunately, they are not looking at it at the moment in in a nice manner, I would say.

These are the companies that push most traffic. So that's that's what that's what creates that.

If you look just bits per second, going to where are they going? They're going to routes with valid roas. That's a good thing because that means that there's a potential for the RPK system to protect the traffic that's going there. We didn't have that just a couple years ago. So this is like a a relatively new phenomenon.

So gentlemen, I'm gonna stop us here. We're getting close to an hour, and, this has been a thoroughly enjoyable conversation, FTAP. Thank you so much for joining.

It's been really interesting to me, as a as a former engineer, from the technical side, of course, but all to learn about how the people side of securing global routing is just so important and a focus for manners and that the organization exists in the first place address this problem. So, again, Afab, thank you so much for joining.

My pleasure. Thank you for the invite. Thank you. Thank you, Doug.

Great. And so, Afab, the folks would like to reach out to you online to ask a question or maybe if they have a comment, how can they do that?

Well, I am, mostly available on Twitter.

So they can reach out to me at, at, after opsidiki.

Or, you can find my details on the internet society website, which is siddiqui at isoc dot org. So you can send me an email if you want to reach out.

Great. Thanks. And, Doug, always a pleasure. How can folks reach out to you online again with a question or a comment?

I am still on Twitter, and, LinkedIn. Those are good ways to reach me. I'm also have an account on, mastodon. Just look up Doug Madore. I don't have any clever, Twitter handle, just my name.

Great. Thanks, Doug. And you can find me on Twitter at network underscore fill on still active there. You can search my name in LinkedIn.

Philip Jervasi. I'm all over the internet and my blog network fill dot com. And if you are interested in being a guest on the show or if you have an idea for an episode, please reach out to us. We'd love to hear from you.

You can email us at telemetry now at pentic dot com. So until next time, thanks for listening. Bye bye.

About Telemetry Now

Do you dread forgetting to use the “add” command on a trunk port? Do you grit your teeth when the coffee maker isn't working, and everyone says, “It’s the network’s fault?” Do you like to blame DNS for everything because you know deep down, in the bottom of your heart, it probably is DNS? Well, you're in the right place! Telemetry Now is the podcast for you! Tune in and let the packets wash over you as host Phil Gervasi and his expert guests talk networking, network engineering and related careers, emerging technologies, and more.
We use cookies to deliver our services.
By using our website, you agree to the use of cookies as described in our Privacy Policy.