Internet Task Force Pushes CDN Routing Security Measures

The Internet’s Border Gateway Protocol (BGP), its universal routing system, has always had design weaknesses. Now, a global initiative known as Mutually Agreed Norms for Routing Security (MANRS) — supported by the Internet Society and a consortium of Internet infrastructure companies — has established a task force to assist content delivery networks (CDNs) and other cloud services in hardening security. Although MANRS already focused on improving security for network operators and their physical hardware, this task force focuses on bringing the process to the cloud.

Wired reports that MANRS project lead Aftab Siddiqui, who is also senior manager of Internet technology for the Internet Society, said, “with nearly 600 total participants in MANRS so far, we believe the enthusiasm and hard work of the CDN and cloud providers will encourage other network operators around the globe to improve routing security for us all.”

BGP is often compared to a GPS navigation system for the Internet, and like GPS it “has quirks and flaws that don’t usually cause problems, but can occasionally land you in major bridge traffic” when ISPs “advertise a bad route.” Beyond such service disruptions, BGP’s weaknesses leave it open to exploitation by bad actors, who “reroute data over networks they control for interception.”

Some major CDNs have already “been vocal about implementing BGP best practices and safeguards in their own systems and promoting them to others,” including Cloudflare and Google, the latter of which “published an update on its efforts with MANRS to overhaul its own BGP infrastructure and convince industry contacts to do the same.”

These large organizations “are increasingly motivated to back this change … because BGP route leaks that result in outages reflect poorly on them regardless of where the issue actually originates.” They can also be influential in driving adoption of technical changes.

MANRS promotes one major BGP safeguard: Resource Public Key Infrastructure (RPKI), “a public database of routes that have been cryptographically signed as a testament of their validity.” Success of RPKI requires widespread adoption; AT&T, Telia, NTT, and Cogent are some of the ISPs currently using it, and European network service provider RETN began implementing it.

Google also completed RPKI registration for 99+ percent of its routes in November. “There is quite a bit of work that is involved in implementing all of this,” said Google Cloud vice president of global networking Bikash Koley. “And once you have all of that information you have to create ways of utilizing it to apply to your BGP policies in the form of filters, etc. It takes significant engineering work and if you do it wrong then you actually can significantly impact users. So with MANRS we’re trying to make this as easy a lift as possible for organizations.”
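The “filters” Koley describes are built from RPKI route origin validation: each validated Route Origin Authorization (ROA) says which AS may originate a prefix and how specific the announcement may be, and a router compares every BGP announcement against that data. The following is an added example, written for this page and not code from MANRS, Google, Wired or any real RPKI validator; it implements the RFC 6811 validation states (valid, invalid, not-found) over a constructed ROA table and constructed announcements using documentation prefixes and ASNs, and names such as `ROA`, `Announcement`, `validate_origin` and `apply_rov_filter` are this example’s own.

```python
"""RPKI route origin validation (RFC 6811 semantics) over constructed data.

Hypothetical example: not a validator's real code, no RPKI repository is
fetched. ROAs and announcements below are constructed sample values using
documentation ranges (RFC 5737 / RFC 3849 prefixes, RFC 5398 ASNs).
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_network
from typing import Iterable, List, Tuple, Union

Network = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class ROA:
    """Validated Route Origin Authorization: origin_asn may announce `prefix`
    or sub-prefixes of it no more specific than max_length."""
    prefix: str
    max_length: int
    origin_asn: int


@dataclass(frozen=True)
class Announcement:
    """A BGP announcement reduced to what origin validation needs."""
    prefix: str
    origin_asn: int


def validate_origin(ann: Announcement, roas: Iterable[ROA]) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one announcement.

    not-found: no ROA covers the announced prefix at all.
    valid:     some covering ROA names the announcing origin AS and the
               announced prefix length is within that ROA's maxLength.
    invalid:   covering ROAs exist but none matches, i.e. a wrong origin AS
               or a more-specific announcement beyond maxLength (the two
               shapes a route leak or hijack usually takes).
    """
    net: Network = ip_network(ann.prefix, strict=True)
    covering: List[ROA] = []
    for roa in roas:
        roa_net = ip_network(roa.prefix, strict=True)
        # subnet_of() raises on mixed address families, so check version first
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.origin_asn == ann.origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def apply_rov_filter(
    anns: Iterable[Announcement], roas: Iterable[ROA]
) -> Tuple[List[Announcement], List[Tuple[Announcement, str]]]:
    """Assumed import policy for this example: reject 'invalid', accept 'valid'
    and 'not-found'. Rejecting not-found as well would drop every prefix that
    has no ROA yet, which is why operators usually start with invalid-only."""
    roa_list = list(roas)
    accepted: List[Announcement] = []
    rejected: List[Tuple[Announcement, str]] = []
    for ann in anns:
        state = validate_origin(ann, roa_list)
        if state == "invalid":
            rejected.append((ann, state))
        else:
            accepted.append(ann)
    return accepted, rejected


# Constructed sample ROA table (documentation prefixes and ASNs).
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("2001:db8::/32", 48, 64496),
]

# Constructed sample announcements covering each validation outcome.
SAMPLE_ANNOUNCEMENTS = [
    Announcement("192.0.2.0/24", 64496),     # valid
    Announcement("192.0.2.0/25", 64496),     # invalid: more specific than maxLength
    Announcement("192.0.2.0/24", 64511),     # invalid: origin AS not authorized
    Announcement("198.51.100.0/24", 64497),  # not-found: no covering ROA
    Announcement("2001:db8:1::/48", 64496),  # valid: /48 within maxLength 48
]

if __name__ == "__main__":
    for ann in SAMPLE_ANNOUNCEMENTS:
        print(f"{ann.prefix:20} AS{ann.origin_asn}  {validate_origin(ann, SAMPLE_ROAS)}")
    accepted, rejected = apply_rov_filter(SAMPLE_ANNOUNCEMENTS, SAMPLE_ROAS)
    print(f"accepted {len(accepted)}, rejected {len(rejected)}")
```

The invalid-only policy is the point Koley’s warning turns on: a filter that mistakenly rejects not-found routes, or a ROA whose maxLength is tighter than the prefixes the owner actually announces, makes legitimate traffic disappear, so ROA data and the resulting filters are normally checked against current announcements before being enforced.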

Koley added that Google is also stressing the importance of “peering,” a “connection between two networks to let web traffic flow in a more efficient and stable way … [that] includes exchange of BGP routing information.” Google’s extensive, global peering portal is a way for the company to “give its peers a nudge for how they’re doing on BGP best practices” by flagging non-adherence to filtering and other safeguards. Next year, Google’s portal will also “show peers their RPKI status.”