If for no other reason than personal motivations, we should all be interested in securing Internet routing to keep our and our employers’ names out of the tech news websites, case studies and newspapers. If you need further convincing, a more secure and robust network will minimize the likelihood of having to take an emergency phone call at 3am or while on vacation.
Why do we continue to see these headlines about Internet routing leaks and hijacks? Well, the answer, much like the Internet, is complicated and multi-faceted.
For a start, it’s the nature of the Internet. There is no single authority over this global, distributed network, so there’s no exact reference for which routes are ‘right’ or ‘wrong’. Routing is more or less a chain of rumours — your neighbors tell you what they know, and you tell your neighbors what you know. The only reason we have to believe our neighbors is trust! We assume that our neighbors are honest, have not been compromised, and are the rightful owners of the prefixes they are routing.
Routing is also variable. Your view of the network depends on where you are, and your routing outcomes will be different as well. There is no reference for comparison, since everyone’s view is different.
Routing also works in reverse. Your outbound advertisements affect inbound traffic, and the inbound advertisements that you accept influence your outbound traffic.
And as much as we would wish RFC 3514 to be true, there is no evil bit in packet headers, and no routing update will identify itself as good or bad.
So as you can see, it’s very easy to do bad in routing. But there are things we can do, including using Resource Public Key Infrastructure (RPKI) to validate who has the authority to route which resources via a Route Origin Authorization (ROA). Unlike routing, RPKI does have a single authority model, so trust can be established, which is the first step towards being able to reliably identify good routing updates.
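To make the ROA check concrete, the following is an added example (not from the original post or from any validator's code) of route origin validation as specified in RFC 6811. It goes slightly beyond the text by including the ROA maxLength field, and all prefixes and AS numbers are constructed from the documentation ranges.

```python
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):
    """Validated ROA Payload: the (prefix, maxLength, origin AS) taken from a ROA."""
    prefix: "ipaddress.IPv4Network | ipaddress.IPv6Network"
    max_length: int
    asn: int

def vrp(prefix, max_length, asn):
    return VRP(ipaddress.ip_network(prefix), max_length, asn)

# Constructed sample data: documentation prefixes (RFC 5737) and ASNs (RFC 5398).
VRPS = [
    vrp("192.0.2.0/24", 24, 64496),     # only the exact /24 is authorised
    vrp("198.51.100.0/24", 25, 64497),  # /24 and its /25s are authorised
]

def validate_origin(prefix, origin_asn, vrps=VRPS):
    """Return 'valid', 'invalid' or 'not-found' for one announcement (RFC 6811)."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for v in vrps:
        # A VRP covers the route if the route equals, or is more specific than, its prefix.
        if route.version != v.prefix.version or not route.subnet_of(v.prefix):
            continue
        covered = True
        # A match needs the right origin AS and a prefix no longer than maxLength.
        if v.asn == origin_asn and route.prefixlen <= v.max_length:
            return "valid"
    # Covered but never matched means someone else holds the authority for this space.
    return "invalid" if covered else "not-found"

if __name__ == "__main__":
    announcements = [  # constructed announcements: (prefix, origin AS)
        ("192.0.2.0/24", 64496),       # authorised origin
        ("192.0.2.0/24", 64511),       # wrong origin AS
        ("192.0.2.0/25", 64496),       # right origin, more specific than maxLength
        ("198.51.100.128/25", 64497),  # within maxLength
        ("203.0.113.0/24", 64496),     # no ROA covers this space
    ]
    for prefix, asn in announcements:
        print(f"{prefix:20} AS{asn}: {validate_origin(prefix, asn)}")
```

The "not-found" result is why ROAs only protect address space whose holder has actually created them: an announcement with no covering ROA cannot be judged either way.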
But are ROAs enough? What about BGPSec? And MANRS? At PacNOG 24, Tashi Phuntsho will be diving into all these details in his presentation, Securing Internet Routing.
The meeting will also see Elly Tawhai talk about recent developments in APNIC policy relating to IPv4, as well as work in progress at APNIC to help make IPv4 transfers easier.
In addition, Che-Hoo Cheng will give a presentation about the role of Internet Exchanges in enabling faster and cheaper Internet access by keeping local traffic local. He will introduce the benefits and value of an IXP and different models for deploying them, using specific examples from Pacific economies.
Shane Hermoso will also be running an Intro to DNS Privacy tutorial, covering DNS over TLS (DoT) and DNS over HTTPS (DoH), comparing their benefits, implementation and challenges.
With the Plenary Conference and Tutorials sessions taking place on day one of the meeting, days two through to five will feature workshops. Arth Paulite and Shane Hermoso will run a DNS workshop, and Tashi Phuntsho will run a BGP, Peering & Routing Security workshop with APNIC Community Trainer, Etuate Cocker.
PacNOG 24 takes place between 24 and 28 June in Apia, Samoa. For more details, see the PacNOG website.
Contributor: Tashi Phuntsho