1 of 13

Routing Integrity

Steven Wallace Director of Routing Integrity

ssw@internet2.edu

March 5, 2024

2 of 13

Over 300 ARIN agreements signed (since the start of 2023)!

76% of routes can now be protected by ARIN’s security services!

Over $1M/yr in ARIN fees avoided.

3 of 13

4 of 13

Routing Security - Greater Government Involvement is Inevitable

Highly recommend watching John Curran’s NANOG89 Keynote:

The Expanding Landscape of Internet Governance:​ Why Network Operators Need a Global View

TL;DR

  • The Internet is critical infrastructure for nearly all aspects of society.
  • Governments are increasingly taking an active role in its governance.
  • If we adopt effective norms and standards, government requirements are more likely to follow our lead.

~ 4 ~

5 of 13

MANRS

RPKI-ROV

DNSSEC

ASPA

BGPsec

Improves Resilience & Safety

Do these!

6 of 13

Routing Security “Easy Button”

Resource Public Key Infrastructure - Route Origin Authorization (RPKI-ROA)

  • The routing security “Easy Button”
  • Allows the registered user of IP addresses to specify the valid networks (origin ANS) authorized to announce their route
  • Network operators can use this information to identity invalid routes due to misconfiguration or hijacking (many RENs do this today)
  • Think of hijacking as stealing IP addresses
    • Most will never be aware they are being stolen
    • Consequences include man-in-the-middle attacks, to reputational damage due to hosting a email phishing campaign

7 of 13

Creating a RPKI-ROA is Easy

8 of 13

Routing Security - the Emerging Role of Authenticated IRRs

Authenticated Internet Routing Registries (IRRs)

  • Routing Registries are used to publish routing information
  • Networks use this information to filter routes they accept
  • Authenticated IRRs only allow resource owners to create their records
  • Non-authenticated IRRs are sometimes used to by bad actors to subvert route filters
  • Only 13% of US R&E routes have authenticated IRR records
  • Networks without authenticated IRR records may soon experience a less robust Internet

9 of 13

Community of IXPs that may consider an authenticated IRR policy

10 of 13

11 of 13

ssw@internet2.edu

12 of 13

Thanks!

(remember, press that easy button)

If you need any assistance with your routing security, I’m here to help - ssw@internet2.edu

13 of 13

One More Thing - About ARIN Participation (next presentation)

  • As a community, we hold ~$3.4B in IP addresses
  • ARIN is the organization through which registry policies and routing security services are developed and established (this includes things like IP address transfers (i.e., sales)
  • Less than 1,000 votes were cast in ARIN’s last election
  • Only 100 Internet2-connected organizations are setup to vote in the next election
  • ~ 900 additional I2-connected organizations could vote if they selected to be General Members