ABCDEFGH
1
Security Control Information
2
R&E Routing Integrity Control GroupSecurity Control NameMANRSSecurity ControlAssessed Security Control Implementation
(select one of the following)
ScoreIf partially implemented or not implemented, please describe what's deficient and why.Utility of Control
3
Operations Capability
4
OC17 * 24 accessible NOCThe Network Operations Center is accessible 7 * 24Not Yet AnsweredFrequently, troubleshooting network outages or impairments requires coordination of administrative domains. Network services in support of research and education are in use every hour of every day; therefore, there needs to be a 7 by 24 accessible NOC so that users can report problems and other networks can coordinate the troubleshooting.
5
OC2Technical community engagementThe network engineers regularly engage the broader Internet2 community to exchange best practices, relevant experience, ask questions, etc.Not Yet AnsweredNetwork operators within the Internet2 community are some of the best resources for solving technical problems, understanding best practices, and gaining insight into new network technologies. Network staff is encouraged to engage and participate in the community. You can send a note to Linda Roos (lroos@internet2.edu) to inquire about participating in various technical groups within the Internet2 community.
6
OC3Ability to check for route missing due to ROA InvalidIf the network is used as transit (e.g., a RON), the NOC has procedures for checking for routing problem due to a route being dropped via an Invalid ROANot Yet AnsweredMost implementations of RPKI Routing Origin Validation drop routes that fail before including them in the routing information base. Unlike prefix filtering, there's no router configuration (such as the prefix filtering configuration) for an operator to inspect when determining if a route was dropped. There should be a method for the network operator to quickly identify routes that aren't accepted due to RPKI ROV invalid status.
7
OC4Maintain Internet number resource allocations (e.g., how prefixes/subnets and ASNs are assigned)The Network Operations Center maintains detailed records of the use and assignment of IP number resources. For example: the assignment of subnets, ASNs, etc.Not Yet AnsweredMany R&E network operators have large networks that can span multiple buildings or even multiple campuses. To ensure effective troubleshooting, it can be important to have detailed records that associate IP addresses with specific sections of the network.
8
Resource Management RIR
9
RMR1Maintain Whois RecordsXWhois records for number resources are currentNot Yet AnsweredMaintaining RIR whois records ensures that other networks are able to identify the relevant contacts when troubleshooting issues that relate to your network resources. Maintaining these records also helps fulfill MANRS Action 3, "Facilitate global operational communication and coordination."
10
RMR2Resources covered by current L/RSAAll numbered resources assigned by ARIN are covered by an L/RSANot Yet AnsweredWhile ARIN provides basic whois services to legacy resources (not under an ARIN agreement), an agreement IS required to use ARIN's routing security services, including RPKI ROAs, authenticated IRR, and reverse DNSSEC.
11
RMR3ARIN authentication protected by MFA?All authorized users of the ARIN portal use Multi Factor AuthenticationNot Yet AnsweredBy default, ARIN's web portal doesn't require multi-factor authentication. Given the critical nature of the resources managed under ARIN, it's highly recommended that ARIN users enable MFA for their web portal access. It's also recommended that organizations adopt a policy that requires all Points of Contact (POCs) for their resources to enable MFA.
12
RMR4Create/Maintain ROAs for IP networksAll IP networks have supporting RPKI ROA recordsNot Yet AnsweredRPKI ROAs mitigate the risk of route hijacking by publishing the route's authorized origin ASN.
13
Resource Management IRR
14
RMI1Maintain IRR records for all Internet number resourcesXIRR objects for all Internet number resources are currentNot Yet AnsweredKeeping IRR route, IRR as-set objects, and PeeringDB as-set current ensures that your network's intended routing announcement policy is published, so that other networks can use this information to determine if routes to your network are valid. This provides a level of protection from route leaks and route hijacks, which can cause outages for your networks. It also helps fulfill MANRS Action 4, "Facilitate routing information on a global scale."
15
RMI2Maintain Maintainer Objects for OrganizationXIRR maintainer objects are currentNot Yet Answered
16
RMI3Create/Maintain as-set that depicts routing intentionXIRR as-set objects are currentNot Yet Answered
17
RMI4Create/Maintain PeeringDB network records, including as-setXThe network's peeringDB record includes an as-setNot Yet Answered
18
Information System Capabilities
19
IS1Route Hijack MonitoringThe Information System monitors for potential route hijacksNot Yet AnsweredRouting hijack monitoring (e.g., BGPalerter, BGPmon, etc.) ensures you can detect when another network is leaking or hijacking your network. Route leaks and hijacks don't always lead to a full network outage, and may therefore be difficult to detect. They can cause network performance problems, and even lead to reputational issues if the hijacker is "borrowing" part of your network for nefarious purposes. Without active monitoring, the effect of these activities can be difficult to detect and diagnose.
20
IS2DDoS DetectionThe Information System monitors for DDoS attacksNot Yet AnsweredDDoS attacks, particularly against a large university or regional networks, can be difficult for the network operator to detect without systems in place to specifically detect them. It's common for DDoS attacks to go under the radar by being small or brief enough to not interfere with campus-wide access, while still being enough to impact a specific system or network block. Without DDoS detection capabilities, these attacks can continue to impact systems, sometimes seemingly randomly. Having DDoS detection capabilities also provides critical information that may be used to defend against the attack.
21
IS3PerfSONAR testingThe Information System includes well placed PerfSONAR performance testing nodesNot Yet AnsweredThe international R&E community relies on perfSONAR node placement for diagnosing data transfer performance problems. Without strategic hosting and placement of perfSONAR nodes within an organization's network, there is limited ability to support users that require high-performance network service.
22
IS4DDoS mitigationThe Information System can mitigate a DDoS attack via scrubbingNot Yet AnsweredDDoS attacks can be crippling. To prevent outages due to DDoS attacks requires the ability to both detect and mitigate the attack. If the DDoS attack is broadly targeted, or if its volume is sufficient to cause outages beyond its target, then RTBH can be used to protect access to the non-targeted resources. Protecting targeted resources may require Flowspec or a DDoS scrubbing service.
23
IS5RTBH signalingThe Information System can mitigate a DDoS attack via blackhole routingNot Yet Answered
24
IS6Flowspec signalingThe Information System can mitigate a DDoS attack via BGP flowspec blackholingNot Yet Answered
25
IS7Looking GlassThe Information System allows interrogation of basic routing information to its downstream usersNot Yet AnsweredLooking glass servers or router proxies allow other networks to troubleshoot and better understand network behaviors along the end-to-end path. These servers are encouraged to be listed in an organization's PeeringDB page, under MANRS Action 3.
26
Network Configuration
27
NC1ANTI-SpoofingX*The network filters/prevents spoofed source packets from egressing the networkNot Yet AnsweredEnsuring your network won't accept or forward IP packets with spoofed source addresses is critical to ensuring your network won't be used to attack other networks. While preventing IP source spoofing can be more challenging for transit providers (e.g., backbones such as Internet2 or other ISPs), it's straightforward for campus operators to ensure their end-system networks are unable to spoof IP source addresses. This supports MANRS's Action 2 and is detailed in BCP38 and BCP84.
28
NC2CAIDAX*The network hosts an CAIDA Spoofer client on at least two network segmentsNot Yet AnsweredUsing the CAIDA spoofing tester can assist in validating that anti-spoofing configurations and measures are effective. This supports MANRS's Action 2
29
NC3Multi-factor authentication for device accessConfiguration of network devices requires Multi Factor Authentication (MFA)Not Yet AnsweredIt's critical to ensure that only authorized individuals are able to configure network equipment. Given the inherent weakness of simple username & password credentials, it's highly recommended that MFA be required to configure these devices.
30
NC4BOGON filteringXThe network filters BOGON routesNot Yet AnsweredBOGONs are considered IP networks that have no legitimate use over the Internet. Not filtering BOGONs can lead to being the source of unattributable attacks (similar risk to source address IP spoofing), as well as providing unintended access to local private networks from external networks.
31
NC5Multi-homed route leak preventionXThe network filters/prevents route leaks among network peersNot Yet AnsweredMany default BGP configurations can easily lead to route leaks among a network's peers. The best practice is to tag all routes on ingress and use those tags to filter routes on egress. Good information can be found in BCP84.
32
NC6Mult-ihomed route optimizationThe network selects the optimal path (e.g., local peering, regional peering, R&E national backbone, transit provider, or other selection criteria)Not Yet AnsweredWithin the R&E network community, it's considered best practice to use BGP local preference to ensure traffic prefers routes that transit R&E infrastructure end-to-end. For example, it may be the case that two universities use the same full transit provider, resulting in the transit provider being the normally preferred path between these two universities due to the shorter length of the AS-PATH. Using local pref to override a shorter AS-PATH to keep the traffic on the higher-speed, less congested path is preferable.
33
NC7Customer Routes AuthenticatedXRoutes from customer are checked for ownership and registrationNot Yet AnsweredBefore accepting customer routes, the network operator should verify the customer is the registered user of the route and origin ASN (via RIR), and that the customer is authorized to use the network. This is in support of MANRS Action 1
34
NC8Route Origin ValidationX*If performing Route Origin Validation checking, routes that fail are droppedNot Yet AnsweredIf performing RPKI Routing Origin Validation, best practice is to drop routes in ingress that fail ROV, rather than mark these routes for later policy action.
35
Network Device Hardening
36
NDH1maintain software versionNetwork device software/firmware is periodically reviewed, and update when neededNot Yet AnsweredNetwork devices frequently require firmware/software updates to ensure they continue to address evolving vulnerabilities. The best practice is to review firmware versions periodically and when notified of a new vulnerability.
37
NDH2Log analysis/SIEMNetwork device logs are collected and periodically analyzed Not Yet AnsweredNetwork device logs can capture instances of hardware failing, attacks against the hardware, new unusual activity, etc. Periodically reviewing logs is recommended to detect these attacks or other anomalies.
38
NDH3configuration managementNetwork device configuration changes are recorded and can be reviewedNot Yet AnsweredNetwork device configuration changes should be captured for review and future audits.
39
NDH4secure management planeAccess to network devices for configuration and monitoring is via a secure management planeNot Yet AnsweredRegardless of a secure management networks, best practice is to use authenticated and secure transports when configuring and monitoring network gear using protocols such as ssh and SNMPv3.
40
Cloud Access
41
CA1on-prem-like cloud connectivityThe network facilitates the accessibility of cloud resources by ensuring access is similar to on-premise resourcesNot Yet AnsweredAs users migrate infrastructure to cloud-based platforms, it can be beneficial to preserve the local campus data center model by extending the data center into the cloud provider's infrastructure via services like Internet2's Cloud Connect service.
42
CA2resilienceThe network provides resilient cloud connectivity in the event of the failure of one service providerNot Yet AnsweredR&E organizations are typically provisioned with multiple resilient paths to the Internet. However, in many cases, applications that rely on Internet2's Cloud Connect service may not have resilient paths. It's important that the application owners and local network operators understand this limitation and ensure they are able to provide the resiliency required by the applications.
43
IPv6 Deployment
44
IPv6-1IPv6 DHCP or SLAACThe network can automatically assigns IPv6 addresses to client devices via DHCP and/or SLAACNot Yet AnsweredNearly every contemporary end-user device implements IPv6 by default. While campuses may have sufficient IPv4 addresses today to accommodate their basic needs, there is value in supporting IPv6 today.
45
IPv6-2services are assigned IPv6 addressesServices (e.g., email, web, etc.) are accessible via IPv6 (must include AAAA DNS records)Not Yet Answered
46
* denotes MANRS recommended action, not MANRS required action
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100