
What is MANRS and does your network have it?


14 October 2016

Most operators that have joined have implemented all four measures, Robachevsky says, including Comcast, one of the world’s largest broadband operators, which has done so across 33 ASNs. None of the members to date have acted on fewer than three.

Filtering incorrect routing information
The first measure is filtering, which helps prevent the propagation of incorrect routing information. Robachevsky says network operators need to define a clear routing policy and implement a system that ensures the correctness of both their own routing announcements and their customers’ announcements to adjacent networks, with prefix and AS-path granularity.

Network operators need to be able to communicate to their adjacent networks which announcements are correct and to apply due diligence when checking the correctness of their customers’ announcements. This, he says, will provide assurance against “fat-finger” errors that can lead to hijacking traffic directed to other networks. It will also mitigate “route leaks” — the propagation of routing announcements beyond their intended scope.
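As an added illustration (not part of the original article and not MANRS or ISOC code), the sketch below checks customer announcements at prefix and AS-path granularity. The policy table, function name and sample announcements are constructed assumptions that use documentation prefixes and ASNs.

```python
import ipaddress

# Constructed policy for illustration: documentation prefixes (RFC 5737) and
# documentation ASNs (RFC 5398). Names and structure are assumptions.
CUSTOMER_POLICY = {
    64500: {"prefixes": ["192.0.2.0/24"], "max_len": 24, "asns": {64500}},
    # 64501 also transits its own downstream customer, AS64510.
    64501: {"prefixes": ["203.0.113.0/24"], "max_len": 24, "asns": {64501, 64510}},
}


def check_announcement(customer_asn, prefix, as_path):
    """Classify one announcement received on a customer session.

    as_path is ordered as received: neighbour first, origin last.
    Returns "ok" or a short rejection reason.
    """
    policy = CUSTOMER_POLICY.get(customer_asn)
    if policy is None:
        return "no-policy"
    # AS-path granularity: the neighbour must be first, and every AS in the
    # path must be in the customer's registered set. Anything else suggests
    # the customer is re-announcing routes learned elsewhere (a route leak).
    if not as_path or as_path[0] != customer_asn:
        return "as-path"
    if any(asn not in policy["asns"] for asn in as_path):
        return "as-path"
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return "malformed"
    # Prefix granularity: the prefix must fall inside a registered block ...
    allowed = [ipaddress.ip_network(p) for p in policy["prefixes"]]
    if not any(a.version == net.version and net.subnet_of(a) for a in allowed):
        return "prefix"
    # ... and must not be more specific than the policy permits.
    if net.prefixlen > policy["max_len"]:
        return "too-specific"
    return "ok"


# Constructed sample announcements: (customer ASN, prefix, AS path).
SAMPLES = [
    (64500, "192.0.2.0/24", [64500]),                  # legitimate
    (64500, "192.0.20.0/24", [64500]),                 # fat-finger typo
    (64500, "203.0.113.0/24", [64500, 64511, 64496]),  # leaked route
    (64501, "203.0.113.0/24", [64501, 64510]),         # downstream customer
    (64500, "192.0.2.128/25", [64500]),                # unauthorised more-specific
]

if __name__ == "__main__":
    for asn, prefix, path in SAMPLES:
        print(asn, prefix, path, "->", check_announcement(asn, prefix, path))
```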

Preventing spoofed-IP traffic
By implementing a system that enables source address validation for at least single-homed stub customer networks, their own end users and infrastructure, ISOC says network operators can dramatically diminish the prevalence and impact of DDoS attacks. Essentially, network operators should implement anti-spoofing filtering to prevent packets with an incorrect source IP address from entering and leaving the network.

Facilitate global operational communication and coordination between network operators
To grease the wheels, network operators need to maintain globally accessible and up-to-date contact information to facilitate communication and coordination with their peers. This, Robachevsky says, is essential for incident mitigation and better assurance of the technical quality of relationships.

Validating routing information
Whereas the first three measures are about sweeping your own sidewalk, the fourth is about looking out for your peers. By facilitating the global validation of routing information, you can limit the scope of routing incidents and make the global system as a whole more resilient.

Taken as a whole, Robachevsky says the four measures will not just help improve Internet security and resilience, they will enable a sustainable business environment that will benefit network operators and their customers alike. They will provide better protection against traffic anomalies caused by misconfigurations, cleaner setups (resulting in easier troubleshooting and lower time-to-resolution (TTR)), improved peering conditions and opportunities for collaboration with other operators through a discussion forum and professional network.

Robachevsky notes that a team of MANRS participants has convened to draft a Best Current Operational Practices (BCOP) document that walks you through the steps to become MANRS-compliant. The team plans to present the document for review by regional communities at the RIPE 73 meeting in Madrid later this month.

 

 

IDG News Service


TechCentral.ie