Enhancing Routing Security in South Asia

Routing Security session at MMNOG-3 held in Yangon, Myanmar - January 13-17, 2020

Contributed by Mohammad Abdul Awal, NSRC Engineer and Trainer and Mozilla Open Internet Engineering Fellow

June 11, 2020

The Internet’s global routing system is often affected by route leaks, prefix hijacking, Internet address spoofing and other incidents which can lead to Distributed Denial-of-Service (DDoS) attacks, traffic inspection, Internet outage, malicious activities, financial and reputational damage. The Mutually Agreed Norms for Routing Security (MANRS) initiative, supported by the Internet Society, recommends prefix filtering, BCP38 and RPKI (Resource Public Key Infrastructure) deployment to fight against those threats but there has been very limited progress in RPKI deployment in the South Asian region.

Since October 2019, I have been working on my project to enhance the routing infrastructure security and RPKI deployment in the South Asian region. The project is supported by the Network Startup Resource Center (NSRC) and Mozilla Open Internet Engineering Fellowship program. I am working under the supervision of Dr. Philip Smith of the NSRC, with additional guidance from others in the NSRC team. The goal of my project is to enhance global routing security by:

  1. Providing hands-on training to the network engineers on routing security best practices at the regional Network Operators Group (NOG) conferences across the Asia Pacific region.
  2. Carrying out awareness campaigns and assist network operators to fix their RPKI ROAs (Route Origin Authorizations) during and after the conference days.
  3. Conducting RPKI Deployathons where the participants get the facilities to practice RPKI Deployment, figure out the issues and challenges of tools and technology, and safely simulate what they need to do in real life to improve routing security.
  4. Research about the routing issues of individual network operators in the region, informing them by email and helping them fix the issues.

In order to accomplish the goals, I needed some good training materials (slides and lab manuals) as well as a workshop kit to run virtual labs for the hands-on workshops. Thanks to the NSRC group for providing me all these resources. With direct supervision of Dr. Philip Smith and other NSRC colleagues, I have conducted a routing security workshop at the APRICOT2020 summit, one of the largest regional Internet conferences in the world. I have been a member of the facilitators team to organize the RPKI Deployathon at APRICOT2020 where 41 network engineers from 20 countries have installed and configured different open source implementations of RPKI Validators.

RPKI Deployathon at APRICOT 2020 in Melbourne, Australia

Moreover, I have conducted sessions on routing security at bdNOG11 in Bangladesh, MMNOG3 in Myanmar and npNOG5 in Nepal; Philip Smith presented at SANOG35 in Pakistan on my behalf. I have provided hands-on training and delivered lectures to more than 500 on-site participants during those events. NSRC also helped me coordinate with several NOGs in the region.

During my fellowship period, I have reached out to more than 3,000 network operators in South Asia and Myanmar to notify their routing issues. I directly helped more than 500 of them to fix RPKI ROAs for their 4600+ IPv4 and IPv6 prefixes.

Working in close cooperation with the NSRC’s experienced trainers helped with my professional development as a network engineer and a facilitator of Internet education in the South Asian region. It also gave me the opportunity to help the local and regional operators in South Asia and create a good human network within the region to help each other in dealing with the Internet’s routing security issues.

Impact of RPKI validation in Bangladesh:

I have helped the National Data Center in Bangladesh to deploy RPKI validator in their network. Before the deployment, I carried out an extensive awareness campaign to make sure that everyone understood the impact of NDC’s RPKI validation and how it affects them.

This included:

  1. Publishing a blog post in the local language (Bengali) explaining the basic information and benefits of RPKI and ROA, why NDC is going to do the validation, who and how it will affect the ISPs and users in Bangladesh, and how ROAs can be created and verified.
  2. Sending emails to the bdNOG Mailing List mentioning the key dates of NDC’s RPKI deployment plan.
  3. Posting similar articles on different social media, including bdNOG’s Facebook page and BGD e-GOV CIRT’s Facebook and Twitter pages.
  4. Providing detailed steps on creating ROAs and several ways to verify them. I also shared my contacts so that anyone can reach out to me if they faced any issues.
  5. Creating a list of all ASNs in Bangladesh that include the number of IPv4 and IPv6 prefixes of each ASN, and the number of valid, invalid and not-found ROAs. I contacted each of the ASN contacts via email, phone, SMS, and online messages and informed them of the ROA status of their prefixes.

Tweet about ASN and Routing Security in SE Asia

I have reached out to more than 800 ASNs (Autonomous System Numbers) and helped them create new ROAs for more than 3,500 unknown BGP (Border Gateway Protocol) prefixes and fix about 100 invalids BGP route advertisements. That was a significant improvement in RPKI deployment in the country. Starting with 29% in Sep 2019, the valid RPKI ROAs in Bangladesh is now 83%. Studying, analyzing and understanding BGP routing dynamics is tremendously important in order to: understand and improve routing infrastructure in research and education environments as well as the commodity Internet; develop solutions to route hijacks and man-in-the-middle attacks; detect and respond to network outages rapidly; avoid routing paths through certain locations; obey privacy laws, and more.

Bhutan is the first country to have 100% valid prefixes

In my project, I have done research on each network operators in the South Asian countries and reached out to those who had issues with their RPKI ROA. I consistently followed up the progress of the deployment and after several months of my efforts in the region, Bhutan became the first country in the world to have a 100% valid ROAs. I am happy that I had the opportunity to work with some of their network operators in fixing couple of ROAs

ROA/RPKI uptake in SE Asia improvements

RPKI adoption in South Asia

The project has a significant impact in adoption of RPKI in the South Asian region. The awareness campaigns and hands-on workshops helped network operators realize the importance of global routing security and RPKI deployment. Each ASN with Invalid and/or Not-found ROAs in the South Asian countries has been contacted explaining the issues so that they can identify it and can create Valid ROAs. All these activities helped to reduce the number of Not-found and Invalid ROAs resulting the significant increase of Valid ROAs over times during the project period. Knowledge and actionable results ultimately help improve routing security in the region.

Status of RPKI ROA in AF, BD, BT, IN, LK, MM, MV, NP and PK
Figure: Status of RPKI ROA in AF, BD, BT, IN, LK, MM, MV, NP and PK.

Communities need to take a lead to help their economies

The main reason behind missing ROAs seems to have been a lack of awareness. Despite lots of discussions globally about RPKI deployment, almost no effort had been made to reach out to the individual ASNs in the region. While many of them were aware of RPKI and were able to create ROAs using MyAPNIC, they just simply didn’t feel it necessary to enable it. Some admins didn’t know the procedures of creating ROAs and some even didn’t know about RPKI ROA in general.

I think there is a significant knowledge gap and a lack of awareness about RPKI, and other routing security codes of conduct. While the discussion is happening globally, we need to discuss more about RPKI in local NOGs and help each other within our community to be successful in a wider deployment of RPKI. And, that is exactly what I am doing with my project.

I am so happy that my project is actively contributing in minimizing prefix hijacking, route leaks, IP address spoofing and other harmful incidents. Hands-on trainings on RPKI, ROA, BCP38, uRPF, prefix-filtering, IPv6 security and routing protocol security for the South Asian network operators can make a positive impact for the global routing security. This will eventually reduce DDoS attacks and traffic inspection that use the South Asian prefixes. And, the most exciting thing to me is the opportunity to contribute to enhance the security of the Internet’s routing infrastructure.

 

Category