Mutually Agreed Norms for Routing Security (MANRS): An Introduction
3:44AM Feb 13, 2021
Speakers:
(Participant)
Aftab Siddiqui
Shveta Kokash
Mohammad Pervaiz
Nandita Koshal
Dr G Radhamani
Sherrin Viji
Ashish Agarwal
Good morning, good afternoon and good evening to you all, from whichever time zone you're attending today's event. On behalf of the ISOC India Mumbai chapter, it gives me immense pleasure to welcome each one of you to today's webinar on MANRS, Mutually Agreed Norms for Routing Security: An Introduction.
Before we start with the actual event, let me tell you briefly about ISOC, the Internet Society, as many of our registered participants are not aware of ISOC and are keen to know about us. We are a global not-for-profit, US-chartered organization, empowering people to keep the Internet a force for good that is open, globally connected, secure, and trustworthy. The Internet Society was formed in 1992 by Vint Cerf and Bob Kahn, two of the fathers of the Internet. There are more than 110 active chapters and 10 SIGs, that is, Special Interest Groups, spread across six continents. Our chapters do incredible work in their local communities that helps in bringing the benefits of the Internet to all of humanity. ISOC India Mumbai, which is hosting today's event, is a very young, four-year-old chapter of ISOC that works in alignment with the vision and mission of the Internet Society. We are proud to be a Gigabit Chapter, the highest-end badge awarded by Internet Society global. Our chapter comprises members from different walks of life: coders, lecturers, consultants, bankers, lawyers, entrepreneurs, students, social activists, teachers, government officials, retired professionals, etc. The majority belong to different parts of Mumbai; a few reside in different states of India and abroad. We belong to different age groups and religions, and speak different languages, but we are bonded together by the Internet. We continuously strive to achieve our chapter's vision of making the Internet relevant for everyone. For more information about the kind of work we do, you can visit our website www.isocindiamumbai.org.
Coming back to today's event, routing security is vital to the future and stability of the Internet. MANRS is a global initiative, supported by the Internet Society, to work with operators, enterprises, and policy makers to implement the crucial fixes needed to eliminate the most common routing threats. I heartily welcome today's distinguished speaker, Mr Aftab Siddiqui, who leads MANRS at ISOC, to talk more about this very soon.
Before I pass the baton to the moderator of today's event, Pervaiz, an ISOC India Mumbai volunteer, to formally introduce our speaker to you all, a few points to be kept in mind during the entire presentation. Your active participation is important throughout the session. Right now, I have everyone on mute to avoid background noises that may distract you from listening to the webinar. Throughout the presentation, someone from our organizing team will be managing the chat functionality. I hope you all maintain the expected online etiquette throughout the event, and take maximum benefit from our speaker's knowledge. You can keep the chatbox lively with your insightful comments and questions pertaining to the topic throughout the presentation. There will be a Q&A session at the end of the presentation, where your questions will be addressed by our guest speaker. The session is being recorded and livestreamed.
Welcome once again. Happy learning about MANRS, and I now request Pervaiz to take it from here.
Thank you for that opening speech, Shveta. I'm sure ISOC will be a bigger family after that. So, this is Pervaiz, your moderator for the event. Before we proceed, I want to thank my chapter leadership for giving me this opportunity. When I attended the Asia Pacific Chapter Leaders Virtual Workshop, I learned about MANRS. I realized how imperative it is for cybersecurity, and therefore wanted to spread the word. Our speaker, Mr Aftab Siddiqui, readily consented to present the topic despite his busy schedule. Thank you for that kind gesture. Aftab Siddiqui is a well-known personality in ISOC. However, for our new members and non-members: Aftab is the Senior Internet Technology Manager at the Internet Society. He leads the global initiative on MANRS. He is based in Sydney, Australia. Before joining ISOC, he was working for a system integrator as its chief technologist in Sydney. He has vast experience in the service provider sector. He spent almost a decade at Cybernet, one of the largest ISPs in Pakistan, leading the network operations and projects team. Now that is quite an interesting and amazing profile, so let's stay tuned and learn some MANRS from Aftab. Over to you, Aftab.
Thank you. Thank you, Shveta, for the introduction. I'm really glad to see a lot of people coming today, on a Saturday morning, to join the session. Thank you. I'm excited to see a lot of new faces who are interested in learning. It's not new, but it's a new concept for many people, so let's see how we go through this. As Shveta said, it should be more of an interactive session. I'm not a teacher. I'm here just to share my information, the knowledge I have gained in the last 15 years, or 16 years now, I'm getting old. So, I would encourage you to ask questions. You have the chat function, moderators are looking at it, and as I said, it should be an interactive one. No matter how small or irrelevant you think a question is, just ask. The whole idea is to make sure that everybody takes something positive out of this session. Right? And here we go, let me start my screen share.
Yes. So the problem with the screen share is, the moment you start sharing the screen you can't see anyone's faces, so I'm just looking at my face and my presentation. So, if you have any question or concern, and if you're writing something in the chat, I will not be able to see that. I would request the moderators to just flag it; I don't mind if you want to interrupt me in the middle to explain something further. I would really like to engage with you guys, right? So let's start.
Please disable the annotation because...
Right.
It's one of the options: view options, disable annotation.
Is this a display, or can you see the right display?
In the view options of your screen you will see there is this disable annotation option.
Aftab can move ahead in any case. There is a paucity of time.
No worries, we will manage.
It does say annotate, and it doesn't give me any
No worries.
Okay I'm learning something new from you guys, so maybe I'll just stay back and say what, how to do that, moving forward. Yeah. Good.
So, as Pervaiz said in the introduction, I'm Aftab Siddiqui, I'm based out of Sydney, Australia. It is a warm summer afternoon, so just bear with me; as somebody said there's an aircon noise, so yes, it is an aircon noise. I'd turn it off, but that means I'm going to start sweating very soon.
So, yes, moving on, let's start with the routing problem: what is routing and why do you need it? You are using the Internet, and that's how you're connected, and luckily for you, for an end user, you don't have to understand how it works. For, let's say, most of the population, you don't have to understand how it works, but for people who are learning, people who would like to understand how the infrastructure works, it is important to know what routing is. I'll give you a quick overview of that, but just to make sure, I will not bore you with a lot of information. So, of course, you are taking Internet from your service provider, whether it is a mobile service provider, or a landline, or broadband, whatever you call it, through fiber, copper, whatever. You're taking it from a service provider, and that service provider is connected to another service provider, and that's how the Internet works: it's a connected network of approximately 70,000 networks, all across the globe. So, every ISP has a unique identifier. That unique identifier in the Internet world is called an autonomous system number. As its name suggests, it's of course autonomous. And that autonomous system number is allocated by an entity called an RIR. RIR is Regional Internet Registry; in the Asia Pacific region, it's called APNIC, Asia Pacific Network Information Centre. In some cases, there is a further subdivision called an NIR. Luckily for India, you have your own national Internet registry called IRINN. So, the ISPs have to go to IRINN, register themselves there, and then get the resources. Resources means an ASN, which is the autonomous system number, and the IP addresses. Every individual who has to connect to the Internet gets an IP address. Without it, you can't do it. And that's how you become part of the global network.
And why is routing important? The reason you need routing is because, of course, you have an IP address, but if you want to reach out to Google, you have to go through multiple networks. So, to make sure that you are reaching out to Google, you have to be connected to multiple networks, and moving from one place to another, from your source to the destination, which is Google, and coming back, this is called moving from one place to another. I mean, you are staying at your own place, of course; you are sending the packets from your device to Google, then, in return, Google is responding with its own packets. And that's how the Internet works, in a nutshell.
How interconnected are we? If you are attending my presentation again, I do show this picture a lot, just to show how interconnected we are. On the right side, we have a picture of Europe. On the left side, we have a picture of Asia Pacific. In Asia Pacific we have multiple, you can say, chunks of connected networks, and it represents mostly bigger countries, like India, which of course has the biggest population in the South Asian region, plus then we have China, and, if you go down, Pakistan and Bangladesh, other countries. So, it shows how interconnected we are, the whole region, and then if you go to Europe, it's just all connected in one place, right? It's very, very well connected. It doesn't matter on the Internet how you are connected. If you have even a single link from one place to another, you should be able to reach out through that network.
So, in the last 30 plus years since we have had the Internet, I mean, the Internet is very new in our region, the South Asian region, but it's been there for almost 30 years, mostly it was for research and other purposes, for defense purposes, but it's been there for more than 30 years, and the protocol which is keeping everything together on the Internet is called BGP, Border Gateway Protocol, and that is the only protocol of the Internet. For your own intranet, or the enterprise network, or if you are working in an office, or you're working in a university, there are protocols which you are using within your own small infrastructure. But, for the Internet, there is only one protocol, which is called BGP, and that protocol was designed almost 30 years ago.
So, what is the problem with this protocol? Well, let's see. The biggest problem with this protocol is this. This is, I mean, it's been on the Internet, you can see this picture in many places, but the original picture is at the Cisco Computer History Museum. This is how the protocol which runs the whole Internet was designed: on a napkin, when three researchers were having lunch during one of the IETF, Internet Engineering Task Force, meetings. They came up with this idea, in 1989, it was lunchtime, and they decided to write it down, and they couldn't find a piece of paper, so they wrote it on a napkin. And that's how BGP was designed, 1989. And why I was saying there is a problem with that: the problem was, when it was designed, it was based on trust, trust between the entities who were speaking this protocol, who were using this protocol. Trust, because it was between universities, it was between research institutes, it was between organizations who could trust the other organization. Fast forward to today's world, there are 70,000 plus networks who are on the Internet, and they are all speaking BGP. That's the only protocol they use. Do you believe that you can build the same level of trust which they had 30 years ago? It's impossible. And because of that lack of trust, you see these problems. And the problems that we face, sometimes it's because of mistakes, sometimes it's because of deliberate attempts to disrupt Internet services. We have hackers, we have bad actors, all across the world, who cause problems for other nations, and for other people, and for other service providers, to disrupt their businesses, to disrupt their day-to-day life. It happens. And then you see all this news on the Internet.
So, how does a normal route work? The packet leaves your laptop, or your mobile, or your PC, it goes through your home ISP, the ISP who's giving you the Internet, and that ISP takes it to the ISP it is connected to, and then it is connected to another one, until it reaches Google. And then it comes back, because it's a two-way protocol: the packet goes from one place to another and then comes back. So, this is the normal procedure, so what could possibly go wrong in this one? There are three things which can go wrong. Number one is called the route hijack, number two is called the route leak, and number three is called IP address spoofing. I'll explain these three concepts.
So, this is the right route. So, somewhere on the Internet somebody said, Well, I am Google. So, your packet went to your ISP, then the ISP it was connected to, and then to ISP B, and there was a miscreant saying, I am Google, which is, of course, wrong. But, on the Internet, how it works is you will go to the closest destination. If you can see, ISP B has a miscreant connected to it. ISP C has Google connected to it. So, it means it is much closer to the source, which is you, to reach the wrong, or the miscreant, network. When it reaches the miscreant, of course, you get something wrong. You get a wrong Google page, or you just get a page which is trying to hijack your information, or steal your user ID and password, or something like that; it can phish you with a wrong Google Gmail account, or a YouTube account, and it asks you to enter your ID and password, and then you end up losing your credentials. There are other ways you can make sure that you are not providing your information to the wrong party: on the application layer, make sure that you are looking at the SSL or TLS certificate. You're looking at the lock sign in your browser, so you're not typing in your user ID and password without making sure that this is the right destination. But on the network side, it can also be prevented. This is how a route hijack happens, and it happens a lot. It's not like it happens once in a blue moon; it's quite a normal incident.
The second one is a route leak. A route leak happens when you say, Okay, fine, I need to reach out to Google, but your ISP said, Oh, there is a shortest path which I can take and take you to Google. The shortest path is there, you can reach Google there. But the problem with that shortest path is there is someone in the middle who is sniffing your information, who's taking the information out of the packets, and then taking you to Google, or, maybe, the shortest path you are taking is so narrow that you feel the Internet is not working properly. It is very slow, it is causing problems. So, you have to make sure that you are reaching the Internet, that is, your destination, through the proper routes. For an end user that's not possible. For an ISP, yes, they can make sure that they are using the right measures to protect you from any problems.
Now the third most important is IP spoofing, or impersonation. It's a very common thing, it's not new, it's not new for the Internet either. Just, for example, in a phone conversation, let's say, if I receive a missed call from Pervaiz, or even an SMS from Pervaiz, I'll just look at it and say, Oh, okay, Pervaiz has messaged me, and I just respond to him. And he says, No, I never messaged you. So, but I say, Well, I have your number showing on my phone that you messaged me. He says, No, somebody has impersonated me. You must have seen these impersonation attempts from various prank callers and people who try to hijack your numbers, different SMS from different names. The reason for that is, they try to steal information, they try to get information from you. That is one problem, and the other problem is, for example, if you start getting messages. So let's say someone is impersonating Pervaiz, and that someone sends 2000 messages to 2000 different people. And all those 2000 people respond back to him. What will happen? Number one, his SMS box: there will be 2000 messages, and maybe 100 or 200 people start calling him, saying, Why are you sending me SMS? That will be a denial of service, because once he is on a call with someone, his phone is busy, he will not be able to take somebody else's calls. So, this is another denial of service attack which can happen from a spoofed number, or a spoofed packet. So this is just a spoof, and this is, again, a common phenomenon: the reflection attack. So, as I said, if there are 2000 messages coming in from different places for one victim, he will be overwhelmed, and the device, the network, will be overwhelmed, and not be able to respond to all these queries, and say, Well, I'm down, that's it.
So these are the three threats I explained: prefix or route hijacking, the route leak, and IP address spoofing. Now, look at the scale of the problem. So, this is for IP address spoofing. I looked up this morning how India is performing as compared to the other countries in the world. This 21% number is hard to quantify in bandwidth. Let me explain how. It is saying that 21% of all the packets the Spoofer project received worked. So, how it happens is, you go to the Spoofer project, you download a piece of software, and you run that software. That software will try to spoof your IP address and send it to the server. If you are able to successfully spoof it, it means your network is not secure, your ISP is not secure. Not you, your ISP is not secure, it's not implementing the right security measures, and it reaches the destination. So, they are saying that 21 out of 100 packets they received, they were able to spoof. But, India being such a large country, with so many operators there, it means that more and more people try to test it. So, it means they have more data to make a judgment call on that one. For example, they don't have enough data from Australia, they don't have enough data from Madagascar, or Yemen. See all these green places. It doesn't mean these countries are implementing the right measures, it just could be that they don't have enough data to make a call on that one. I was looking at the data from India: even in the month of February, there are more than 500 tests done by multiple people from India. So, that is a big number, in terms of tests. So, even though this percentage shows something wrong, it doesn't mean that something is really very broken in the networks running inside India. So, just to be clear, go to the CAIDA Spoofer project, the link is www.caida.org/projects/spoofer/, to understand how they do these tests.
And, again, in terms of the scale of the issue, every day you see these problems. I wrote this on the APNIC blog a couple of days ago, you can read all the details there, but this is the graph showing: you see an incident almost every day, sometimes more than 10 incidents every day. Three big lines in 2020 and 2019, you can see they were massive incidents, it means your Internet services were impacted, for sure.
Now, so how do you protect yourself from all these problems? As I said, an end user can't do anything about it. It is up to the service provider you're connected to. So, the source address validation and the filtering happen here. Your home ISP can do that. It can make sure that you cannot send anything to them. So, just like in your home, you make sure that you ask who's at the door before you open the door for them, or you peek out and say, okay, there's a camera, or maybe a peephole, and just make sure that you know someone who's out there before you open the door. Exactly the same scenario should be applied to ISPs. You do not trust your customer when they send you the traffic; you make sure that you check what you are accepting from them. If everybody started doing that, overnight this problem would be solved. But it is not just a matter of your customers; the content providers and all the other enterprises are all over the Internet. Everybody has to make sure that they do the right thing, they implement this filtering and source address validation, on their part, to protect all of us.
And the third thing, coming back to this one. I used the word filter, and I said that you have to make sure, if somebody knocks on your door, you ask, or you look at that person, and say, Okay, do I know this person? Of course, if it is from the family, that's the relation, you just open up the door. But if you don't know that person, you then certainly ask a few questions: Who are you? And then that person has to identify himself or herself: I am XYZ, I came from this organization, and the reason I'm here is for this. You should be able to verify that. Okay, fine, that person is absolutely, for example, the person is just an electricity meter reader. They say, Okay, here's my card. I'm here just to read the meter, or for the information, this is my card, you can verify it. Assuming you are paranoid about everything, you say, Well, I need to verify that, you go to the website, they say, Okay, fine, this person belongs to this organization, or you just give them a call, they say, Yes, I can verify this person. On the Internet, there should be a process to verify who is the legitimate owner of the IP address, or the AS number.
The entity who can verify this is called the RIR, Regional Internet Registry, because they are the people who gave you the IP address and the AS number in the first place. But, how do you do that? They maintain a database; their database is called the IRR, Internet Routing Registry. They store all the information: which IP belongs to which ISP, which ASN belongs to which ISP. So, you can go to the database, and you make sure that information is correct. But what if that information should be cryptographically verified? Maybe today when you log into www.google.com, all of a sudden, you see a lock sign, or a secure sign, in your browser, that shows that the webpage you're looking at is the correct webpage. It is verified through cryptography. It is a process called TLS, and everything is verified. In the routing world that is called RPKI, Resource Public Key Infrastructure. It is exactly based on the TLS of the web, the PKI, Public Key Infrastructure. Same thing. It is not verifying www.google.com, it is verifying the IP address and ASN pair. It is making sure that whoever is announcing this is the legitimate owner of this resource, and it has been verified by the RIR through a chain of trust.
A chain of trust means that, when you receive a certificate, when you see a visitor card from a person who's at the door, that visitor card has a signature on it. You can verify that signature, go up to the ISP, or the company he came from. And not only that, you can also verify that company's signature with the government. The government issued them a unique ID, and then they use that unique ID to issue that visiting card. Exactly the same way you do it in RPKI. What you do is, when you receive a certificate, or the ROA, which is called a Route Origin Authorization, it's just a card: you see a card and you see a signature. Using that signature you should be able to verify who issued that signature, it means the ISP, the LIR, Local Internet Registry. And then from the Local Internet Registry signature you should be able to verify who issued that signature to the LIR; it means the RIR. So, that way you build a chain of trust, from one point to another. And then, you should be able to say that, Yep, the IP addresses out there, the traffic I'm receiving, is 100% valid. And this is how it works: there are only five RIRs; for Asia Pacific it is called APNIC, for North America it is called ARIN, for Europe it is called RIPE NCC, for Africa it's AFRINIC, and for Latin America and the Caribbean it is called LACNIC. The protocol you use is called the RPKI-RTR protocol, which talks to the database and gives you the right information. I can do a detailed workshop on RPKI; if anybody is interested, I can arrange that as well.
So, you understand the problem, you understand the solution. So, what is MANRS doing? In MANRS, what we are saying is, just follow the basic principles of routing, and implement the most important, and the most common, security features in your routing to make sure that the Internet is protected. We are not inventing anything, we are only asking you to implement the BCPs, which is the best common practices or procedures. By doing that, as I said, if everybody started implementing it, there are 70,000 networks, if everybody started implementing it, all these problems I mentioned, which is route hijack, or leak, or IP address spoofing, which is one of the causes of DDoS, would just vanish overnight. But, of course, to convince 70,000 networks, it's a hard process. So, step by step. We have multiple programs: one is for network service providers, another one is for the IXPs, and the third one is for the CDN and cloud operators. The details are here, you can just read it, I put it in the slide deck, or it's also available on the website manrs.org.
The focus is on three things. One is filtering, another one is anti-spoofing, and the third one, which is most important, is coordination. If something goes wrong, I should be able to pick up the phone and give you a call; to make sure of that, if you are an ISP, you publish your contact details, whether it is a phone number or an email address, and you should be able to respond at that email address. Global validation is actually connected to filtering. The RPKI part is via the global validation sets. You should provide information that people should be able to use to verify who you really are. The same thing goes for the IXPs, and for the cloud and CDN program. I mean, if you want to read more detailed information about all these programs, please go to our website and read about it.
But how are we conveying this message? We are conveying this message, of course, through our chapters, thankfully. Thanks to the Mumbai chapter for organizing this, but we also have programs, like the MANRS Ambassadors and Fellowship program. We do offer a fellowship to people who have some kind of experience in the field, who understand how BGP works, who understand how routing works, and would like to contribute more to the community; they can apply for the fellowship. The fellowship will open from the 1st of March, so if you're interested, and you have some experience, you can apply for that. It's a paid fellowship, and you will learn a lot by engaging with the community as well. The MANRS Ambassadors Program is only for those whose organizations are already part of MANRS. So, if you are working for an ISP who is part of MANRS, you can apply to become a MANRS Ambassador; that application process is already open.
Another thing we offer is called the MANRS Observatory, it's observatory.manrs.org. You can go there and look up what is happening on the Internet; we publish all the information, even the country information as well. So, I picked up the data for India this morning, this is 12 months of information. I see a very encouraging thing for India: number one is the number of incidents is going down. Of course, there are certain peaks here and there but, overall, there is a downward trend, which is good. Networks, the service providers, are implementing the right measures to protect the Internet, and the ROA, which is the RPKI implementation, is going up. So, there is a good graphic right at the end, it says that the numbers are going up. It's a good sign, but still, it's a long way.
If you are a service provider and would like to implement all these actions, we do have an implementation guide on the website. And if you are a student who wants to learn how all this works in detail, you can go to the MANRS resource tutorial, and it will give you an in-depth study of how you can implement routing security according to the MANRS initiative.
We are growing. We have more than 600 participants now: 510 ISPs, 62 IXPs, and 16 CDN and cloud providers. Cloud providers and CDNs, for example Google, Microsoft, Akamai, Cloudflare, Netflix, Facebook, they are all part of it. So, they are also implementing all these measures to protect the Internet. The smaller ISPs? As I say, there are 70,000 networks, and now we only have 510, for example; that's a long way to go. But in those 510, we have big players like NTT. If we have those in place, we should be able to protect the Internet quite quickly.
So, that's all from my end. If you have any questions, I'll just stop sharing so that I can see people and look at the chat as well. Yep. Go ahead, I have two questions. There should be many!
This is time for you to ask questions. You may raise your hand, and we will take them by queue.
I would request people to raise their hands, and then I can unmute them, they will not be able to unmute themselves.
Firstly, I want to say that it's quite interesting to know that we began from a napkin.
So, Pervaiz?
Let me put forward. Sorry, Nandita?
Please go ahead.
Okay, Sherrin Viji has put this question on the chat, and it is, How dangerous is spoofing attack?
Aftab, can you take this?
Yes, as I said, it is one of the causes of DDoS. You must have heard about DNS amplification and NTP amplification attacks. Those two attacks are only possible because of ISPs not implementing anti-spoofing, or source address validation. If you recall, one of the biggest DDoS attacks, which was faced most importantly by Dyn, which is the DNS service provider for many big companies like Facebook and Twitter, a few years ago, I think three years ago. One of the causes was the scale of traffic coming towards it, and the scale was only possible because of the devices, and the devices were connected to ISPs who are not implementing IP anti-spoofing. So, it causes a lot of problems; it is one of the biggest issues for DDoS. So, if you understand that DDoS is a problem, then, of course, if you are not implementing anti-spoofing, then it is a problem.
I got a written question, so one of the questions was, what is unicast reverse path forwarding. So, this is called URPF; it is a method to do anti-spoofing. It's a method to do source address validation. It only says, if you receive a packet from your customer, that packet should not have an IP address which you have not allowed. For example, you have given that customer an IP address of 192.168.0.1, just an example, and the packet came with an IP address of 10.0.0.1, and you will say, No, that's not right, I'm not going to accept it. This is unicast reverse path forwarding, one of the methods, it's called URPF: you will not allow them to send any packet with a spoofed address if they are not allowed to use that. So, you just simply discard it.
So basically it's verifying the person who's coming to you, right?
Absolutely. Making sure that you have a verification process in place on the agenda at the entry point.
Dr. Radhamani has raised her hand.
Good morning.
Please go ahead.
I would like to know whether there are any internship opportunities, or something like that for the students to take it forward?
We have a fellowship opportunity, but not internship opportunity, at the moment for the students. But, if you have students who are willing to contribute in a way, and they can submit a proposal, we can definitely look into this one.
Sure.
We are doing. As we speak, we are doing a research project with the University of Strasbourg in France.
Okay.
Last year we did another research project, too. So, I mean they submitted a proposal, we liked it, and said Fine, let's go ahead. So, if they have any good idea they want to implement or explore, even if it is research-based, or just implementation-based, we are happy to look at it.
Okay. Sure, we will just see how we can coordinate and take it further.
And if they have, if they have raw ideas, I'm more than happy to discuss with them what they want to do. As I said, we are working on many things, so maybe we will be able to adjust them into something.
So, we have undergraduate and master's students in computer science specialized in networks, so probably I'll get in touch with the chapter Chair of ISOC Mumbai, Ms. Shveta, then probably we can see how we can coordinate further.
Absolutely. More than welcome.
Thank you so much.
Sherrin, then you have a couple of questions. Go ahead.
Thank you. Good morning, sir. My name is Sherrin, I just have a question. My question is that, initially when MANRS started there would have been some challenges or drawbacks. Can you please mention some of them?
Okay, when I was explaining the problems, and then I moved into MANRS, the one part I used is that we are not inventing anything new. The only thing what we are saying is, there are best operating procedures in place, just implement them. The only thing we are trying to change is behavior. So, behavioral change takes a long time. It's not a technology change. We are not saying move from 4g to 5g, we're not saying move from 3g to 4g, or from copper to fiber, because it's better. We are saying, you're already using BGP, it is working, but can you just make sure that you implement these features, as well, to make it secure. And the biggest problem we faced in the beginning -- we still do face it, but not at that extent which you are facing in the past -- is, people used to come and say, Well, why should I implement it, nothing is broken, everything is working fine. To convince them that there is a brokenness in the system was the biggest issue, that was the biggest obstacle, showing them a route hijack can happen with your service provider, with your ISP, that was the biggest issue. Thankfully, with the message we are trying to convey for quite some time now, we don't have to explain it to a lot of people, at least not to the network engineer, they now understand what is the problem. So, it's getting better, but that was the biggest issue we had, it's the behavior of the network engineer saying -- and I was part of that a few years ago -- that I can't make a change unless I have a good reason to make that change, because of course the business will say, No, don't do it, there is no ROI. So, now that ROI part has gone, because nobody wants to be on the headline saying that you hijacked the Internet for somebody else, so that problem has been solved, but still it's a long way to go. It's getting better.
Thank you, sir.
So, in context with the drawbacks, does ISP incur expenses in implementing MANRS?
It depends how you measure the expense. A network engineer spending three hours on a router is also an expense, because that person is not doing something else, now he or she is implementing a MANRS action. So, that is an expense. If your manager is not very supportive of this idea that you have to protect the Internet, or protect the Internet for everybody else, asking that resource to implement something which is not going to help the ISP only, but it is for the greater good of the Internet, yes it's going to be an expensive job. But, if the organization understands how important it is to protect the Internet for everyone, then it is just a matter of a few hours, to a few days, not more than that. Yes, at times, people are using legacy equipment, which doesn't support some of the features which we are suggesting, for example RPKI, or source address validation, it can be a challenge that you might have to buy something new, but that's very very rare, I would say only one per cent. All the equipment we have today supports all the features we are encouraging to implement in MANRS. The cost factor is not that much in terms of cash, but of course the resource cost factor is there.
Thank you. And, as an end user, how can we know that our ISP is following any practice for security, or how can we convince them as end users?
There are two things. One is the Spoofer. You can download the Spoofer software, go to the Spoofer, caida.org, the link is on my slide deck. I'll share it later on with you guys. So, you can go there, download the software and run it, and you can see the report yourself, whether your ISP -- because it checks your immediate ISP. You can find out if your ISP is implementing source address validation, number one. You can go to the Is BGP Safe Yet? service by Cloudflare. Cloudflare provides a service for the RPKI. You go there and see if your ISP is implementing route origin validation, if they are accepting invalid routes from the Internet. If they are, now you have two things to complain about, why you're not implementing anti-spoofing and why you're not implementing route origin validation. So, you can check if your ISP is doing that. Yeah, these are good things you can do yourself and then ask your ISP to do something better.
That's nice to know that we can question our ISP. Okay, I'll take the next question from Ashish. Ashish, please go ahead.
Good morning everybody. My question is, I have taken an IP prefix and AS number from a regional or national Internet registry. Now, I want to make my reachability redundant to more than one service provider, so does the IRR, NIR or RIR have control over how many service providers I can advertise my network to, or can I do it on my own, to as many ISPs as possible, or as I desire?
You can do it yourself, RIRs have no control, they are just a registry, they give information to the world how you are doing it. But, once you start doing that -- just for example you are connected to Reliance, and you're also connected to BSNL, and I don't know that you are connected to two of them, I can only access the IRR database. So, you make sure that you go into the IRR database and update this information, that you are peering with two different ISPs, so that I'm aware of that. You don't have to ask permission from anyone, but you can just go there and update the records, and start peering with them. That's perfect. You can peer with as many as you want. Because sometimes when you go to -- I have my own ASN, my own prefix, and I use it for my personal use, and I peer with multiple people on the IX side -- so, you don't have to ask anyone, you just go there and peer, but make sure that you update your records accordingly. So, if somebody is filtering you, they should know that you are actually the legitimate owner of these prefixes and you're peering with them. So, you can do that, yes.
You mean ROA has to be taken [inaudible]?
ROA is only for the origin. You do create a ROA, but that ROA has nothing to do with who you are peering with. The ROA will only prove that you are the legitimate owner of this ASN and prefix. But who you are peering with, you go ahead and you create -- you can do two things, number one you create import and export records in the IRR, through the IRR database, if it is IRINN or APNIC you can go and create that. Or you also ask all these service providers that they add your AS in the AS-SET. So, whoever is filtering it can verify this information that you are the legitimate peer of these two different ISPs, Reliance and BSNL, so they can update their records. Thank you.
Okay, another one from [name], that's what I see on the chat box. Please, go ahead.
Okay. Good morning. I'm asking, is there any possibility to implement MANRS in a small business local area network without a connection from an ISP? Maybe, if we are using a modem only, is there any possibility to implement MANRS? And again, is MANRS implemented in BGP only, or any other protocol? Thank you.
Yes and no. It's a difficult question to answer in that manner, there is no clear -- let me explain why. Even if you are a small enterprise, even if you are a small service provider, you don't have IP addresses from the RIR, you can still implement source address validation. You can make sure that you are not sending anything wrong to your ISP, you can filter on your own. Of course, you cannot filter on the BGP, because the prefix filtering is for the BGP only. So, if you're not speaking BGP with your ISP, if you're not using the BGP protocol then, of course, you cannot implement other actions, but at least you can implement the source address validation part on your end, and make sure that you are not sending anything wrong to them. Even if it is a small modem, the modems I have worked with do have these features enabled. They are available, you just have to enable them. So, do have a look, if you can tell if the feature is there or not, irrespective of how big or small your network is.
Thank you. Thank you very much.
Guys, we are running short of time. Aftab, if it's okay with you, you can put your email address in the chat box, and people can send you their queries.
Yeah. My email address is here (siddiqui@isoc.org). I usually respond to every email within 24 to 48 hours. Sometimes I slack a little bit over the weekend, but if you have any question, any concern you want to reach out to me directly, drop me an email, and I will be able to help you out. Anything, any questions. And just to clarify, as I said, I am not a teacher, I have learned a few lessons in my last 15 years, 16 years, of my career, and I am happy to share all of them with you, so it's just knowledge sharing, I'm not here to teach you everything.
Thank you, Aftab, that was a great session. I hope we have taken a lot of learning from you, and the best part is there are difficulties in the routing system, but there is a solution also.
Okay, so now I hand over the baton to Nandita for the Vote of Thanks.
Thank you Pervaiz, and with this we have finally come to an end to a highly engaging and insightful session. Of course, this would not have been possible without the addition of our guest speaker, Mr. Aftab Siddiqui, so on behalf of ISOC India Mumbai Chapter, I express a heartfelt gratitude to you for being present here, and helping our audiences with their questions, and for this great session.
We also would like to thank Joly MacFie from Internet Society for live streaming this event for us. Thank you, Joly. And as always, every event is a combination of team effort, so I would like to take this opportunity to thank our volunteer Mohammad Pervaiz for coordinating and moderating this event so successfully, our Chapter President Shveta Kokash for leading the organization efforts for the event, our volunteer Nupur Vijh for acting as the rapporteur for the session. Prateek Pathak for his creative and design support. And finally, our wonderful audience present here for their enthusiasm, participation, and their questions.
And now we will pose for a group photograph. So, may I request everyone to kindly switch on their cameras for just five seconds, probably, and we'll take a quick snap, and then we will end the session. So, may I request everyone to please switch on their camera, and we'll take a photograph.
Thank you, and okay.
One more, 1-2-3, cheese.
Okay, one more.
And last one.
Thank you so much guys, and with this the session has finally ended, we will be sharing our report for this session, so please look forward to that. Thank you so much guys. Thank you, Joly. Thank you, Aftab.
Thank you, Nandita. Thank you. Thank you Aftab, thank you very much for being here today. It's an honor and a privilege.