Coordination

Facilitating global operational communication and coordination between network operators

Global Validation

Facilitating validation of routing information

Anti-Spoofing

Preventing traffic with spoofed source IP addresses

Filtering

Preventing propagation of incorrect routing information

  • What are the 6 recommendations for securing routing and signaling?


  • 1. Understand current Border Gateway Protocol (BGP) peering relationships and seek to collaborate with peers to better identify BGP hijacks and be able to effectively respond.

    2. Strongly consider joining the Mutually Agreed Norms for Routing Security (MANRS) project and implementing MANRS requirements.

    3. Implement BCP38 (or similar) ingress filtering to reduce the ease with which some types of DDoS can be undertaken and the value of infrastructure to attackers.

    4. Appropriately manage access to and use of protocols such as DNS which can be used to enact DDoS attacks.

    5. Raise awareness of the security vulnerabilities of SS7 and implement relevant solutions (e.g. the GSMA SS7 filtering standard) to better protect customers. Ensure that the next generation of signalling is better secured.

    6. Enable Domain Name System Security Extensions (DNSSEC) validation in resolvers and encourage customers to DNSSEC-sign the zones for which they are authoritative.
  • How does RPKI (Resource Public Key Infrastructure) enhance Network Security?
  • Internet routing works with networks called autonomous systems. Each network is identified by its own unique number, the so-called ASN (autonomous system number). Using this number, a network advertises the IP addresses that are linked to that network.

    How can you be sure that this information is true? The IETF (Internet Engineering Task Force) has worked to develop the RPKI, Resource Public Key Infrastructure, which is a way to digitally sign and validate route announcements. In other words, proof that the IP addresses you announce are indeed the ones you are allowed to announce, attested by the owner of the IP address.

    The IP addresses are signed off with a Route Origin Authorization (ROA) via the Regional Internet Registry (RIR, in Europe this is RIPE) that originally assigned the IP addresses to the owner. It seems easy but in reality it isn’t.

    As a Tier 1 provider, Liberty Global works according to these standards within its own network. All IP addresses we use on our network and for our customers are RPKI signed. We strongly advise any of our BGP customers that maintain their own IP addresses to sign their prefixes with ROAs to protect against BGP hijacks when connecting to our network. RPKI protects BGP routing against both intentional BGP hijacks and unintentional ones caused by misconfiguration.
  • What does MANRS Compliancy mean?
  • MANRS stands for Mutually Agreed Norms for Routing Security. It is a set of principles and actions that the global internet society has set up to further secure the internet and prevent routing failures. This is done to protect both consumers and companies and make sure the internet keeps on being the place where information is safely shared, worldwide.

    The internet is a collection of networks. Its security depends on the collaboration of these networks to ban malicious parties and to make it very hard for them to be successful. Working together is the key. Liberty Global takes its role very seriously. It not only applies RPKI and BCP38 within its own very large network, but is one of the first providers to be fully MANRS compliant.
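
The RPKI answer above describes ROAs as proof of which network may announce which IP addresses. The following is an added example, not Liberty Global's code, of how a network checks a BGP announcement against ROA data (route origin validation, RFC 6811). The ROAs and announcements are constructed from documentation prefixes and AS numbers, and the function names are hypothetical.

```python
import ipaddress
from typing import NamedTuple


class ROA(NamedTuple):
    prefix: str      # address block the holder signed
    max_length: int  # longest prefix length the holder permits in BGP
    asn: int         # AS number authorized to originate the block


# Constructed ROAs: documentation prefixes (RFC 5737, RFC 3849) and ASNs (RFC 5398).
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64500),
    ROA("2001:db8::/32", 48, 64501),
]


def validate_origin(prefix, origin_asn, roas=SAMPLE_ROAS):
    """Return 'valid', 'invalid' or 'not-found' for one announcement (RFC 6811)."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True  # some ROA covers this address space
        # AS 0 in a ROA means "never route this", so it can never match.
        if roa.asn != 0 and roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered but no matching ROA: wrong origin or too specific, so reject.
    return "invalid" if covered else "not-found"


def accepted_routes(announcements, roas=SAMPLE_ROAS):
    """A common policy: drop 'invalid', keep 'valid' and 'not-found' (unsigned space)."""
    return [(p, a) for p, a in announcements if validate_origin(p, a, roas) != "invalid"]


if __name__ == "__main__":
    # Constructed announcements: (prefix, origin AS)
    for prefix, asn in [
        ("192.0.2.0/24", 64500),     # matches the ROA
        ("192.0.2.0/24", 64511),     # another AS originating signed space
        ("192.0.2.128/25", 64500),   # more specific than max_length allows
        ("203.0.113.0/24", 64510),   # no ROA covers this prefix
    ]:
        print(f"{prefix:18} AS{asn}: {validate_origin(prefix, asn)}")
```

The third case shows why the maximum length in a ROA matters: an announcement from the correct AS is still rejected when it is more specific than the holder signed for.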
