AARNet is part of the global initiative Mutually Agreed Norms for Routing Security (MANRS), which provides network operators with crucial fixes to reduce the most common Internet routing threats, including route hijacking, route leaks, and IP address spoofing. These harmful activities are global in scale and can lead to Distributed Denial of Service attacks, data surveillance, lost revenue, reputational damage and more.
For the research and education sector, the implementation of MANRS actions can help universities secure their network infrastructure and reduce the risk of data being compromised.
Route hijacking is a common problem and can allow a third party to intercept your network traffic. If you create Route Origin Authorisation (ROA) entries for your network blocks, Internet Service Providers (ISPs) can check every route they receive from their peers for your blocks against the ROA: a route is valid if it is originated by the ASN your ROA authorises and is no more specific than the ROA's maximum prefix length allows, and invalid otherwise. If a received route is invalid (for example, your block announced from an ASN you never authorised), ISPs can and will drop the invalid route as per best practice guidance from MANRS.
If ROA records are not created or maintained correctly, route hijacking, whether accidental or deliberate, can easily occur: a block with no ROA is simply "not found" by validating ISPs, so they cannot tell your legitimate announcement from a hijack and accept both. This lack of clarity can be quite disruptive for productivity. An example case occurred within an institution heavily reliant on Google's cloud services. While data was successfully sent to Google's servers, the responses, instead of returning to the institution, were routed to a US-based ISP that was advertising a route for the institution's block. This effectively locked the institution out of Google's cloud services, and connectivity was only re-established after an involved and time-consuming process.
Protect your data
MANRS co-chair and AARNet Head of Network and Systems Architecture, Warrick Mitchell, explains that it’s more important than ever for universities to ensure their data is protected and to minimise the risk of accidentally advertising their IP block.
“With a growing dependence on cloud services in the research and education sectors, a reliable and secure network infrastructure is vitally important,” he said.
“Through community collaboration with MANRS, institutions can ensure via best practices that their data is routed to the correct destination and they continually retain full access to those crucial services.”
In addition to these routing security measures, MANRS also provides guidance on maintaining globally accessible, up-to-date contact information for your network, so that ISPs or other parties can reach you when a security incident is detected.
To further boost customer security, AARNet will soon begin dropping RPKI-invalid routes (routes that fail validation against published ROAs), and encourages all institutions to review their records in APNIC to ensure they are up to date and to create ROA entries for their network blocks.
Please note: if you peer with AARNet using a private BGP Autonomous System Number (ASN), your ROA entries must name 7575 (AARNet) as the ASN originating the network block. Private ASNs are not visible beyond AARNet, so the rest of the Internet sees your block originated by AS7575; a ROA naming your private ASN would make that route RPKI-invalid, and your network may be dropped from the Internet by AARNet's upstream providers. If you have a public ASN, your network blocks should be signed with that ASN.
If your institution has historical network blocks, APNIC is now offering a "Historical Maintenance Non-Membership account" allowing you to create ROAs for your historical network blocks for a small annual fee. For more information on this service, please reach out to APNIC.
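The validation outcomes described above (valid, invalid, not found) and the private-ASN pitfall can be worked through with a small route origin validation routine. The following is an added example written for this article, not AARNet's or APNIC's code: it implements the RFC 6811 origin validation rules over a constructed ROA set using documentation prefixes and ASNs (203.0.113.0/24, 192.0.2.0/24, 2001:db8::/32, AS64496, AS65001). It assumes that AARNet (AS7575) strips private ASNs from the AS path when exporting customer routes to its upstreams, which is why a ROA naming a private ASN fails validation while one naming 7575 passes.

```python
"""RPKI route origin validation (RFC 6811) against a small ROA set.

Constructed example: the ROAs, prefixes and ASNs below are illustrative
(documentation ranges), not AARNet's or APNIC's data.
"""
import ipaddress
from dataclasses import dataclass

# ASN ranges reserved for private use (RFC 6996). Transit providers normally
# strip these from AS_PATH on export, which is why a ROA must not name one.
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))


@dataclass(frozen=True)
class Roa:
    prefix: str      # authorised prefix, e.g. "203.0.113.0/24"
    max_length: int  # longest prefix length the origin may announce
    origin_asn: int  # ASN authorised to originate the prefix


def is_private_asn(asn: int) -> bool:
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def origin_as_seen_upstream(as_path: list[int]) -> int:
    """Origin ASN an upstream validator sees once private ASNs are removed.

    Assumption (not stated by AARNet): the transit provider strips private
    ASNs on export, so a customer peering on a private ASN appears to the
    rest of the Internet as originated by the provider's own ASN (7575).
    """
    public = [asn for asn in as_path if not is_private_asn(asn)]
    if not public:
        raise ValueError("AS_PATH contains no public ASN")
    return public[-1]  # the origin is the right-most ASN in the path


def validate(route_prefix: str, origin_asn: int, roas: list[Roa]) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one announcement.

    not-found: no ROA covers the announced prefix (no protection at all)
    valid:     a covering ROA names this origin and permits this length
    invalid:   ROAs cover the prefix but none matches origin and length
    """
    route = ipaddress.ip_network(route_prefix, strict=False)
    covering = []
    for roa in roas:
        authorised = ipaddress.ip_network(roa.prefix, strict=False)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first
        if authorised.version == route.version and route.subnet_of(authorised):
            covering.append(roa)
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.origin_asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


# Constructed ROA set for an institution holding a public ASN (AS64496,
# a documentation ASN) that originates its own blocks.
PUBLIC_ASN_ROAS = [
    Roa("203.0.113.0/24", 24, 64496),
    Roa("2001:db8::/32", 48, 64496),
]

# Two candidate ROAs for an institution peering with AARNet on private
# AS65001: one wrongly names the private ASN, the other names AS7575.
PRIVATE_ASN_ROA_WRONG = [Roa("192.0.2.0/24", 24, 65001)]
PRIVATE_ASN_ROA_RIGHT = [Roa("192.0.2.0/24", 24, 7575)]


def demo() -> dict[str, str]:
    """Run the scenarios discussed in the article and return their outcomes."""
    # Path as exported by AARNet for a customer on private AS65001
    upstream_origin = origin_as_seen_upstream([7575, 65001])
    return {
        "own announcement": validate("203.0.113.0/24", 64496, PUBLIC_ASN_ROAS),
        "hijack from another ASN": validate("203.0.113.0/24", 64500, PUBLIC_ASN_ROAS),
        "more-specific /25, right ASN": validate("203.0.113.0/25", 64496, PUBLIC_ASN_ROAS),
        "ipv6 within maxLength": validate("2001:db8:1::/48", 64496, PUBLIC_ASN_ROAS),
        "block with no ROA": validate("198.51.100.0/24", 64496, PUBLIC_ASN_ROAS),
        "private ASN, ROA names 65001": validate("192.0.2.0/24", upstream_origin, PRIVATE_ASN_ROA_WRONG),
        "private ASN, ROA names 7575": validate("192.0.2.0/24", upstream_origin, PRIVATE_ASN_ROA_RIGHT),
    }


if __name__ == "__main__":
    for scenario, state in demo().items():
        print(f"{scenario:32} -> {state}")
```

The "more-specific /25" case is worth noting when choosing a maxLength: a ROA with maxLength equal to the prefix length makes any more-specific announcement invalid, even from your own ASN, so set maxLength to the longest prefix you actually intend to originate rather than leaving a wide margin that a hijacker could use.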
Jun 17, 2021
Feb 9, 2021