Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Foreword

 

The Internet is critical to our lives and businesses. The Internet relies on a complex routing eco-system that is made out of the interconnections between our Autonomous Systems (AS). The global routing system is decentralised in nature and technically mostly based on trust. These are two beneficial properties: because of BGP-4’s permissionlessness, we can easily interconnect with each other for peering or use multiple transit providers; all the while maintaining a degree of autonomy. However there are downsides too, a misconfiguration in one AS can negatively impact other ASNs! Malicious actors can abuse the trust system.

Perhaps an analogy can be drawn between the rise and fall of open SMTP mail relays and networks without RPKI Origin Validation. Decades ago open mail relays served an important function as they enabled free communication between various parts of the internet. But as the internet grew, so did the appetite for easy-to-exploit spam cannons. Nowadays, every sensible mail operator keeps a tight lid on who can use their mail servers and whom they can reach through those mail servers. It simply has become unattainable to operate in a promiscuous mode. Looking modern day Internet routing challenges, I can see Best Practises for BGP-4 follow a similar evolutionary path.

With that in mind, I’d like to urge everyone to ensure that any routes propagated by their BGP speakers are in fact correct announcements, verified to the best of their abilities. Routing policy statements designed with security in mind are in the best interest of all Internet participants. In other words: as a network’s trustworthiness increases, so does its value to the global Internet.

Keep in mind that routing security is not like herd immunity: the benefits of a more secure routing perimeter are immediate and unilateral. There is no requirement for a certain amount of Internet Autonomous Systems to have deployed Origin Validation before the effects positively impact business. When you protect the borders of your administrative domain, you immediately enjoy the benefits and have a competitive advantage compared to those networks who inadvertently accepted a misconfiguration or BGP hijack.

Looking at RPKI Origin Validation and other BGP routing security best practises, it appears the Internet Industry’s thinking has shifted from “routing security is a nuisance” to “we have only ourselves to blame if we didn’t deploy the bare minimum of BGP filters”. Organizations are seeing a measurable positive impact on business operations after developing a stronger routing security posture. Only you can protect your network!

I’d like to thank the authors and Juniper Networks for making Day One: Deploying BGP Routing Security available to the operational community. Melchior and Niels have done a fantastic job consolidating a ton of tribal knowledge and disparate information sources into an easy-to-read RPKI Origin Validation deployment guide. This book will help lower the barrier to run a secure and robust network!

Job Snijders, Internet Architect, NTT Communications

February 2019