Adapting to the Future of Network Security in Research and Education
By Steven Wallace - Director, Internet2 Routing Integrity
Estimated reading time: 5 minutes
With a Proposed New Standard on the Horizon for Internet Exchange Points, Now Is the Time to Embrace Advanced Routing Security Protections
A group of internet exchange point (IXP) operators recently proposed a new standard for routing security that will likely gain traction in 2024. It signals a future where adherence to advanced routing security practices is not just beneficial but essential for robust and comprehensive internet infrastructure access.
Is the U.S. research and education (R&E) community prepared for that future? Before we look ahead to what the new standard would mean for the community – and how we can take action now to prepare – let’s set the stage with some recent history.
Response to Google Policy Demonstrates R&E Adaptability
In 2018, Google mandated that networks connecting directly to its network must register their routing policy in Internet Routing Registries (IRRs). IRRs serve as central databases where internet service providers and other network operators can exchange routing policy information, which guides how internet traffic should flow between their networks. In other words, IRRs exist to help manage efficient and reliable traffic flow through the complex web of connections that make up the internet.
This move by Google, which was crucial for network security and efficiency, initially posed a challenge for the Internet2 community. Most IP addresses comprising the community’s R&E networks at the campus, regional, and national levels didn’t comply.
However, the community’s proactive response to this change led to a remarkable turnaround, with 95% compliance now enabling them to leverage the 780 gigabits per second Internet2 to Google capacity.
Five years later, a similar shift is emerging.
Proposed New Standard Looks to Authenticated IRRs
A group of IXP operators recently proposed a new requirement for IP addresses participating in their route servers to be recorded in authenticated IRRs. Unlike standard IRRs that often lack stringent verification processes, authenticated IRRs are operated by Regional Internet Registries (in the U.S., that’s ARIN) and require strict authentication procedures to ensure routing information is accurate and authorized by the official holders of the IP addresses and autonomous system numbers (ASNs).
The majority of the U.S. R&E community has yet to meet this proposed new standard and lags far behind the global internet in adopting other critical routing security services. The risks are reduced internet resilience and fewer connection paths.
This calls for community action to integrate these security practices, ensuring our continued status as first-tier participants in the global internet infrastructure.
One important prerequisite to meet the proposed new standard is that our community’s IP addresses must first be under an ARIN agreement. Only then can a record be created in ARIN’s authenticated IRR. To date, 212 organizations in our community have taken action this year to establish an ARIN agreement for IP addresses that pre-date ARIN’s existence. If your organization has IP addresses not yet covered under an ARIN agreement, start that process by creating a ticket with ARIN now to lock in significantly reduced fees before the fee cap expires on Dec. 31, 2023.
To dive deeper, here are the who, what, why, and when of this IXP-proposed new standard for routing security.
Who Proposed This Standard
During the RIPE Connect Working Group meeting at RIPE86, Stavros Konstantaras of the Amsterdam Internet Exchange presented “A Common Policy for the Use of IRR DB By IXP Route Servers.” The policy was authored by representatives from:
- Amsterdam Internet Exchange (AMS-IX)
- Milan Neutral Access Point (MINAP)
- RomandIX in Switzerland
- InterLAN Romanian Internet Exchange
- Toronto Internet Exchange (TorIX)
While it’s titled as a policy, the Connect Working Group doesn’t traditionally develop RIPE policy. Rather the proposal is to adopt a best common practice for operating route servers at IXPs. And though the proposal was authored by representatives from IXPs outside the U.S., the global impacts would include the U.S. R&E community’s commodity connectivity.
What Is Being Proposed
The Connect Working Group proposed that IXP-operated route servers around the world only accept routes that contain a corresponding record in an authenticated IRR (to recap, the authenticated IRR for the Internet2 community is operated by ARIN). As of today, only 15% of Internet2 routes meet this requirement.
Why Is This Standard Being Proposed
IXPs derive their routing policy from IRR records. Many IRRs may contain outdated and inconsistent information. Sometimes they contain false information created by bad actors attempting to disrupt routing. By restricting the source of information to authenticated IRRs, the IXPs know the information was created by an authorized agent and is more likely to be accurate. This standard will result in greater routing security for IXPs and for the global internet.
When Would This Standard Take Effect
The proposal suggests the change take place within a year of its adoption.
How Might This Standard Affect R&E Institutions
For institutions that lack authenticated IRR records (approximately 85% of Internet2 routes), this standard will reduce the paths that will carry the institution’s internet traffic. That means the institution’s network is less interconnected and in many cases won’t have access to the optimal path. This will result in less resilience and poorer performance.
For institutions with authenticated IRR records, the effect will be positive, as the IXP routing policy will be based on the known, authentic policy for the institution’s routes.
Protecting our R&E networks from common routing threats is in every institution’s best interest – and it takes a community effort. As a future with advanced standards for routing security takes shape, now is the time for us all to prepare and embrace best practices.
Routing Integrity Office Hours
To learn more and get answers to your questions about this proposed new standard, join us for an upcoming Routing Integrity Office Hours session at 4 p.m. ET on Jan. 18, 2024.