Internet2 Community Completes Network Routing Policy, Publishes Plan
By Steven Wallace - Internet2 Security Architect
We are pleased to announce that Internet2 has completed and published its routing policy as of July 29, 2020. The Internet2 community worked together to complete their routing policy records so that 99% of the routes fulfill the Internet2 Peer Exchange’s (I2PX) major peer requirements. This is a significant milestone that took many months of planning and coordination across our community, and wouldn’t be possible without our members’ commitment to ensuring the completion of the routing policy.
The Drive for an Operational Routing Policy Plan
In April of 2019, Hurricane Electric (HE), a large internet service provider that peers with I2PX network, ceased accepting Internet2 routing announcements. Consequently, traffic volume from HE to Internet2 went from gigabits to a trickle. Traffic that once flowed from HE to our members over the Internet2 backbone now used their commodity connections. While HE’s traffic in aggregate is substantial, the effect for any individual campus was modest.
HE is one of the dozens of networks that peer with the Internet2 I2PX network. HE’s rejection of Internet2 routes is directly related to its requirement for peer networks to adhere to the guidelines of Mutually Agreed Norms for Routing Security (MANRS). HE requires their peer networks to publish their routing policy so that HE can validate the routes it accepts.
Shortly after HE ceased to accept Internet2’s routes, Google began communicating that it too would require peers, such as I2PX, to publish their route policy. Google’s impending requirement to adopt this part of MANRS created sufficient urgency for the Internet2 community to organize an effort to communicate this need broadly and to assist with getting our routing policies published.
Even before these requests for published routing policy were being made, Internet2 had communicated the benefits of MANRS on several occasions. Our staff organized workshops and webinars to improve the adoption of Internet Routing Registries (IRRs) and Resource Public Key Infrastructure (RPKI) to enable network peers to validate the routing information they receive. Google’s impending requirement reshaped our efforts. Internet2 needed an operational plan for publishing its routing policy.
Internet2 Members at the Forefront of Planning Efforts
Referencing each of our members’ routing policies in our organization effort was integral to ensuring that Internet2 member networks retained control and responsibility for their published routing policy. In other words, our routing policy would be incomplete until all of our members’ policies were complete.
Complicating things further, publishing Internet2’s routing policy to Google meant publishing the routing policy to all networks. If the routing policy was incomplete, other networks that didn’t require a published policy, might choose to act on a policy if published. It became imperative that Internet2 publish a complete policy before Google’s deadline. Google’s deadline was extended several times, ultimately giving us time to publish an effective routing policy.
Incorporating Border Gateway Protocol Participant Networks
There are over 60 member networks that peer with Internet2. We call these networks BGP (Border Gateway Protocol) participants. Internet2’s routing policy would contain a pointer to the policies of our BGP participant networks. However, many of these networks lacked a published policy and were missing critical records of the policy. An early task in our implementation planning was to develop tools to determine which of our member networks’ policies were missing or inconsistent.
The first version of our tools identified 34% of our member networks as lacking a published routing policy. It is important to note that for many networks having a routing policy hadn’t been a requirement. Our first one-on-one outreach was via email and Zoom meetings to the 34% of BGP participants that lacked a published routing policy. Before we could evaluate the policies for consistency and omissions, we had to first ensure that the policies were published. Over the course of six weeks, dozens of emails, and roughly ten Zoom meetings, nearly all of the BGP participants were publishing a routing policy.
Once the BGP participants published their routing policies, we expanded our tools capabilities to check the consistency of the individual policy records. By May of 2020, we were able to review the policy records and determined that Google would reject approximately 18% of the routes. Now that we were checking the consistency of individual campus network routing policies, we changed communications strategy.
Our communications moved from engaging BGP participants to partnering with Internet2 Connectors to mutually provide support to the individual campuses. We also shifted our webinars from presenting information to informal “office hours,” where the most knowledgeable community members could help campuses with their specific questions.
From May 2020, and until we published Internet2’s routing policy in July 2020, the community worked together to complete their routing policy records so that 99% of the routes were accepted by Google! We are further developing our tools and processes to continuously monitor the state of the community’s published routing policies, so that we’re able to provide useful information to campuses and connectors as the inevitable inconsistencies in published routing policy re-emerge.
The community’s routing policy isn’t static and it changes over time. Internet2 is working with the community to identify the capabilities and processes needed to ensure our published routing policy maintains its currency. While the focus of this effort was generating up-to-date IRR records, going forward we will seek to better diffuse the full adoption of MANRS throughout the community. The networks that interconnect via Internet2 make up a sizable portion of the US-based global Internet. This work will improve the safety and security of our collective infrastructure.
If you have any questions about the Internet2 routing policy, please email us at IRRfirstname.lastname@example.org.
Related articles and blogs: