Adapting to the Future of Network Security in Research and Education

Adapting to the Future of Network Security in Research and Education

Post adapted from the original on Internet2.edu.

A group of Internet exchange point (IXP) operators recently proposed a new standard for routing security that will likely gain traction in 2024. It signals a future where adherence to advanced routing security practices is not just beneficial but essential for robust and comprehensive Internet infrastructure access.

Is the U.S. research and education (R&E) community prepared for that future? Before we look ahead to what the new standard would mean for the community — and how we can take action now to prepare — let’s set the stage with some recent history.

Response to Google Policy Demonstrates R&E Adaptability

In 2018, Google mandated that networks connecting directly to its network must register their routing policy in Internet Routing Registries (IRRs). IRRs serve as central databases where Internet service providers and other network operators can exchange routing policy information, which guides how Internet traffic should flow between their networks. In other words, IRRs exist to help manage efficient and reliable traffic flow through the complex web of connections that make up the Internet.

This move by Google, which was crucial for network security and efficiency, initially posed a challenge for the Internet2 community. Most IP addresses comprising the community’s R&E networks at the campus, regional, and national levels didn’t comply.

However, the community’s proactive response to this change led to a remarkable turnaround, with 95% compliance now enabling them to leverage the 780 gigabits per second Internet2 to Google capacity.

Five years later, a similar shift is emerging.

Proposed New Standard Looks to Authenticated IRRs

A group of IXP operators recently proposed a new requirement for IP addresses participating in their route servers to be recorded in authenticated IRRs. Unlike standard IRRs that often lack stringent verification processes, authenticated IRRs are operated by Regional Internet Registries (in the U.S., that’s ARIN) and require strict authentication procedures to ensure routing information is accurate and authorized by the official holders of the IP addresses and Autonomous System Numbers (ASNs).

The majority of the U.S. R&E community has yet to meet this proposed new standard and lags far behind the global internet in adopting other critical routing security services. The risks are reduced Internet resilience and fewer connection paths.

This calls for community action to integrate these security practices, ensuring our continued status as first-tier participants in the global Internet infrastructure.

One important prerequisite to meet the proposed new standard is that our community’s IP addresses must first be under an ARIN agreement. Only then can a record be created in ARIN’s authenticated IRR. To date, 212 organizations in our community have taken action this year to establish an ARIN agreement for IP addresses that pre-date ARIN’s existence. If your organization has IP addresses not yet covered under an ARIN agreement, start that process by creating a ticket with ARIN now to lock in significantly reduced fees before the fee cap expires on 31 December 2023 (opens in a new window).

To dive deeper, here are the who, what, why, and when of this IXP-proposed new standard for routing security.

Who Proposed This Standard

During the RIPE Connect Working Group meeting at RIPE86, Stavros Konstantaras of the Amsterdam Internet Exchange presented “A Common Policy for the Use of IRR DB By IXP Route Servers.” The policy was authored by representatives from:

While it’s titled as a policy, the Connect Working Group doesn’t traditionally develop RIPE policy. Rather the proposal is to adopt a best common practice for operating route servers at IXPs. And though the proposal was authored by representatives from IXPs outside the U.S., the global impacts would include the U.S. R&E community’s commodity connectivity.

World map displaying Internet Exchange locations Global map of IXPs. View the interactive map.

What Is Being Proposed

The Connect Working Group proposed that IXP-operated route servers around the world only accept routes that contain a corresponding record in an authenticated IRR (to recap, the authenticated IRR for the Internet2 community is operated by ARIN). As of today, only 15% of Internet2 routes meet this requirement.

Why Is This Standard Being Proposed

IXPs derive their routing policy from IRR records. Many IRRs may contain outdated and inconsistent information. Sometimes they contain false information created by bad actors attempting to disrupt routing. By restricting the source of information to authenticated IRRs, the IXPs know the information was created by an authorized agent and is more likely to be accurate. This standard will result in greater routing security for IXPs and for the global internet.

When Would This Standard Take Effect

The proposal suggests the change take place within a year of its adoption.

How Might This Standard Affect R&E Institutions

For institutions that lack authenticated IRR records (approximately 85% of Internet2 routes), this standard will reduce the paths that will carry the institution’s Internet traffic. That means the institution’s network is less interconnected and in many cases won’t have access to the optimal path. This will result in less resilience and poorer performance.

For institutions with authenticated IRR records, the effect will be positive, as the IXP routing policy will be based on the known, authentic policy for the institution’s routes.

Protecting our R&E networks from common routing threats is in every institution’s best interest — and it takes a community effort. As a future with advanced standards for routing security takes shape, now is the time for us all to prepare and embrace best practices.

Post written by:

A photo of Steven Wallace
Steven Wallace
Director, Internet2 Routing Integrity

Steve Wallace promotes the adoption and improvement of routing security and integrity throughout the Internet2 community. He has been an active Internet2 community member for more than 24 years, having started as the engineer responsible for the team that built Abilene, Internet2’s first network.

Any views, positions, statements, or opinions of a guest blog post are those of the author alone and do not represent those of ARIN. ARIN does not guarantee the accuracy, completeness, or validity of any claims or statements, nor shall ARIN be liable for any representations, omissions, or errors contained in a guest blog post.

Recent blogs categorized under: RPKI


Sign up to receive the latest news about ARIN and the most pressing issues facing the Internet community.

SIGN ME UP →

IPv6 •  Business Case for IPv6 •  Internet Governance •  Public Policy •  Elections •  ARIN Bits •  Fellowship Program •  Grant Program •  RPKI •  Caribbean •  Outreach •  Training •  Updates •  IPv4 •  Security •  Data Accuracy •  Tips •  Customer Feedback •  IRR

 

Connect with us on LinkedIn!