Validating MANRS with FORT Monitor

26/03/2024

By Erika Vega, Senior Consultant at SOCIUM and Engineering Manager at MC&H Networks

When an organization connects to the Internet and starts sending and receiving data packets using its own Internet number resources such as Autonomous System numbers and IPv4 or IPv6 addresses, it becomes an identifiable entity within this network of networks. This comes with both risks and responsibilities. These risks include the possibility of malicious parties obtaining data on how information is transmitted and published to and from your network, while the responsibilities involve understanding what actions we can take to protect our organization and other entities with whom we exchange data.

There are multiple actions that a network operator with its own resources can implement to strengthen and improve their routing infrastructure security. These actions range from training and awareness initiatives to the implementation of filtering and applying best practices in the logical configuration of routers.

MANRS Compliance in the LAC Region

Better known as MANRS, the Mutually Agreed Standards for Routing Security represent a global initiative that provides a framework of specific actions and critical solutions for reducing the most common threats to routing security. These actions are grouped in four programs: Network Operators, Internet Exchange Points, CDN and Cloud Providers, and Equipment Vendors.

Included below is an example of the actions specified for Network Operators, along with their compliance based on measurements conducted in the LAC region during the month of March.

As the image shows, adoption and utilization of mechanisms such as Resource Public Key Infrastructure (RPKI) and distributed Internet routing registry databases (IRR) remains below 50%, despite the fact that they are integral for complying with the MANRS global validation action. Therefore, it is crucial to work to increase their deployment in the region, leveraging tools that allow us to validate the status of our announcements in terms of compliance with these measures.

FORT Monitor

Many tools have now been developed to help organizations visualize how announcements are advertised through the global routing system. These tools provide valuable information to facilitate decision-making and the implementation of actions to improve security in our own routing scheme and, consequently, in overall routing.

One such tool is FORT Monitor, the result of a initiative by LACNIC. This freely accessible tool allows us to examine in detail an organization’s announcements and their validity status, either by prefix or by Autonomous System. It also provides simplified data on the status of routing security in the LAC region.

Where Does Fort Monitor Obtain Its Data?

FORT Monitor collects BGP announcement data using the UPDATE messages of the collectors available in CAIDA’s open source BGPStream software. It then classifies the data based on their validity statuses, identifying them thanks to the queries to the FORT and Routinator RPKI validators.

To validate the IRR’s routing records, FORT uses the data available in the RADB and RIPE databases. Finally, in order to produce reports at the regional level, it correlates the prefixes in these BGP announcements with the countries within the LACNIC service region, using the information contained in the delegated-extended file for the blocks managed by LACNIC.

It should be noted that FORT only allows monitoring prefixes and Autonomous System numbers assigned in the region.

Examples of the Use of FORT for Compliance with Global Validation

Below is an example of how to use FORT Monitor to validate compliance with Action 4 specified by MANRS, which validates the use of IRR and RPKI in the prefixes that we announce to the Internet.

The image above shows a query for an Autonomous System number assigned to the region using the FORT Monitor tool available at https://monitor.fortproject.net/es/per_asn. In it, we can observe information on the validity status of the prefixes announced by the ASN. The table includes a maximum of 500 results collected by the application up to the previous month.

If we query by prefix using the FORT Monitor tool available at https://monitor.fortproject.net/es/per_prefix, we can see whether the prefix is being published in a disaggregated manner.

We can also see the ROAs created for the prefix as well as its validity status.

Every day, the tool will display up to 500 results collected by the application, including data from the previous month. This will happen whenever the prefix is seen in the global routing tables and will allow determining whether the prefix’s validity status changed or if it stopped being announced at any time.

This information allows organizations that hold resources to track the status of all the routes they publish to the Internet and to implement measures to maintain their validity.

For more information on routing security, the adoption of best practices, and compliance with MANRS, as well as to access tools for route validation and to learn about new proposals currently under discussion at the IETF to address persistent BGP operational issues, we invite you to participate in ‘New Trends in Secure Routing.’ This tutorial will take place this 6 May in face-to-face format, within the framework of the LACNIC 41 event to be held in Panama City. Click here to register and participate.