• 3 min read

Microsoft introduces steps to improve internet routing security

The internet runs on the Border Gateway Protocol (BGP). A network or autonomous system (AS) is bound to trust, accept, and propagate the routes advertised by its peers without questioning its provenance.

The internet runs on the Border Gateway Protocol (BGP). A network or autonomous system (AS) is bound to trust, accept, and propagate the routes advertised by its peers without questioning its provenance. That is the strength of BGP and allows the internet to update quickly and heal failures. But it is also its weakness—the path to prefixes owned by a network can be changed by accident or malicious intent to redirect, intercept, or blackhole traffic. Last year alone, there were hundreds of routing outages or incidents, such as route hijacking and leaks. These incidents led to large-scale distributed denial of service (DDoS) attacks, stolen data, lost revenue, reputational damage, and more.

Routing security is vital to the future and stability of the Internet and Microsoft has long been committed to improving internet routing security. Back in 2019, Microsoft joined the Mutually Agreed Norms for Routing Security (MANRS) initiative to address the challenges related to routing security, which impacts businesses and consumers daily. We implemented the existing MANRS framework in our operations and partnered with Internet Society, the Cybersecurity Tech Accord, and other organizations to examine how actors beyond network operators and internet exchange points (IXPs) can effectively contribute to routing security.

Today we are pleased to announce the steps Microsoft will take to implement the new actions defined by the MANRS Cloud and CDN program. These set of actions include:

RPKI (Resource Public Key Infrastructure) origin validation

RPKI is public key infrastructure framework designed to secure the Internet’s routing infrastructure. It is used to secure BGP routes origin information. RPKI has come a long way and its adoption has doubled over the last year. Microsoft has completed signing all BGP routes announced by our Autonomous System Number (ASNs). We recently updated our peering policy with the commitment to implement RPKI filtering by the middle of 2021. We understand these changes can take time and we will work with our internet peers to make sure this transition is smooth.

Route object validation

Public Internet Routing Registries (IRR) continue to hold a large part of route origin information and relationships. Microsoft will use IRR databases to validate all incoming routes. We have updated all our records in RADb and to protect our network, we will work with our peer networks to update route records in public IRRs. Inside Microsoft, we developed a global Route Anomaly Detection and Remediation (RADAR) system to protect our global network. RADAR detects and mitigates in real-time Microsoft route hijacks on the Internet. RADAR also detects route leaks in Microsoft network and on the Internet. A BGP route leak is the propagation of routing announcement(s) beyond their intended scope. With RADAR we use the public route database to establish the intended network path information (AS Path).

With RADAR, we make sure to route the traffic from Microsoft to customers via preferred paths even if malicious activity is detected. Customers who are leveraging internet service providers (ISPs), internet exchange partners (IXPs), and software-defined cloud interconnect (SDCI) providers who have joined the Azure Peering Service can also register to RADAR information and stay informed when a route anomaly is detected.

Enhance collaboration with peer networks and registries

Microsoft interconnects with thousands of networks via more than 170 edge points of presence locations. We will work with all peer networks to protect traffic over the Internet. In our peering portal we already provide RPKI and route object information for all the received routes. Peer networks can see RPKI, route object, and network path information in the portal and then can fix the routes in respective registries. Today address spaces are managed by different registries (ARIN, LACNIC, RIPE, and more) and it is not easy to manage route objects across all registries. We will work with registries to make it easier for our internet peers and in general for all internet service providers to easily manage these route objects.

Internet routing security will require constant updates to standards. There is no single standard which can address the issues faced on the Internet today and we need to update routing security standards as and when we see new threats emerging. Recently we worked with the MANRS community to update these standards and we are excited to join with other MANRS members in implementing them. Lastly, we want to thank MANRS and Internet Society for bringing the internet community together on this important subject and being the driving force for accelerating internet security.