Zayo is among the first ISPs to implement two-factor authentication (2FA) for BGP configuration updates
Aaron Werley, Vice President, Technology, Zayo
We hear it every day. We teach it to our kids: it’s better to be trusting, to assume positive intent, to give the benefit of the doubt. Equally important is to be trustworthy. We strive to be trusted experts and partners to our customers, and we place trust at the core of every relationship. Human to human, it’s a nice way to live and operate.
Yet in business we have a lot to protect, so we turn to the wisdom of, “Trust, but verify.”
While most of the traffic that traverses the Internet is encrypted and protected by mature authentication and identity-management frameworks, the underlying network infrastructure that routes that traffic is a remarkably trusting environment:
Routing… BGP knows how to get your packets to their destinations
The routing of the Internet is managed by one of its core protocols, Border Gateway Protocol (BGP). BGP determines the path every packet takes across the Internet. Designed in the late 1980s for a far smaller and more collegial Internet, BGP is an inherently trusting protocol: it was built without security in mind, so a router accepts the routes its neighbors announce with minimal verification.
Address Assignments… The five RIRs keep a database of ASNs and IP addresses
Five Regional Internet Registries (RIRs) assign autonomous system numbers (ASNs) and IP addresses to entities with a presence on the Internet: AfriNIC (Africa), APNIC (Asia-Pacific), ARIN (North America), LACNIC (Latin America and the Caribbean), and RIPE NCC (Europe, the Middle East, and Central Asia). The RIRs verify the identities of the people and companies that request assignments, and as neutral, unbiased bodies they maintain a publicly queryable database of those assignments (Whois and RDAP), including the points of contact for each resource.
Every Company Registered… They take the first step
Any organization that wants the benefits of dedicated IP address space registers with its RIR for ASN and IP address assignments, and tells the RIR which contacts within the organization are authorized to make changes. But when those people leave the company, the RIR record often goes without updates, sometimes for years at a time.
ISPs… Provide the network for transport
Internet Service Providers like Zayo reassign address space to our IP customers, or announce customer-held IP address space, accept their traffic onto our network and pass it to our peers so that it reaches its destination. Like most businesses, we put a lot of confidence in our “know your customer” program. When a customer asks for a modification to its BGP service configuration, we perform basic validation of the request to confirm that the new IP address announcements line up with the requesting party.
This basic validation was the only form of validation performed, until now.
… but Verify
In a system like the Internet, built to be trusting, the Tier 1 providers need to take steps to protect the integrity of the announcements that enter the ecosystem. Zayo has introduced a simple double check on the front end of BGP change requests so that a bad actor cannot use a forged change request to manipulate traffic routing.
Starting with resources registered at ARIN, Zayo now asks for a “second form of ID” from anyone wishing to change their BGP service in any way, confirming that the requestor has access to, and is authorized by, the organization that holds the resource.
The beauty of 2FA is that it takes the judgment call out of the verification: authorization is tied to the RIR’s record for the resource, not to whoever sent the request. It also drives improved RIR contact accuracy, which is one of the Mutually Agreed Norms for Routing Security (MANRS) actions.
I think it goes without saying, the Internet will benefit from a little more MANRS ;).
Zayo is committed to not just implementing MANRS compliance across our network, but helping promote MANRS across all who connect to our network.
We all know the drill of 2FA well: “We sent a 6-digit code to the email address we have on file…”
The first factor is the customer’s own contact information as listed in our system. The second factor is a unique, time-limited code sent to the contacts listed in the RIR’s database for the resource in question. If someone makes a mistake, or a bad actor masquerades as another organization, they generally will not have access to the mailboxes of the RIR points of contact and so cannot obtain the code.
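The exchange described above, as an added example that is not Zayo’s code: a change request comes in, the verifier pulls the points of contact out of an RDAP-style record for the prefix, mails a code to those contacts (never to the requester), and only then applies the change. The RDAP record, the contact addresses, the 6-digit format, the 15-minute lifetime and the `send_mail` hook are all assumptions made for illustration; the code is bound to a hash of the request so a code issued for one change cannot approve a different one, and it is single-use.

```python
import hashlib
import hmac
import json
import secrets
import time

# Illustrative parameters (assumptions for this example, not published Zayo settings).
CODE_DIGITS = 6
CODE_TTL_SECONDS = 15 * 60

# Constructed sample in the shape of an RDAP "ip network" object; handle, addresses
# and contacts are invented and use documentation ranges / example.com.
SAMPLE_RDAP_NETWORK = {
    "handle": "NET-203-0-113-0-1",
    "startAddress": "203.0.113.0",
    "endAddress": "203.0.113.255",
    "entities": [
        {"roles": ["registrant"],
         "vcardArray": ["vcard", [["fn", {}, "text", "Example Corp"]]]},
        {"roles": ["technical"],
         "vcardArray": ["vcard", [["fn", {}, "text", "Example NOC"],
                                  ["email", {}, "text", "noc@example.com"]]]},
        {"roles": ["abuse"],
         "vcardArray": ["vcard", [["email", {}, "text", "abuse@example.com"]]]},
    ],
}


def rir_contact_emails(network, roles=("registrant", "administrative", "technical")):
    """E-mail addresses of the RIR points of contact holding one of `roles`.
    Abuse contacts are excluded: an abuse mailbox is often outsourced and is not
    evidence of authority over the resource."""
    emails = set()
    for entity in network.get("entities", []):
        if not set(entity.get("roles", [])) & set(roles):
            continue
        for prop in entity.get("vcardArray", ["vcard", []])[1]:
            if prop[0] == "email":
                emails.add(prop[3].strip().lower())
    return sorted(emails)


def request_digest(request):
    """Hash of the canonical request, so a code is tied to exactly this change."""
    canonical = json.dumps(request, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


class ChangeVerifier:
    """Second factor for a BGP change: the code goes to the RIR contacts of record."""

    def __init__(self, send_mail, now=time.time):
        self._send_mail = send_mail   # callable(address, body); injected so this runs offline
        self._now = now
        self._pending = {}            # request_id -> {code, digest, expires}

    def issue(self, request_id, request, network):
        recipients = rir_contact_emails(network)
        if not recipients:
            # Nothing on record to verify against: the change must not proceed.
            raise ValueError("no RIR point of contact on record for this resource")
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[request_id] = {"code": code,
                                     "digest": request_digest(request),
                                     "expires": self._now() + CODE_TTL_SECONDS}
        for address in recipients:
            self._send_mail(address, f"BGP change {request_id}: your verification code is {code}")
        return recipients

    def verify(self, request_id, request, code):
        """Return (approved, reason); a code is consumed on success."""
        entry = self._pending.get(request_id)
        if entry is None:
            return False, "unknown or already-used request"
        if self._now() > entry["expires"]:
            del self._pending[request_id]
            return False, "code expired"
        if entry["digest"] != request_digest(request):
            return False, "request changed after the code was issued"
        if not hmac.compare_digest(entry["code"], str(code)):
            return False, "wrong code"
        del self._pending[request_id]   # single use
        return True, "approved"


def run_demo():
    """Walk through the exchange with a fake mailer and a controllable clock."""
    outbox, clock = [], [1_700_000_000.0]
    verifier = ChangeVerifier(lambda addr, body: outbox.append((addr, body)),
                              now=lambda: clock[0])
    request = {"asn": 64500, "action": "add", "prefix": "203.0.113.0/24"}
    recipients = verifier.issue("REQ-1", request, SAMPLE_RDAP_NETWORK)
    code = outbox[-1][1].rsplit(" ", 1)[1]           # what the NOC contact reads in the mail
    wrong = str((int(code) + 1) % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)
    results = {
        "recipients": recipients,
        "tampered": verifier.verify("REQ-1", dict(request, prefix="203.0.113.0/25"), code)[0],
        "wrong_code": verifier.verify("REQ-1", request, wrong)[0],
        "correct": verifier.verify("REQ-1", request, code)[0],
        "replay": verifier.verify("REQ-1", request, code)[0],
    }
    verifier.issue("REQ-2", request, SAMPLE_RDAP_NETWORK)
    code2 = outbox[-1][1].rsplit(" ", 1)[1]
    clock[0] += CODE_TTL_SECONDS + 1                 # let the second code age out
    results["expired"] = verifier.verify("REQ-2", request, code2)[0]
    return results


if __name__ == "__main__":
    print(run_demo())
```

A production deployment would also rate-limit attempts per request and log every issued and verified code; the point here is the binding, which the demo exercises: a tampered request, a wrong code, a replayed code and an expired code are all refused, and only the code read from the RIR contact’s mailbox approves the exact change it was issued for.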
This is not a process implemented because we don’t trust our customers. It is a process implemented to protect everyone from inadvertent and malicious changes to a largely trusting protocol and to the processes ISPs use around it today. Simply said, Zayo’s new practice benefits not only our own customers but the Internet community at large.
Protecting our customers: Requiring two factors of authentication protects our customers. We’re simply ensuring that when Zayo receives a request to, for example, add or remove IP address announcements on a BGP service, the person requesting that change actually holds the address space and has access to, or approval from, the RIR contact associated with the resource they are attempting to change. If they don’t, Zayo won’t make the change. That protects our customers’ accounts from anyone trying to hijack the traffic for that address space and redirect it.
Protecting the whole Internet community: Zayo is doing our part in helping promote the goals of MANRS by encouraging our customers to practice good Internet hygiene by always keeping their contact information updated with the registry. In addition to preventing unauthorized announcements of your IP address records, this practice:
Ensures that ARIN can reach you. With updated info, ARIN and other RIRs can contact you to notify you of policy changes, resolve any issues they see with your account or resources, or for any reason you may need to act on.
Keeps you compliant with the RIR’s policies. In order to ensure uninterrupted service, ARIN requires that all organizations maintain current records.
Two-factor BGP authentication vs. RPKI
In our blog last month, we described Zayo’s adoption of Resource Public Key Infrastructure, or RPKI. RPKI is a companion framework to BGP. An address holder uses a certificate issued through its RIR to sign a Route Origin Authorization (ROA) stating which autonomous system may originate a given prefix and how specific the announcement may be. ISPs run validators that fetch these signed objects, check them against the RIR trust anchors, and hand the results to routers, which can then reject an announcement whose origin AS does not match a valid ROA for that prefix.
Like the whole Internet, RPKI requires cooperation among ISPs and address holders to work to its full potential. Origin validation becomes most meaningful when address holders sign ROAs for their own prefixes, and when ISPs validate the origins of the announcements from the networks connected to theirs.
Zayo’s practice of requiring two factors of authentication for BGP doesn’t replace RPKI. The two protect different steps: RPKI lets a router judge the announcement itself, while the second factor checks the change request that asks us to make the announcement in the first place. Rather than waiting for a critical mass of ISPs to adopt RPKI to realize its full promise of protection, we’ve taken our own steps. Two-factor authentication strengthens the verification process ISPs typically use, so that someone with malicious intent cannot come to Zayo and have us announce routes they don’t actually hold.
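The router-side check RPKI enables, as an added example that is not Zayo’s code or any real validator’s: route origin validation in the form RFC 6811 specifies, run over a constructed set of validated ROA payloads on documentation prefixes. The ROA entries, the AS numbers and the accept/reject policy are assumptions for illustration. It also covers the two cases the text’s hijack scenario turns on: an announcement from the wrong origin AS, and a more-specific announcement that exceeds the ROA’s maxLength.

```python
import ipaddress

# Constructed sample of validated ROA payloads: (prefix, maxLength, origin AS).
# Invented entries on documentation prefixes, not objects from any RIR repository.
SAMPLE_ROAS = [
    {"prefix": "203.0.113.0/24", "max_length": 24, "asn": 64500},
    {"prefix": "198.51.100.0/22", "max_length": 24, "asn": 64501},
    {"prefix": "192.0.2.0/24", "max_length": 24, "asn": 0},   # AS0 ROA: nobody may originate this
]


def route_origin_validation(roas, prefix, origin_asn):
    """Classify an announcement per RFC 6811 as 'valid', 'invalid' or 'not-found'."""
    announced = ipaddress.ip_network(prefix, strict=True)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa["prefix"], strict=True)
        # A ROA covers the announcement when the announced prefix equals, or is
        # more specific than, the ROA prefix within the same address family.
        if roa_net.version == announced.version and announced.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"
    for roa in covering:
        # Valid only if some covering ROA names this origin AS and allows this length.
        if roa["asn"] == origin_asn and announced.prefixlen <= roa["max_length"]:
            return "valid"
    # Covered by at least one ROA, but none authorises this origin at this length:
    # this is the state a hijack or a leaked more-specific lands in.
    return "invalid"


def policy_decision(state):
    """Common operator policy (assumed here): drop invalids, carry valid and not-found."""
    return "reject" if state == "invalid" else "accept"


def evaluate(roas, announcements):
    """Run validation plus policy over a batch of (prefix, origin_asn) pairs."""
    out = {}
    for prefix, asn in announcements:
        state = route_origin_validation(roas, prefix, asn)
        out[(prefix, asn)] = (state, policy_decision(state))
    return out


if __name__ == "__main__":
    for key, value in evaluate(SAMPLE_ROAS, [
        ("203.0.113.0/24", 64500),    # legitimate origin
        ("203.0.113.0/24", 64666),    # wrong origin AS
        ("203.0.113.0/25", 64500),    # more specific than maxLength allows
        ("2001:db8::/32", 64500),     # no ROA at all
    ]).items():
        print(key, value)
```

The "not-found" outcome is why the text stresses that RPKI only pays off once address holders sign ROAs: an unsigned prefix is accepted from any origin, so validation cannot tell a hijack from a legitimate route until the holder publishes a ROA.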
As a Tier 1 ISP, Zayo recognizes our role in not only protecting our customers’ Internet traffic, but in playing our part in fostering good behavior throughout the Internet community. Two-factor authentication for BGP is a simple but important step toward that end.