Assessing the feasibility of routing security compliance tests

We supported GCA in their efforts to develop an elevated tier of MANRS (MANRS+) by conducting a feasibility study on measuring routing security controls. To this end, we developed a local prototype that simulates the audit of an AS using containerlab. We audit by setting up peering sessions between the audited AS and two other local ASes. The first AS exports prefixes to the audited AS and the second AS imports prefixes received from the audited AS. We then analyse the imported prefixes to draw conclusions about the filters configured at the audited AS.

Our prototype demonstrates the ability to reliably audit the correct implementation of filters. However, we expect auditing of production ASes to bring on much more complexity and the need to further develop the prototype. By presenting at the Routing WG, we aim to gather feedback from the community that can help improve the prototype as well as a provide guidance to a potential future production deployment led by GCA or similar auditing efforts.

Our implementation of the local test-bed is open source.