Understanding GREN
Before analyzing the two incidents involving GREN, it’s essential to understand its role. GREN is a network ecosystem designed to meet the global connectivity needs of R&E institutions. These networks collaborate to ensure seamless, efficient communication worldwide.
GREN comprises approximately 2,600 interconnected Border Gateway Protocol (BGP) autonomous systems in 107 countries. These systems coordinate routing policies to prioritize traffic within GREN, providing faster, more reliable connectivity than the commercial internet. Routes shared within GREN are prioritized over those from external providers, enhancing performance.
Incident #1: Commercial Routes Leaked to GREN
In March 2024, a South American GREN network mistakenly announced commercial internet routes to its GREN peers. As a result, other GREN networks prioritized these routes over commercial providers, causing traffic to be rerouted through South America. This led to delays and outages across GREN institutions.
Lessons Learned
Not all GREN networks filter routes from peers. While networks like GÉANT and Internet2 implement filtering policies, no consistent practice exists across GREN. This lack of filtering increases the risk of route leaks, causing major disruptions.
One solution is for backbone networks to publish their routing policies via Internet Routing Registry (IRR) as-set objects. These objects define which autonomous systems are allowed to announce routes, enabling more precise filtering.
As the use of as-set objects is still gaining traction, the Global Network Advancement Group (GNA-G) Routing Working Group has scheduled workshops to educate the community on their importance and implementation.
Incident #2: GREN Routes Leaked to Commercial Providers
In August 2024, a GREN member in the Middle East accidentally leaked routes to its commercial internet provider. For networks announcing more specific routes to GREN, this misconfiguration caused returning traffic from major cloud providers to route through the Middle East, leading to severe disruptions.
Lessons Learned
Announcing more specific routes is a common BGP traffic engineering tool within GREN, but no BGP mechanisms are currently in place to prevent such leaks. Promising new standards are being developed, but they are still years from deployment.
Rapid detection and manual intervention – such as de-peering the leaking network – are key to mitigating future incidents. The incident underscores the need for caution when using more specific routes as a traffic management tool. Some Internet2 members have already withdrawn more specific routes to minimize risks.
Incident #3: Route Hijack Targeting a U.S. R&E Regional Network
In July 2024, a commercial network outside the U.S. hijacked IP addresses belonging to a U.S.-based R&E regional network, disrupting critical infrastructure. The hijacker announced these IP addresses as more specific routes, rendering key services unavailable.
Fortunately, the regional network mitigated the attack by creating a Resource Public Key Infrastructure – Route Origin Authorization (RPKI-ROA), which lets ISPs that validate route origins reject illegitimate routes. However, one cloud provider had not yet implemented RPKI-ROA technology, delaying full mitigation until communication was established with the provider.
Lessons Learned
Route hijacks remain a serious threat to critical infrastructure. Deploying RPKI-ROAs is a proven, effective mitigation strategy, though full adoption by providers is crucial to prevent future incidents.
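The effect of the ROA in Incident #3 can be shown with a small route origin validation check that follows the RFC 6811 rules. This is an added example, not code from the original article or from any network named in it; the prefixes and AS numbers are constructed from documentation ranges, and the function names are hypothetical.

```python
import ipaddress
from typing import NamedTuple


class VRP(NamedTuple):
    """Validated ROA Payload: the (prefix, maxLength, origin AS) a ROA asserts."""
    prefix: str
    max_length: int
    asn: int


# Constructed sample data: documentation prefixes (RFC 5737) and ASNs (RFC 5398).
VRPS = [VRP("198.51.100.0/24", 24, 64496)]  # ROA for the regional network

ANNOUNCEMENTS = [
    ("198.51.100.0/24", 64496),    # legitimate origin, exact prefix
    ("198.51.100.0/25", 64511),    # more-specific from a different origin AS
    ("198.51.100.128/25", 64496),  # longer than maxLength, even with matching origin
    ("192.0.2.0/24", 64500),       # no covering ROA at all
]


def validate(prefix, origin_asn, vrps=VRPS):
    """Return 'valid', 'invalid' or 'not-found' for one announcement (RFC 6811)."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        # A VRP covers the route when the route is equal to or inside its prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # AS 0 in a VRP never matches; it marks space that must not be routed.
        if vrp.asn != 0 and vrp.asn == origin_asn and route.prefixlen <= vrp.max_length:
            return "valid"
    # Covered but unmatched is invalid; uncovered routes are merely unknown.
    return "invalid" if covered else "not-found"


def filter_announcements(announcements, vrps=VRPS):
    """Apply a drop-invalid policy: keep valid and not-found, reject invalid."""
    accepted, rejected = [], []
    for prefix, origin in announcements:
        state = validate(prefix, origin, vrps)
        (rejected if state == "invalid" else accepted).append((prefix, origin, state))
    return accepted, rejected


if __name__ == "__main__":
    for label, vrps in (("before ROA", []), ("after ROA", VRPS)):
        accepted, rejected = filter_announcements(ANNOUNCEMENTS, vrps)
        print(label, "accepted:", accepted, "rejected:", rejected)
```

With an empty VRP list every announcement is not-found and passes the filter, so the ROA only protects the prefix on networks that actually run this validation.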
Strengthening Routing Integrity Together
The recent routing security incidents in the R&E community underscore the need for collective action. Misconfigurations, route leaks, and hijacks pose ongoing risks to the stability of our networks. By adopting best practices, such as filtering policies, as-set objects, and RPKI-ROAs, we can better safeguard our infrastructure.
Collaboration is key. The GNA-G Routing Working Group, Internet2’s Routing Integrity Initiative, and similar efforts aim to educate and align the community, ensuring a unified approach to routing security. Together, we can strengthen the integrity of our networks and build a more resilient global internet for research and education.