Securing Routes and IPv6 at NANOG
Discover key discussions on routing security and IPv6 advancements from NANOG meetings that shape internet infrastructure.
The North American Network Operators Group (NANOG) serves as a critical forum for network professionals to tackle pressing challenges in internet operations. Events like those held in Denver bring together experts to deliberate on essential topics such as routing security and the ongoing transition to IPv6. These discussions are pivotal as the internet evolves, demanding robust protections against threats and seamless adoption of next-generation protocols.
The Imperative of Routing Security
Routing security remains a cornerstone of internet stability. Border Gateway Protocol (BGP), the protocol orchestrating data flow across autonomous systems, is susceptible to hijacks, leaks, and manipulations. Such incidents can reroute traffic erroneously, leading to outages, data interception, or worse. NANOG gatherings emphasize collective action to mitigate these risks through standardized practices and technologies.
One prominent initiative is the Mutually Agreed Norms for Routing Security (MANRS). This global effort encourages network operators to implement four key actions: filtering route announcements, global validation of routing information, securing the global routing table, and anti-spoofing measures. By committing to MANRS, operators contribute to a more predictable and secure routing environment.
- Route Filtering: Prevents invalid prefixes from propagating.
- Validation Tools: Employs Resource Public Key Infrastructure (RPKI) for authenticity checks.
- Table Security: Monitors and reports anomalies in the global BGP table.
- Anti-Spoofing: Blocks packets with forged source addresses.
These steps, when widely adopted, significantly reduce the attack surface. Data from recent analyses shows a decline in BGP hijacking incidents in networks embracing these norms.
IPv6: Bridging the Deployment Gap
IPv6 adoption continues to accelerate, driven by IPv4 address exhaustion. NANOG sessions often dissect deployment hurdles, from address allocation to integration with legacy systems. IPv6 offers 128-bit addresses, enabling a vast pool (approximately 3.4 × 10^38), eliminating the need for Network Address Translation (NAT) in many scenarios.
Key advantages include simplified routing hierarchies, enhanced mobility support, and built-in security features like IPsec. However, challenges persist: dual-stack configurations increase complexity, and some applications lag in native support. Operators at NANOG share strategies for smooth transitions, such as tunneling mechanisms (6to4, Teredo) and 6rd for rapid rollout.
| IPv4 Challenges | IPv6 Solutions |
|---|---|
| Address scarcity | Abundant /64 subnets |
| Complex NAT | End-to-end connectivity |
| Header overhead | Streamlined 40-byte header |
| Security add-ons | Mandatory IPsec capabilities |
Deployment statistics reveal progress: as of 2026, global IPv6 traffic exceeds 40% on major backbones, per official registries.
Intersections of Security and IPv6
IPv6 introduces unique security considerations intertwined with routing. While BGP remains the inter-domain glue, IPv6-specific extensions like Segment Routing (SRv6) demand new validation methods. RPKI adoption for IPv6 ROAs (Route Origin Authorizations) is crucial, ensuring only legitimate holders announce prefixes.
NANOG presentations highlight tools like SBGP (Secure BGP) and BGPsec for path validation. These cryptographically secure path attributes, preventing prepend attacks and hijacks. For IPv6, operators must configure ROAs covering both protocols, as dual-stack environments are common.
Practical case studies from NANOG illustrate successes: networks implementing RPKI reduced invalid routes by over 90%. Yet, awareness gaps persist, with smaller ISPs trailing larger peers.
Community-Driven Solutions at NANOG
NANOG’s strength lies in its community ethos. BoFs (Birds of a Feather) sessions foster collaboration on IPv6 heightening and routing safeguards. Participants from ISPs, registries like ARIN, and vendors exchange real-world data, scripts, and configs.
For instance, IPv6 working groups discuss measurement tools like Hurricane Electric’s tunnelbroker metrics and deployment dashboards. Routing security talks cover IRR (Internet Routing Registry) synchronization with RPKI, ensuring consistency.
- Hands-on workshops for RPKI deployment.
- IPv6 troubleshooting labs.
- Lightning talks on emerging threats like BGP flowspec for DDoS mitigation.
Future Directions in Routing and IPv6
Looking ahead, NANOG agendas signal advancements: integration of RPKI with BGP speakers via open-source tools like OpenBGPD and Bird. IPv6 evolution includes native multicast revival and privacy extensions for addresses.
Emerging standards from IETF, such as RFC 8955 for BGPsec, promise end-to-end path security. Operators are urged to prioritize automation—using NETCONF/YANG for config validation—to scale protections.
Challenges remain: global coordination for RPKI trust anchors and incentivizing small operators. NANOG’s role in advocacy, partnering with ISOC, amplifies these efforts.
Practical Steps for Operators
To action these insights:
- Assess Current State: Audit BGP peers and filters using tools like BGPmon.
- Deploy RPKI: Start with validation, progress to signing ROAs via regional registries.
- Enable IPv6: Activate dual-stack on core routers, test with public datasets.
- Join MANRS: Publicly commit and monitor compliance.
- Monitor Actively: Leverage ALTO for traffic optimization and anomaly detection.
These steps yield immediate resilience gains.
Frequently Asked Questions
What is MANRS and why join?
MANRS outlines voluntary norms to enhance routing security. Joining signals commitment, boosts reputation, and accesses resources.
How does RPKI work with IPv6?
RPKI issues digital certificates (ROAs) validating prefix origins, applicable to IPv6 allocations from IANA/regionals.
Is IPv6 deployment complete?
No, but accelerating: 40%+ global traffic, varying by region. Full adoption hinges on app ecosystems.
What are BGP hijack risks?
Attackers announce false routes, diverting traffic. Mitigated by validation and filtering.
Resources for getting started?
Check NANOG archives, ISOC MANRS site, ARIN IPv6 guides.
References
- IPv6 Address Allocation and Policy — RIPE NCC. 2023-01-01. https://www.ripe.net/publications/docs/ripe-738
- BGP Security Update — NANOG. 2025-06-01. https://www.nanog.org
- Resource Public Key Infrastructure (RPKI) Overview — IETF RFC 9310. 2022-10-25. https://datatracker.ietf.org/doc/html/rfc9310
- IPv6 Addressing Architecture — IETF RFC 4291. 2006-02 (authoritative standard). https://datatracker.ietf.org/doc/html/rfc4291
- MANRS Actions — Internet Society. 2024-03-15. https://www.manrs.org
- ARIN IPv6 Deployment Guide — ARIN. 2025-01-20. https://www.arin.net/resources/guide/ipv6
Word count: 1723 (excluding HTML tags, metadata, and references).
Similar Articles
Read full bio of Sneha Tete
