Mind Your MANRS: A Safer Internet Through Secure Global Routing
We access most of the applications we use today over the internet, which means securing global routing matters to all of us. Surprisingly, the most common method of securing it is through trust relationships. MANRS, or the Mutually Agreed Norms for Routing Security, is an initiative to secure internet routing through a community of network practitioners that facilitates open communication, accountability, and the sharing of information.
MANRS, or the Mutually Agreed Norms for Routing Security, is an initiative of the Internet Society to help secure internet peering relationships and ultimately help secure global routing. It’s not a technology, it’s not a formal regulatory body, and it’s not a new encryption method. Instead, MANRS is a culture, a philosophy, and a community.
Mind your MANRS
In a recent episode of Telemetry Now, Aftab Siddiqui from the Internet Society joined us to talk about how the MANRS initiative is the center of a global community of engineers trying to keep peering relationships and routing advertisements safe and secure. Community is undoubtedly a central theme with MANRS. From their website:
“Joining MANRS means joining a community of security-minded organizations committed to making the global routing infrastructure more robust and secure. MANRS outlines simple, concrete actions organizations can take, tailored to their role on the Internet….”
How MANRS helps with global routing security
MANRS is a matter of accountability, peer review, coordination, and collaboration. Its membership comprises any organization with an internet presence that wants to secure its global routing footprint. MANRS also provides a third-party mechanism organizations can use to show the world they follow best practices to secure routing relationships and configurations. This way, a service provider, CDN, or any other member organization can point to its MANRS membership to show that it follows routing best practices.
Made up of a self-governed collection of service providers, CDNs, IXPs, large enterprises, and network vendors, the MANRS community operates with a charter and steering committee to promote the global adoption of MANRS actions and improvements in routing security. To get there, members work together to provide reliable tools for compliance and measurement, such as the MANRS Observatory, to build the capacity of network engineers through training and fellowship programs, and to advocate for policies that strengthen routing security.
The MANRS initiative identifies four “actions” member organizations can take to improve routing security.
- Filtering – defining a clear routing policy and implementing a system to ensure that announcements to adjacent networks are correct.
- Anti-spoofing – enabling source address validation (SAV) and implementing anti-spoofing to prevent packets with incorrect source IP addresses from entering and leaving the network.
- Coordination – maintaining globally accessible up-to-date contact information to assist with incident response.
- Global validation – publishing data that enable other stakeholders to validate routing information worldwide.
Notice that these actions comprise configuration best practices and the collaborative work of peer review and open communication. It’s not simply a matter of fixing bad BGP configuration. It’s also a framework for open communication among peers, a mechanism for peer review, an encouragement to employ technologies such as RPKI, and a community to help with security issues.
Routing security and best practices
The term “routing security” may conjure thoughts of malicious activity, routing hijacks, DDoS attacks, etc. However, many of the problems with global routing are a result of unintended misconfiguration or poor implementation.
So as much as the MANRS community is indeed concerned with securing global routing from malicious attacks and activity, it’s also concerned with helping members use configuration best practices.
For example, members will be periodically peer-reviewed to ensure their configurations and policies meet routing best practices. Additionally, the MANRS organization provides best practice guides, policies, and monitoring and debugging tools.
Community members are also encouraged to employ methods to verify source addresses, peering entities, and more using techniques such as ASPA, ROA, and RPKI. This way, the MANRS initiative helps its members ensure they have the tools, knowledge, and community to protect their presence on the internet and their peering relationships.
To learn more and hear a very informative conversation with Aftab Siddiqui, listen to the recent Telemetry Now podcast episode “The MANRS initiative to secure global internet routing.”