MANRS + IXPs = A MORE Secure Internet Routing System

Internet Exchange Points (IXPs) are a critical community to adopt the MANRS (Mutually Agreed Norms on Routing Security) initiative to make the Internet’s routing infrastructure more secure. I recently made this point when given an opportunity to present MANRS at the MORE-IP conference organized by one of the leading Internet Exchanges, AMS-IX.

Why do I think the IXP community is an important audience?

While MANRS is a truly global collaborative effort, its success very much depends on the sense of ownership, peer pressure and common understanding. These properties are the strongest in relatively small communities united by common operational objectives. The IXP community fits this profile very well.

I was very glad to reconfirm to myself that the AMS-IX community takes security issues seriously. For example, there was a presentation from the AMS-IX technical team about their proposed setup for outgoing prefix filtering on AMS-IX route servers. In other words, instead of each ISP building its own filters on which routing updates to accept from each of its peers, the route server is going to do this for them. A peer can choose between the traditional IRR or the RPKI repository as the source of information for building filters, and can select whether prefixes are filtered or only tagged. The more members adopt this setup, the less vulnerable the global routing system will become. And given 715 networks peering at AMS-IX, this will definitely have an impact.
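To make the RPKI option and the filter-versus-tag choice concrete, here is an added example (not AMS-IX's code or configuration) of route origin validation in the style of RFC 6811, applied in both modes. The ROAs, routes, mode names and tag strings are constructed for illustration, and letting routes with no covering ROA through is an assumption.

```python
import ipaddress

# Constructed ROAs: (prefix, max length, authorized origin ASN).
# Documentation prefixes and private-use ASNs, not real RPKI data.
ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("2001:db8::/32", 48, 64501),
]

# Constructed announcements as a route server might receive them: (prefix, origin ASN).
ROUTES = [
    ("192.0.2.0/24", 64500),      # matches a ROA
    ("192.0.2.0/24", 64511),      # covered, but wrong origin
    ("192.0.2.128/25", 64500),    # covered, but more specific than max length
    ("2001:db8:1::/48", 64501),   # within max length
    ("2001:db8:1::/56", 64501),   # too specific
    ("198.51.100.0/24", 64500),   # no covering ROA
]

def validate(prefix, origin_asn, roas=ROAS):
    """Return 'valid', 'invalid' or 'unknown' for one announcement."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True  # at least one ROA covers this prefix
        if asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    # Covered but never matched means someone else is authorized: invalid.
    return "invalid" if covered else "unknown"

def route_server_export(routes, mode):
    """'filter' drops invalid routes; 'tag' passes everything with a label.

    The mode names and 'rpki-<state>' labels are hypothetical.
    """
    exported = []
    for prefix, origin in routes:
        state = validate(prefix, origin)
        if mode == "filter" and state == "invalid":
            continue
        tags = [f"rpki-{state}"] if mode == "tag" else []
        exported.append((prefix, origin, tags))
    return exported
```

In tag mode the decision to drop or keep an invalid route stays with the receiving peer, which is why it only reduces exposure for peers that act on the label.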

Another presentation was about the Trusted Networks Initiative – a last-resort solution, hosted by the Hague Security Delta, for DDoS attacks that are too big to handle. This initiative is supported by AMS-IX and is based on peering on a separate private VLAN by a set of “trusted” networks. “Trust” is based on adherence to norms that are similar to MANRS. Moreover, the members list has a separate column indicating their participation in MANRS, although I was a bit surprised to see this box checked only for one network.

I think that, regardless of the existence of “fire exits”, it is important that we work on making the whole building fire-proof, to use an analogy. I see MANRS as a tool for local communities, like the AMS-IX association, to use to create a new, more secure and resilient norm for routing.

P.S. If you are with a network operator, have you signed the MANRS document? If not, why not do so today?

Image credit: Photo of Andrei Robachevsky speaking provided by the MORE-IP conference organizers.