Categories
Mutually Agreed Norms for Routing Security (MANRS) Strengthening the Internet

The State of Routing Security at DNS Registries

The Domain Name System (DNS) is an important component of the Internet, but it was not designed with security in mind. In the last 20 years or so, much attention has been directed at improving its inherently insecure aspects.

This includes the deployment of DNS Security Extensions (DNSSEC), which enable cryptographic validation of DNS records, and more recently DNS-over-TLS and DNS-over-HTTPS, which encrypt DNS transactions between hosts and resolvers.

The DNS, though, is also dependent on the global routing system for sending DNS queries from resolvers to servers, and then returning the responses. The integrity of the routing system is, therefore, extremely important for ensuring DNS transactions are delivered efficiently to the correct destination. Yet, at present, few DNS registries are implementing Resource Public Key Infrastructure (RPKI), a public key infrastructure framework designed to secure the Internet’s routing infrastructure, specifically the Border Gateway Protocol (BGP).

A survey of 4,138 zones – that included 1,201 generic top-level domains (gTLDs), 308 country code top-level domains (ccTLDs), 271 reverse map zones, and 1,780 sub-ccTLD zones – showed a total of 6,910 route origins for the name servers that are serving these zones.

Yet, just 22% of these had valid Route Origin Authorisations (ROAs). A ROA is a digitally signed object that verifies an IP address block holder has authorized an AS (Autonomous System) to originate routes to one or more prefixes within the address block.

Whilst the figures for the reverse map zones (53%) and ccTLD zones (34%) give evidence of deployment, they are significantly lower for the gTLD zones (11%). In fact, around 40% of TLDs have no ROA deployment at all, with 20% only having partial deployment.

These findings are discussed in more depth in “A Look at Route Origin Authorizations Deployment at DNS Registries” on the MANRS website. It is important to highlight an aspect of DNS security that has been somewhat overlooked.

If you’re interested in finding out more about why routing security is so important, please also read our five-part Introduction to Routing Security.

Knowledge Sharing and Meaningful Conversation at InterCommunity 2020: Securing Global Routing

Recently, five routing security experts shared how they’ve been working to protect the Internet from the most common routing threats – by implementing and promoting the actions called for in Mutually Agreed Norms for Routing Security, or MANRS. They were all participants in InterCommunity, which gives the Internet Society community a way to connect for meaningful conversations about the issues that matter most to the Internet.

Want to join the InterCommunity conversation? Become an Internet Society member today!

This session of InterCommunity, “Securing Global Routing,” set out to increase awareness of MANRS, share good routing practices, and encourage more network operators to take the MANRS actions to make the Internet more secure for us all.

The speakers shared their network operations and capacity building knowledge while more than 200 participants joined the informative conversation live.

Special thanks to Melchior Aelmans of Juniper Networks who moderated the discussion skillfully!

Here’s what the panelists had to say:

Abdul Awal, Bangladesh National DataCentre
Awal spoke about his goals in building technical capacity around Resource Public Key Infrastructure (RPKI) and raising awareness of MANRS principles in South Asia. He also discussed how we can help networks validate their routing information by implementing Route Origin Authorizations (ROAs).

ROAs enable network operators to cryptographically sign routing advertisements sent over Border Gateway Protocol (BGP) to other networks on the Internet. Using RPKI, other networks can cryptographically verify ROAs and drop similar routing information that may be received from other networks.

This significantly improves Internet security by preventing distribution of invalid route advertisements that may lead to parts of the Internet being unreachable or being hijacked by malicious networks.

Awal has worked with networks in the Asia-Pacific region to increase the percentage of valid routing information, thus improving the region’s secure routing.

Mark Tinka, SEACOM
Mark has been in the routing and network engineering industry for several years, active in both the Asia-Pacific and African regions as a network operator and trainer.

Working with RPKI since 2014, Mark explained how routing hardware from Cisco and Juniper has helped improve RPKI support over the years. He also described the process of deploying RPKI in Africa and some of the challenges he faced.

Kevin Blumberg, TORIX
Kevin spoke about implementing MANRS principles from the viewpoint of an Internet Exchange Point (IXP).

TORIX is an IXP in Toronto, Canada that has grown from 1 Gigabit per second in 2000 to 1.1 Terabits per second in 2020. He said it was easy for TORIX to become a MANRS participant as it had been running Internet Routing Registry (IRR) based filtering for more than a decade.

He also said IXP operators are generally less restrictive and so IXPs can easily become a source of a BGP hijack where different networks trust the routing information they receive. Therefore, TORIX feel they have a social obligation to ensure the peering data at their IXP is valid. Without this, it would be easy to propagate route hijacks via IXPs and TORIX wants to prevent that.

Jorge Cano, NIC.mx
Jorge spoke about FORT, a free and open source RPKI validator. An RPKI validator helps routers quickly validate routing information received over BGP without burdening routers with more processing load. FORT works on both Linux and BSD, and the Mexican registry is working on it with the help of LACNIC. The validator is free to use and open to everyone.

Jorge ran a poll to see which validator was most commonly used by the audience. We learned that most participants were currently using the RIPE Validator, with a few already using FORT.

Tashi Phuntsho, APNIC
Tashi gave a presentation on why it is important to secure global routing, highlighting the issues with differences in validated ROA outputs observed with different validators, and the ROA outreach work by the APNIC Training team in the region. Tashi also noted the beta testing the APNIC Training team has done with ROSv7.

If you run an ISP, IXP, CDN, or cloud network let’s protect the Internet ecosystem together. Join MANRS!

A (Fairly) Non-Technical Guide to Routing Security Basics

On the MANRS website, we write about routing security. We dig into the details of technical problems, research the origins of route leaks and hijacks, analyze trends and statistics related to networks around the globe via the MANRS Observatory, and generally get pretty nerdy about how to improve the routing system that underpins the Internet. Last week, we took a step back and published a series of posts regarding Routing Security Basics.

This 5-part series covers the following topics:

While it’s difficult to explain routing security without assuming some baseline knowledge, our intent is for these posts to be as non-technical as possible to help non-experts understand this sometimes-complicated topic.

It all started with a Twitter thread on a Friday afternoon, comparing routing security to online dating. We then expanded this silly analogy into a series of blog posts. Follow along as Juan, Maria, and Bad Guy Chad help us explain the types of routing incidents that happen and how the simple, concrete MANRS actions can help.

We hope you’ll read the Routing Security Basics posts, and if you’re running a network at an ISP, IXP, or CDN/Cloud provider, we hope you’ll consider implementing the MANRS actions and joining the MANRS community.


Image by Alexander Sinn via Unsplash

Meet the MANRS Ambassadors

We’ve appointed four MANRS ambassadors in the areas of training, research, and policy. We’re excited to welcome Anirban Datta, Flavio Luciani, Boris Mimeur, and Sanjeev Gupta to the program, and can’t wait to benefit from their input and expertise.

Ambassadors are representatives from current MANRS participant organizations who provide mentorship, guidance, and feedback to others in the routing security community. With their wealth of experience and knowledge – and their passion and commitment – they help make the global routing infrastructure more robust and secure.

The MANRS Ambassadors Selection Committee, consisting of six representatives from the MANRS Advisory Group, assessed the applications and appointed four exceptional individuals.

They’ll receive a monthly stipend of US$1,500 for up to six months and together they’ll train people on good routing practices, analyze routing incidents, research ways to secure routing, and survey the global policy landscape. Ambassadors will also provide mentorship to the MANRS Fellows in their respective categories to help the Fellows to fulfill their obligations.

Four Amazing Ambassadors

Anirban Datta, training ambassador

Anirban works for Fiber@Home Global Ltd in Dhaka, Bangladesh. His role is to establish international links and points of presence in different parts of the world. He’s also involved with many Internet network operators’ groups (NOGs) and community-driven organizations like bdNOG, SANOG, and INNOG. As an instructor, he helps to improve the technical knowledge of the local community.

Flavio Luciani, training ambassador

Flavio Luciani has a master’s degree in computer engineering from Roma 3 University. He’s worked with Namex since 2008. He supervised the technical and infrastructural development of the Internet exchange point, firstly as a member of the technical staff and then, from March 2020, as Chief Technology Officer.

Boris Mimeur, research ambassador

Boris is the Vice-President of Engineering Operations at CENGN in Canada. He leads teams developing a secure hybrid cloud platform that enables test and validation for new products and technologies. In the last two years, Boris has supported the promotion of security in BGP routing through partnerships with multiple Canadian Telecom Service Providers. He’s also contributed to the development of the IXP/CXP for the Ottawa Gatineau region (OGIX).

Sanjeev Gupta, policy ambassador

Sanjeev is based in Singapore. He first heard about routing in the late 80s. He believed that every single router contacted every other router every 30 seconds and the idea of security never entered his mind. Since then, he’s learnt the hard way what happens when people announce routes to Google. Trying to figure out why traffic for your network is going to a small Vietnam Internet service provider via a European Tier 1, when you have no relationship with either, is frustrating at best.

The Internet Society supports this program as part of its work to reduce common routing threats and establish norms for network operations. Find out more and join MANRS today.

MANRS Welcomes Three New CDN and Cloud Participants

The MANRS Content Delivery Network (CDN) and Cloud Program continues to grow in numbers and in strength with three new participants.

Hostmein, Verisign, and Vultr have deepened their commitment to strengthening the security and resilience of the Internet’s global routing system. Participants of this program, which launched in March 2020, implement important practices for mitigating common routing security threats.

Joining means committing to taking five mandatory, and one optional, security-strengthening actions. These include preventing propagation of incorrect routing information and traffic with illegitimate source IP addresses, and facilitating global operational communication and coordination. Read the full list of actions.

“MANRS is more an idea than a framework, and it is a tremendous idea,” said Hostmein CTO Alexander Stamatis. “It raises awareness, it raises new checks to be implemented in the industry, and it keeps us more in line with the primary mission: keeping the network clean, keeping it safe.

“MANRS is the best implementation that we have done to date. We have found it to be more effective than other specialised IT certifications. And it is better because it was built by engineers for engineers. We discovered issues no other certification could detect and those were resolved thanks to MANRS,” he said.

Yong Kim, Verisign’s Vice President of Cyber Strategy and Research, said: “Routing security is of the utmost importance to Verisign’s mission and, as an early participant in the MANRS Network Operator Programme, Verisign remains fully supportive of this initiative and its efforts to promote a culture of collective responsibility, collaboration, and coordination among network peers in the global internet routing system.”

Kim said Verisign endeavors to assist with the development of and follow industry best practices on filtering non-valid and reserved space from its peers, in addition to implementing anti-spoofing controls at all its borders.

Verisign, an organization member of the Internet Society, also maintains up-to-date contact information in the PeeringDB and relevant RIR databases as well as accurate routing information in the Internet Routing Registries (IRRs). “Verisign personnel actively promote MANRS adoption at conferences and industry meetings,” he said.

Tomas Lynch, Senior Network Architect at Vultr said, “Being MANRS compliant is not only good for Vultr, it’s an opportunity for us to help our peering partners improve their security while we contribute to a more resilient and trustworthy Internet for everyone. It requires cooperation to ensure that routing leaks do not cascade into reliability or security issues. MANRS provides the framework for coordinated action.”

Hostmein, Verisign, and Vultr join eight current participants: Akamai, Amazon Web Services, Azion, Cloudflare, Facebook, Google, Microsoft, and Netflix, securing large hubs of the Internet from common routing problems.

Would you like to join our ever-growing community of Internet networks committed to improving the resilience and security of the routing infrastructure? They’re helping keep the Internet safe for businesses and consumers alike.

Find out more and join MANRS today.

Internet2 Ramps up MANRS Support for U.S. Research and Education Community

The research and education community in the U.S. relies on a critical infrastructure to meet our education and research missions: the global Internet. This has been especially true during the COVID-19 pandemic, when it has enabled the rapid transition from on-campus to at-home learning.

In addition to being intense Internet users, we also operate a significant part of the Internet that’s tuned to meet higher education’s unique needs. The Internet2 network interconnects more than 1,000 individual networks across the U.S., and collectively we coordinate our activities and operations to ensure researchers and educators have the capabilities they need.

The Internet2 community is increasing participation in MANRS because routing security is a growing area of concern for network operators around the globe.

Whether from accidental misconfiguration or malicious hijack, the results are often more than just inconvenient. As academic and business-critical functions are hosted or off-prem, the Internet is no longer a nice-to-have, but a key component of an organization’s IT infrastructure.

Colleges and universities have a long history of being connected to the Internet, and there was a time when connecting to the Internet was nearly “set it and forget it.”

But, today, this shared and critical infrastructure needs our attention. Routing security is vital to the future and stability of the Internet.

MANRS provides a framework and specific practices that the Internet2 community can embrace to better care for the security and resilience of this vital infrastructure. With over 1,000 separate networks, we rely on active community engagement to encourage the adoption of MANRS practices.

Our current engagement activities focus on complete and accurate documentation of routing policies in an Internet Routing Registry (IRR). Several of the networks that interconnect with the Internet2 backbone require, or will soon require, a valid route object for each prefix they accept, meaning that each network that connects to them must ensure their Autonomous System Numbers (ASNs) and IP prefix(es) are accurately entered in an IRR. Of Internet2’s over 5,000 routes, roughly 80% currently meet this requirement and the community is working together to assist those that still need to create IRR records for their prefixes.
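One way to check that every announced prefix has a matching route object, as an added example rather than Internet2's own tooling. It assumes exact prefix-and-origin matching against RPSL route/route6 objects (individual networks may apply their own filter rules); the registry text, maintainer name, and announcements are constructed.

```python
import ipaddress
import re

# Constructed RPSL sample using documentation prefixes and ASNs; the
# maintainer and source names are placeholders, not real IRR data.
SAMPLE_IRR = """\
% constructed example, not a real registry response
route:      192.0.2.0/24
descr:      Example campus network
            (continuation line)
origin:     AS64496
mnt-by:     MAINT-EXAMPLE
source:     EXAMPLE

route:      198.51.100.0/24
origin:     as64497   # RPSL is case-insensitive
source:     EXAMPLE

route6:     2001:db8::/32
origin:     AS64496
source:     EXAMPLE
"""

# Constructed announcements: (prefix, origin AS) pairs a network sends upstream.
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),
    ("198.51.100.0/24", 64497),
    ("2001:db8::/32", 64496),
    ("203.0.113.0/24", 64496),    # no route object at all
    ("198.51.100.0/24", 64511),   # route object exists, other origin
]


def parse_route_objects(text):
    """Return {(network, origin_asn)} for every route/route6 object in text."""
    registered = set()
    for obj in re.split(r"\n\s*\n", text):      # objects are blank-line separated
        prefix = origin = None
        for line in obj.splitlines():
            # Skip server remarks (%), comments (#) and continuation lines.
            if not line.strip() or line[0] in "%# \t+":
                continue
            key, _, value = line.partition(":")  # first colon only (IPv6-safe)
            key = key.strip().lower()
            value = value.split("#", 1)[0].strip()
            if key in ("route", "route6"):
                prefix = ipaddress.ip_network(value)
            elif key == "origin":
                match = re.fullmatch(r"AS(\d+)", value, re.IGNORECASE)
                if match:
                    origin = int(match.group(1))
        if prefix is not None and origin is not None:
            registered.add((prefix, origin))
    return registered


def check_announcement(registered, prefix, origin_asn):
    """Return 'registered', 'origin-mismatch' or 'missing' for one announcement."""
    net = ipaddress.ip_network(prefix)
    origins = {asn for reg_net, asn in registered if reg_net == net}
    if origin_asn in origins:
        return "registered"
    return "origin-mismatch" if origins else "missing"


def coverage(registered, announcements):
    """Percentage of announcements backed by a matching route object."""
    ok = sum(check_announcement(registered, p, a) == "registered"
             for p, a in announcements)
    return 100.0 * ok / len(announcements)


if __name__ == "__main__":
    objects = parse_route_objects(SAMPLE_IRR)
    for p, a in SAMPLE_ANNOUNCEMENTS:
        print(f"{p:<18} AS{a:<6} {check_announcement(objects, p, a)}")
    print(f"coverage: {coverage(objects, SAMPLE_ANNOUNCEMENTS):.0f}%")
```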

With such a broad range of organizations, it can be challenging to identify the key individual that is empowered to create the needed records. Fortunately, we have been able to engage the community with a series of webinars, office hours, and other means to ensure these requirements are well understood and the resources are available to assist. The most recent MANRS webinar we hosted took place in April, which you are welcome to watch.

While our current focus is IRR records, we are preparing for the next phase of outreach, which will seek to increase the adoption of RPKI (Resource Public Key Infrastructure). RPKI is a specialized public key infrastructure that allows the holders of Autonomous System Numbers (ASNs) and IP addresses to be cryptographically verified using Route Origin Authorization (ROA) objects. An ROA attests which AS is authorized to originate certain IP prefixes.
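How a network applies ROAs to a received route, which is also the check behind the "verify ROAs and drop" step described earlier on this page, shown as an added example (not code from MANRS, Internet2, or any validator project). It follows the origin validation procedure of RFC 6811; the prefixes, AS numbers, and function names are constructed for illustration.

```python
import ipaddress
from collections import Counter
from typing import List, NamedTuple, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class VRP(NamedTuple):
    """Validated ROA Payload: the (prefix, maxLength, origin AS) triple a
    validator extracts from a ROA after checking its signature chain."""
    prefix: Network
    max_length: int
    asn: int


def make_vrp(prefix: str, max_length: int, asn: int) -> VRP:
    net = ipaddress.ip_network(prefix)
    # maxLength may not be shorter than the ROA prefix or longer than the address.
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"bad maxLength {max_length} for {prefix}")
    return VRP(net, max_length, asn)


def validate_origin(vrps: List[VRP], prefix: str, origin_asn: int) -> str:
    """Classify one BGP route as 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for v in vrps:
        if v.prefix.version != route.version or not route.subnet_of(v.prefix):
            continue  # this VRP says nothing about the route
        covered = True
        # AS0 in a ROA means "do not route"; it can never match an origin.
        if v.asn != 0 and v.asn == origin_asn and route.prefixlen <= v.max_length:
            return "valid"
    # Covered by some ROA but matched by none: wrong origin or too specific.
    return "invalid" if covered else "not-found"


def summarize(vrps: List[VRP], routes: List[Tuple[str, int]]) -> Counter:
    return Counter(validate_origin(vrps, p, a) for p, a in routes)


def valid_share(vrps: List[VRP], routes: List[Tuple[str, int]]) -> float:
    """Percentage of route origins that validate as 'valid'."""
    return 100.0 * summarize(vrps, routes)["valid"] / len(routes)


def drop_invalid(vrps: List[VRP], routes: List[Tuple[str, int]]):
    """Drop-invalid policy: keep 'valid' and 'not-found', discard 'invalid'."""
    return [(p, a) for p, a in routes if validate_origin(vrps, p, a) != "invalid"]


# Constructed sample data (documentation prefixes and ASNs), not survey results.
SAMPLE_VRPS = [
    make_vrp("192.0.2.0/24", 24, 64496),
    make_vrp("198.51.100.0/24", 24, 64497),
    make_vrp("2001:db8::/32", 48, 64496),
    make_vrp("203.0.113.0/24", 24, 0),        # AS0: holder says "never route this"
]
SAMPLE_ROUTES = [
    ("192.0.2.0/24", 64496),       # exact match
    ("192.0.2.128/25", 64496),     # right origin, longer than maxLength
    ("198.51.100.0/24", 64511),    # covered prefix, wrong origin
    ("2001:db8:53::/48", 64496),   # more specific, within maxLength
    ("203.0.113.0/24", 64500),     # covered only by an AS0 ROA
    ("198.18.0.0/24", 64501),      # no covering ROA
]

if __name__ == "__main__":
    for p, a in SAMPLE_ROUTES:
        print(f"{p:<18} AS{a:<6} {validate_origin(SAMPLE_VRPS, p, a)}")
    print(f"valid share: {valid_share(SAMPLE_VRPS, SAMPLE_ROUTES):.1f}%")
```

A route that is "not-found" is kept under this policy because most address space still has no ROA; only routes that contradict a published ROA are dropped.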

Taking part in MANRS and the Internet2 community’s efforts connects you with a community of security-minded professionals and organizations committed to making the global routing infrastructure more robust and secure. Whether you run an ISP, IXP, CDN or cloud network, join us to protect the Internet ecosystem together.


Image by Nathan Dumlao via Unsplash

MANRS Fellowship Program Now Open

The first-ever MANRS (Mutually Agreed Norms for Routing Security) Fellowship Program is now accepting applications. If you are an emerging leader eager to improve the well-being of the Internet’s global routing system, apply now.

The program gives highly motivated individuals the chance to work alongside MANRS ambassadors, who are industry leaders participating in the Ambassador Program. Together, they will train diverse communities on good routing practices, analyze routing incidents, research ways to secure routing, and survey the global policy landscape.

Fellows will improve their skills and bring new perspectives and ideas to MANRS. They will also gain valuable insights and networking opportunities from well-respected professionals called MANRS Ambassadors under the MANRS Ambassadors Program. The selection process for this program is currently underway.

The Internet Society supports this program as part of its work to reduce common routing threats and establish norms for network operations.

You can apply for a fellowship in three different areas: training, research, and policy. Each fellow will receive a stipend of $750 a month. There is no age requirement and you can apply for more than one category but will only be selected for one of them.

Online training

Responsible for: Conducting MANRS online tutorial and virtual hands-on workshops, helping improve existing training and workshop content, and working with regional and national operator groups to understand their training requirements.

Requirements: At least two years’ experience, a good understanding of Border Gateway Protocol (BGP), and experience in training Regional Internet Registries (RIRs) or community-based organizations.

Commitment: 3-6 months, up to six hours’ work per week.

Research

Responsible for: Maintaining a list of and writing in detail about the latest BGP hijacks, leaks, and bogon announcements; reviewing, testing, and reporting on Network Operating Systems’ implementation of BGP Prefix filtering, SAV, and RPKI.

Requirements: A minimum of four years’ experience, strong English writing skills, and a good understanding of BGP dumps and routing incidents.

Commitment: 3-6 months, up to four hours’ work per week.

Policy analysis

Responsible for: Reviewing and improving all the existing policy documents targeting Internet security, routing security, DDoS, and other issues that MANRS can act on.

Requirements: An understanding of routing and routing security, experience in writing policy documents and working with policy makers or in policy forums.

Commitment: 4 months, up to four hours’ work per week.

The deadline for fellowship applications is Thursday 25 June.

Find out more and apply online.

If you have any questions about this program or the application process, email manrs-fellows@isoc.org.

Making the Most of Our MANRS Partnerships – NIC.br and Brazil Lead the MANRS Pack

Improving the state of routing security is no small task. It requires network operators, IXPs, and CDN and cloud providers of all sizes across the globe to work together, improve their own networks, and open lines of communications with both their friends and competitors to make a real difference.

One of the ways we’ve been able to spread the MANRS message so far and wide is through partnerships. We’re lucky to have dedicated, strong partners in several regions of the world. In this post, we’ll talk about one partnership in particular – NIC.br – and how their efforts have changed the landscape for routing security in Brazil and beyond.

A Little History

NIC.br is responsible for the administrative and operational functions related to the .br (Brazil) domain. In addition, NIC.br goes beyond similar entities in other countries, investing in actions and projects that bring a series of benefits to the improvement of activities related to the available Internet infrastructure in Brazil.

In 2017, NIC.br hosted a Safer Internet Program, which the Internet Society supported. NIC.br invited Andrei Robachevsky to speak on a fairly new initiative called MANRS addressing routing security as part of a safer Internet. The message resonated with the audience as well as with NIC.br, and this led to signing a formal Memorandum of Understanding between the Internet Society and NIC.br in June 2018.

What Does NIC.br Do to Support MANRS?

Since then, NIC.br has been busy! Just a few of the ways they’ve supported routing security and MANRS include:

  • Launching the NIC.br RPKI platform, in delegated mode, at the end of 2019
  • Translating the “MANRS Actions for Network Operators” document into Portuguese
  • Promoting MANRS Actions in meetings with major operators across Brazil
  • Training courses on routing best practices
  • Presentations at ISP Association events, to reach thousands of ISPs
  • Developing a MANRS information folder for distribution at ISP Associations events
  • Meetings with local ISPs who have security problems, as measured by NIC.br
  • Creating a website for the Program for a Safer Internet, which includes MANRS as one of the main safety recommendations
  • Articles in specialized magazines mentioning MANRS as a key component of a safer Internet

What Are the Results?

There are currently 365 network operators participating in MANRS, and 96 operate in Brazil, an impressive 26%. There’s also one Brazilian IXP on board.

Figure 1: Country breakdown of MANRS Network Operators Programme participants as of 8 May 2020.

While Brazil continues to have a high number of routing incidents, we have seen some impressive improvements, e.g., more valid ROAs, more valid IRR objects, and a big positive change in Coordination across Brazil and the region.

The graph below, compiled from bgpstream.com data, shows the decrease in the percentage of culprits in top countries, with Brazil showing vast improvement.

Figure 2: Routing incidents over time. Data from bgpstream.com

We hope to replicate this success in other countries through other partnerships. If you’d like to help, contact us or join the initiative.

A huge thank you to NIC.br for tireless work promoting MANRS, better routing security, and a safer Internet for us all. We’re proud to be working with you.


MANRS – Making the Most of Our Partnerships: NIC.br and Brazil Lead MANRS Participation

Improving the state of routing security is no easy task. It requires network operators, IXPs, CDNs, and cloud service providers of all sizes, all over the world, to work together, improve their own networks, and open lines of communication with their partners and competitors to improve the network as a whole.

One of the ways we have managed to spread the MANRS message widely is through partnerships. We are fortunate to have strong, dedicated partners in several regions of the world. In this post, we will talk about one partner in particular – NIC.br – and how its efforts have changed the secure routing landscape in Brazil and abroad.

A Little History

NIC.br is responsible for the administration and operation of the .br (Brazil) domain, and goes beyond similar entities in other countries by investing in actions and projects that bring a series of benefits for improving activities related to Internet infrastructure in Brazil.

In 2017, NIC.br launched the “For a Safer Internet” Program (“Por uma Internet mais segura”), with the support of the Internet Society and Brazilian provider associations. At the time, it invited Andrei Robachevsky to present a relatively new initiative called MANRS, addressing routing security as part of a safer Internet. The message resonated with the audience, as well as with NIC.br, and this led to the signing of a formal memorandum of understanding between the Internet Society and NIC.br in June 2018.

What Does NIC.br Do to Support MANRS?

Since then, NIC.br has been quite busy! Below are just some of the actions it carries out to promote routing security and MANRS:

  • Translating the MANRS Actions for Network Operators document into Portuguese
  • Promoting MANRS actions in meetings with major operators across Brazil
  • Training professionals with courses on good routing practices
  • Presentations at provider association events, to reach thousands of ISPs
  • Developing a leaflet with information about MANRS for distribution at provider association events
  • Meetings with local ISPs that have security problems, according to measurements made by NIC.br
  • Creating a website for the “For a Safer Internet” Program, which includes MANRS as one of the main security recommendations
  • Launching the NIC.br RPKI platform, in delegated mode, at the end of 2019
  • Articles in specialized magazines mentioning MANRS as a key component of a safer Internet

What Are the Results?

Currently, 365 network operators participate in MANRS and 96 operate in Brazil, an impressive 26%. There is also one Brazilian IXP participating in MANRS.

Figure 1: Distribution by country of participants in the MANRS Network Operators Programme as of 8 May 2020.

Although Brazil continues to have a high number of routing incidents, we have seen some impressive improvements, such as more valid ROAs, more valid IRR objects, and a big positive change in coordination in Brazil and the region.

The graph below, with data compiled from bgpstream.com, shows the decrease in the percentage of those responsible for routing incidents in the top countries, with Brazil showing a great improvement.

Figure 2: Percentage of routing incidents over time. Data from bgpstream.com

We hope to replicate this success in other countries through other partnerships. If you would like to help, get in touch or join the MANRS initiative.

A huge thank you to NIC.br for its tireless work promoting MANRS to improve routing security and give us all a safer Internet. We are proud to work with you.


Image by Sergio Souza via Unsplash

Over 300 ISPs Now Improving Routing Security with MANRS

Today, we’re proud to announce another milestone: the number of network operators that commit to the Mutually Agreed Norms for Routing Security (MANRS) has surpassed 300.

The current number of network operator program participants stands at 322. These Internet Service Providers (ISPs) joined the initiative by showing their conformance with the actions to improve the resilience and security of the Internet’s routing infrastructure.

Launched in 2014 with a group of nine operators, the number of MANRS participants reached 100 in 2018 and has risen rapidly in the last two years, with 156 joining in 2019 alone, and 45 so far in 2020.

This includes operators in more than 60 countries across all continents; with Brazil leading the way with nearly 70 MANRS participants, followed by the US with nearly 50.

According to BGPStream, the number of reported routing incidents was on the decrease from 2017 to 2019 (see chart below), while the number of MANRS participants grew in the period. While this does not mean one caused the other, a correlation between the two can be observed.

The MANRS community has grown rapidly through its other programs, too. In 2018, the initiative expanded to include Internet Exchange Points (IXPs), with 48 participants now committed to the MANRS IXP Programme.

Last month, the MANRS Content Delivery Network (CDN) and Cloud Provider programme was launched with eight leading companies, including Akamai, Amazon Web Services, Azion, Cloudflare, Facebook, Google, Microsoft, and Netflix, with a number of other companies onboarding soon.

The three programs each have their own set of actions that are based on industry best practices, being developed and approved by community-driven task forces. Together, this growing community has taken concrete actions to secure more of the global Internet.

Awareness of MANRS and routing security in general has also been increasing in the wider world. In January 2020, a World Economic Forum (WEF) report recommended that ISPs should strongly consider joining MANRS to improve the security of the Internet’s global routing system.

MANRS shows that when the community comes together to create a baseline of routing security for network operators around the world, we can protect the core of the Internet. The growth of the community also shows there is an increasing sense of shared responsibility among network operators. Whilst no single operator can improve the Internet’s routing security alone, it is through collective actions like MANRS that progress is made.

Looking ahead, we aim to continue growing community adoption of MANRS by mobilizing other external communities with an awareness of MANRS, by improving monitoring and measurement of routing security, and by building capacity among network engineers around the world.

Whether you run an ISP, IXP, CDN or cloud network, please join the growing MANRS community to protect the Internet ecosystem together by signing up online.

New Category of CDNs and Cloud Providers Join MANRS to Improve Routing Security

Today, we’re proud to announce the new MANRS Content Delivery Network (CDN) and Cloud Programme. This new program broadens support for the primary objective of MANRS – to implement crucial fixes needed to eliminate the most common threats to the Internet’s routing system.

The founding participants are: Akamai, Amazon Web Services, Azion, Cloudflare, Facebook, Google, Microsoft, and Netflix.

Now, let’s back up and explain how we got here.

What Is MANRS?

Mutually Agreed Norms for Routing Security (MANRS) is a global initiative, supported by the Internet Society, that requires collaboration among participants and shared responsibility for the global Internet routing system. It’s a community of security-minded organizations committed to making routing infrastructure more robust and secure.

Originally designed by and for network operators, the initiative has already been extended once to address the unique needs and concerns of Internet Exchange Points. These two facets of MANRS complement each other – the first secures customer-provider interconnections, while the second creates a safe public peering environment.

How Do CDNs and Cloud Providers Help?

CDNs are a geographically distributed group of servers that work together to provide fast delivery of Internet content across the globe, and today the majority of web traffic is served through CDNs. Cloud providers offer network services, infrastructure, and/or applications in the “cloud” by hosting them in data centers, often distributed around the world, and providing access via the Internet or private interconnections.

CDNs and cloud providers help companies serve their content and online services to end users by delivering them in a distributed manner and from locations closer to those users. For instance, when you visit a website, its content is often fetched from the closest location and not from the website owner’s infrastructure, which could be much farther away and, as a result, much slower.

The two typically peer – exchange traffic directly – with thousands of other networks so that data can flow more efficiently, making them large hubs of the Internet interconnection infrastructure. Peering with CDNs and cloud providers can drastically improve performance of network services they host, so there is a clear benefit to interconnect with these networks.

While CDNs and cloud providers are basically edge networks, their impact on routing security can be significant. First, several known incidents showed that an edge network, even a small one, can cause havoc on the Internet by leaking routes. MANRS helps by requiring egress routing controls, so networks can prevent such incidents from happening. Second, leveraging CDNs’ and cloud providers’ peering power can have a significant positive spillover effect on the routing hygiene of the networks they peer with. In other words, if CDNs and cloud providers do their part to improve routing security and demand better practices from their customers, their customers will in turn step up their efforts, and together the Internet will be better and safer for all of us.

That is why in late 2018 the MANRS community formed a task force with representatives from Akamai, Azion, Cloudflare, Comcast, Facebook, Google, Microsoft, Nexica, Oracle, Telefonica, Redder, TORIX, and Verisign committed to developing a set of actions CDNs and cloud providers should take to improve routing security. The outcome of that task force’s work led to the creation of this new MANRS program.

What Do CDNs and Cloud Providers Need to Do?

The MANRS Content Delivery Network (CDN) and Cloud Programme lists six actions, of which five are mandatory to implement:

  1. Prevent propagation of incorrect routing information
  2. Prevent traffic of illegitimate source IP addresses
  3. Facilitate global operational communication and coordination
  4. Facilitate validation of routing information on a global scale 
  5. Encourage MANRS adoption
  6. Provide monitoring and debugging tools to peering partners (optional)

Program participation provides an opportunity to demonstrate attention to the security and sustainability of the Internet ecosystem and, therefore, dedication to providing high-quality services.

How Do I Sign Up?

Any CDN or cloud provider that takes at least the five required actions above is welcome to join us. Besides enjoying an improved security posture, MANRS participants also show their commitment to the sustainability and resilience of the Internet ecosystem by:

  • Creating a secure network peering environment, preventing potential attacks at their border
  • Encouraging better routing hygiene from their peering partners
  • Signaling their organization’s security-forward posture
  • Demonstrating responsible routing behavior
  • Improving operational efficiency for peering interconnections, minimizing incidents and providing more granular insight for troubleshooting

Why Is Routing Security Important?

The Internet routing system’s resilience and security is a collective responsibility. No single entity can solve BGP vulnerabilities, and yet without additional controls any network can wreak havoc on the system.

BGP – the protocol used to exchange reachability information between networks and build a “roadmap” of the Internet – does not have built-in validation mechanisms. Without additional controls, routing information is accepted as is, including falsifications and mistakes. When that happens, the roadmap is distorted and traffic follows undesired paths, gets intercepted, or gets blackholed altogether.

Those additional controls have been known for decades and they, if implemented widely, will prevent most routing incidents from happening. MANRS actions encourage any network running BGP to implement well-established, low-risk, low-cost industry best practices and technological solutions that can address the most common threats.

Why Should I Care?

There are numerous examples of the impact of routing incidents, whether malicious attacks or configuration mistakes. Route leaks, mentioned above, have resulted in outages lasting several hours and spread globally. Routing system vulnerabilities can also be exploited to hijack and impersonate important Internet services, like DNS or websites, leading to money and reputation loss.

Let’s Work Together

It is only through collective action and a shared sense of responsibility that we can address problems like BGP leaks, hijacks, DDoS attacks, and IP address spoofing that have real-world consequences for millions of people. We must work together to build a more resilient and secure Internet infrastructure.

This new Content Delivery Network (CDN) and Cloud Programme opens a new chapter in MANRS, further extending its community and bringing us closer to a secure and resilient global routing system – the foundation of the Internet. Please join us.

Read the fact sheet to learn more about this new program.

Working with APRICOT to Improve Routing Security

We’re pleased to announce that the Internet Society and the Asia Pacific Network Operators Group Ltd (APNOG) signed a Memorandum of Understanding (MoU) to cooperate in supporting the MANRS initiative in the Asia-Pacific region.

APNOG is the non-profit entity that runs the annual APRICOT conference, also called the Asia-Pacific Regional Internet Conference on Operational Technologies. APRICOT is the largest meeting of the technical community in the region.

The agreement will see the two undertake initiatives and activities to promote the security of the Internet’s global routing system and Mutually Agreed Norms for Routing Security (MANRS). MANRS is a global initiative, supported by the Internet Society, that provides crucial fixes to reduce the most common routing threats.

We agree to tackle routing-related cybersecurity incidents such as route hijacking, route leaks, IP address spoofing, and other harmful activities that can lead to DDoS attacks, traffic inspection, lost revenue, reputational damage, and more.

APRICOT draws many of the world’s best Internet engineers, operators, researchers, service providers, and policy enthusiasts from around the world to share the technical knowledge needed to run and expand the Internet securely. The partnership will allow MANRS to better leverage the platform to promote routing security to conference participants, including Internet Service Providers (ISPs) and Internet Exchange Points (IXPs).

Specific activities include hosting events on routing security at the annual APRICOT Summit and/or online; promoting MANRS participation to APRICOT attendees; helping develop the MANRS community in the region; and working together on the MANRS Observatory, which shows a network’s level of MANRS readiness and serves as an indication of the general state of routing security.

We have also agreed to continue to sponsor APRICOT’s Fellowship Program, providing financial support for individuals from developing economies to attend the event, and to contribute to discussions about Internet operations, technologies, and development.

The agreement builds on the long-running partnership between APRICOT organizers (previously the Asia Pacific Internet Association (APIA), now APNOG) and the Internet Society. The Internet Society has contributed to it over the years not only through sponsorship, training, and community building, but also through multiple high-profile appearances in various sessions, including the keynote speech in 2019 by Internet Society President and CEO Andrew Sullivan.

“We believe Internet routing security issues can be resolved through collective action and a shared sense of responsibility. We look forward to welcoming more MANRS members from the Asia-Pacific region, and working together with APNOG to improve routing security both regionally and globally,” said Rajnesh Singh, Regional Vice-President, Asia-Pacific for the Internet Society.

“We run APRICOT to cultivate the skills and understanding needed to develop a robust Internet infrastructure across the Asia-Pacific region – a goal also strongly supported by the MANRS community and the Internet Society. The partnership will let us work more closely together, and I look forward to MANRS playing an increasingly important role among key Internet builders in the region,” said Philip Smith, Director of APNOG.

Learn more about MANRS and APRICOT.

APRICOT 2020: Routing Security Takes Center Stage

More than 600 of the world’s leading Internet engineers from 60 economies gathered last week at APRICOT, and it was encouraging to see routing security take center stage in the largest meeting of the technical community in the region.

The Internet Society is a long-time partner of the annual event, also called the Asia Pacific Regional Internet Conference on Operational Technologies, and this year we held two community gatherings, spoke in several sessions, and ran a booth throughout the conference.

The ten-day meeting consisted of workshops, tutorials, conference sessions, birds-of-a-feather sessions, and peering forums from 12-21 February in Melbourne, Australia. This year marked the 25th anniversary of APRICOT, and it was good to recognize how the event has grown over time and contributed to technical capacity building in the region. It also gave me the chance to reflect on my own participation in the event over the years, including from when I was in the private sector prior to my current role.

One of the things Internet builders get together for at APRICOT is to share the technical knowledge needed to run and expand the Internet securely. So it was a great opportunity to bring attention to the Mutually Agreed Norms for Routing Security (MANRS) initiative, one of the eight projects outlined in the Internet Society’s 2020 Action Plan.

That was why our booth was dedicated to MANRS, and we were glad to see many attendees who ran networks come over to have a routing security check-up of their networks’ routing hygiene. The initial test is a first step towards strong and robust routing security, and we are hopeful many of them will join our growing community. Our MANRS t-shirts also proved very popular!

Aftab Siddiqui, our Senior Manager, Internet Technology for Asia-Pacific, was one of the facilitators of the highly popular Resource Public Key Infrastructure (RPKI) Deployathon, in which about 40 network operators learnt to deploy RPKI, a framework to sign Internet routes and protect users from route hijacks and misconfigurations.

Aftab was also appointed Chair of the inaugural APNIC Routing Security Special Interest Group (SIG), a new SIG that will provide a platform to discuss the operational issues and best practices to secure global Internet routing. We look forward to him helping strengthen routing security even further with Co-Chairs, Dr. Di Ma and Rupesh Shrestha.

We got together with more than 40 MANRS participants and partners in the region at the Community Meeting to share the latest on the initiative, including a plan to include new kinds of organizations, such as content delivery networks (CDNs) and cloud providers. Stay tuned for future updates!

In the long run, we aim to make MANRS a norm in routing operations – with non-conformance seen as unacceptable – and for it to be a self-governed community. We had a good discussion with the community on this and other matters, and to those who were able to attend, we thank you for taking the time to come.

Our delegation included Robert Maylath, Senior Director, Organization Membership; Kevin Meynell, Manager, Technical and Operational Engagements; Adrian Wan, Policy Advocacy Manager; Aftab; and myself. We outlined our plans at the AP Star Retreat and the APNIC Global Reports session alongside many of our partners and encouraged the community to join us in our mission.

It was good to see that more than 40 people from our membership community, including the local chapter, were able to join us for a social get-together. We were given a glimpse of the threats the Internet is under in Australia by Paul Brooks, Chair of the Australian Chapter, who told us he and other Chapter leaders would take part the next morning in a public hearing of the Independent National Security Legislation Monitor Review of the Telecommunications and other Legislation Amendment (Assistance & Access) Act 2018, commonly known as the TOLA Act, to stand up for encryption.

If you could not make it to APRICOT this year but wish to catch up on the sessions, you can watch the recordings or read the transcripts on the conference website, and download the presentations.

Next year, APRICOT is scheduled to run from February 16 to 26 in Manila, Philippines.

