Categories
Mutually Agreed Norms for Routing Security (MANRS) Strengthening the Internet

You Asked and We Listened: New Features in the MANRS Observatory

Collaboration and shared responsibility are two pillars of the Mutually Agreed Norms for Routing Security (MANRS) initiative, which we support so that there is a baseline of routing security for network operators around the world.

The same values apply to running the MANRS Observatory, an online tool we launched in August that lets users track the state of Internet routing security and network operators their “MANRS-readiness.” Aggregating data from trusted sources, it relies on the community with a shared goal to protect the core of the Internet.

Since we rolled out the tool, many of you have shared that you would like to see updates to make it more informative, intuitive, and easy to use. We take your comments seriously, and we are delighted to introduce some of the new features to you.

We’ve made several improvements to the user interface, including:

  • Improved Search. The search network now displays the name of a network as you type an ASN. This feature is only available to MANRS participants; public access does not provide data for individual networks.
  • Report Sharing. Individual network reports that provide detailed information about potential incidents and cases of non-conformance can now be easily shared with colleagues across the company, for example at a NOC. Metrics and corresponding detailed data can now be exported as separate reports in JSON format. Also, any part of the report can be shared by using a link with a stable URL.
A screenshot of a cell phone

Description automatically generated
Figure 1: Data related to individual metrics are now easy to download or share
  • Simpler Metrics. We consolidated some data related to metrics indicating “bogon” announcements. The reports are now less “chatty” and easier to read.
  • Historical Charts. When more than one network is selected, the history charts are shown as a stacked diagram, showing the distribution of “ready,” “aspiring,” and “lagging” networks as well as the average readiness index for the group.
Figure 2: Historical trends are now presented as stacked diagrams, showing the distribution of different readiness levels in the group, as well as the average score
  • New Data Source. We added new contact information to make the corresponding metric (M8) consistent with the MANRS requirement. Now, next to RIRs’ WHOIS databases, PeeringDB is also queried.
  • Custom Network Groups. Participants and partners can now create custom network groups of ASNs they are interested in monitoring. This does not change access permissions; users still only have access to detailed reports for the ASNs they operate, but groups provide an easy overview, otherwise accomplished by manually adding ASNs through the search function. Several use cases were considered, including: a transit provider monitoring its customer cone, a CSIRT monitoring MANRS conformance of its constituency, or a government monitoring networks of its agencies.
Figure 3: Users can create custom groups, for instance the networks belonging to their customer cone, to monitor conformance

Partner Access, More Granular Data, and an Enhanced Acceptable Use Policy

We have been getting requests from organizations and individuals working together with MANRS to promote this initiative and routing security. They see the MANRS Observatory as a useful tool to support their work. To enable their access to more granular data, we revised the Observatory’s Terms and Conditions, which now clarify an acceptable use policy. In particular, it says that use of any information derived from the Observatory is only permitted “for purposes of promoting routing security or MANRS, such as presentations, technical workshops and tutorials,” and that it can only be shared in “de-identified form.” Partners can still only access overall readiness scores – access to detailed reports remains open only to the operators of respective networks. To apply for partner access, fill out this form.

Aspiring MANRS Networks

Another potentially useful feature that we’ve started testing is a so-called “aspirant” account. When a network applies to MANRS, during the audit process we often share data related to potential areas of improvements that we get from the MANRS Observatory. The aspirant account allows the network engineer to log in and explore all the data related to their network available in the Observatory, fixing any shortcomings they find. That should help streamline the audit process and improve the quality of applying networks.

Your Feedback

Routing security problems cannot be solved by any single entity. It requires collective action, like MANRS. That is why we appreciate the feedback you have given us, so that the Observatory can be more useful to the community. That in turn will help all of us make the Internet more secure.

If you are using this tool, please let us know what you think about these features. If you have suggestions on how to improve the tool further – please let us know, too!  Email us at manrs@isoc.org.


Image by Volodymyr Hryshchenko via Unsplash

Categories
Improving Technical Security Mutually Agreed Norms for Routing Security (MANRS)

MANRS Observatory: Monitoring the State of Internet Routing Security

Routing security is vital to the future and stability of the Internet, but it’s under constant threat. Which is why we’ve launched a free online tool so that network operators can see how they’re doing, and what they can improve, while anyone can see the health of the Internet at a glance. The MANRS Observatory measures networks’ adherence to MANRS – their “MANRS readiness” – a key indicator of the state of routing security and resiliency of the Internet.

Here’s what the MANRS Observatory is in a nutshell:

  • Performance Barometer: MANRS participants can easily monitor how well they adhere to the requirements of this initiative and make any necessary adjustments to their security controls.
  • Business Development: Participants can see how they and their peers are performing. They can leverage the MANRS Observatory to determine whether potential partners’ security practices are up to par.
  • Government: Policymakers can better understand the state of routing security and resilience and help improve it by calling for MANRS best practices.
  • Social Responsibility: MANRS implementation is simple, voluntary, and non-disruptive. The Observatory can help participants ensure they and their peers are keeping their networks secure, which helps improve routing security of the Internet as a whole.

The Observatory has two views: public, open to everyone, and private, available to MANRS participants. The public view user can look at the routing security metrics and statistics on a global, regional, and economic level, while MANRS participants can see performance of individual networks (of more than 64,000!) and even drill down to a detailed monthly incident report for the networks they operate.

  • The public view is aimed at anyone interested in routing security. Users can see the status at a glance for every country on an interactive global map and drill down into data for a chosen country.
  • The private view is intended for network operators. It lets them measure their MANRS readiness and quickly identify problematic areas to help them improve the security of their networks. It also adds an element of accountability where networks can see how well others are keeping their side of the street clean, which helps improve routing security of the Internet as a whole.

The metrics and statistics to measure MANRS readiness are calculated by tracking the number of incidents and networks involved, their anti-spoofing capabilities, and completeness of routing information in public repositories, such as IRRs and RPKI. This data is gathered from trusted third-party sources. (For more information on how MANRS readiness is measured, read “Measurement Framework.”) The Observatory was developed jointly with the MANRS community but still has to pass the test of real-life usage and validation by MANRS participants.

One of the main objectives of the Observatory was to report on cases of MANRS non-compliance, and it provides reliable information on that. But measuring network security from the outside is difficult, and even with highly-reputed data sources there are sometimes false positives or false negatives (an incident that went unnoticed by the data collection systems). To put it into context, in 2018 alone, there were more than 12,000 routing outages or attacks, such as hijacking, leaks, and spoofing. We’re working with our partners to continuously improve the quality of incident data.

While MANRS is seeing steady adoption – worldwide, there are now over 200 network operators and more than 30 IXPs supporting our initiative – we need more networks to implement the actions and more customers to demand routing security best practices. The more organizations applying MANRS actions, the fewer security and related incidents happening, the more secure and resilient the Internet!

Explore the MANRS Observatory.