The global routing system determines how everything, from email messages to videoconferences to website content, moves from network to network across our shared cyberspace. It is, in many ways, the real backbone of the Internet, and this is why the Mutually Agreed Norms for Routing Security (MANRS), intended to protect this system, was one of the first initiatives that the Cybersecurity Tech Accord endorsed in 2018. Furthermore, a number of signatories, including KPN, Microsoft, NTT, Orange, Oracle, and Swisscom, have since worked to implement MANRS within their own organizations to improve security for users and customers.
Our initial endorsement also led to the creation of a working group, which was tasked with investigating how companies beyond network operators and IXPs could contribute to routing security. Initially established as an exploration between the Cybersecurity Tech Accord and the Internet Society, it has grown in scope and brought in other technology players. Working together, we have developed a set of six actions that cloud providers and content delivery networks can take to further support routing security. These are:
- Prevent propagation of incorrect routing information. Cloud providers and content delivery networks often have their own internal networks, as well as peering relationships, where good filtering practice should still apply to help prevent propagation of incorrect routing information.
- Prevent traffic from illegitimate source IP addresses by implementing anti-spoofing controls to prevent packets with illegitimate source IP addresses from leaving the network.
- Facilitate global operational communication and coordination by maintaining up-to-date contact information in PeeringDB and relevant WHOIS RIR databases.
- Facilitate validation of routing information on a global scale by documenting ASNs and prefixes that are intended to be advertised to external parties in either IRRs or an RPKI repository.
- Encourage MANRS adoption by the technology industry. The adoption of these norms has a multiplying effect, whereby the greater the number of adopters, the more secure the entire routing system becomes.
- Provide monitoring and debugging tools to peering partners to facilitate easy resolution of any challenges that may arise and ensure there is a clear feedback mechanism available.
This global initiative represents an important effort to improve cyber hygiene by promoting crucial fixes that reduce the most common threats to routing security. As such, it was also highlighted in our commitment to promote cyber hygiene as part of the Paris Call for Trust and Security in Cyberspace. The global Internet routing system does not, on its own, have sufficient security controls to prevent the existence of false routing information, which results in hundreds of incidents involving misrouted traffic and denials of service every year. MANRS helps overcome this problem by establishing a security baseline of concrete actions for network operators. The steady adoption of the initiative – with over 200 network operators and 30 IXPs on board to date – demonstrates the power of partnership and collective response. But more still needs to be done.
The Cybersecurity Tech Accord signatories strongly believe that a more robust and secure global routing infrastructure demands shared responsibility and coordinated actions from a community of security-minded organizations. We see the efforts undertaken so far under the MANRS initiative as a fantastic example of different stakeholders partnering towards a common objective – a more secure environment, benefiting all of us, from users to governments and the industry. As such, we believe this effort firmly falls under the 4th principle guiding our efforts – partnering with each other and with like-minded groups to enhance cybersecurity. To this end, a number of our signatories, including Cloudflare, Facebook, Microsoft, Oracle, and Telefonica, actively contributed to the working group, and we are determined to see even more implement it.
For more information on MANRS, please visit the Internet Society website.