MANRS + IXPs = A MORE Secure Internet Routing System Thumbnail
Improving Technical Security 1 June 2015

MANRS + IXPs = A MORE Secure Internet Routing System

By Andrei RobachevskyFormer Senior Director, Technology Programmes
Internet SocietyGuest Author

Internet Exchange Points (IXPs) are a critical community to adopt the MANRS (Mutually Agreed Norms on Routing Security) initiative to make the Internet’s routing infrastructure more secure.  I recently made this point when given an opportunity to present MANRS at the MORE-IP conference organized by one of the leading Internet Exchanges AMS-IX.

Why do I think the IXP community is an important audience?

While MANRS is a truly global collaborative effort, its success very much depends on the sense of ownership, peer pressure and common understanding. These properties are the strongest in relatively small communities united by common operational objectives. The IXP community fits this profile very well.

I was very glad to reconfirm to myself that the AMS-IX community takes security issues seriously. For example, there was a presentation from AMS-IX technical team about their proposed setup for outgoing prefix filtering on AMS-IX route servers. In other words instead of each ISP building their own filters on what routing updates to accept or not from each of their peers, the route server is going to do this for them. There is a possibility for a peer to choose between the traditional IRR or the RPKI repository as a source of information for building filters and select whether prefixes are filtered or only tagged. The more members adopt this setup the less vulnerable the global routing system will become. And given 715 networks peering at AMS-IX this will definitely have an impact.

Another presentation was about the Trusted Networks Initiative – a last resort solution hosted by the Hague Security Delta for DDoS attacks that are too big to handle. This initiative is supported by AMS-IX and is based on peering on a separate private VLAN by a set of “trusted” networks. “Trust” is based on adherence to norms that are similar to MANRS. Moreover, the members list has a separate column indicating their participation in MANRS, although I was a bit surprised to see this box checked only for one network.

I think regardless of the existence of “fire exits” it is important that we work on making the whole building fire-proof, to use an analogy. I see MANRS as a tool for local communities, like the AMS-IX association, to use to create a new, more secure and resilient norm for routing.

P.S. If you are with a network operator, have you signed the MANRS document? If not, why not do so today?


Image credit: Photo of Andrei Robachevsky speaking provided by the MORE-IP conference organizers.

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related Posts

Building Trust 21 February 2020

NDSS 2020: The Best in Security Research – For the Good of the Internet

On 23 February, the 27th consecutive Network and Distributed System Security Symposium (NDSS) kicks off in San Diego, CA....

Improving Technical Security 23 October 2019

Securing the Internet: Introducing Oracle Internet Intelligence IXP Filter Check

Oracle is an Organization Member of the Internet Society. We welcome this guest post announcing a new tool that...

Improving Technical Security 4 October 2019

Network Operators in Latin America and the Caribbean Take Steps to Strengthen Routing Security

2019 has been a very good year for the Internet in Latin America and the Caribbean. In May, during...