MANRS — Mutually Agreed Norms of Routing Security

MANRS RGB vertical logo dark

MANRS (Mutually Agreed Norms for Routing Security) is a global initiative, supported by the Internet Society, that provides crucial fixes to reduce the most common routing threats.

This initiative appeared as a response to the growing number of Internet routing threats. Not a single day goes without a dozen of incidents affecting the routing system. Route hijacking, route leaks, IP address spoofing, and other harmful activities can lead to DDoS attacks, traffic inspection, lost revenue, reputational damage and more. These incidents are global in scale, with one operator's routing problems cascading to impact others.

MANRS initiative provides the following solutions of the most common routing problems:

Event: Prefix/route Hijacking

Explanation: A network operator or attacker impersonates another network operator, pretending that a server or network is their client.

Repercussions: Packets are forwarded to the wrong place and can cause Denial of Service (DoS) attacks or traffic inspection.

Solution: Stronger filtering policies.

 

Event: Route leak

Explanation: A network operator with multiple upstream providers (often due to accidental misconfiguration) announces to one upstream provider that it has a route to a destination through the other upstream provider.

Repercussions: Can be used for traffic inspection and reconnaissance.

Solution: Stronger filtering policies.

 

Event: IP address spoofing

Explanation: Someone creates IP packets with a false source IP address to hide the identity of the sender or to impersonate another computing system.

Repercussions: The root cause of reflection DDoS attacks

Solution: Source address validation.

 

Tools to help:

  • Prefixes and AS-path filtering
  • RPKI validator, IRR toolset, IRRPT, BGPQ3
  • BGPSEC

 

But these tools are not deployed enough and there is a lack of reliable data. That's why a standard approach to improving routing security is needed.

IXPs are an important part of routing security system. MАNRS lets IXP build "safe neighborhood", leveraging the MANRS security baseline.

As an IXP, that aggregated over 2400 autonomous systems, DTEL-IX is aware of the most important problems and needs of the internet - society. So participation in MANRS initiative is our contribution to routing security not only for our Members but for the Internet globally.

DTEL-IX is now compliant with all MANRS requirements for IXPs. It means that our exchange point became more reliable and resilient to the threats of incorrect routing, i.e. created a safer environment for our Member's work.

As far as risks of incorrect routing are global and affect all others, DTEL-IX recommends to all operators and providers to join MANRS initiative. Participation in MANRS initiative allows Operator:

  • to help solve global network problems;
  • to add competitive value;
  • to "lock-in" from a connectivity provider to a security partner.

 Let's make the Internet better!