September 2018 - Network Security & Safety

Improving the Security and Resilience of the Internet through MANRS

MANRS brings together network operators, ISPs, and IXPs to improve routing hygiene, increasing the security and resilience of the Internet, Christoph Dietzel from DE-CIX explains.

Improving the Security and Resilience of the Internet through MANRS

© Tashka | istockphoto.com

In 2017 alone, 14,000 routing outages or attacks – such as hijacking, leaks, and spoofing – led to stolen data, lost revenues, reputational damage and more, all on a global scale. Convened by the Internet Society (ISOC), network operators have converged around concrete steps – given the name Mutually Agreed Norms for Routing Security (MANRS) – to improve the dissemination of actions that prevent these incidents.

We have known for a long time, from a technical perspective, what to do to make the Internet more secure and resilient. However, at the global scale, only a few of these technical methods are deployed and implemented. This is why network operators developed MANRS. The idea was ultimately to encourage all the networks on the Internet to participate. More recently, MANRS has also been expanded to include IXPs, which is where we at DE-CIX come into the picture. MANRS offers ISPs and IXPs a way of signaling their security-forward stance and value-added service for customers.

The higher goal of MANRS is to allow better routing hygiene – preventing route leaks, route hijacks, and unwanted traffic on the Internet. The idea behind it was to develop a list of technical measures, such as filtering prefixes according to IRR or RPKI. 

And then MANRS goes on to label, in a very visible way, networks which are compliant. To improve dissemination of the project, it also requires participants to not only undertake technical measures, but to also communicate about the project. When we look at the IXP involvement in particular, one requirement is to list networks that are MANRS-compliant, and promote MANRS with their connected networks. 

MANRS Actions are not set in stone. It’s more like a living document, as a living system that can be adapted to our needs.

From a technical perspective, the measures for ISPs and IXPs are fairly similar, such as preventing propagation of incorrect routing information, as well as the communication aspect. However, there are a few things that apply differently for an IXP, because IXPs are the neutral entity in between the networks, and operate a shared infrastructure. The plan was to include as many IXPs as possible to help shape the IXP program. 

MANRS' actions are not set in stone. It’s more like a living document, as a living system that can be adapted to our needs. This means if we have new technologies, or some other things change fundamentally, we can also adapt the document to take these changes into account. 

Route leaks, route hygiene, and the security and resilience of the Internet

So, how does this make the Internet better? Well, if incorrect routing information propagates, it means that traffic is not actually going where it is meant to go. This could be caused by a misconfiguration, but it could also be intentional – for example, in that someone announces IP address space which they are not accountable for or don’t own. 

Regardless of whether the announcement is made by mistake or with malicious intentions, the traffic changes as a result.

And regardless of whether the announcement is made by mistake or with malicious intentions, the traffic changes as a result. This means that traffic can end up being routed to another network rather than the intended one. When this happens, the owner of this address space – which is perhaps hosting a company website, for example – experiences a strong negative impact, because their Internet presence is unreachable. Another possible scenario is that the traffic takes a sort of “detour” – is re-routed over a longer pathway – in such a way that someone can intercept the traffic. But route leaks can also happen unintentionally – for example, if I accidentally send my full routing table to my neighbor, when I should actually just send my own prefixes. If we can ensure that a large number of networks and IXPs implement the technical measures in MANRS, we can minimize the impact and potential damage of these scenarios. The networks and IXPs that have implemented it can then also, by joining MANRS, present their involvement to customers as a sales argument.

What MANRS is achieving that other initiatives haven’t

MANRS, as an initiative for increasing the security and resilience of the Internet, is pretty much one-of-a-kind. There are and have been other efforts by network operators who say, for example, "we should be BCP38 compliant", and of course, these efforts are also to be applauded. But while there are a lot of people in the community that know about the issue, it remains really hard to tackle – because, actually, you would ultimately need every single network on the Internet (which is about 60,000) – or as a minimum, a majority of them – to address the spoofing issue and thereby the root-cause for DDoS attacks, before you can achieve very good security across all networks. And bringing these networks together is very hard to achieve. By providing a clear baseline and building the community of security-minded network and IXP operators, MANRS consolidates the efforts to work towards a solution – and this is a very honorable approach. 

MANRS, with its label, communications activities, and efforts at finding global consensus, offers a way forward. The idea of MANRS is simply to begin with those networks we can feasibly start with – and so far in MANRS, it’s about one hundred ISPs and 22 IXPs. 

Incentives to get involved in self-regulatory initiatives

Getting companies to understand the value of being involved in a project like this is half of the battle. The network security manager may well see the benefits, but getting buy-in from the upper echelons of the company may prove difficult. The issue for an initiative that is trying to improve security and resilience is that the companies don't see clear monetary incentives in it: it would seem that the advantage is for others, and it doesn’t really bring any tangible advantage for them themselves.

Financial incentives in this case often only become apparent when it's too late. You only realize that there would have been hard financial benefits to taking action when you’ve already got burned.

But unfortunately, the only thing in this world which universally works is financial incentives. And as long as we don't have hard financial incentives, the management of many networks may just decide it's more important to open up a new PoP, or to increase bandwidth, for example, rather than to improve the resilience and security of their systems. Financial incentives in this case often only become apparent when it's too late. This is a big issue in the area of security. You only realize that there would have been hard financial benefits to taking action when it's too late and when you have already got burned. 

The simple truth is, everyone benefits if enough participants are part of MANRS, and my call is for more ISPs and IXPs to join us in improving the Internet. This being said, it’s also true that every little bit counts – because even if it were just among three networks where a false prefix could be filtered out so that it has no effect anymore, then there would be no financial loss, in this case, for the end users or the business customers of those networks. Every new network that joins is a step in the right direction.

Getting the ball rolling – how the MANRS IXP project was developed as a global initiative

So, how did we get the ball rolling? Over the period of one and a half to two years it took to develop the concept, the IXP program of MANRS changed quite a bit. In the beginning we sat down with just a small number of mainly European IXPs, and we developed a few measures from our perspective. But as more IXPs from other parts of the world got involved, it became clear that, if we wanted to make this global, the minimal requirements couldn’t be as high as we had initially defined them. It was, like all Internet governance efforts, a gradual process of finding consensus. We needed to find agreement on what works best for all, and along the way, we all needed to find compromises.

Discussions revolved largely around resources and politics, and it took us a while until we converged. After a lengthy process of negotiation, we had a face-to-face meeting in conjunction with the Euro-IX meeting in Galway in early 2018, when we finally launched the project. It took time, but it was worth it; because someone has to do it if you want to improve fundamental Internet security and resilience. 

Achieving trust and cooperating under the radar

Our next steps are to disseminate the project further, and, together with all participants, to think about how to improve it. We need to look at how to attract more members. And we also facilitate what we already have. What I mean is having discussions in this group to resolve security issues. Because if we also use our interaction as a tool to synchronize under the radar things that are occurring, like route hijacks, then this might be also beneficial - to just coordinate, to talk to each other. 

An issue that every self-regulatory initiative needs to deal with is that some things are hard to talk about with externals, even if they’re also specialists in the field. You need trust. Bringing a group of specialists from competing companies together can be difficult, but it is extremely important. Each member needs to resolve for themselves how to deal with the issue of confidentiality. I think it largely works because you know each other – or, at least, if you don't know someone, then you know that others know them, and that they are in for a good reason, because they stand for the same ultimate goals. And then you might find it slightly easier to trust someone. 

Getting your ISP or IXP involved in MANRS

Getting involved in MANRS is fairly easy, either as an ISP or an IXP. There are actions that you need to take, and in the IXP case you need to be compliant with three out of five; we have two measures that are mandatory. And then if you fulfill these, you just need to explain to MANRS how you fulfill them. What should IXPs expect out of their involvement? It basically comes down to: Don't ask what they can do for me, ask what can I do for them. There will be benefits – maybe not for the networks and IXPs themselves – but certainly for their customers, and that’s a real selling point. And the Internet community will be happy that they joined, because they make it a little bit better. We would need to get a lot of people onboard to really make a huge impact, but a small impact can be achieved even with just a few members. Step by step, network by network.


Christoph Dietzel has been Head of the Research & Development Department at DE-CIX since 2017. Previously, he was a part of the DE-CIX R&D team and responsible for several research initiatives, including numerous projects funded by the public sector (EU, German Federal Ministries). Chris is a PhD student at the INET group, supervised by Anja Feldmann at the Technische Universität Berlin and has published at various renowned conferences and for journals including ACM Sigcomm, ACM IMC, IEEE Communications Magazine, and IEEE Journal on Selected Areas in Communications.

His ongoing research interests focus on Internet measurements / security, routing, and traffic classification. Chris is also highly interested in IXP-related aspects of the Internet ecosystem.


Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s own and do not reflect the view of the publisher, eco – Association of the Internet Industry.