Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

What is MANRS and does your network have it?

Thor Olavsrud | Oct. 14, 2016
The Internet Society's Mutually Agreed Norms for Routing Security (MANRS) initiative is designed to provide measures to improve the resilience and security of the internet's routing infrastructure to keep it safe for businesses and consumers.

Robachevsky notes that MANRS consists of a package of four minimum, actionable measures that network security operators should take: filtering, anti-spoofing, coordination and global validation.

"MANRS is very actionable," he says. "This is a minimum baseline that we would like to introduce as a new norm. It's not an aspiration. It's an absolute minimum. We wanted to set the threshold as not too high, so people can join. If it's implemented on a large scale, we'll see significant improvements in the global routing system."

Most operators that have joined have implemented all four measures, Robachevsky says, including Comcast, one of the world's largest broadband operators, which has done so across 33 ASNs. None of the members to date have acted on fewer than three.

Filtering to prevent the propagation of incorrect routing information

The first measure is filtering, which helps prevent the propagation of incorrect routing information. Robachevsky says network operators need to define a clear routing policy and implement a system to ensure the correctness of their own routing announcements and announcements from the customers to adjacent networks with prefix and AS-path granularity.

Network operators need to be able to communicate to their adjacent networks which announcements are correct and to apply due diligence when checking the correctness of their customers' announcements. This, he says, will provide assurance against "fat-finger" errors that can lead to hijacking traffic directed to other networks. It will also mitigate "route leaks" — the propagation of routing announcements beyond their intended scope.

Prevent traffic with spoofed IP addresses

By implementing a system that enables source address validation for at least single-homed stub customer networks, their own-end users and infrastructure, ISOC says network operators can dramatically diminish the prevalence and impact of DDoS attacks. Essentially, network operators should implement anti-spoofing filtering to prevent packets with an incorrect source IP address from entering and leaving the network.

Facilitate global operational communication and coordination between network operators

To grease the wheels, network operators need to maintain globally accessible and up-to-date contact information to facilitate communication and coordination with their peers. This, Robachevsky says, is essential for incident mitigation and better assurance of the technical quality of relationships.

Facilitate validation of routing information on a global scale

Whereas the first three measures are about sweeping your own sidewalk, the fourth is about looking out for your peers. By facilitating the global validation of routing information, you can limit the scope of routing incidents and make the global system as a whole more resilient.

Taken as a whole, Robachevsky says the four measures won't just help improve Internet security and resilience, they'll enable a sustainable business environment that will benefit network operators and their customers alike. They will provide better protection against traffic anomalies caused by misconfigurations, cleaner setups (resulting in easier troubleshooting and lower time-to-resolution (TTR)), improved peering conditions and opportunities for collaboration with other operators through a discussion forum and professional network.

 

Previous Page  1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.