Routing Security

MANRS as Fire Code

  • By Andrew Gallo
  • 11 Jun 2024

[Editor’s Note: This is a guest post from MANRS Steering Committee member Andrew Gallo from The George Washington University.]

Where does a norm fit in Internet operations and engineering?

Technical standards that define how the Internet operates, and the processes that create them, are silent on how societies are to deal with these systems once built. Enter the Mutually Agreed Norms for Routing Security (MANRS), which started as a set of recommendations for operators on behaviors, or “norms,” that make the global routing infrastructure more resilient. These norms are outcome driven – they don’t specify anything new, but rather collect a group of behaviors based on established standards. They act as a reminder of what we should already be doing.

When do such collections become more than just norms? When should they become requirements?

John Curran’s keynote at NANOG 89, “The Expanding Landscape of Internet Governance: Why Network Operators Need a Global View,” offered some thought-provoking ideas on the differences between the development of Internet standards and Internet governance. This article is largely inspired by that talk and will expand on Curran’s notions.

Internet Standardization

The development of the rules for the Internet is an open, collaborative, and global process. Internet standards are open to anyone; the results are freely available and can be implemented by large corporations selling products, open-source communities making freely available software, or even individual hobbyists. For many years, this was de facto Internet governance – the Internet was a research project that supported other research. Governance, to the extent there was any, emerged from the bottom-up, with consensus-driven technical standards. Governments and regulatory authorities left those tinkering with packet switching on their own, largely unregulated and sometimes ignored. In those early years, when routing protocols and applications were being designed to connect remote terminals to mainframes and the total number of endpoints was only in the thousands, who would have thought the outcome would have such a transformative impact on society?

To the extent that governance was considered, it was easy to conflate it with standardization.

“The Internet was created in simpler times. Its creators and early users shared a common goal—they wanted to build a network infrastructure to hook all the computers in the world together so that as yet unknown applications could be invented to run there. All the players, whether designers, users or operators, shared a consistent vision and a common sense of purpose.”

from Tussle in Cyberspace: Defining Tomorrow’s Internet

Internet engineers are familiar with what John Curran terms ‘Internet coordination’ – the development of technical standards such as the IETF’s Request for Comments (RFCs) and management of number resources by Regional Internet Registries. These activities differ from Internet governance, which directs the way individuals and governments should use the Internet. Put another way, standards define how devices and applications interact with each other, while governance deals with how people and organizations use the network defined by the standards. Technical standards, and the processes that create them, have largely remained silent on how societies are to deal with these systems once built.

Our daily lives rely on the Internet. Even if we ignore life safety and national security concerns, outages and disruptions are impactful and newsworthy. In 2002, the interaction of Internet technology and society was predicted: “…as the Internet becomes mainstream it inevitably moves from being an engineering curiosity to being a mirror of the societies in which it operates.”

By 2024, the Internet has become critical infrastructure, as well as providing service to other critical infrastructure sectors. Outages and disruptions can cause serious harm, and governments are taking notice[1] [AG2] :

  • In 2017, then UK Member of Parliament, now current Prime Minister, Rishi Sunak commented on the vulnerability, and potential loss, of undersea infrastructure including both power and communication, “Short of nuclear or biological warfare, it is difficult to think of a threat that could be more justifiably described as existential.”

Traditional roles of government, such as maintaining an orderly, healthy, and safe society, are difficult to map onto the Internet. While governments participate in Internet coordination activities through standards bodies, that process has focused on developing technical standards. Governments are not unified on how they should interact with an Internet enabled by those standards. Curran’s talk highlights how the landscape is changing, because technical coordination alone does not help governments serve their constituents.

“We’ve got this weird disconnect where governments [say] ‘we don’t want to regulate the Internet but the bodies that [we] work with-they’re not interested in the problems […] we’re interested in or they’re not skilled at it or they won’t take action.’”

The RFC process, primarily run by subject matter experts, focuses on addressing the technical needs of network operation, not the societal need for ensuring safety and stability.

By comparison, in the United States, building codes are usually the responsibility of local jurisdictions such as cities or counties. These smaller entities generally don’t have the expertise or resources to independently develop building codes. Instead, domain-specific experts develop sample language that can be adopted as a template by various jurisdictions as needed. The National Fire Protection Association (NFPA), the Underwriters Laboratories (UL), and the National Electrical Manufacturers Association (NEMA) are all examples of organizations that develop standards that can be adopted by governments to protect the common good.

Curran points out that MANRS could behave similarly for the Internet, at least with respect to routing security. “MANRS is a great example – it’s how you do routing. It isn’t the routing protocol.” MANRS does not specify or standardize anything new – it collects behaviors and practices, then recommends outcomes.

Kevin Thompson, Program Director in the Office of Advanced Cyberinfrastructure at the National Science Foundation (NSF), says this about MANRS: “NSF views MANRS as community defined and community driven best practices in routing security. That’s why CC* [a funding program for campus cyber infrastructure] identifies it in the Campus CI plan language.”

While some governments may think of regulation as a way to address the routing security problem, it is instructive to consider an approach that seeks to protect the public without the burden of bureaucracy. John Braithwaite, an academic in the domain of criminal justice, speaks of a technique called Responsive Regulation, in which “…industry leaders take self-regulation up through new ceilings and then drag laggards up toward their standards.” This is what MANRS is doing today. He continues, “[r]esponsive regulation is about ‘tripartism’ in regulation. It highlights the limits of regulation as a transaction between the state and business. It argues that unless there is some third party (or a number of them) in the regulatory game, regulation will be captured and corrupted by money power.”

Curran encourages us to, “Work with each other to develop good practices that you’re willing to live by,” and a growing number of operators have pledged to abide by these practices. MANRS is a successful example of the community collaborating to drive improvements in routing safety and governments are responding positively to this self-regulation. Please continue to participate, ensuring MANRS remains a vibrant organization, as well as a trusted partner and advisor for the global community.

Related Content

Leave a Comment