New Category of CDNs and Cloud Providers Join MANRS to Improve Routing Security
Today, we’re proud to announce the new MANRS Content Delivery Network (CDN) and Cloud Programme. This new programme broadens support for the primary objective of MANRS – to implement crucial fixes needed to eliminate the most common threats to the Internet’s routing system.
The founding participants are: Akamai, Amazon Web Services, Azion, Cloudflare, Facebook, Google, Microsoft, and Netflix.
Now, let’s back up and explain how we got here.
What Is MANRS?
Mutually Agreed Norms for Routing Security (MANRS) is a global initiative, supported by the Internet Society, that requires collaboration among participants and shared responsibility for the global Internet routing system. It’s a community of security-minded organizations committed to making routing infrastructure more robust and secure.
Originally designed by and for network operators, the initiative has already been extended once to address the unique needs and concerns of Internet Exchange Points. These two facets of MANRS complement each other – the first secures customer-provider interconnections, while the second creates a safe public peering environment.
How Do CDNs and Cloud Providers Help?
A CDN is a geographically distributed group of servers that work together to provide fast delivery of Internet content across the globe, and today the majority of web traffic is served through CDNs. Cloud providers offer network services, infrastructure, and/or applications in the “cloud” by hosting them in data centers, often distributed around the world, and providing access via the Internet or private interconnections.
CDNs and cloud providers help companies serve their content and online services to end users by delivering them in a distributed manner and from locations closer to those users. For instance, when you visit a website, its content is often fetched from the closest location and not from the website owner’s infrastructure, which could be much farther away and, as a result, much slower.
The two typically peer – exchange traffic directly – with thousands of other networks so that data can flow more efficiently, making them large hubs of the Internet interconnection infrastructure. Peering with CDNs and cloud providers can drastically improve the performance of the network services they host, so there is a clear benefit to interconnecting with these networks.
While CDNs and cloud providers are basically edge networks, their impact on routing security can be significant. Several known incidents showed that an edge network, even a small one, can cause havoc on the Internet by leaking routes. MANRS helps by requiring egress routing controls, so networks can prevent such incidents from happening. Secondly, leveraging CDNs’ and cloud providers’ peering power can have a significant positive spillover effect on the routing hygiene of the networks they peer with. In other words, if CDNs and cloud providers do their part to improve routing security and demand better practices from their customers, their customers will in turn step up their efforts, and together the Internet will be better and safer for all of us.
That is why in late 2018 the MANRS community formed a task force with representatives from Akamai, Azion, Cloudflare, Comcast, Facebook, Google, Microsoft, Nexica, Oracle, Telefonica, Redder, TORIX, and Verisign committed to developing a set of actions CDNs and cloud providers should take to improve routing security. The outcome of that task force’s work led to the creation of this new MANRS program.
What Do CDNs and Cloud Providers Need to Do?
The MANRS Content Delivery Network (CDN) and Cloud Programme lists six actions, of which five are mandatory to implement:
- Prevent propagation of incorrect routing information
- Prevent traffic of illegitimate source IP addresses
- Facilitate global operational communication and coordination
- Facilitate validation of routing information on a global scale
- Encourage MANRS adoption
- Provide monitoring and debugging tools to peering partners (optional)
Program participation provides an opportunity to demonstrate attention to the security and sustainability of the Internet ecosystem and, therefore, dedication to providing high-quality services.
How Do I Sign Up?
Any CDN or cloud provider that takes at least the five required actions above is welcome to join us. Besides enjoying improved security posture, MANRS participants also show their commitment to the sustainability and resilience of the Internet ecosystem by:
- Creating a secure network peering environment, preventing potential attacks at their border
- Encouraging better routing hygiene from their peering partners
- Signaling their organization’s security-forward posture
- Demonstrating responsible routing behavior
- Improving operational efficiency for peering interconnections, minimizing incidents and providing more granular insight for troubleshooting
Why Is Routing Security Important?
The Internet routing system’s resilience and security are a collective responsibility. No single entity can solve BGP vulnerabilities, and yet without additional controls any network can wreak havoc on the system.
BGP – the protocol used to exchange reachability information between networks and build a “roadmap” of the Internet – does not have built-in validation mechanisms. Without additional controls, routing information is accepted as is, including falsifications and mistakes. When that happens, the roadmap is distorted and traffic follows undesired paths, gets intercepted, or gets blackholed altogether.
Those additional controls have been known for decades and, if implemented widely, they will prevent most routing incidents from happening. MANRS actions encourage any network running BGP to implement well-established, low-risk, low-cost industry best practices and technological solutions that can address the most common threats.
Why Should I Care?
There are numerous examples of the impact of routing incidents, whether malicious attacks or configuration mistakes. Route leaks, mentioned above, resulted in outages that lasted several hours and spread globally. Routing system vulnerabilities can also be exploited to hijack and impersonate important Internet services, like DNS or websites, leading to financial and reputational loss.
Let’s Work Together
It is only through collective action and a shared sense of responsibility that we can address problems like BGP leaks, hijacks, DDoS attacks, and IP address spoofing that have real-world consequences for millions of people. We must work together to build a more resilient and secure Internet infrastructure.
This new Content Delivery Network (CDN) and Cloud Programme opens a new chapter in MANRS, further extending its community and bringing us closer to a secure and resilient global routing system – the foundation of the Internet. Please join us.
Read the fact sheet to learn more about this new program.