MANRS and the US FCC Notice of Intent on Routing Security

Andrew Gallo is a MANRS Steering Committee Co-chair and Principal IT Architect and Network Engineer at The George Washington University.

Earlier this year, the Federal Communications Commission (FCC) of the United States Government issued a Notice of Inquiry (NOI) asking the Internet community for information and feedback on the state of routing security and what can be done to improve it. MANRS participants were surveyed to inform the Internet Society’s response to this NOI. Megan Kruse summarized the results of the MANRS survey, and Joseph Lorenzo Hall provided an overview of the Internet Society’s filing.

The FCC uses responses to an NOI to inform its decision making and regulatory processes. Comments are public and reading them can provide insight into industry and subject matter experts’ opinions about the topic. In this post, I highlight some issues raised by commenters.   

Forty-five organizations or individuals filed 49 comments. Respondents included Internet Service Providers, trade associations, academics/researchers, and individuals. I was pleased that nearly 70% of the responses included some mention of MANRS, some relying heavily on MANRS for recommendations (e.g., Microsoft), and many using MANRS articles and data as citations and references.

I’ll start with one of the most positive quotes about MANRS, from Geoff Huston, Chief Scientist of APNIC:

“MANRS offers a well-structured and carefully thought through approach to best current practices in routing security and is clearly the best program in the industry today in this area.”

Geoff Huston

Microsoft, both a MANRS participant and contributor, highlights the success of the program and suggests the FCC encourage and respect the work the industry has done so far on routing security.

“Microsoft, in partnership with the MANRS community, has demonstrated the ability of the internet industry to address routing security problems by developing a voluntary framework of outcomes and processes that align policy, business, technological, and legal approaches to improve risk mitigation. Industry-driven guidelines for routing security are successfully driving the voluntary implementation of solutions to coordinate and collaborate between networks and to address incorrect routing information and traffic with spoofed source IP addresses.”

Microsoft

And

“Microsoft encourages the FCC to highlight and support industry guidelines defined as part of the MANRS routing security program and advises the FCC to collaborate with the MANRS organization, which can provide the FCC with industry-tested leading practices, insights into the current risk-landscape, and future collaboration on internet routing security.”

Overall, we see many comments cautioning the FCC against taking strong regulatory action. While it is no surprise that ISPs don’t want regulation, there are some valid points and common threads in many comments. No one operator can secure the Internet, nor can any one country regulate the Internet to be more secure. It may be an obvious point, but one that needs to be stated – the Internet is comprised of tens of thousands of operators that agree to follow the same community-developed standards. They operate in different regulatory domains and have different business models. Action by a single regulatory authority is not likely to have widespread, positive impact. In fact, it might have a negative impact by ‘freezing’ the state of routing security and requiring operators to conform to regulations that don’t adequately address the changing security landscape.

More recently, the US Department of Defense and Department of Justice filed a joint comment urging the Commission to take a more active stance: “Carefully constructed rules, issued in concert with other government actions, could far more effectively reduce the risks associated with foreign operators or bad actors exploiting BGP insecurity.”

In a comment filed prior to the DoD/DoJ filing, Geoff Huston had this word of caution: “I would urge the FCC to exercise due care and attention to the level of maturity and the effectiveness of these mechanisms and adopt a position that balances careful consideration of both the technology aspects of this work and the drivers for industry adoption with the further development of tools and technology that improve the security stance of the routing and forwarding infrastructure of the Internet.”

Several respondents highlighted past work of the FCC’s Communication, Security, Reliability, and Interoperability Council (CSRIC). Most recently, CSRIC VI Working Group 6 released a “Report on Best Practices and Recommendations to Mitigate Security Risks to Current IP-based Protocols” in 2019. There were several suggestions in this NOI for the FCC to continue its role as a convener of industry, academia, and government to develop and recommend best practices.

Two responses raised some concern. One industry group indicated that the actions in MANRS may take expertise and resources not available to its members. The current actions specified by MANRS are the minimum any BGP network operator should be doing to help secure the global routing infrastructure. However, we realize that not all networks are actually doing the minimum, and in the spirit of “we’re all in this together,” MANRS has extensive resources available to help individual engineers and operators. I invite any individual or operator to engage with the MANRS community. Let us help you, because the actions you take on your network help the whole Internet operate in a more secure and stable manner. Many aspects of routing security are a classic collective action problem, and the MANRS community is here to help overcome that barrier.

The other comment that concerned me was the reluctance of some members of an industry group to join MANRS because both the security actions and participants list are public. I’ve raised the issue of participant anonymity with the Steering Committee. For the point about the actions being public – I’ll gently suggest that these are basic security measures all operators should implement on their networks, so there’s no risk to telling the world.

In summary, I was quite pleased to see MANRS championed by government, industry, and individual subject matter experts in response to the FCC’s Inquiry. Everyone that’s been involved with the formation and growth of MANRS should be proud. It’s unclear what the FCC will do with the information gathered in this process, but we’re keeping a close eye on the process and will provide updates.
