In our paper, Mind Your MANRS: Measuring the MANRS Routing Ecosystem, we at CAIDA (UC San Diego), in collaboration with Georgia Tech and IIJ Research Lab, provided the first independent look into the MANRS ecosystem by using publicly available data to analyze the routing behavior of participant networks.
MANRS membership has increased significantly in recent years, but our research goal was to get more clarity on the impact of the MANRS initiative on the state of overall Internet routing security.
In this post, we:
- Summarize how we characterized the growth of MANRS members.
- Explain our process of analyzing ISP conformance with the MANRS practices we studied.
- Compare RPKI ROA registration status between MANRS and non-MANRS members.
- Reflect on the implications of our analysis for the future of MANRS.
Focusing on MANRS Actions #1 and #4
We first analyzed what types of networks have joined MANRS over time and whether MANRS members are properly implementing the routing security practices (MANRS conformance). The two practices (which MANRS calls Actions) we focused on in our study are:
- Participating ISPs will register their IP prefixes in a trusted routing database (either Resource Public Key Infrastructure (RPKI) or one of the databases of the Internet Routing Registry (IRR)). This practice is “MANRS Action #4”.
- Participating ISPs will use such information to prevent the propagation of invalid routing information. This practice is “MANRS Action #1”.
Our paper analyzed the MANRS ecosystem in May 2022. Since MANRS is a growing community, for this post we have updated our analysis using data collected in November 2022 to capture a more recent view of the MANRS ecosystem. We have also published our analysis code so that interested readers can reproduce the analysis using the latest available data.
We found that between 2015 and November 2022, 863 ASes joined MANRS. Over these seven years, an additional 12.1% of routed IPv4 address space was originated by MANRS ASes.
Plotting growth by ASes and by address space (Figure 1) shows that most of these new ASes were based in the LACNIC region, but that those ASes originated little or no address space into BGP.
Figure 1 – MANRS participation grew between 2015 and 2022 (left), but the picture looks quite different if measured by the number of ASes vs. the percentage of routed address space (right).
We examined whether MANRS (ISP and CDN) members properly implemented MANRS Actions #4 and #1 according to the MANRS requirements:
- To conform to Action #4, members must register at least 90% (100% for CDNs) of IP prefixes in IRR or RPKI.
- To conform to Action #1, members must filter out customer BGP announcements that do not match IRR or RPKI records.
We downloaded BGP prefixes and their IRR/RPKI status from the Internet Health Report (IHR) maintained by IIJ Research Labs. We found that in November 2022, 893 (95.9%) of all 931 MANRS ASes conformed to MANRS Action #4 (prefix registration).
Figure 2 shows that in November 2022, 3.7% of the address space originated by MANRS ASes was contained in prefixes that either were not registered or were incorrectly registered in IRR or RPKI. We also conducted case studies of non-conformant MANRS CDN members and found that one large CDN was not conformant because one of their 7,000+ prefixes was RPKI-invalid. Please refer to section 8.4 of the paper for more details.
Figure 2 – Most ASes participating in MANRS conformed with Action #4 (left), and correspondingly, most of the address space those ASes originated into BGP was IRR or RPKI valid, that is, had records that matched observed BGP announcements (right).
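The Action #4 check described above, as an added example that is not the paper's published analysis code: it derives each prefix's RPKI status with RFC 6811 origin validation and applies the 90% (ISP) and 100% (CDN) thresholds. The ROAs, IRR objects, ASNs and prefixes are constructed, and counting a prefix as registered when it is RPKI Valid or has an exact-match IRR route object is an assumed simplification.

```python
import ipaddress

# Constructed sample data (documentation/benchmark ranges, private-use ASNs).
ROAS = [  # (prefix, maxLength, authorized origin ASN)
    ("192.0.2.0/24", 28, 64500),     # hypothetical ISP
    ("198.51.100.0/24", 28, 64501),  # hypothetical CDN
    ("203.0.113.0/24", 24, 64502),   # third party
]
IRR = {("198.18.0.0/24", 64500)}     # route objects: (prefix, origin ASN)

def rov(prefix, origin, roas=ROAS):
    """RFC 6811 origin validation: 'Valid', 'Invalid' or 'NotFound'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covered = True  # at least one ROA covers this announcement
            if asn == origin and net.prefixlen <= max_len:
                return "Valid"
    return "Invalid" if covered else "NotFound"

def action4(origin, prefixes, is_cdn=False, roas=ROAS, irr=IRR):
    """Return (conformant, registered_share, unregistered_or_invalid)."""
    threshold = 1.0 if is_cdn else 0.9  # thresholds stated in the post
    bad = []
    for p in prefixes:
        status = rov(p, origin, roas)
        # Assumed rule: registered = RPKI Valid or exact IRR route object.
        if status != "Valid" and (p, origin) not in irr:
            bad.append((p, status))
    share = (len(prefixes) - len(bad)) / len(prefixes)
    return share >= threshold, share, bad

def sub28(block, count):
    """First `count` /28 subnets of a /24, as strings."""
    subnets = ipaddress.ip_network(block).subnets(new_prefix=28)
    return [str(s) for _, s in zip(range(count), subnets)]

# ISP: 8 RPKI Valid, 1 IRR-only, 1 unregistered. CDN: 16 Valid, 1 Invalid.
ISP = sub28("192.0.2.0/24", 8) + ["198.18.0.0/24", "198.19.0.0/24"]
CDN = sub28("198.51.100.0/24", 16) + ["203.0.113.0/24"]

if __name__ == "__main__":
    print("ISP:", action4(64500, ISP))
    print("CDN:", action4(64501, CDN, is_cdn=True))
```

The constructed CDN mirrors the case study: a single RPKI-invalid prefix fails the 100% threshold even though the same announcements would pass the 90% ISP threshold.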
To evaluate whether MANRS members filtered out customer BGP announcements that do not match IRR or RPKI records (Action #1), we downloaded BGP prefixes, their IRR and RPKI statuses, and their upstream ASes from the Internet Health Report. We then calculated the prevalence of IRR/RPKI Invalid prefixes propagated through each MANRS network.
Figure 3 shows that in November 2022, 790 (84.9%) of 931 MANRS ASes conformed to MANRS Action #1, while the remaining 141 (15.1%) did not.
Figure 3 – (left) MANRS ASes that did not conform to MANRS Action #1 only propagated a small fraction of address space announced by MANRS ASes that was not IRR or RPKI Valid. (right) 95.2% of MANRS-propagated address space was IRR/RPKI Valid despite being propagated by Action #1 non-conformant members.
However, not all of the address space propagated by these ASes was incorrectly registered in RPKI or IRR. Those 141 ASes propagated 96.7% of the address space propagated by MANRS ASes, but only 1.5% of that total was incorrectly registered.
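The Action #1 measurement described above, as an added example rather than the paper's own code: for each member it computes the share of propagated address space that is Invalid, counting overlapping prefixes once. The routes, statuses and ASNs are constructed; using the list of upstream ASNs as a stand-in for the customer relationship and treating any propagated Invalid prefix as non-conformance are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (prefix, origin ASN, IRR/RPKI status, upstream ASNs).
ROUTES = [
    ("198.18.0.0/15", 64510, "Valid", [64500, 64501]),
    ("198.18.0.0/24", 64510, "Valid", [64500]),      # overlaps the /15
    ("192.0.2.0/24", 64511, "Invalid", [64500]),
    ("203.0.113.0/24", 64512, "NotFound", [64501]),
]
MANRS = {64500, 64501}  # hypothetical member ASNs

def addr_count(prefixes):
    """Unique IPv4 addresses covered; overlapping prefixes count once."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))

def action1(routes=ROUTES, members=MANRS):
    """Per member: (conformant, Invalid share of propagated address space)."""
    seen = defaultdict(lambda: defaultdict(list))
    for prefix, origin, status, upstreams in routes:
        for asn in upstreams:
            # Only announcements the member carries for another origin count.
            if asn in members and asn != origin:
                seen[asn][status].append(prefix)
    report = {}
    for asn in members:
        by_status = seen[asn]
        total = addr_count([p for ps in by_status.values() for p in ps])
        invalid = addr_count(by_status.get("Invalid", []))
        # Assumed rule: conformant only if no Invalid prefix was propagated.
        report[asn] = (invalid == 0, invalid / total if total else 0.0)
    return report

if __name__ == "__main__":
    for asn, (ok, share) in sorted(action1().items()):
        print(f"AS{asn}: conformant={ok} invalid_share={share:.4%}")
```

In this constructed data AS64500 is non-conformant even though under 0.2% of the address space it propagates is Invalid, the same pattern the post reports for the 141 non-conformant members.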
In addition, we found that 25 out of 27 MANRS members that are large transit providers (had >180 customer ASes) did not fully conform with MANRS Action #1, suggesting that conformance was hard to achieve for networks with complex routing relationships.
Are MANRS Members More Likely to Register in RPKI?
Except for a few cases, MANRS organizations tended to conform to the two actions we studied. However, to estimate the impact of the MANRS initiative on the state of routing security, we compared the behavior of MANRS and non-MANRS ASes.
We first compared these two subsets of ASes in terms of registration of RPKI ROAs of prefixes announced in BGP. In November 2022, 60.1% of routed IPv4 address space originated by MANRS ASes was covered by RPKI ROAs, compared with only 38.8% of all routed IPv4 address space.
Figure 5 shows that in November 2022, IPv4 address space originated by MANRS ASes was more likely to be registered in RPKI in all RIR regions except APNIC. In the APNIC region, we found significant RPKI registration by non-MANRS networks from JPNIC and TWNIC, possibly due to local RPKI outreach efforts. Overall, this difference suggests a positive influence of MANRS members on the adoption of RPKI.
Similarly, changing the view from routed address space to the originating ASes, we found that in November 2022, MANRS members were more likely to originate at least 80% RPKI Valid prefixes in BGP compared to their non-MANRS counterparts in all RIR regions (Figure 6).
Future for MANRS
In November 2022, we found 71 MANRS ASes that registered their prefixes only in IRR but not RPKI. Registering only in an IRR database is less optimal than registering in RPKI, since some IRR databases may contain inaccurate records due to looser validation standards (see our paper IRR Hygiene in the RPKI Era).
We recommend that MANRS members register in RPKI in addition to IRR databases. We also recommend that MANRS add a conformance checker to its existing Observatory to motivate its members further to maintain good routing security practices. We have published our analysis code to facilitate such conformance checking.
Contributors: Cecilia Testart.
This post is adapted from the original one featured on the CAIDA Blog.
Ben Du is a Ph.D. student in the Center for Applied Internet Data Analysis (CAIDA) group at UC San Diego.