The MANRS initiative will hold a Community Meeting at APRICOT 2023 on Monday, 27 February 2023 (11.30-13.00 UTC+8), but we thought we’d also take the opportunity to discuss our plans for the coming year.
MANRS went from strength to strength over the past 12 months and now has over 900 participants across its four programs, along with 20 partners who help support our work. We saw RPKI adoption increase to 77% and ROV implementation to 10% amongst MANRS participants, while we observed an overall decline in routing incidents.
We began issuing monthly reports to all participating network operators showing their state of routing security and conformance with the four MANRS Actions, supported the development of the Global Routing Intelligence Platform (GRIP) to provide an alternative source of route incident data, and in the past month launched the MANRS API that allows users to build their own reporting mechanisms.
The MANRS Steering Committee was also established with elected members now providing oversight and guidance of the MANRS programs by the MANRS participants. The Steering Committee met nine times during 2022 and discussed how to enhance the existing programs, how to improve data quality, levels of MANRS conformance of existing participants, the MANRS response to the FCC Notice of Inquiry on Secure Internet Routing, the problems of ‘administrative’ bogons, cybersquatting of AS-SETs and issues with third-party IRRs, and developing new initiatives such as MANRS+.
2023 marks an important point in the MANRS program as we look to build on this work. We’ve achieved so much over these past eight years, but for us to move towards a self-sustainable model we as a community need to discuss how it should be governed and funded in the years ahead.
Route Incidents and Bogons
The MANRS Observatory is a powerful tool that we use to measure the conformance of ASNs with the MANRS Actions. It collates information from third-party data sources BGPStream, GRIP, CIDR Report, RIR databases, PeeringDB, and CAIDA Spoofer.
Unfortunately, of the two data sources we use to identify route incidents, BGPStream is no longer actively maintained, while GRIP is a newer development but has a tendency to generate false positives. We’ll therefore be working on improvements to tune and improve the accuracy of our route incident detection.
We have also observed significant issues with bogon advertisements on the public Internet, which account for around 50% of observed route incidents. Bogons are number addresses (ASNs and IP addresses) that should not be routed. They typically include unallocated and special purpose addresses, but legitimately assigned number resources are marked bogon (usually temporarily) by some Regional Internet Registries (RIRs) for administrative reasons — typically a loss of contact or unpaid bills. This causes many route incidents to be flagged and not only reduces conformance with MANRS Actions but in the future could cause problems for networks implementing ROV.
We are working to persuade the NRO and RIRs to categorize these so-called administrative bogons differently so we can exclude them as route incidents. We are also looking at developing a technical solution to allow them to be more easily filtered from the MANRS measurements.
Discussions kicked off in 2022 for a new elevated tier of MANRS participation currently known as MANRS+. This concept was established by network operators and service providers along with their customers who require higher levels of routing security assurance. It aims to develop a quality mark, certification, and possibly standards in the future that can be incorporated into procurement recommendations and policies.
The MANRS+ Working Group is currently developing a set of requirements around path security, DDoS attack protection, anti-spoofing protection, and validated routing information such as ROAs and AS-SETs, along with auditing approaches to assure high levels of conformance. These requirements are focused on the needs of the relying parties and cover a broader set of risks compared to the existing MANRS programs.
Mentors and Ambassadors Program
We’re continuing the MANRS Mentors and Ambassadors (formerly Ambassadors and Fellows) Program, which aims to extend outreach and involve the wider Internet community in routing security. This will be the fourth year we’re running this program, and applications will open in April 2023.
Mentors are individuals who are well-established in the MANRS Community and can provide mentorship, guidance, and feedback to others in the routing security community. Ambassadors are emerging leaders who can enthusiastically bring knowledge and skills about routing security to their communities.
There will again be three tracks based on training, research, and policy. Usually, between one and three Mentors and two to five Ambassadors are appointed for each track.
The global routing system is increasingly being recognized as a critical component of the Internet and routing security is therefore increasingly gaining the attention of policymakers. MANRS is often referenced by government agencies and has provided input to governmental inquiries. Our standpoint is that industry-led best practices are the most appropriate way of improving routing security. MANRS will continue to monitor and provide input where appropriate to regulatory-related developments as these happen.
Capacity building is an important part of MANRS. We offer various self-paced online tutorials, hands-on workshops (both directly and via our Mentors and Ambassadors Program), and Internet Society moderated courses. We have also developed training labs for network engineers and administrators to learn how to configure routing security features, and will continue to update the Implementation Guides that provide step-by-step instructions.
We Need Your Help Moving Forward
MANRS has established itself as the leading routing security program, recognized by the Internet industry, policymakers, and increasingly enterprises relying on Internet services. It develops best practices in collaboration with the Internet industry, develops and maintains the MANRS Observatory to monitor the state of global routing security, and provides information sharing and capacity building to encourage the implementation of good routing security practices.
The MANRS Steering Committee, in consultation with the MANRS Community, will therefore be formulating plans for how the community would like to see MANRS develop, including how it should be governed and funded in the years ahead. MANRS is a community-led initiative, so the input of everyone in the community is welcome.
The Internet Society has funded the MANRS initiative since its inception, but it also needs your support to continue to grow and strengthen the routing security community. We are therefore looking for industry sponsors interested in supporting the MANRS Observatory, its Mentors and Ambassadors Program, its Training Program, and its community events, including the Routing Security Summit. Please reach out to us at [email protected] to learn more about sponsoring these activities.
If you are a MANRS participant, such as a network operator, IXP, CDN/cloud provider, or vendor, please also consider becoming an Organizational Member of the Internet Society to help us continue to secure the global Internet for everyone.
If you’re not already a MANRS participant, please take a look at the MANRS website to learn more.