IXP Actions
MANRS is an important step toward a globally robust and secure routing infrastructure.
The MANRS Actions were initially designed for network operators, but Internet Exchange Points (IXPs) should also play an active role in protecting the Internet. IXPs represent active communities with common operational objectives and already contribute to a more resilient and secure Internet infrastructure.
MANRS can help IXPs build safe neighborhoods, leveraging the MANRS security baseline. Participation also demonstrates an IXP’s commitment to the security and sustainability of the Internet ecosystem, and its dedication to providing high-quality services.
IXPs are important partners in the MANRS community.
IXPs can be a collaborative focal point to discuss and promote the importance of routing security. To address the unique needs and concerns of IXPs, the community is creating a related but separate set of MANRS actions for IXP members.
Eligibility criteria and proof of implementation
To join, an IXP must demonstrate commitment by implementing a majority of the IXP Program Actions (at least three out of five). Actions 1 and 2 are mandatory, and the IXP must implement at least one additional Action.
The implementation of specific Actions should be reflected in relevant documentation (e.g. IXP policies, technical briefs, etc.). This documentation should be publicly available, or at least available for the IXP members. When joining MANRS, an IXP will be asked to provide links to this documentation.
Terms used in this document
IXP member – a network using interconnection services provided by an IXP. Depending on the IXP model, that may be an IXP member, an IXP customer, etc.
MANRS IXP Program (MANRS IXPP) participant – an IXP participating in the MANRS IXPP.
The IXP Program Action Set
Action 1. Prevent propagation of incorrect routing information. (Mandatory)
The IXP implements filtering of route announcements at the Route Server based on routing information data (IRR and/or RPKI). Based on the outcome of the validation process, the invalid announcements are filtered in accordance with the IXP published policy.
IXPs using a Route Server to facilitate multilateral peerings should use it to validate route announcements received from a peer and filter them before they are passed on to other peers. Special purpose cases, such as research projects, are out of scope for this requirement.
Validation is usually done by checking BGP announcements against IRR data (by resolving the AS-SET object) or RPKI data (ROA objects or a validated cache). It is also common to check the announcements against “bogons” or “martians” (IP prefixes as defined in RFC1918, RFC5735, and RFC6598; ASNs in the AS-PATH as defined by RFC5398, RFC6793, RFC6996, RFC7300, RFC7607).
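The checks described under Action 1, as an added example (not part of the MANRS document or of any Route Server software): bogon prefix and ASN filtering followed by RFC 6811 origin validation for IPv4 announcements. The ROA entries, the ASNs, the function names and the policy of accepting not-found routes are assumptions made for the example.

```python
import ipaddress

# Bogon prefixes: RFC1918, RFC6598 and a subset of the RFC5735 special-use blocks.
BOGON_NETS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4")]
# Bogon ASN ranges: RFC7607, RFC6793, RFC5398, RFC6996, RFC7300.
BOGON_ASNS = [(0, 0), (23456, 23456), (64496, 64511), (64512, 65534),
              (65535, 65535), (65536, 65551), (4200000000, 4294967294),
              (4294967295, 4294967295)]

# Constructed ROAs (prefix, maxLength, origin ASN); not real RPKI data.
ROAS = [("45.10.0.0/16", 20, 3000), ("45.20.0.0/22", 22, 4000)]

def is_bogon_prefix(prefix):
    """True if the prefix lies inside one of the bogon blocks."""
    net = ipaddress.ip_network(prefix)
    return any(net.version == b.version and net.subnet_of(b) for b in BOGON_NETS)

def bogon_asns(as_path):
    """Return the ASNs in the path that fall in a bogon range."""
    return [a for a in as_path if any(lo <= a <= hi for lo, hi in BOGON_ASNS)]

def rov_state(prefix, origin, roas=ROAS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covered = True  # at least one ROA covers this prefix
            if asn == origin and net.prefixlen <= max_len:
                return "valid"
    return "invalid" if covered else "not-found"

def route_server_filter(prefix, as_path):
    """Return (accept, reason) for one announcement received from a peer."""
    if is_bogon_prefix(prefix):
        return False, "bogon prefix"
    if bogon_asns(as_path):
        return False, "bogon ASN in AS-PATH"
    state = rov_state(prefix, as_path[-1])  # origin is the rightmost ASN
    # Assumed policy: drop RPKI-invalid, keep valid and not-found.
    return state != "invalid", "rpki " + state
```

A /24 carved out of a ROA whose maxLength is 20 comes back invalid even when the origin ASN matches, which is the case that stops more-specific hijacks of a covered prefix.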
Action 2. Promote MANRS to the IXP membership. (One or more must be checked)
The IXP provides encouragement or assistance for members to implement MANRS actions. (There are 4 separate check-boxes for different levels of incentives; one or more must be checked.)
The IXP actively promotes MANRS by encouraging its members to implement the MANRS actions in part or in full. The encouragement can take different forms:
Action 2-1: Offer assistance to its members to maintain accurate routing information in an appropriate repository (IRR and/or RPKI)
This may take the form of training or tutorials, for example as part of the on-boarding process.
Action 2-2: Offer assistance in implementing MANRS ISP Actions for the members
This may take the form of training or tutorials, for example as part of the on-boarding process.
Action 2-3: Indicate MANRS participation on the member list and the website
Action 2-4: Provide incentives linked to MANRS readiness
This may be a symbolic price reduction or any other benefit, on the rationale that a MANRS-compliant member is less likely to cause trouble for other peers and the IXP's operations, is easier to coordinate with, etc., thereby reducing the cost of providing the IXP service.
Action 3. Protect the peering platform.
The IXP has a published policy of traffic not allowed on the peering fabric and performs filtering of such traffic.
Commonly, filtering applies to:
- Disallowed Ethernet frame formats
- Disallowed Ethertypes
- Link-local protocols, such as IRDP, ICMP redirects, Discovery protocols (CDP, EDP), VLAN/trunking protocols (VTP, DTP), BOOTP/DHCP, etc.
- Restricted by the MAC port security configuration
While not strictly routing, applying hygiene on Layer 2 can ensure the smooth operation of the platform and contribute to the stability of the IXP infrastructure and routing.
Action 4. Facilitate global operational communication and coordination between network operators.
The IXP facilitates communication among members by providing necessary mailing lists and member directories. The IXP and each of its members have at least one valid, active email address and one phone number that other members can use for cases of abuse, security, and operational incidents.
Effective communication among members of an IXP is essential in mitigating network incidents such as misconfigurations, outages, or DoS attacks. Mailing lists or other means of communication and a member directory available to all members of the exchange containing up-to-date contact information play a crucial role.
Action 5. Provide monitoring and debugging tools to the members.
The IXP provides a looking glass for its members.
A looking glass is an important facility that can help debug routing incidents or anomalies and prevent or shorten potential outages. An IXP should offer a looking glass interface of its Route Server to its members.