Overview

MANRS is an important step toward a globally robust and secure routing infrastructure
Mutually Agreed Norms for Routing Security (MANRS) is an initiative to greatly improve the security and resilience of the Internet's global routing system. It does this by encouraging those running BGP to implement well-established industry best practices and technological solutions that can address the most common threats.
MANRS was initially targeted at network operators, but Internet Exchange Points (IXPs) should also play an active role in protecting the Internet. IXPs represent active communities with common operational objectives and already contribute to a more secure and resilient Internet infrastructure.
MANRS can help IXPs build safe neighborhoods through the MANRS Actions. It also demonstrates an IXP's commitment to improving security, developing a culture of collective responsibility, and building a responsible community.
MANRS has the following objectives:
- Raise awareness of routing security problems and encourage the implementation of actions that can address them;
- Promote a culture of collective responsibility toward the security and resilience of the Internet's global routing system;
- Demonstrate the ability of the Internet industry to address routing security problems;
- Provide a framework to better understand and address issues relating to the security and resilience of the Internet's global routing system.
IXPs are important partners in the MANRS community
IXPs can be a collaborative focal point to discuss and promote the importance of routing security. To address the unique needs and concerns of IXPs, the community created a separate set of MANRS actions for IXP participants.
Eligibility criteria and proof of implementation
To join, an IXP must demonstrate commitment by implementing at least three out of the five IXP Program Actions. Actions 1 and 2 are mandatory, and the IXP must implement at least one additional Action.
The implementation of specific Actions should be reflected in relevant documentation (e.g. IXP policies, technical briefs, etc.). This documentation should be publicly available, or at least available for the IXP's members. When joining MANRS, an IXP will be asked to provide links to this documentation.
Terms used in this document
IXP member - a network operator using interconnection services provided by an IXP. Depending on the IXP model that may be an IXP member, an IXP customer, etc.
Blackhole community - Blackhole community (65535:666) is the BGP community used to implement the RTBH (Remote-Triggered Black-Hole) mechanism. This mechanism is used by Route Servers to divert the flow of malicious data toward a specific next-hop.
Internet Routing Registry (IRR) - a database (IRRDB) of Internet route objects for determining and sharing routes and related information used for configuring routers, with a view to facilitating the exchange of routing information between Internet service providers. The objects are specified in RPSL format.
RPKI (Resource Public Key Infrastructure) - proves the association between specific IP address blocks or ASNs and the holders of those Internet number resources. The certificates are proof of the resource holder's right of use of their resources and can be validated cryptographically.
ROA (Route Origin Authorization) - the key object of the RPKI architecture. A ROA can be seen as an object that authorizes an AS to announce a specific IP prefix. The validation of a BGP announcement is based on a comparison between the information contained in the announcement and the ROAs present in the database of the router itself, downloaded from the RPKI Validator. There are 3 possible results from the validation process:
- Valid: the RPKI Validator contains a ROA with the same ASN, and the netmask length of the announced prefix is less than or equal to the max length specified in the ROA.
- Invalid: the RPKI Validator contains a ROA, but either it has a different ASN or the netmask length of the announced prefix is greater than the max length specified in the ROA.
- Not found: the RPKI Validator contains no ROAs matching the update.
Route Servers (RS) - typically used on shared access media networks, such as IXPs, to facilitate simplified interconnection between multiple Internet routers. They are a value-added service offered by IXPs and their popularity has made them critical infrastructure for large IXPs.
Martian/Bogon - A "bogon" (plural: "bogons") is a packet with an IP source address in an address block not yet allocated by IANA or the Regional Internet Registries (AFRINIC, APNIC, ARIN, LACNIC, or RIPE) as well as all addresses reserved for private or special use by: [RFC1918], [RFC2544], [RFC3927], [RFC5735], [RFC5737], [RFC6598] and [RFC6890]. Unallocated addresses are blocks of public address space that have not been allocated by IANA to the RIRs yet, but that could be allocated in the future.
MANRS IXP Program (MANRS IXPP) participant - an IXP participating in the MANRS IXP Program.
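The three ROA validation results defined under "ROA" above, as an added example that is not part of the original page or MANRS's own code: a route origin validation check in which a ROA applies to an announcement when the ROA prefix covers the announced prefix (the covering rule of RFC 6811, which the definitions above leave implicit). The ROA entries, prefixes and ASNs are constructed samples from documentation ranges, and the names `ROA`, `ROAS` and `validate` are hypothetical.

```python
import ipaddress
from typing import NamedTuple


class ROA(NamedTuple):
    prefix: str       # prefix the resource holder authorized
    max_length: int   # longest netmask the origin AS may announce
    asn: int          # authorized origin AS


# Constructed sample ROA set (documentation prefixes and ASNs, not real data).
ROAS = [
    ROA("192.0.2.0/24", 24, 64500),
    ROA("198.51.100.0/24", 25, 64501),
    ROA("198.51.100.0/24", 24, 64503),   # second authorized origin, same prefix
    ROA("2001:db8::/32", 48, 64502),
]


def validate(prefix: str, origin_asn: int, roas=ROAS) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one BGP announcement."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # A ROA only applies if it is the same address family and its
        # prefix covers (equals or contains) the announced prefix.
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        # Valid: same ASN and announced netmask length <= ROA max length.
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    # Covered but never matched: wrong ASN or netmask longer than max length.
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    for pfx, asn in [("192.0.2.0/24", 64500), ("192.0.2.0/25", 64500),
                     ("192.0.2.0/24", 64999), ("203.0.113.0/24", 64500)]:
        print(f"{pfx:18} AS{asn}: {validate(pfx, asn)}")
```

An announcement is Valid as soon as any covering ROA matches it, so a prefix with several authorized origins stays Valid for each of them; it is Invalid only when at least one ROA covers it and none matches.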