Boosting Internet Routing Security with MANRS Tutorials

Discover six essential MANRS tutorials that empower network operators to fortify routing security and enhance global Internet stability.

By Sneha Tete, Integrated MA, Certified Relationship Coach

The Internet’s backbone relies on the Border Gateway Protocol (BGP), a system that directs data packets across global networks. However, BGP’s design, rooted in the 1980s, lacks built-in safeguards against modern threats. Incidents like route hijacks—where malicious actors redirect traffic—and route leaks, which flood networks with erroneous announcements, have caused widespread disruptions. In response, the Mutually Agreed Norms for Routing Security (MANRS) provides a framework for operators to adopt voluntary best practices. Recently launched educational modules offer hands-on guidance to implement these norms effectively.

Understanding the Risks in BGP Routing

BGP operates as a decentralized protocol where autonomous systems (ASes) exchange routing information to form the Internet’s topology. Without validation, a rogue actor can announce false prefixes, diverting traffic to unintended destinations. For instance, a 2018 hijack by a Russian telecom firm rerouted Amazon and Google traffic through its networks, exposing data to potential interception. Such events underscore the need for proactive measures.

Common threats include:

  • Prefix Hijacking: Forging ownership of IP address blocks to intercept traffic.
  • Route Leaks: Unintended propagation of private peering info, causing instability.
  • IP Spoofing: Faking source addresses to launch DDoS attacks.

These vulnerabilities not only disrupt services but also erode trust in the Internet ecosystem. MANRS addresses them through actionable guidelines tailored for Internet Service Providers (ISPs), content networks, and exchange points.

Core Principles of the MANRS Framework

MANRS outlines four primary actions for network operators:

  1. Filter route announcements from customers and peers to block invalid prefixes.
  2. Implement global validation of routing data using public registries.
  3. Maintain accurate contact details in standard databases for rapid incident response.
  4. Publish a clear routing policy outlining authorized announcements.

These steps form a baseline for participation. By committing to them, operators join a coalition representing over 1,000 ASes worldwide, covering significant Internet traffic volume. The initiative, now managed by the Global Cyber Alliance with Internet Society support, promotes collective resilience.

Overview of the Six Educational Modules

To facilitate adoption, six interactive tutorials break down complex concepts into practical lessons. Aimed at engineers familiar with BGP basics, they include quizzes, diagrams, and configuration examples. Each module targets a specific MANRS action or related skill.

| Module | Focus Area | Key Skills Gained |
|---|---|---|
| 1. Foundations of Routing Security | Internet threats and MANRS overview | Recognize vulnerabilities; understand four actions |
| 2. Securing Customer Announcements | Preventing invalid routes from downstream | Configure inbound filters; use IRR data |
| 3. Protecting Internal Routing | Filtering from your own AS | Implement export policies; avoid leaks |
| 4. Accessible Peering Contacts | Maintaining public info | Update databases like PeeringDB |
| 5. Crafting Routing Policies | Documenting valid prefixes | Draft and publish RPSL objects |
| 6. Global Validation Techniques | RPKI and ROV deployment | Deploy Resource Public Key Infrastructure |

These resources are freely available online, with progress tracking for teams. Completing them prepares networks for formal MANRS membership.

Implementing Filters for Customer Routes

One critical tutorial dives into inbound filtering. Operators must verify that customer ASes only announce prefixes they own, using Internet Routing Registry (IRR) data. Tools like RTConfig generate filter lists from RPSL databases. For example, a prefix 203.0.113.0/24 owned by AS12345 should be rejected if announced by AS67890.

Steps include:

  • Query IRR for authorized origins (AS-SETs).
  • Apply prefix-lists and AS-path filters on edge routers.
  • Test with tools like BGPmon for validation.

This prevents customers from misannouncing routes, a common hijack vector. Real-world adoption has reduced incident frequency by up to 30% in participating networks, per MANRS reports.
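
The following Python example is added here and is not part of the MANRS tutorials. It expands a customer's as-set from RPSL objects, builds the inbound filter, and applies it to the 203.0.113.0/24 case above. The RPSL data is constructed, and the AS-EXAMPLE-* set names and AS64500 are assumptions.

```python
import ipaddress

# Constructed RPSL objects (not real registry data); AS-EXAMPLE-* names are hypothetical.
IRR_DUMP = """\
as-set:  AS-EXAMPLE-CUSTOMER
members: AS12345, AS-EXAMPLE-DOWNSTREAM

as-set:  AS-EXAMPLE-DOWNSTREAM
members: AS64500, AS-EXAMPLE-CUSTOMER

route:   203.0.113.0/24
origin:  AS12345

route:   198.51.100.0/24
origin:  AS64500

route:   192.0.2.0/24
origin:  AS67890
"""

def expand_as_set(name, as_sets, seen):
    """Resolve an as-set to origin ASNs; 'seen' stops membership loops."""
    if name in seen:
        return set()
    seen.add(name)
    asns = set()
    for member in as_sets.get(name, []):
        if member[2:].isdigit():      # plain ASN such as AS12345
            asns.add(member)
        else:                         # nested as-set, resolved recursively
            asns |= expand_as_set(member, as_sets, seen)
    return asns

def build_filter(text, customer_as_set):
    """Allowed (prefix, origin) pairs for one customer's as-set."""
    as_sets, routes = {}, []
    for block in text.strip().split("\n\n"):   # objects are blank-line separated
        obj = [tuple(p.strip() for p in line.split(":", 1)) for line in block.splitlines()]
        kind, key = obj[0]
        if kind == "as-set":
            as_sets[key] = [m.strip() for a, v in obj if a == "members" for m in v.split(",")]
        elif kind == "route":
            routes.append((ipaddress.ip_network(key), dict(obj)["origin"]))
    cone = expand_as_set(customer_as_set, as_sets, set())
    return {(net, origin) for net, origin in routes if origin in cone}

def accept(allowed, prefix, as_path):
    """Exact-match check; the last AS in the path is treated as the origin."""
    return (ipaddress.ip_network(prefix), "AS%d" % as_path[-1]) in allowed
```

The exact-match rule also rejects more-specific announcements such as 203.0.113.128/25, and the route registered to AS67890 is left out because that AS is not in the customer's as-set.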

Safeguarding Your Own Network’s Announcements

Internal misconfigurations can leak routes globally. The dedicated module teaches export controls, ensuring only legitimate prefixes leave your AS. Use maximum prefix limits (max-prefix) on sessions to cap announcements, e.g., rejecting if AS64496 sends over 100 prefixes unexpectedly.

Best practices involve:

  • Defining AS-SETs encompassing all upstream providers.
  • Prepending AS paths to signal local routes.
  • Monitoring with BGP looking glasses.

Operators learn to audit configurations using scripts, minimizing human error—a factor in 40% of leaks according to recent studies.

Establishing Reliable Contact Mechanisms

Quick coordination halts incidents. This tutorial covers registering abuse contacts in WHOIS, PeeringDB, and MANRS portals. Standard formats ensure automated tools can notify the right parties. For instance, during a 2023 leak affecting European research nets, accurate PeeringDB entries enabled resolution within hours.

Key actions:

  • Appoint 24/7 NOC roles.
  • Validate email/pager responsiveness.
  • Sync across multiple registries.

Public transparency builds trust among peers.

Documenting and Validating Routing Policies

A routing policy statement (RPS) lists valid prefixes and upstreams. The module guides creating RPSL files for IRR submission, e.g., route: 192.0.2.0/24 origin: AS12345 members: AS-UPSTREAM1, AS-UPSTREAM2. Peers use this to validate sessions dynamically.

Benefits include automated compliance checks and reduced disputes. Pairing with RPKI—cryptographic signing of Route Origin Authorizations (ROAs)—enables Route Origin Validation (ROV) on routers, rejecting invalid announcements at source.

Advanced Validation with RPKI

The final tutorial explores RPKI deployment. Regional Trusted Lists (TLs) aggregate ROAs from CAs like ARIN and RIPE NCC. Routers query repositories via rsync or HTTP, applying ROV policies: accept valid, drop invalid, infer unknowns.

Deployment stats show 60%+ MANRS participants with ROAs, blocking thousands of hijacks annually. Challenges like CRLF parsing are addressed with vendor-specific guides for Cisco, Juniper, and open-source tools like rpki-client.
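
The origin-validation decision described above, as an added Python example (not code from the MANRS tutorials or from any router vendor): it follows the RFC 6811 procedure over a constructed list of validated ROA payloads. Accepting not-found routes is an assumption about local policy, and every ASN other than AS12345 and AS67890 is illustrative.

```python
import ipaddress

# Constructed validated ROA payloads: (prefix, maxLength, origin ASN).
VRPS = [
    ("203.0.113.0/24", 24, 12345),
    ("2001:db8::/32", 48, 64497),   # maxLength permits more-specifics up to /48
    ("192.0.2.0/24", 24, 0),        # AS0 ROA: no origin is authorized
]

def validate(prefix, origin_asn, vrps=VRPS):
    """Return the RFC 6811 validation state for one announcement."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, asn in vrps:
        vrp = ipaddress.ip_network(vrp_prefix)
        # A VRP covers the route when the route lies inside the VRP prefix.
        if vrp.version != route.version or not route.subnet_of(vrp):
            continue
        covered = True
        # A match needs the same origin and a length within maxLength; AS0 never matches.
        if asn != 0 and asn == origin_asn and route.prefixlen <= max_len:
            return "valid"
    # Covered but unmatched is invalid; no covering VRP at all is not-found.
    return "invalid" if covered else "not-found"

def rov_policy(prefix, origin_asn, vrps=VRPS):
    """Drop invalid routes; accept valid and not-found ones (assumed local policy)."""
    state = validate(prefix, origin_asn, vrps)
    return state, ("drop" if state == "invalid" else "accept")
```

A more-specific announcement from the correct origin, such as 203.0.113.0/25 from AS12345, is invalid because it exceeds the ROA's maxLength.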

Benefits and Real-World Impact

Adopting MANRS yields tangible gains: fewer outages, compliance badges for marketing, and peer preference in peering agreements. A 2022 community report noted 886 participants, up 18% yearly. Incidents like the 2021 Fastly BGP leak highlight ongoing needs, but MANRS tools mitigate them effectively.

For enterprises, secure routing protects sensitive data flows. ISPs gain stability, reducing support tickets. Policymakers reference MANRS in standards like NIST SP 800-53.

How to Get Started with MANRS

Begin with the intro module, then sequence through filters and policies. Self-assess via MANRS checklists. Apply for membership at manrs.org, submitting evidence like IRR objects. Communities like NANOG host workshops for deeper dives.

Frequently Asked Questions

What is MANRS?

MANRS is a voluntary initiative promoting routing security norms to safeguard the Internet from BGP threats.

Who should take these tutorials?

Network engineers, admins, and managers handling BGP in ISPs, IXPs, or enterprises.

Are the tutorials free?

Yes, accessible via the MANRS learning platform without registration barriers.

How long does it take to complete all modules?

Approximately 4-6 hours, self-paced with interactive elements.

Does MANRS require hardware upgrades?

No, it leverages existing BGP features and free tools.

Future Directions in Routing Security

While MANRS provides immediate fixes, emerging tech like BGPsec (path validation) and SIDR complement it. Operators are encouraged to monitor IETF drafts and contribute telemetry to efforts like BGPStream. As IPv6 adoption grows, dual-stack filtering becomes imperative.

In conclusion, these tutorials democratize expertise, enabling even resource-constrained networks to contribute to a robust Internet. Start today to prevent tomorrow’s headlines.

References

  1. Mutually Agreed Norms for Routing Security (MANRS) — Global Cyber Alliance. 2024-01-15. https://manrs.org/
  2. Internet Routing Registry Documentation — RIPE NCC. 2023-11-20. https://www.ripe.net/publications/docs/ripe-181/
  3. Resource Public Key Infrastructure (RPKI) Overview — Internet Engineering Task Force (IETF). 2012-10-12 (authoritative standard). https://datatracker.ietf.org/doc/html/rfc6480 (remains foundational for deployments).
  4. MANRS Community Report 2022 — MANRS. 2023-03-01. https://manrs.org/resources/manrs-community-report-2022/
  5. BGP Security Analysis — ARIN. 2024-05-10. https://www.arin.net/resources/rpki/