CDNs and Clouds Boost Internet Routing Security via MANRS

Major CDN and cloud giants unite under MANRS to fortify global routing, slashing risks from hijacks and leaks for a resilient web.

By Medha Deb

The Internet’s backbone relies on Border Gateway Protocol (BGP) routing to direct data packets across the globe. Yet, vulnerabilities in this system—such as route hijacks, leaks, and IP spoofing—pose constant threats to connectivity, privacy, and service integrity. In a landmark development, major Content Delivery Networks (CDNs) and cloud service providers have rallied under the Mutually Agreed Norms for Routing Security (MANRS) initiative to address these issues head-on. This collaboration marks a significant expansion of MANRS, bringing influential edge network operators into the fold to safeguard the routing ecosystem.

Understanding the Routing Crisis in Modern Networks

BGP, the protocol powering Internet routing since the 1980s, was never designed with robust security in mind. It trusts announcements from peers without inherent validation, leaving the door open for malicious actors to divert traffic or cause outages. High-profile incidents, like the 2018 MyEtherWallet hijack or repeated route leaks from major providers, underscore the urgency. These events disrupt services for millions, enable surveillance, and facilitate DDoS amplification.

CDNs and cloud platforms exacerbate these risks due to their scale. They peer with thousands of networks worldwide, handling massive traffic volumes. A single misconfiguration in such a network can propagate faulty routes globally, as seen in past leaks from edge providers that blackholed traffic for hours. By 2026, with cloud computing projected to underpin 45% of IT spending worldwide, securing these hubs is non-negotiable.

Birth and Evolution of the MANRS Initiative

Launched by the Internet Society in 2014, MANRS started as a voluntary framework for network operators to adopt best practices against common routing threats. Initially focused on ISPs, it expanded to Internet Exchange Points (IXPs) in 2016, recognizing their role in peering fabrics. The latest phase, introduced in 2020, tailors guidelines for CDNs and cloud providers, acknowledging their unique position at the Internet’s edge.

This evolution reflects community-driven input. A 2018-2019 task force, comprising experts from Akamai, Cloudflare, Google, Microsoft, and others, crafted tailored actions. By March 2020, pioneers like Amazon Web Services (AWS), Netflix, and Facebook signed on, signaling industry momentum. As of 2026, over 300 networks participate across categories, with MANRS actions influencing BGP filters at major exchanges.

Core Commitments: The Six Pillars of CDN/Cloud MANRS

Participants pledge to implement five mandatory actions (plus one optional), forming a baseline for routing hygiene. These measures target propagation errors, source validation, and collaboration. Here’s a breakdown:

  • Block Invalid Route Announcements: Filter outbound BGP updates to prevent advertising non-allocated prefixes or those not authorized via IRR or RPKI. This curbs leaks and hijacks at the source.
  • Reject Bogus Source IPs: Deploy ingress filtering (e.g., BCP 38/uRPF) to drop packets with spoofed origins, mitigating DDoS and reflection attacks.
  • Enable Peering Coordination: Publish 24/7 contact points in databases like PeeringDB, ensuring rapid incident response.
  • Support Route Validation: Promote tools like RPKI for cryptographically verifying route origins, with mandatory Route Origin Authorization (ROA) for own prefixes.
  • Promote Adoption: Advocate MANRS within ecosystems, sharing resources to grow participation.
  • Optional: Offer Diagnostics: Provide partners with route monitoring and debugging APIs for proactive issue resolution.

These pillars align with IETF standards like RFC 8704 (BGP YANG) and RFC 9234 (RPKI), ensuring interoperability.

Action | Mandatory? | Key Benefit | Implementation Example
Block Invalid Routes | Yes | Prevents global leaks | RPKI-ROV + IRR checks
Reject Bogus IPs | Yes | Stops spoofing | Strict uRPF on edges
Peering Contacts | Yes | Faster fixes | PeeringDB integration
Route Validation | Yes | Authenticates origins | Full RPKI deployment
Promote MANRS | Yes | Network effects | Workshops, badges
Diagnostics Tools | No | Troubleshooting | Route leak detectors

Founding Participants and Growing Momentum

The 2020 launch featured heavyweights: Akamai, AWS, Azion, Cloudflare, Facebook, Google, Microsoft, and Netflix. These entities serve billions, peering at 100+ IXPs. Their commitment amplifies impact—Cloudflare alone filters routes for 20% of web traffic. Post-launch updates in 2021 strengthened requirements, mandating ROV in peering policies and consistent IRR usage.

By 2026, participation has surged, with metrics showing 80%+ RPKI coverage among members. This peer pressure incentivizes non-members to comply, creating a virtuous cycle. IXPs like AMS-IX and DE-CIX now prioritize MANRS-compliant peers in port assignments.

Real-World Gains: From Theory to Impact

MANRS isn’t abstract—it’s curbing incidents. A 2022 CAIDA study found MANRS ISPs 50% less likely to leak routes. For CDNs, egress filters have prevented small errors from cascading, as in a 2023 Fastly incident contained within minutes. Benefits extend beyond security:

  • Secure Peering: Reduces attack surfaces at borders.
  • Peer Influence: Encourages upstream hygiene.
  • Reputation Boost: MANRS badges signal trustworthiness.
  • Ops Efficiency: Fewer outages mean stable SLAs.

Quantitatively, RPKI adoption hit 54% of the IPv4 table by 2025, per Hurricane Electric stats, partly due to MANRS ripple effects.

Technical Deep Dive: RPKI and Beyond

Central to MANRS is Resource Public Key Infrastructure (RPKI), per RFC 6480. Under RPKI, ROAs are signed objects that map a prefix to the AS authorized to originate it. Validators query the repositories that hold them, and routes found invalid are discarded. CDNs must publish ROAs for all prefixes and apply ROV inbound/outbound.
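The validation step described above, written out as an added example that is not part of the original article; it follows the origin-validation procedure of RFC 6811. The VRP entries and announcements use documentation prefixes and ASNs and are constructed, and the names `VRP`, `validate_origin` and `rov_filter`, along with the `strict` policy switch, are illustrative assumptions.

```python
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):
    """Validated ROA Payload: a prefix-to-AS mapping taken from a verified ROA."""
    prefix: str
    max_length: int
    asn: int

# Constructed sample data (documentation prefixes and ASNs, not real ROAs).
SAMPLE_VRPS = [
    VRP("192.0.2.0/24", 24, 64496),
    VRP("203.0.113.0/24", 24, 64497),   # maxLength 24: a /25 is not authorized
    VRP("2001:db8::/32", 48, 64498),    # more-specifics allowed down to /48
    VRP("198.51.100.0/24", 24, 0),      # AS0 ROA: prefix must not be routed
]

def validate_origin(prefix, origin_asn, vrps):
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue                    # this VRP does not cover the route
        covered = True
        if vrp.asn != 0 and vrp.asn == origin_asn and route.prefixlen <= vrp.max_length:
            return "valid"
    # Covered by at least one VRP but matched by none -> invalid.
    return "invalid" if covered else "not-found"

def rov_filter(routes, vrps, strict=False):
    """Drop invalid routes; with strict=True (assumed policy for a network's
    own outbound announcements) also drop routes that no ROA covers."""
    rejected = {"invalid", "not-found"} if strict else {"invalid"}
    return [r for r in routes if validate_origin(r[0], r[1], vrps) not in rejected]

if __name__ == "__main__":
    sample_routes = [  # constructed (prefix, origin ASN) announcements
        ("192.0.2.0/24", 64496), ("192.0.2.0/24", 64511),
        ("203.0.113.0/25", 64497), ("2001:db8:1::/48", 64498),
        ("198.51.100.0/24", 64499), ("100.64.0.0/10", 64500),
    ]
    for prefix, asn in sample_routes:
        print(prefix, asn, validate_origin(prefix, asn, SAMPLE_VRPS))
```

The `203.0.113.0/25` case shows why maxLength matters: the origin AS is correct, but the more-specific announcement is still invalid because the ROA only authorizes the /24.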

Complementing this: IRR objects (e.g., RADB) for legacy validation, plus tools like RIPEstat for monitoring. Future horizons include BGPsec (RFC 8205) for path validation, though deployment lags.

Challenges on the Path to Universal Adoption

Despite progress, hurdles remain. Legacy routers lack RPKI support; validation adds CPU overhead. Smaller providers resist voluntary norms without incentives. Geopolitical tensions hinder global coordination. MANRS counters via education, badges, and IXP incentives.

Future Roadmap: Scaling Security Ecosystem-Wide

Looking ahead, MANRS eyes enterprise networks and data centers. Integration with SD-WAN and 5G slicing will demand new actions. Community goals: 70% ROV by 2028, zero major leaks. Collaboration with RIPE NCC, ARIN, and APNIC bolsters this.

Frequently Asked Questions

What is MANRS?

MANRS is a global initiative promoting routing security norms across ISPs, IXPs, CDNs, and clouds to mitigate BGP threats.

Why focus on CDNs and clouds?

Their vast peering amplifies errors; securing them prevents widespread disruptions and improves partner hygiene.

How does one join?

Implement the actions, self-attest via manrs.org, and get listed publicly.

Is RPKI mandatory?

Participants must use it for validation and register prefixes, fostering global adoption.

What’s the impact so far?

Reduced leaks, higher RPKI deployment, and resilient peering fabrics.

References

  1. Leading CDN and Cloud Providers Join MANRS to Improve Routing Security — Internet Society. 2020-03-31. https://www.internetsociety.org/news/press-releases/2020/leading-cdn-and-cloud-providers-join-manrs-to-improve-routing-security/
  2. MANRS for CDN and Cloud Providers — MANRS.org. 2024-01-15. https://manrs.org/cdn-cloud-providers/
  3. Mind Your MANRS: Measuring the MANRS Ecosystem — CAIDA/UCSD. 2022-07-01. https://www.caida.org/catalog/papers/2022_mind_your_manrs/mind_your_manrs.pdf
  4. CDN & Cloud Providers Improve Routing Security with Expanded & Improved MANRS Program Actions — MANRS.org. 2021-03-01. https://manrs.org/2021/03/cdn-cloud-providers-improve-routing-security-with-expanded-improved-manrs-program-actions/
  5. RPKI Deployment Status — RIPE NCC. 2026-05-01. https://www.ripe.net/publications/stats/rpki/
Medha Deb is an editor with a master's degree in Applied Linguistics from the University of Hyderabad. She believes that her qualification has helped her develop a deep understanding of language and its application in various contexts.
