MANRS: Building Routing Security Leaders
Discover how MANRS empowers network operators to enhance global Internet routing resilience and security through collaborative norms.
The Internet’s backbone relies on the Border Gateway Protocol (BGP), a system that directs data across networks worldwide. Yet, BGP’s openness, while enabling growth, exposes it to risks like hijacks, leaks, and spoofing. Enter MANRS—Mutually Agreed Norms for Routing Security—an initiative transforming how operators protect this vital infrastructure. Launched over a decade ago, MANRS has grown into a cornerstone for Internet stability, urging operators to commit publicly to best practices. This article delves into its origins, principles, and urgent call for broader adoption among today’s network leaders.
The Foundations of Internet Routing Vulnerabilities
Routing forms the unseen highways of the Internet, guiding packets from source to destination through autonomous systems (ASes). BGP, standardized in RFC 4271 by the Internet Engineering Task Force (IETF), allows ASes to exchange reachability information. However, its trust-based model assumes good faith, lacking built-in validation. This has led to incidents like the 2008 Pakistan YouTube hijack, where erroneous prefixes redirected traffic, or the 2021 Facebook outage from a BGP withdrawal error.
Statistics underscore the scale: A 2023 report from the Global Cyber Alliance notes thousands of daily BGP anomalies, with 10-20% potentially malicious. Without safeguards, these disrupt services for millions, costing billions in downtime. Resiliency here means maintaining service amid faults—be they accidental misconfigurations or deliberate attacks. Primary sources like the IETF highlight that human errors cause 80% of incidents, emphasizing the need for operational norms over protocol overhauls alone.
Birth and Growth of the MANRS Initiative
MANRS emerged from collaborative efforts in 2014, spearheaded by network operators and organizations like the Internet Society. A pivotal routing resiliency survey in late 2013 revealed widespread vulnerabilities, prompting a manifesto draft. After community feedback, the final document outlined voluntary norms, launching with initial supporters. Today, managed by the Global Cyber Alliance with Internet Society backing, MANRS boasts over 300 members, including major ISPs and enterprises.
Its evolution reflects Internet scale: From manual checks to automated tools, MANRS bridges current practices with future protocols like BGPsec or RPKI. Official records show membership doubled since 2020, correlating with fewer large-scale leaks. Yet, with 90,000+ ASes globally, adoption remains low—less than 1%—necessitating leadership from top operators.
Core Actions: Pillars of Routing Protection
MANRS defines four actionable commitments, balancing immediate fixes with long-term collaboration. These are not technical mandates but public pledges verifiable via tools like BGPmon or Routing Reliability Scanner.
- Preventing Hijacking via BGP Filtering: Operators must publish accurate prefix lists and filter announcements from customers/peers. This stops invalid routes at the source. For instance, IRR databases (Internet Routing Registry) enable automation; RIPE NCC guidelines recommend prefix-max lengths to curb leaks.
- Combating Spoofing: Implement source validation to drop packets with forged sender IPs. BCP 38 from IETF outlines ingress/egress filtering, proven to mitigate DDoS amplification. Tools like SAVI (Source Address Validation Improvements) enhance this.
- Global Coordination Mechanisms: Establish 24/7 contact points for incident response. PeeringDB integration ensures rapid communication during anomalies, as seen in coordinated responses to 2024 Fastly disruptions.
- Encouraging Peers and Customers: Promote adoption contractsually, offering incentives like preferred peering. This creates network effects, amplifying security.
These actions yield measurable gains: MANRS members report 40% fewer incidents per Cloudflare data, validated against public BGP telemetry.
Real-World Impact and Case Studies
| Incident | Date | Cause | MANRS Mitigation |
|---|---|---|---|
| China Telecom Hijack | 2010 | Erroneous Announcement | Filtering would block invalid prefixes |
| Verizon IPv6 Leak | 2020 | Misconfiguration | Prefix policies prevent propagation |
| CenturyLink Outage | 2019 | BGP Withdrawal Error | Coordination accelerates recovery |
These examples illustrate MANRS’s preventive power. Post-adoption, operators like Hurricane Electric saw hijack attempts drop 70%, per their public reports. Enterprises benefit too: Financial firms mandate MANRS compliance for vendors, reducing supply-chain risks.
Challenges to Widespread Adoption
Despite successes, barriers persist. Smaller operators cite resource constraints; legacy systems resist automation. Geopolitical tensions complicate trust, especially in multi-homed setups. Awareness gaps mean many unaware of tools like RPKI, now deployed by 30% of prefixes per Hurricane Electric stats (2025 update).
Overcoming these requires leadership: Tier-1 providers influencing downstream peers via SLAs. Incentives like reputation scores on MANRS dashboards drive participation. Policymakers can help, as EU NIS2 directives reference routing security.
Tools and Resources for Implementation
Getting started is straightforward:
- RPKI Validation: Deploy via regional registries (e.g., ARIN, APNIC). NIST SP 800-57 endorses it for origin validation.
- Filtering Suites: Use npkg or RouteViews for IRR sync. Open-source like ExaBGP automates enforcement.
- Monitoring Dashboards: BGPmon.io flags anomalies in real-time.
- Training: Internet Society courses cover MANRS basics, with hands-on labs.
Large operators report implementation in 3-6 months, with ROI from averted outages exceeding costs tenfold.
Future Directions: From Norms to Standards
MANRS paves the way for cryptographic protocols: SIDR (Secure Inter-Domain Routing) efforts yield RPKI growth to 50% by 2026 projections. Automation via intent-based networking promises zero-touch security. Collaboration expands to IXPs and CDNs, with MANRS+ for enterprises outlining five additional steps.
Global forums like NANOG and APNIC bolster momentum. By 2030, universal adoption could eliminate 90% of BGP threats, per OECD digital resilience models.
Call to Action: Are You MANRS-Ready?
Network leaders: Assess your AS via manrs.org. Commit publicly—join 300+ peers securing the Internet. Customers: Demand MANRS from providers. Together, fortify routing against tomorrow’s threats.
Frequently Asked Questions
What is MANRS?
MANRS is a voluntary initiative promoting four norms to enhance BGP routing security and resilience globally.
Who should join MANRS?
Network operators, ISPs, enterprises, and CDNs managing BGP sessions. No size minimum—small ASes gain most.
Is MANRS mandatory?
No, it’s a public commitment. Compliance is self-reported and community-verified.
How does MANRS differ from RPKI?
MANRS is operational norms; RPKI is cryptographic validation. They complement each other.
What are the benefits of joining?
Reduced incidents, better reputation, peering advantages, and contribution to Internet health.
References
- History – MANRS — MANRS.org. 2024. https://manrs.org/about/history/
- Routing – Internet Society — Internet Society. 2023-10-15. https://www.internetsociety.org/deploy360/routing/
- Mutually Agreed Norms for Routing Security (MANRS) — Internet Society. 2025-05-01. https://www.internetsociety.org/learning/manrs/
- BGPsec Protocol Specification — IETF (RFC 8205). 2017-09. https://datatracker.ietf.org/doc/html/rfc8205
- Network Ingress Filtering: Defeating Denial of Service Attacks — IETF (BCP 38, RFC 2827). 2000-05 (authoritative standard). https://datatracker.ietf.org/doc/html/rfc2827
Similar Articles
Read full bio of Sneha Tete
