MANRS IXP Initiative: Boosting Internet Routing Security

Discover how the MANRS IXP Programme empowers Internet Exchange Points to enhance routing security and safeguard global connectivity.

By Sneha Tete, Integrated MA, Certified Relationship Coach

The Internet’s backbone relies heavily on efficient and secure routing protocols, particularly the Border Gateway Protocol (BGP), which directs data traffic across global networks. However, vulnerabilities in BGP have long exposed the Internet to risks such as route hijacks, route leaks, and the propagation of incorrect routing information. To counter these threats, the Mutually Agreed Norms for Routing Security (MANRS) initiative has introduced a specialized programme tailored for Internet Exchange Points (IXPs). It equips IXPs, the critical hubs where networks interconnect, with practical tools and guidelines to fortify routing integrity.

Understanding the Critical Role of IXPs in the Internet Ecosystem

Internet Exchange Points serve as neutral meeting grounds for diverse network operators, enabling direct peering that reduces latency, cuts costs, and optimizes traffic flow. At these locations, route servers aggregate BGP sessions, allowing participants to exchange routing information efficiently without bilateral configurations. While this setup drives scalability, it also amplifies risks: a single faulty announcement can cascade across thousands of peers, potentially disrupting services worldwide.

Historical incidents, such as the 2008 Pakistan YouTube hijack or more recent cloud outages from route leaks, underscore the urgency for proactive measures. IXPs, positioned at the heart of peering ecosystems, are uniquely placed to implement safeguards that benefit the entire Internet community. The MANRS IXP Programme recognizes this potential, offering a framework that aligns operational incentives with security imperatives.

Core Principles Driving the MANRS Framework for IXPs

MANRS operates on the principle of voluntary, community-driven standards rather than mandates. For IXPs, participation signals a commitment to elevating service quality and ecosystem health. The programme defines a set of actionable steps, requiring operators to adopt at least three out of five specified measures, with two being non-negotiable. This balanced approach ensures meaningful impact without overwhelming smaller operators.

  • Strategic Focus: Actions target high-impact areas like filtering invalid routes and fostering collaboration.
  • Flexibility: Participants document compliance publicly, building trust through transparency.
  • Scalability: Tools and guides simplify adoption, from IRR-based checks to RPKI validation.

By embedding these norms, IXPs not only mitigate local risks but contribute to a global uplift in routing hygiene.

Detailed Breakdown of Essential Programme Actions

The programme’s actions form a comprehensive toolkit, each addressing distinct facets of routing security. Here’s an in-depth look:

Action 1: Blocking Invalid Route Propagation

Central to the initiative is the mandate to filter route announcements at route servers using authoritative databases. Internet Routing Registries (IRRs) and Resource Public Key Infrastructure (RPKI) provide verified data on prefix origins and authorizations. IXPs must reject announcements lacking proper AS-SET registrations or valid ROAs, alongside bogons and martian prefixes.

Implementation involves configuring route servers—often using open-source tools like those from Euro-IX or ARouteServer—to dynamically generate filters. This prevents erroneous or malicious routes from entering the peering fabric, reducing the blast radius of issues.
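The filtering decision described under Action 1, as an added example that is not part of the original article or of any MANRS tool: it checks one announcement against a bogon list, RPKI origin validation (RFC 6811) and IRR data. The ROAs, IRR entries, AS numbers, the rule order and the function names are constructed assumptions; real route servers generate the equivalent filters in their own configuration language.

```python
import ipaddress

# Abbreviated bogon list. A production list also covers the documentation
# ranges, which are left out here so they can serve as constructed samples.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "240.0.0.0/4")]

# Constructed ROAs: (prefix, max length, authorized origin AS).
ROAS = [(ipaddress.ip_network("198.51.100.0/24"), 24, 64496),
        (ipaddress.ip_network("203.0.113.0/24"), 24, 64497)]

# Constructed IRR data: for each member AS, the (prefix, origin) pairs
# expanded from the route objects of the ASNs in its AS-SET.
IRR = {64496: {("198.51.100.0/24", 64496), ("192.0.2.0/24", 64500)},
       64499: {("203.0.113.0/24", 64499)}}

def covers(outer, inner):
    """True if inner is equal to or more specific than outer."""
    return outer.version == inner.version and inner.subnet_of(outer)

def rpki_state(prefix, origin):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    covered = False
    for roa_prefix, max_len, roa_as in ROAS:
        if covers(roa_prefix, prefix):
            covered = True
            if roa_as == origin and prefix.prefixlen <= max_len:
                return "valid"
    return "invalid" if covered else "not-found"

def evaluate(member_as, prefix_text, as_path):
    """Decide whether the route server accepts one announcement."""
    prefix = ipaddress.ip_network(prefix_text)
    origin = as_path[-1]  # rightmost AS in the path originated the route
    if any(covers(b, prefix) for b in BOGONS):
        return "reject: bogon"
    state = rpki_state(prefix, origin)
    if state == "invalid":
        return "reject: RPKI invalid"
    if (str(prefix), origin) not in IRR.get(member_as, set()):
        return "reject: not in IRR"
    return "accept: RPKI " + state
```

The third sample member (AS64499) has an IRR entry for a prefix whose ROA names a different origin, so the announcement is still rejected: an IRR record alone does not override an RPKI-invalid result in this policy.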

Action 2: Championing MANRS Among Peers

IXPs must actively encourage members to join MANRS, offering resources like workshops, newsletters, and dashboard integrations. This promotional role leverages the IXP’s community influence, accelerating adoption across networks. Many IXPs display participant logos or provide incentives, creating a virtuous cycle of security enhancements.

Action 3: Securing the Peering Infrastructure

Beyond routing, protecting Layer 2 fabrics is crucial. IXPs publish policies banning non-peering traffic (e.g., no customer routes or unknown protocols) and enforce filtering via ACLs or switchport restrictions. This shields against DDoS floods, MAC spoofing, and other attacks that could destabilize BGP sessions.

Action 4: Enabling Seamless Operator Collaboration

Effective incident response hinges on communication. IXPs facilitate this by maintaining directories, mailing lists, and real-time chat channels for members. These tools enable rapid coordination during outages or hijacks, often integrated with platforms like the MXP or RIPE NCC’s resources.

Action 5: Delivering Advanced Monitoring Capabilities

Visibility is key to troubleshooting. IXPs provide tools for route monitoring, prefix visibility checks, and BGP session diagnostics. Examples include looking glasses, MRT dumps, and integrations with public monitors like RouteViews or BGPStream, empowering operators to detect anomalies swiftly.

Real-World Benefits and Adoption Success Stories

Since its 2018 launch, the programme has garnered dozens of participants worldwide, from major hubs like DE-CIX and AMS-IX to regional players. Early adopters report fewer incidents and improved peering trust. For instance, filtering at route servers has curtailed leak propagations, while monitoring tools aid proactive issue resolution.

| IXP Example | Key Actions Implemented | Reported Impact |
|---|---|---|
| Large European IXP | Filtering, Promotion, Tools | 50% reduction in invalid announcements |
| Asian Regional Hub | All five actions | Enhanced member retention and traffic growth |
| Latin American Operator | Filtering, Platform Protection | Improved resilience during regional outages |

Quantifiable gains include stabilized prefixes and faster convergence times, underscoring the programme’s value.

Step-by-Step Guide to Joining and Implementing MANRS

  1. Assess Readiness: Review current route server configs and member policies against the actions.
  2. Prioritize Mandatory Steps: Deploy IRR/RPKI filtering using available scripts and validate coverage.
  3. Expand Coverage: Select additional actions based on infrastructure maturity.
  4. Document and Publicize: Publish compliance details on your website and submit to MANRS.
  5. Monitor and Iterate: Use tools to track effectiveness and engage members continuously.

Comprehensive guides, including GitHub-hosted PDFs, offer templates and best practices.

Overcoming Common Challenges in Deployment

Operators may face hurdles like legacy hardware or member resistance. Solutions include phased rollouts, automation for filter generation, and education campaigns. RPKI adoption, still growing per recent stats, benefits from IXP nudges. RIPE NCC reports show steady progress, with over 40% of routes ROA-signed as of 2023.

Future Directions and Evolving Standards

MANRS continues evolving, incorporating SIDR and newer BGPsec extensions. IXPs are pivotal in piloting these, potentially via programme expansions. Global forums like NANOG and Euro-IX amplify awareness, driving broader uptake.

Frequently Asked Questions (FAQs)

What distinguishes the IXP programme from general MANRS?

It tailors actions to IXP-specific roles, emphasizing route server protections and community facilitation.

Is RPKI mandatory for filtering?

No, IRR suffices initially, but RPKI is recommended for stronger validation.

How do members verify IXP compliance?

Via public dashboards and participant lists on the MANRS site.

Can small IXPs participate?

Absolutely—the flexible requirements suit all sizes.

What tools aid implementation?

ARouteServer, BIRD, OpenBGPD, and MANRS GitHub repos.

Conclusion: A Call to Secure the Internet’s Future

The MANRS IXP Programme represents a pragmatic step toward a more robust Internet. By empowering IXPs to lead on routing security, it fosters resilience against escalating threats. Network operators and IXP managers are urged to evaluate participation: the collective effort promises safer, more reliable connectivity for billions.
