MANRS: Securing Internet Routing for Network Operators

Discover why network operators must prioritize routing security and how MANRS provides actionable steps to protect the global Internet infrastructure.

By Sneha Tete, Integrated MA, Certified Relationship Coach

The Internet’s backbone relies on the Border Gateway Protocol (BGP), which directs data packets across vast networks worldwide. Yet, this system remains vulnerable to disruptions that can cascade into major outages, financial losses, and security breaches. Network operators face mounting pressure to safeguard their infrastructure against these risks. Enter the Mutually Agreed Norms for Routing Security (MANRS), a collaborative framework designed to elevate routing practices and build a more resilient digital ecosystem.

The Hidden Vulnerabilities in Global Routing

Routing forms the invisible highway system of the Internet, determining how information travels from source to destination. BGP, the protocol powering this system, was engineered decades ago without modern security in mind. Its trust-based model allows any network to announce routes for any IP address space, opening doors to malicious activities.

Consider route hijacking, where attackers falsely claim ownership of IP prefixes, redirecting traffic to unauthorized servers. This can lead to data interception, service blackouts, or ransomware deployment. Route leaks, another prevalent issue, occur when internal routes are mistakenly advertised publicly, causing inefficiencies and potential blackholing of traffic. Spoofing exacerbates these problems by forging source addresses, enabling amplified distributed denial-of-service (DDoS) attacks.

Recent statistics underscore the urgency. High-profile incidents have disrupted major cloud services, financial platforms, and even national infrastructures. Without proactive measures, these events erode customer trust and expose operators to regulatory scrutiny.

Why Network Operators Can’t Ignore Routing Risks

For network operators, routing failures translate directly to business impacts. Downtime from hijacks can violate service-level agreements (SLAs), incurring penalties and customer churn. Enterprises increasingly demand verifiable security postures, viewing lax routing controls as deal-breakers.

Moreover, the interconnected nature of the Internet means one operator’s lapse affects peers globally. A single leak can flood networks with bogus routes, overwhelming routers and triggering widespread instability. Regulators and insurers are also stepping up, with compliance frameworks like GDPR and NIST emphasizing supply chain security, including routing integrity.

Operators who neglect these areas risk reputational damage. Peering disputes arise when faulty announcements disrupt partners, while attackers exploit weaknesses for targeted campaigns. Proactive adoption of security norms not only mitigates these threats but also positions networks as reliable partners in a competitive landscape.

Understanding MANRS: A Blueprint for Routing Resilience

Launched by the Internet Society in 2014, MANRS unites network operators, Internet Exchange Points (IXPs), content delivery networks (CDNs), and cloud providers around shared security commitments. Over 600 participants worldwide have joined, demonstrating tangible improvements in global routing hygiene.

MANRS defines four core actions, each addressing specific vulnerabilities:

  • Filtering: Implement strict policies to announce only authorized prefixes and ASNs, preventing invalid routes from propagating.
  • Anti-Spoofing: Deploy source address validation to block packets with forged IP origins, curbing DDoS amplification.
  • Coordination: Maintain accurate, accessible contact details for rapid incident resolution with peers.
  • Global Validation: Publish routing data in registries and support cryptographic validations like Resource Public Key Infrastructure (RPKI).

These actions form a baseline that scales with adoption. As more entities comply, the entire ecosystem benefits from reduced incidents and faster recovery.
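The Filtering and Global Validation actions come together in route origin validation, where a router compares each received announcement against the validated ROA payloads (VRPs) produced by an RPKI validator. The following is an added example, not MANRS or vendor code: it implements the RFC 6811 classification in Python, and the prefixes, ASNs and the "drop only invalid" import policy are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):
    """Validated ROA Payload: what an RPKI validator hands to the router."""
    prefix: str
    max_length: int
    asn: int

# Constructed sample data: documentation prefixes and documentation ASNs.
VRPS = [
    VRP("198.51.100.0/24", 24, 64496),
    VRP("2001:db8::/32", 48, 64497),
]

def validate_origin(prefix, origin_asn, vrps=VRPS):
    """Classify a route as 'valid', 'invalid' or 'not-found' (RFC 6811)."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp in vrps:
        vrp_net = ipaddress.ip_network(vrp.prefix)
        # A VRP covers the route if the route equals or is inside its prefix.
        if vrp_net.version != route.version or not route.subnet_of(vrp_net):
            continue
        covered = True
        # Match needs the right origin AND a length within maxLength.
        # AS0 in a VRP means "never originate", so it can never match.
        if (route.prefixlen <= vrp.max_length
                and vrp.asn == origin_asn and vrp.asn != 0):
            return "valid"
    # Covered but unmatched is 'invalid'; no covering VRP is 'not-found'.
    return "invalid" if covered else "not-found"

def import_filter(announcements, vrps=VRPS):
    """Assumed policy: reject 'invalid', accept 'valid' and 'not-found'."""
    return [(p, a) for p, a in announcements
            if validate_origin(p, a, vrps) != "invalid"]

# Constructed announcements: (prefix, origin ASN).
ANNOUNCEMENTS = [
    ("198.51.100.0/24", 64496),     # valid: matches the ROA
    ("198.51.100.0/24", 64511),     # invalid: wrong origin AS
    ("198.51.100.0/25", 64496),     # invalid: more specific than maxLength
    ("2001:db8:1::/48", 64497),     # valid: within maxLength 48
    ("192.0.2.0/24", 64500),        # not-found: no covering ROA
]

if __name__ == "__main__":
    for p, a in ANNOUNCEMENTS:
        print(f"{p:20} AS{a}  {validate_origin(p, a)}")
```

The more-specific /25 is rejected even though its origin AS is correct, which is how maxLength limits sub-prefix announcements.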

Implementing MANRS: Step-by-Step Guidance

Adopting MANRS begins with self-assessment. Operators should audit current BGP configurations against the four actions, using tools like the MANRS Observatory for insights into compliance and incidents.

Action            | Key Steps                                        | Tools/Resources
------------------+--------------------------------------------------+----------------------------
Filtering         | Define routing policy in IRR; validate with ROAs | IRRd, Routinator
Anti-Spoofing     | Enable BCP38/uRPF on edges                       | SCRUB scrubbers, SAVI
Coordination      | Update PeeringDB contacts                        | PeeringDB, MANRS portal
Global Validation | Publish objects; deploy RPKI validators          | RPKI repositories, OctoRPKI

Start small: stub networks can focus on inbound filtering, while transit providers prioritize comprehensive source address validation (SAV). Training resources, including implementation guides from MANRS, provide templates and scripts. Certification requires peer review and public commitment, signaling credibility to customers.
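The choice of SAV mechanism on an edge matters, because strict uRPF, loose uRPF and an explicit BCP38 prefix ACL make different decisions on the same packet. The following is an added example, not taken from the MANRS guides: it models the three checks in Python over a constructed forwarding table, and the interface names, prefixes and the rule that loose mode ignores the default route are assumptions.

```python
import ipaddress

# Constructed FIB for an edge router: (prefix, best-path interface).
FIB = [
    ("0.0.0.0/0", "upstream0"),
    ("198.51.100.0/24", "cust1"),   # single-homed customer
    ("203.0.113.0/24", "peer0"),    # multihomed customer on cust2; best path via a peer
    ("192.0.2.0/24", "peer0"),      # unrelated third-party network
]
# Prefixes each customer port may use as a source (BCP38 ingress ACL).
CUSTOMER_PREFIXES = {"cust1": ["198.51.100.0/24"], "cust2": ["203.0.113.0/24"]}

def best_route(src, fib=FIB):
    """Longest-prefix match on the source; returns (network, iface) or None."""
    addr = ipaddress.ip_address(src)
    matches = [(ipaddress.ip_network(p), i) for p, i in fib
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen, default=None)

def urpf_permits(src, in_iface, mode, fib=FIB):
    """Strict: best route to the source must point back out in_iface.
    Loose: any non-default route to the source is enough (assumed behaviour)."""
    route = best_route(src, fib)
    if route is None:
        return False
    net, iface = route
    if mode == "strict":
        return iface == in_iface
    if mode == "loose":
        return net.prefixlen > 0
    raise ValueError(f"unknown uRPF mode: {mode}")

def acl_permits(src, in_iface, acl=CUSTOMER_PREFIXES):
    """Explicit filter: source must fall in a prefix assigned to the port."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in acl.get(in_iface, []))

if __name__ == "__main__":
    # Constructed packets: (source address, ingress interface).
    for src, port in [("198.51.100.10", "cust1"), ("192.0.2.77", "cust1"),
                      ("10.1.1.1", "cust1"), ("203.0.113.5", "cust2")]:
        print(src, port, urpf_permits(src, port, "strict"),
              urpf_permits(src, port, "loose"), acl_permits(src, port))
```

Loose mode lets the forged 192.0.2.77 source through because the address is routed somewhere, while strict mode drops legitimate traffic from the multihomed customer on cust2; the prefix ACL handles both correctly.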

Challenges include legacy equipment and resource constraints, but open-source tools and community support lower barriers. CDNs and clouds amplify impact by enforcing MANRS on upstream providers.

Real-World Impact: MANRS in Action

Participants report fewer hijacks and leaks post-implementation. The MANRS Observatory tracks metrics, showing declining invalid announcements in compliant regions. For instance, IXPs mandating actions have seen peering disputes drop significantly.

Case studies highlight benefits: A major European ISP reduced outage duration by 40% through RPKI deployment, while an Asian CDN prevented spoofed floods affecting millions. These outcomes foster a virtuous cycle, where secure networks attract premium peering and enterprise clients.

Overcoming Barriers to Widespread Adoption

Despite progress, adoption lags in some sectors due to awareness gaps and perceived complexity. Operators can counter this by leveraging MANRS training, fellowships, and policy advocacy. Customers play a role too—demanding MANRS compliance in RFPs drives change.

Future enhancements include automated validation via ASPA (Autonomous System Provider Authorization) and integration with emerging protocols. Collaborative efforts with standards bodies ensure MANRS evolves with threats.

Measuring Success and Future Directions

Success metrics include incident rates, validation coverage, and participant growth. The Observatory provides dashboards for networks to benchmark performance. Looking ahead, MANRS aims for universal baseline security, potentially integrating with AI-driven anomaly detection.

Operators joining today contribute to a safer Internet while gaining operational edges like cleaner peering and troubleshooting insights.

Frequently Asked Questions (FAQs)

What is MANRS?

MANRS is a voluntary initiative promoting four routing security actions to prevent hijacks, leaks, and spoofing across the Internet.

Who should implement MANRS?

Network operators, IXPs, CDNs, cloud providers, and enterprises with public BGP announcements.

How does RPKI fit into MANRS?

RPKI enables cryptographic validation of route origins, supporting the filtering and global validation actions.

Is MANRS mandatory?

No, but adoption is growing as a de facto standard for secure peering and customer trust.

Where can I get started?

Visit manrs.org for guides, tools, and the membership application.
