What is MANRS and does your network have it?
14 October 2016
The Internet Society’s Mutually Agreed Norms for Routing Security (MANRS) initiative provides measures to improve the resilience and security of internet routing infrastructure to keep it safe for businesses and consumers.
While the Internet itself was first envisioned as a way of enabling robust, fault-tolerant communication, the global routing infrastructure that underlies it is relatively fragile. A simple error such as the misconfiguration of routing information in one of the 7,000 to 10,000 networks central to global routing can lead to a widespread outage, and deliberate actions, like sending traffic with spoofed source IP addresses, can lead to distributed denial of service (DDoS) attacks.
The Internet Society (ISOC), a cause-driven non-profit organisation that seeks to promote the open development, evolution and use of the Internet and the parent organisation of the Internet Engineering Task Force (IETF) standards body, is moving to change that. In 2014, ISOC introduced its Mutually Agreed Norms for Routing Security (MANRS) initiative. ISOC has now announced that the initiative membership has more than quadrupled in its first two years, growing from its initial nine network operators to 42 network operators today.
The newest members are SUNET and NORDUnet, two leading research and education networks in Scandinavia. The 42 MANRS members now operate autonomous system networks (ASNs) across 21 countries. The MANRS initiative is now established in Asia, North and South America, Africa and Europe.
“We’re seeing a lot of uptake and much more awareness,” says Andrei Robachevsky, Technology Program Manager for ISOC. “There are more than 50,000 networks participating in global routing. Perhaps 7,000 to 10,000 networks are really defining how global routing works. If we can get 10,000 networks to sign up to MANRS, we’ll see significant improvement in global routing.”
Pakistan killed the video star
As one example, Robachevsky says that if ISOC can get enough ASNs to support the measures suggested in MANRS, it would prevent incidents like the one in which Pakistan knocked YouTube off the Internet for two-thirds of the globe for several hours in 2008.
In that incident, Pakistan attempted to block access to YouTube within its own borders. Pakistan’s telecommunications ministry had ordered 70 ISPs to block access to the site due to anti-Islamic videos. In response, Pakistan Telecom, the leading telecommunications company in the country, configured its routing information to suggest that it was the legitimate destination for anyone trying to reach YouTube’s internet addresses, though it didn’t actually point to YouTube at all.
The move was intended only to make YouTube unavailable inside Pakistan, but the routing information propagated outside the country. Soon, not only was YouTube unavailable to two-thirds of the globe, Pakistan Telecom was suffering from a self-inflicted DDoS.
“For more than two hours, YouTube was unavailable to a large amount of the internet,” Robachevsky says. “Pakistan Telecom was just buried under this traffic, under a DDoS of its own making. These types of accidents happen on the Internet every day. The majority of these incidents are misconfigurations. Anyone could, in principle, do this misconfiguration and create havoc if additional measures aren’t taken.”
Robachevsky notes that MANRS consists of a package of four minimum, actionable measures that network security operators should take: filtering, anti-spoofing, coordination and global validation.
“MANRS is very actionable,” he says. “This is a minimum baseline that we would like to introduce as a new norm. It’s not an aspiration. It’s an absolute minimum. We wanted to set the threshold as not too high, so people can join. If it’s implemented on a large scale, we’ll see significant improvements in the global routing system.”