The Internet is under continuous attack; look at the routing system – not a single day goes by without dozens of incidents. Enterprises of all sizes value security more and more as issues with routing security become more common – and more public. They require a secure and resilient Internet to conduct business and keep their end users happy. And Internet service providers (ISPs) are the key to providing that security and signaling to their enterprise customers that they take these issues seriously, are tackling them head on, and are contributing to the health and resilience of the Internet’s routing system.
We know that things like route hijacking, route leaks, IP address spoofing, and other harmful activities can lead to DDoS attacks, traffic inspection, lost revenue, reputational damage, and more. What can you do to protect your organization, your data, and your customers when ultimately your safety depends on a secure and robust routing infrastructure that weeds out bad actors and accidental misconfigurations that wreak havoc on the Internet?
With Mutually Agreed Norms for Routing Security (MANRS), a community-driven initiative coordinated by the Internet Society, we’re working on implementing system-wide solutions. MANRS provides a baseline – a minimum set of low-cost and low-risk actions that, taken together, can help improve the resilience and security of the routing infrastructure to keep the Internet safe for businesses and consumers alike. The more service providers apply these minimum actions, the fewer incidents there will be, and the less damage they can do.
There are four MANRS Actions:
- Filtering – Ensure the correctness of your own announcements and of announcements from your customers to adjacent networks with prefix and AS-path granularity
- Anti-spoofing – Enable source address validation for at least single-homed stub customer networks, your own end-users, and infrastructure
- Coordination – Maintain globally accessible up-to-date contact information
- Global Validation – Publish your data, so others can validate routing information on a global scale
Maintaining up-to-date filters for customer announcements could mitigate many cases of route leaks. Preventing address squatting could help ward off things like spam and malware. Keeping complete and accurate routing policy data in Internet Routing Registry (IRR) or Resource Public Key Infrastructure (RPKI) repositories is essential for global validation that helps prevent BGP prefix hijacking. Having updated contact information is vital to solving network emergencies quickly.
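As an added illustration (not from the original article or the MANRS project), the sketch below combines the filtering and global-validation ideas: a customer announcement is accepted only if its prefix is registered to that customer, its AS path contains only the customer's ASN, and RPKI origin validation (RFC 6811 semantics) does not return invalid. The ROA list, customer table, ASNs and prefixes are constructed from documentation ranges, and the customer is assumed to be a stub network with no downstream ASNs.

```python
import ipaddress

# Constructed sample data (documentation prefixes/ASNs, not real registry content).
# Each ROA: (prefix, max_length, authorized origin ASN).
ROAS = [
    ("198.51.100.0/24", 24, 64496),
    ("203.0.113.0/24", 24, 64511),
    ("2001:db8::/32", 48, 64496),
]
# Prefixes each customer ASN has registered (e.g. via IRR route objects).
CUSTOMER_PREFIXES = {64496: ["198.51.100.0/24", "2001:db8::/32"]}


def rpki_state(prefix, origin_asn, roas=ROAS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True  # at least one ROA covers the announced prefix
        if roa_asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    # Covered by a ROA but no match on origin/length means invalid.
    return "invalid" if covered else "not-found"


def accept_customer_route(customer_asn, prefix, as_path):
    """Prefix filter, then AS-path filter, then RPKI check."""
    net = ipaddress.ip_network(prefix)
    allowed = [ipaddress.ip_network(p)
               for p in CUSTOMER_PREFIXES.get(customer_asn, [])]
    if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
        return False, "prefix not registered to customer"
    # Stub customer assumption: only its own ASN may appear (prepending allowed).
    if not as_path or set(as_path) != {customer_asn}:
        return False, "unexpected ASN in AS path"
    # Policy choice in this sketch: reject only 'invalid', accept 'not-found'.
    if rpki_state(prefix, as_path[-1]) == "invalid":
        return False, "RPKI invalid"
    return True, "accepted"


if __name__ == "__main__":
    print(accept_customer_route(64496, "198.51.100.0/24", [64496]))
    print(accept_customer_route(64496, "198.51.100.0/25", [64496]))
    print(accept_customer_route(64496, "203.0.113.0/24", [64496]))
```

The second call is rejected because the /25 exceeds the ROA's maximum length, which is how an over-specific announcement of otherwise legitimate address space gets caught.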
These MANRS Actions are not groundbreaking. Nor are they the solution to all of the Internet’s woes. But I do think they are an important step toward a globally robust and secure routing infrastructure.
New Research Shows Disconnect Between Enterprises and Service Providers
The Internet Society recently commissioned a research study to understand the attitudes and perceptions of ISPs and the broader enterprise community around MANRS. The study results demonstrate considerable unrealized potential for MANRS, showing that enterprises are very interested in security and their interest should be a strong incentive for more service providers to join MANRS.
The key points from the study are:
1. Enterprises were not aware of MANRS initially, but highly value its attributes.
Most enterprises stated that security is a core value for their organization, and with more and more security incidents in the news, they are looking for ways to mitigate potential future damage to their organizations, reputations, data, and security posture. They feel that their security objectives are well aligned with MANRS.
2. Service providers who are or become MANRS-compliant may be able to increase revenue and gain competitive advantage.
Enterprises were asked how much more they would be willing to spend, if anything, for services from a provider that was MANRS-compliant. The median value of the price premium was 15 percent – a considerable valuation for what many buyers often consider a commodity service. The study results showed that enterprises are enthusiastic about including MANRS as a selection criterion. Additional analysis indicated that improvements in competitive position and reductions in necessary discounts could add as much as 7 percent to longer-term revenue.
3. Service providers may be able to extend the MANRS Actions into further revenue-generating opportunities.
Service providers could introduce new revenue streams by adding MANRS-derived services to their portfolio. For example, anti-spoofing controls that log activity can be used to generate periodic reports for customers, which could be part of an intelligence feed that alerts customers to misconfigurations or potential attacks. There are also significant internal benefits to service providers, including increased operational efficiency, better communication with peers, and goodwill gained from contributing to the overall security of the Internet community.
Enterprise results indicate there is a great opportunity for service providers that participate in MANRS. Enterprise decision-makers are looking for the kinds of values that MANRS confers on members. There are real and significant opportunities for increased revenue and competitive improvement. Security is a strong focus area for enterprises of all sizes, and MANRS can be a mark of trust in a critical part of their IT infrastructure at a time when it is increasingly difficult for enterprises to differentiate between service providers.
Do you already implement most of the MANRS Actions in your network? You can join today and become part of the community! MANRS participants form a community of like-minded, security-focused organizations that collaborate to improve the MANRS actions, update best current practices, and generally help move routing security forward.
If you’re not quite there yet, a new Best Current Operational Practices (BCOP) document is available to provide guidance in implementing the MANRS actions. A set of online training modules is also in development and will be available soon (watch the MANRS Blog for updates).
Even if you’re not ready to join MANRS yet, you can share the initiative with colleagues, start internal discussions with your engineering teams, or require MANRS compliance of your partners.
Throughout the history of the Internet, collaboration and shared responsibility have been two of the pillars supporting the Internet’s tremendous growth and success, as well as its security and resilience.
MANRS was founded with the ambitious goal of improving the global Internet routing system. Will you help make the Internet a safer place?
Andrei Robachevsky, Technology Programme Manager, Internet Society