CDNs and cloud providers join MANRS to improve routing security

By on 3 Apr 2020

Categories: Community Tech matters

Tags: , , , ,

Blog home

Originally designed by and for network operators, the Mutually Agreed Norms for Routing Security (MANRS) initiative has expanded over the years to also address the unique needs and concerns of Internet Exchange Points (IXPs) and now CDNs and cloud providers.

Read: Measuring routing (in)security

The MANRS Content Delivery Network (CDN) and Cloud Programme broadens support for the primary objective of MANRS — to implement crucial fixes needed to eliminate the most common threats to the Internet’s routing system. The founding participants in the programme are: Akamai, Amazon Web Services, Azion, Cloudflare, Facebook, Google, Microsoft, and Netflix.

How do CDNs and cloud providers help?

CDNs and cloud providers help companies serve their content and online services to end-users by delivering it in a distributed manner and from locations closer to them. For instance, when you visit a website, its content is often fetched from the closest location and not from the website owner’s infrastructure, which could be much farther away and, as a result, much slower.

The two typically peer — exchange traffic directly — with thousands of other networks so that data can flow more efficiently, making them large hubs of the Internet interconnection infrastructure. Peering with CDNs and cloud providers can drastically improve performance of network services they host, so there is a clear benefit to interconnect with these networks.

While CDN and Cloud are basically edge networks, their impact on routing security can be significant. Several known incidents showed that an edge network, even a small one, can cause havoc on the Internet by leaking routes. MANRS helps by requiring egress routing controls, so networks can prevent such incidents from happening.

Secondly, leveraging CDNs’ and cloud providers’ peering power can have significant positive spillover effect on the routing hygiene of networks they peer with. In other words, if CDNs and cloud providers do their part to improve routing security and demand better practices from their customers, their customers will, in turn, step up their efforts, and together the Internet will be better and safer for all of us.

That is why in late 2018 the MANRS community formed a task force with representatives from Akamai, Azion, Cloudflare, Comcast, Facebook, Google, Microsoft, Nexica, Oracle, Telefonica, Redder, TORIX, and Verisign committed to developing a set of actions CDNs and cloud providers should take to improve routing security. The outcome of that task force’s work led to the creation of this new MANRS programme.

What do CDNs and cloud providers need to do?

The MANRS Content Delivery Network (CDN) and Cloud Programme lists six actions, of which five are mandatory to implement:

  1. Prevent propagation of incorrect routing information.
  2. Prevent traffic of illegitimate source IP addresses.
  3. Facilitate global operational communication and coordination.
  4. Facilitate validation of routing information on a global scale. 
  5. Encourage MANRS adoption.
  6. Provide monitoring and debugging tools to peering partners (optional).

Programme participation provides an opportunity to demonstrate attention to the security and sustainability of the Internet ecosystem and, therefore, dedication to providing high-quality services.

How do I sign up?

Any CDN or cloud provider that takes at least the five required actions above is welcome to join the MANRS community. Besides enjoying improved security posture, MANRS participants also show their commitment to the sustainability and resilience of the Internet ecosystem by:

  • Creating a secure network peering environment, preventing potential attacks at their border.
  • Encouraging better routing hygiene from your peering partners.
  • Signalling your organization’s security-forward posture.
  • Demonstrating responsible routing behaviour.
  • Improving operational efficiency for peering interconnections, minimizing incidents, and providing more granular insight for troubleshooting.
Take the MANRS online course
Take the MANRS online course.

Let’s work together

It is only through collective action and a shared sense of responsibility that we can address problems like BGP leaks, hijacks, DDoS attacks, and IP address spoofing that have real-world consequences for millions of people. We must work together to build a more resilient and secure Internet infrastructure.

This new Content Delivery Network (CDN) and Cloud Programme opens a new chapter in MANRS, further extending its community and bringing us closer to a secure and resilient global routing system — the foundation of the Internet. Please join us.

Read the fact sheet to learn more about this new program.

Adapted from original post which appeared on MANRS News.

Andrei Robachevsky is the Senior Technology Program Manager at the Internet Society.

Rate this article

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.

Leave a Reply

Your email address will not be published. Required fields are marked *