The Mutually Agreed Norms on Routing Security (MANRS) initiative is an industry-led effort to improve Internet routing security. MANRS encourages participating networks to implement a series of routing security practices.
In our paper, ‘Mind Your MANRS: Measuring the MANRS Routing Ecosystem’, we at CAIDA (UC San Diego), in collaboration with Georgia Tech and IIJ Research Lab, provided the first independent look into the MANRS ecosystem by using publicly available data to analyse the routing behaviour of participant networks. MANRS membership has increased significantly in recent years, but our research goal was to get more clarity on the impact of the MANRS initiative on the state of overall Internet routing security.
In this post, we summarize how we characterized the growth of MANRS members, explain our process of analysing ISP conformance with the MANRS practices we studied, compare RPKI ROA registration status between MANRS and non-MANRS members, and reflect on the implications of our analysis for the future of MANRS.
We first analysed what types of networks have joined MANRS over time and whether MANRS members are properly implementing the routing security practices (MANRS conformance). The two practices (which MANRS calls actions) we focused on in our study are:
- Participating ISPs will register their IP prefixes in a trusted routing database (either the Resource Public Key Infrastructure (RPKI) or one of the databases of the Internet Routing Registry (IRR)). This practice is MANRS Action 4.
- Participating ISPs will use such information to prevent the propagation of invalid routing information. This practice is MANRS Action 1.
Our paper analysed the MANRS ecosystem in May 2022. Since MANRS is a growing community, for this post we have updated our analysis using data collected in November 2022 to capture a more recent view of the MANRS ecosystem. We have also published our analysis code so that interested readers can reproduce the analysis using the latest available data.
We first downloaded a list of MANRS members. The Internet Society kindly provided us with the dates when each MANRS participant joined the program. We found that between 2015 and November 2022, 863 Autonomous Systems (ASes) joined MANRS. Over this seven-year period, an additional 12.1% of routed IPv4 address space was originated by MANRS ASes. Plotting growth by ASes and by address space (Figure 1) shows that most of these new ASes were based in the LACNIC region, but that those ASes originated little or no address space into the Border Gateway Protocol (BGP).
We examined whether MANRS (ISP and CDN) members properly implemented MANRS Action #4 and #1 according to the MANRS requirements:
- To conform to Action #4, members must register at least 90% (100% for Content Distribution Networks (CDNs)) of IP prefixes in the IRR or RPKI.
- To conform to Action #1, members must filter out customer BGP announcements that do not match IRR or RPKI records.
We downloaded BGP prefixes and their IRR/RPKI status from the Internet Health Report (IHR) maintained by IIJ Research Labs. We found that in November 2022, 893 (95.9%) of all 931 MANRS ASes conformed to MANRS Action #4 (prefix registration). Figure 2 shows that in November 2022, 3.7% of the address space originated by MANRS ASes was contained in prefixes that either were not registered or were incorrectly registered in IRR or RPKI. We also conducted case studies of non-conformant MANRS CDN members and found that one large CDN was not conformant because one of their 7000+ prefixes was RPKI-invalid. Please refer to section 8.4 of the paper for more details.
To evaluate whether MANRS members filtered out customer BGP announcements that do not match IRR or RPKI records (Action #1), we downloaded BGP prefixes, their IRR and RPKI statuses, and their upstream ASes from the Internet Health Report. We then calculated the prevalence of IRR/RPKI invalid prefixes propagated through each MANRS network.
Figure 3 shows that in November 2022, 790 (84.9%) of 931 MANRS ASes conformed to MANRS Action #1. Figure 3 also shows that 141 (15.1%) MANRS ASes did not conform to Action #1. However, not all of the address space propagated by these ASes was incorrectly registered in RPKI or IRR. In fact, those 141 ASes propagated 96.7% of the address space propagated by MANRS ASes, but only 1.5% of that total was incorrectly registered. In addition, we found that 25 out of 27 MANRS members that are large transit providers (with more than 180 customer ASes) did not fully conform with MANRS Action #1, suggesting that conformance is hard to achieve for networks with complex routing relationships.
Are MANRS members more likely to register in RPKI?
Our study found that, except for a few cases, MANRS organizations tended to conform to the two actions we studied. However, to estimate the impact of the MANRS initiative on the state of routing security, we compared the behaviour of MANRS and non-MANRS ASes.
We first compared these two subsets of ASes in terms of registration of RPKI Route Origin Authorizations (ROAs) of prefixes announced in BGP. In November 2022, 60.1% of routed IPv4 address space originated by MANRS ASes was covered by RPKI ROAs, compared with only 38.8% of all routed IPv4 addresses covered by ROAs.
Figure 4 shows that in November 2022, IPv4 address space originated by MANRS ASes was more likely to be registered in RPKI in all Regional Internet Registry regions except APNIC. In the APNIC region, we found significant RPKI registration by non-MANRS networks from JPNIC and TWNIC, possibly due to local RPKI outreach efforts. Overall, this difference suggests a positive influence of MANRS members on the adoption of RPKI.
Similarly, changing the view from routed address space to the originating ASes, we found that in November 2022, MANRS members were more likely to originate at least 80% RPKI valid prefixes in BGP compared to their non-MANRS counterparts in all RIR regions (Figure 5).
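To make the two conformance rules above (Action #4: at least 90% of originated prefixes registered, 100% for CDNs; Action #1: no IRR/RPKI-invalid customer prefixes propagated) and the address-space RPKI comparison concrete, here is a small checker written for this post as an added example. It is not the paper's published analysis code and it does not query the Internet Health Report: every ROA, route and ASN below is constructed (documentation prefixes, private-range ASNs). Origin validation follows RFC 6811 (a covering ROA, a matching origin ASN, and a prefix length within maxLength). Two details the post does not spell out are filled in as labelled assumptions: an RPKI-invalid prefix counts as incorrectly registered even when an IRR route object exists (consistent with the CDN case study above), and each route is taken to reach its upstream directly from the customer that originates it.

```python
"""Toy MANRS Action #4 / Action #1 conformance checker (added example).

Not the paper's code and not the Internet Health Report; all ROAs, routes
and ASNs are constructed. Origin validation follows RFC 6811. Assumptions:
an RPKI-invalid prefix is "incorrectly registered" even with an IRR object,
and every route reaches its upstream straight from the originating customer.
"""
import ipaddress
from dataclasses import dataclass

# Constructed ROA table: (prefix, maxLength, authorised origin ASN).
ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64501),
    ("203.0.113.0/24", 24, 64502),
]


@dataclass(frozen=True)
class Route:
    prefix: str
    origin: int
    upstream: int   # provider AS that propagated the customer's announcement
    in_irr: bool    # a matching route/route6 object exists in some IRR


# Constructed BGP observations (hypothetical ASNs from the private range).
ROUTES = [
    Route("192.0.2.0/24", 64500, 64510, True),       # RPKI valid
    Route("198.51.100.0/23", 64501, 64510, True),    # valid: within maxLength 24
    Route("198.51.102.0/24", 64501, 64510, False),   # valid: no IRR object needed
    Route("198.51.100.0/25", 64501, 64511, True),    # invalid: /25 exceeds maxLength
    Route("203.0.113.0/24", 64599, 64511, False),    # invalid: ROA names AS64502
    Route("198.18.0.0/16", 64503, 64510, True),      # no ROA, but IRR object: ok
    Route("198.19.0.0/16", 64503, 64511, False),     # no ROA, no IRR: unregistered
] + [
    # AS64504 originates ten IPv6 prefixes without ROAs; one lacks an IRR object,
    # so it sits exactly at the 90% ISP threshold but below the 100% CDN bar.
    Route(f"2001:db8:{i}::/48", 64504, 64511, i != 9) for i in range(10)
]


def rov_state(prefix: str, origin: int) -> str:
    """RFC 6811 route origin validation state: valid / invalid / notfound."""
    net = ipaddress.ip_network(prefix)
    covering = []
    for roa_prefix, max_len, asn in ROAS:
        roa_net = ipaddress.ip_network(roa_prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append((max_len, asn))
    if not covering:
        return "notfound"
    if any(asn == origin and net.prefixlen <= max_len for max_len, asn in covering):
        return "valid"
    return "invalid"


def registered_ok(r: Route) -> bool:
    """True if the prefix is correctly registered in RPKI or, failing that, IRR."""
    state = rov_state(r.prefix, r.origin)
    if state == "valid":
        return True
    if state == "invalid":
        return False      # assumption: RPKI-invalid overrides any IRR object
    return r.in_irr       # notfound: fall back to the IRR


def action4_conformant(asn: int, cdn: bool = False) -> bool:
    """Action #4: >= 90% of originated prefixes registered (100% for CDNs)."""
    mine = [r for r in ROUTES if r.origin == asn]
    if not mine:
        return False
    share = sum(registered_ok(r) for r in mine) / len(mine)
    return share >= (1.0 if cdn else 0.9)


def action1_violations(asn: int) -> list[str]:
    """Action #1: customer prefixes this AS propagated that fail validation."""
    return [r.prefix for r in ROUTES if r.upstream == asn and not registered_ok(r)]


def rpki_valid_share(asns: set[int]) -> float:
    """Share of IPv4 address space originated by `asns` that is RPKI valid.
    Weighted by addresses per announced prefix (overlapping more-specifics are
    counted again), a simplification of the paper's address-space view."""
    total = valid = 0
    for r in ROUTES:
        net = ipaddress.ip_network(r.prefix)
        if r.origin in asns and net.version == 4:
            total += net.num_addresses
            if rov_state(r.prefix, r.origin) == "valid":
                valid += net.num_addresses
    return valid / total if total else 0.0


if __name__ == "__main__":
    for asn in (64500, 64501, 64503, 64504, 64599):
        print(asn, "Action #4 ISP:", action4_conformant(asn),
              "CDN:", action4_conformant(asn, cdn=True))
    for asn in (64510, 64511):
        print(asn, "Action #1 violations:", action1_violations(asn))
    manrs, everyone = {64500, 64501, 64503, 64504}, {r.origin for r in ROUTES}
    print("RPKI-valid share, MANRS vs all:", rpki_valid_share(manrs), rpki_valid_share(everyone))
```

Running it shows the shape of the findings above on toy data: AS64504 passes the 90% ISP bar on exactly 9 of 10 prefixes but fails the CDN bar on that single unregistered prefix, AS64511 fails Action #1 because it propagates one RPKI-invalid more-specific, one mis-originated prefix and two unregistered ones from its customers, and the constructed "MANRS" set has a higher RPKI-valid share of its address space than the population as a whole. Swapping `ROAS` and `ROUTES` for a real ROA dump and a table of prefixes with their upstreams from the Internet Health Report is what turns this into the conformance checker recommended below.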
Future for MANRS
In November 2022, we found 71 MANRS ASes that registered their prefixes only in IRR databases and not in RPKI. Registering only in an IRR database is weaker than registering in RPKI, since some IRR databases contain inaccurate records because of their looser validation standards (see our paper ‘IRR Hygiene in the RPKI Era’).
We recommend that in the future, MANRS members register in RPKI in addition to IRR databases. We also recommend that MANRS add a conformance checker to its existing observatory to further motivate its members to maintain good routing security practices. We have published our analysis code to facilitate such conformance checking.
Ben Du is a PhD student in the Center for Applied Internet Data Analysis (CAIDA) group at UC San Diego.
Contributors: Cecilia Testart.
This post is adapted from the original at CAIDA Blog.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.