Improving Technical Security 18 February 2016

Paving the Way Forward for MANRS

By Andrei Robachevsky, Former Senior Director, Technology Programmes

How do you get a community effort off the ground and make it a success? How do we even define success? Is it the number of participants, general awareness beyond its participants, or new parallel activities that the effort stimulates? Last week during NANOG 66, several MANRS participants met to discuss the challenges we want to address in 2016 and beyond that are critical to the success of this effort.

Someone recently commented that MANRS will start paying off when it begins to motivate network operators to implement the outlined Actions in order to join the initiative. That is, indeed, our objective and that is what we really see as success.

We are not there yet. In the 14 months since MANRS launched, the membership has grown steadily, but the questions remain: What are the main components that can grow it faster, solidify the membership, and mature the whole effort?

In our view there are three: Scalability, Credibility, and Community.

Scalability is about how we facilitate exponential growth and wider promotion of MANRS. We discussed a few potential ideas for us to work on:

  • Encourage and support existing participants to become active ambassadors of the effort and MANRS.
  • Allow participants to publish guest blog posts related to their experiences on the MANRS website.
  • Develop guidance on how an organization can leverage MANRS to differentiate itself; market it internally and externally; and encourage customers, peers and suppliers to meet this security baseline.
  • Design a cool t-shirt, for MANRS members only.

Credibility is crucial. The attractiveness and motivation to join can be severely affected if operators don’t believe existing participants are running their networks above the norm documented by MANRS. There are two possible avenues to explore:

  • Compliance tests. For some Actions, such tests are relatively easy and we are already doing them when evaluating sign-up requests. Is up-to-date contact information recorded in the PeeringDB, RADB, or RIPE? Does the network publish its routing policy in one of the IRRs?

    It is more difficult to tell if the first two Actions are properly implemented by looking from the outside. Can you say if a network has deployed measures preventing wrong announcements from its customers, or those originated in the network itself? Probably not. But you can infer the opposite – that there are potential holes in a network’s outward defense – if you observe such announcements from it. It has the caveat of having false negatives, but it is better than no checks. That is what we are probably going to develop: look at the network’s BGP activity over the past, say, six months, and see if there are “suspicious” events that need further explanation.

    It is almost impossible to test from the outside whether or not a network blocks packets with spoofed source IP addresses (see, for example, http://www.internetsociety.org/doc/addressing-challenge-ip-spoofing). Fortunately, there is a tool operated and maintained by CAIDA called Spoofer that we can ask a potential participant to run to verify compliance with Action 2.

  • Vouching. When building trusted communities, it is common to use vouching when accepting new members. In many cases, peers, upstreams, and customers have a pretty good idea of the quality and security of a network they are dealing with. This probably cannot be the only acceptance test, but vouching for new members can positively contribute to the credibility and further strengthen the community around MANRS.
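
The outside-in check on BGP activity described under compliance tests could look like the sketch below. It is an added example, not MANRS tooling or code from the original post; the ASNs, prefixes, the `REGISTERED` table standing in for IRR route objects, and the assumption that collectors sit at peers or upstreams of the evaluated network are all constructed for illustration.

```python
import ipaddress
from datetime import date, timedelta

# Constructed sample data: documentation ASNs (RFC 5398) and prefixes (RFC 5737).
EVALUATED_AS = 64500
# Hypothetical IRR view: origin AS -> registered prefixes, for the evaluated
# network (64500) and its one customer (64501).
REGISTERED = {64500: ["192.0.2.0/24"], 64501: ["198.51.100.0/24"]}
# (date seen, prefix, AS path at the collector; the last ASN is the origin).
# Assumption: collectors sit at peers/upstreams of the evaluated network, so
# anything it exports to them should originate in its own customer cone.
OBSERVED = [
    (date(2016, 1, 10), "192.0.2.0/24", [64510, 64500]),
    (date(2016, 1, 12), "198.51.100.0/24", [64510, 64500, 64501]),
    (date(2016, 1, 20), "203.0.113.0/24", [64510, 64500, 64501]),
    (date(2016, 2, 1), "203.0.113.0/25", [64510, 64500]),
    (date(2015, 6, 1), "203.0.113.0/24", [64510, 64500]),     # too old
    (date(2016, 2, 2), "198.51.100.0/24", [64511, 64502]),    # other network
]

def is_registered(origin, prefix, registered):
    """True if prefix equals or is more specific than a prefix registered for origin."""
    net = ipaddress.ip_network(prefix)
    for entry in registered.get(origin, []):
        reg = ipaddress.ip_network(entry)
        if net.version == reg.version and net.subnet_of(reg):
            return True
    return False

def suspicious_events(observed, evaluated_as, registered, today, months=6):
    """Return announcements via evaluated_as in the window that lack a registration."""
    cutoff = today - timedelta(days=30 * months)
    events = []
    for seen, prefix, path in observed:
        if seen < cutoff or evaluated_as not in path:
            continue
        origin = path[-1]
        if not is_registered(origin, prefix, registered):
            kind = "originated" if origin == evaluated_as else "propagated"
            events.append((seen.isoformat(), prefix, origin, kind))
    return events

if __name__ == "__main__":
    found = suspicious_events(OBSERVED, EVALUATED_AS, REGISTERED, date(2016, 2, 18))
    for event in found:
        print("needs explanation:", event)
    # An empty result is not proof of filtering: the check has false negatives.
    if not found:
        print("no suspicious events observed (not proof that filters are deployed)")
```
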

Community is probably one of the most important elements, since it makes the effort both scalable and credible. How can we make MANRS not a one-off sign-up event, but a continuous collaborative activity? Like security in general, MANRS is not a product – it is a process. Here, participants offered three ideas:

  • Develop a BCOP document that provides guidance for practical implementation of the Actions. This activity is already underway.
  • Use the member-only mailing list for MANRS participants to discuss issues and coordinate actions in a more trusted environment than on a public NOG list. This mailing list already exists.
  • Encourage MANRS participants to contribute to related activities, like URSA.

It was only a lunch meeting, and we could not touch on all aspects or do a deep dive into any specific issue, but the discussion provided great feedback and guidance for the improvements and expansion of the effort.

What other ideas do you have for bringing MANRS to the wider global technical community?

Note: This post originally appeared on the Routing Resilience Manifesto blog at https://www.routingmanifesto.org/2016/02/paving-the-way-forward-for-manrs/.

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
