Mutually Agreed Norms for Routing Security (MANRS) 12 April 2022

Routing Security Goes to Washington

By Joseph Lorenzo Hall, Distinguished Technologist, Strong Internet

A month ago, the United States Federal Communications Commission (FCC) published a “Notice of Inquiry” (NOI) around a subject close to our hearts: secure Internet routing. In this NOI, the FCC asked a series of questions to the public about how data is routed around the Internet, and what kinds of security controls, standards, and efforts exist to protect those routes. (Note that the FCC is not proposing regulations currently, just asking for more information.)

We worked with our community to submit comments in this proceeding. We’ll describe the high notes here.

The Internet Society has incubated and supported the Mutually Agreed Norms for Routing Security (MANRS) initiative since 2014. Today it is a growing effort with more than 800 participants, each making commitments about what actions they will take to support secure routing. Cold War-era “mutually assured destruction” relied on a tense equilibrium of assured nuclear attack. Routing security, however, is a different kind of problem. Security will only be achieved by more and more networks taking actions to thwart entire classes of attacks and vulnerabilities. So, instead of a “promise to attack,” so to speak, MANRS is “a promise to thwart attacks.”

This is no easy problem! The routing system is based on chains of trust. Each network relies on not only its own security efforts, but those of its neighboring networks, which in turn rely on their neighbors. Efforts to deploy routing security measures do not necessarily produce proportional protection. While securing a network’s routing may protect it from certain vulnerabilities, that same network can still fall prey to routing vulnerabilities from networks that have not yet secured their routing. At the same time, routing security is open to “free-riding”—if other network operators implement secure routing measures, a given network may benefit from that additional protection even without deploying security controls itself. This is all made more challenging by the fact that it is hard to determine if a particular network implements routing security measures.

In our comments we discuss these general considerations and then go on to answer specific questions from the FCC and make recommendations. We also include insight from a survey of MANRS participants that we conducted. (We’ll cover this on the MANRS blog soon, stay tuned!)

We can’t cover all 60-plus pages of our filing in this post, so please check out our full comments: “Internet Society’s Comments on Docket PS-22-90, Secure Internet Routing.”

Ultimately, we recommended against any hard mandates in this area given the early state of the technology and discipline of secure routing. We recommended that any action by the FCC focus on:

  • Incentives to deploy routing security measures
  • Encouraging procurement requirements that give preference to support for routing security
  • A staged approach to any harder requirements in routing security, beginning with critical infrastructure sectors

Unlike other areas of technology and communications policy, such as network neutrality, routing security is somewhat of a blank slate for regulators like the FCC. It’s one of the last frontiers in Internet security and an area where we all must proceed very deliberately and carefully to make positive change. We look forward to collaborating more with all parties involved to identify and advocate for ways to better secure Internet routing.

Our first suggestion would, naturally, be that every network operator, Internet exchange point, cloud provider, content distribution network, and equipment vendor sign up for MANRS and secure all of our routes together.


Image credit: Harold Mendoza on Unsplash


Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
