A community effort to improve the internet's routing security has won the backing of some of the web's biggest names.
Amazon, Google, Facebook, Microsoft, Akamai, and Netflix, among others, have signed up to the Mutually Agreed Norms for Routing Security (MANRS) group, in their roles as content delivery networks (CDNs) and cloud providers (CPs).
MANRS’s goal is to shore up the internet's lax security when it comes to routing people's connections around Earth. Depending on the circumstances, it is essentially too easy for miscreants to hijack and redirect internet traffic from legit servers to malicious machines so that web browsing and other online activities can be snooped on or meddled with.
This widespread issue is something that has become increasingly important in the past few years as the number and size of connectivity breakdowns and attacks on the global system have grown. Criminals and possibly government spies have realized the potential that exists in snatching people's internet traffic for surveillance, disruption, and theft.
The MANRS group pushes four main approaches, two technical and two cultural: filtering, anti-spoofing, and then coordination and validation. Combined, they help weed out bad routing information and so reduce the ability to carry out attacks. The project appears to run parallel to other efforts to strengthen internet security, such as the push to adopt BGPSEC.
Akamai, Azion, and Cloudflare have also signed up to MANRS, bringing membership up to over 300 organizations and covering a significant chunk of global internet traffic (roughly 50 per cent in fact).
Several of those organizations provided canned quotes explaining why they’d joined. “Being MANRS compliant not only improves our routing security capabilities, but has the potential to help other networks to improve theirs,” said Akamai’s VP of network technology Christian Kaufmann.
Cloudflare CTO John Graham-Cumming said: “Route leaks have a cascading negative impact on businesses, and coordinated action is needed by the Internet infrastructure community to improve the security, resilience, and reliability of networks.”
Netflix Open Connect’s VP Gina Haspilaire said: “A secure routing framework is essential to maintaining the ongoing health and stability of the global Internet, and MANRS provides the resources to develop, foster, and promote this framework.”
Those companies interconnect with thousands of other networks, and so the hope is that signing up these giants to MANRS will lead to concrete action among the roughly 60,000 network operators that make up the global internet – and that routing security will be taken more seriously.
We spoke to the Internet Society's senior director for technology programs, Andrei Robachevsky, who oversees many of the efforts. He is hopeful that it will lead to a significant reduction in the number of route hijackings, blunders, and misconfigurations.
“We hope this will build peer pressure inside the community,” he noted, pointing to a decrease in incidents in each of the three years that MANRS has been running and expanding. “This will increase scalability and provide more transparency.”
MANRS has its own metrics engine, called the MANRS Observatory, which Robachevsky says has added new features, although most of them are not public. Only members can see behind the curtain, where the network operators causing most of the problems are visible.
When asked if MANRS will name-and-shame the worst, he said “not yet,” and argued that it was too early for such trend analysis. The truth is that the industry hopes good old-fashioned peer pressure will resolve most of the issues.
Despite occasional claims of state-level hacking efforts, most routing problems are more a result of bad configuration settings and lax security controls by operators.
“It is always going to be an arms race,” he told The Register. It’s also not a matter of fixing your systems once and being done. “You have to create a process,” Robachevsky notes. “And have a security framework that creates ongoing checks on compliance.”
Every new member that joins MANRS is given an audit check, though Robachevsky says that may need to be expanded to occasional spot-checks to ensure that organizations remain compliant with the group's standards.
We asked about one network operator that has been repeatedly fingered as a source of problematic routing: China Telecom. In a clear sign that the approach may be working the way intended, when we asked if MANRS had spoken to the outfit, Robachevsky told us the opposite had happened.
“In fact, they reached out to us,” he said, noting that it seemed genuinely interested in working with MANRS to fix its issues.
There is nothing to oblige any network operator, exchange point, CDN or CP to sign up with MANRS, and in that respect the entire process is dependent on MANRS’ standing and reputation. Today’s announcement will help bolster both. ®