CDN & Cloud Providers Improve Routing Security with Expanded & Improved MANRS Program Actions

Content Delivery Networks (CDNs) and cloud providers exchange traffic with thousands of other networks so data can flow efficiently around the world, and their participation in MANRS amplifies the positive effect they have on routing security and the routing hygiene of networks they peer with.

MANRS launched the CDN and Cloud Providers Program in 2020, setting a baseline of routing security actions they should take. Within months, participants realized they could raise the bar to make the Program stronger and to produce a bigger impact on the Internet. Participants from Akamai, Amazon, Azion, Cloudflare, Comcast, Facebook, Google, Microsoft, Netflix, Verisign, and Vultr came together to strengthen the actions and ask more of each other and their colleagues. Read more about the process in this blog post about the Task Force and its work.

Today, we’re excited to announce that the MANRS Community has adopted the Task Force’s recommendations, and the expanded actions are officially part of the MANRS CDN & Cloud Provider Program as of 1 March 2021. The updated actions set higher expectations for routing security measures by strengthening filtering controls and clarifying their implementation guidelines, encouraging more concrete technical and operational commitments, and facilitating coordination among participants.

The two primary enhancements are:

• Fostering RPKI as the primary technology for validation of routing information on a global scale
  • CDN and cloud providers commit to use Route Origin Validation (ROV) as part of their filtering policy for peering relationships, and to register all their prefixes in RPKI
• Improving consistency of route validation based on route objects published in an Internet Routing Registry (IRR), so that peers face a consistent requirement when interconnecting with any MANRS CDN or cloud provider.
  • This defines a standard process for collecting all necessary routing information in order to build an effective filtering policy. In particular, it standardizes the procedure of expanding the AS-SET object, which is used to document the downstream customers of a peer network.

This collaboration also brought in new ideas about how MANRS can develop further. There is an ongoing conversation on how to improve security collaboration between CDN and cloud providers and large global network operators, and on developing common standards for hosted RPKI management infrastructure with major RPKI operators.

If you’re interested in joining as a MANRS participant and getting involved, join here!