Mutually Agreed Norms for Routing Security (MANRS) has grown to more than 800 participants, including network operators, IXPs, CDNs and Cloud providers, and network equipment vendors. MANRS stimulates collective action for solving routing security issues. It sets norms for routing operations by providing a clear baseline (MANRS Actions) and building a community to support this baseline by implementing these Actions.
Its focus has traditionally been on peer-to-peer relationships between network operators of various types. The business case, beyond good netizenship, is mainly around the reputational value it has for the participants. Some organizations see a business case in leading the work for better routing security, but, on average, the value proposition of MANRS is somewhat limited. We need significantly more networks implementing MANRS actions to stop routing security incidents in their tracks.
We believe customer demand can be a driving force in increasing the number of organizations implementing the MANRS actions. If we can enhance the business case for MANRS, customers will demand better routing security of their network connectivity providers. The providers will respond to this demand by making the necessary investment to ensure they’re complying with the MANRS Actions that mitigate routing security risks.
The purpose of the MANRS+ Working Group is to explore the idea of creating a second, elevated tier of MANRS participation for organizations that comply with more stringent requirements and auditing.
MANRS+ (working title) will create a significantly higher value proposition for a subset of the existing MANRS participants based on a credible quality mark it will represent, recognized by customers (called relying parties further in the document), and used in their business decisions. This quality mark and its implementation and conformance requirements assume better alignment with customer needs leading to better security assurance.
This working group is tasked with developing the requirements for MANRS+. Development and implementation of a potential certification program for MANRS+ is outside the scope of the working group and will be considered based on the outputs of this work.
The goals of the MANRS+ Working Group are to:
- Identify a viable set of security requirements for network operators (certified parties, holders of the MANRS+ mark) that have additional value to them and to the relying parties (their potential customers, such as enterprises, cloud service providers, content providers).
- Based on the collected input (1) and the analysis and evaluation of the existing MANRS Actions, develop an expanded set of MANRS+ Actions for network operators. The Actions include:
- Implementation requirements outlining specific controls and the way they should be deployed.
- Conformance requirements that provide the necessary level of assurance for the relying parties.
- Identify requirements for necessary tooling for conformance testing and other aspects of the quality mark.
- Identify potential partners for the development of a certification program for MANRS+.
Membership in this MANRS+ Working Group is open to everyone. MANRS participation is not required.
The MANRS+ Working Group will have two co-chairs.
Milestones and Term
The milestones of the MANRS+ Working Group are:
- September 2022 – Form the Working Group
- Q1 2023 – Requirements of potential customers
- Q2 2023 – Draft implementation requirements
- Q3 2023 – Draft conformance testing
- Q3 2023 – Draft tooling requirements
- Q4 2023 – Publish final MANRS+ document (Implementation and Conformance requirements)
The MANRS+ Working Group will last until all identified milestones have been accomplished. The milestones and the timeline can be changed in agreement by the Working Group participants as needs arise.