Originally designed for network operators, the MANRS initiative has expanded over the years to also address the unique needs and concerns of Internet Exchange Points (IXPs) and now CDNs and cloud providers.
CDNs and cloud providers typically exchange trafﬁc with thousands of other networks so data can ﬂow efﬁciently around the world. This makes them large hubs of the Internet interconnection infrastructure. Their participation in MANRS ampliﬁes the positive effect they have on routing security, and the routing hygiene of networks they peer with.
According to industry estimates, over half of all web trafﬁc is served over CDNs, and their use continues to grow to meet Internet users’ growing appetite for media content, such as video, music, gaming, and software downloads. CDNs are therefore in a unique position to help to secure the global Internet.
By joining, CDN and cloud providers support and commit to the baseline of routing security deﬁned by a set of six security-enhancing actions, of which ﬁve are mandatory to implement.
The CDN and Cloud Programme Action Set
Action 1. Prevent propagation of incorrect routing information (Mandatory)
Ensure correctness of own announcements. Ensure correctness of announcements of their peers (non-transit) by implementing explicit (whitelist) filtering with prefix granularity.
Cloud providers and content providers do have own internal networks, such as corporate networks, or other sub-networks for R&D and other purposes. With regard to those networks good filtering practice should still apply to help prevent propagation of incorrect routing information due to human error or failures in automation.
CDNs and Cloud providers have many peering (networks that do not provide transit for the CDN/Cloud) relationships. Implementing ingress filtering for all non-transit peers and their customers not only will make a significant positive impact on routing security but will also send a clear signal that incorrect routing announcements are not acceptable. Whenever feasible, checks should be made that the announcements are originated from legitimate holders.
- This requirement is part of the peering policy of the CDN/Cloud provider and is publicly available (e.g. on their website or peering portal).
Action 2. Prevent traffic with illegitimate source IP addresses (Mandatory)
Implement anti-spoofing controls to prevent packets with illegitimate source IP address from leaving the network (egress filters).
There is a difference between CDN and Cloud network with regards to this Action. There is additional challenge for Cloud providers, since they have to monitor and control what a virtual machine can do on the network. This Action requires controls that prevent traffic with illegitimate source IP addresses leaving the Autonomous System of the CDN or Cloud provider.
- A cloud provider periodically runs a Spoofer (https://www.caida.org/projects/spoofer/) test from a VPS (typical setup) confirming that controls are in place. A CDN can run the test from their own infrastructure segment.
Action 3. Facilitate global operational communication and coordination (Mandatory)
Maintain globally accessible up-to-date contact information in PeeringDB and relevant RIR databases.
The operator should register and maintain contact information in PeeringDB and appropriate RIRs’ whois databases. This contact information should include the operator’s current point of contact information for the NOC of the AS.
- Check that phone or e-mail address (other than abuse-c) for provider’s AS’es is present in at least one RIR database
- Check that PeeringDB contains Contact information for provider’s AS’es
Action 4. Facilitate validation of routing information on a global scale (Mandatory)
Publicly document ASNs and prefixes that are intended to be advertised to external parties. Two main types of repositories are IRRs and RPKI. The requirement is to publish this information in at least one type of the repository (there may be more than one appropriate IRR), a recommendation is to maintain in both.
CDN and Cloud provider also indirectly contribute to the facilitation of validation on global scale by implementing Action 1. It effectively results in motivating third parties to maintain their routing information. This will have a significant impact on the quality and completeness of such data.
- Check that the announcements originated by the provider’s AS’es are registered in at least one IRR and/or RPKI systems
Action 5. Encourage MANRS adoption (Mandatory)
Actively encourage MANRS adoption among the peers.
There is benefit in encouraging the implementation of good practices on routing security from the peers. Even if Action 1 is implemented by a CDN/Cloud provider, an incorrect announcement from a peer can still find its way in the routing table, e.g. through a transit arrangement. Implementation of the MANRS Actions by a peer ensures this won’t happen. Additionally, a reference to a clearly defined specific baseline as MANRS can align such requests and amplify them. This is essential for scaling up the adoption of MANRS. This is a path for transforming MANRS in true norms with the global effect.
- A publicly available policy, a peering form or an e-mail template with a recommendation to implement MANRS.
Action 6. Provide monitoring and debugging tools to the peering partners (Optional).
Provide a mechanism to inform peering partners if their announcements did not meet the requirements of the peering policy of the CDN and Cloud provider.
To facilitate debugging of potential routing problems and provide feedback to peers on the effects of policy controls applied by a CDN and Cloud provider, the provider offers a tool, accessible publicly, or at least to the peering partners.
- Description of the tool
- Availability of the tool publicly or to the peers