MANRS Implementation Guide – Online Version

To assist you in implementing the steps necessary to be compliant with the Mutually Agreed Norms for Routing Security, the community of MANRS participants developed an Implementation Guide. This document captures the best current operational practices deployed by network operators around the world.

• A PDF version is also available

As you complete the steps, please sign up as a MANRS participant and help us build a more trusted Internet.

---

MANRS Implementation Guide

• Introduction
• Coordination
• Global Validation
• Anti-Spoofing
• Filtering
• Summary and checklists
• Additional information

---

1. What is a BCOP?

A Best Current Operational Practices (BCOP) document describes best current operational practice on a particular topic, as agreed by subject matter experts and periodically reviewed by the Internet community.

2. Summary

The “Mutually Agreed Norms for Routing Security” (MANRS) BCOP provides guidance to ease deployment of measures required by MANRS and is targeted at stub networks and small providers. The document should also assist in checking if the network setup is compliant with MANRS.

3. MANRS

Throughout the history of the Internet, collaboration amongst participants and shared responsibility for its smooth operation have been two of the pillars supporting the tremendous growth and success of the Internet, as well as its security and resilience. Technology solutions are an essential element here, but technology alone is not sufficient. To stimulate visible improvements in this area, a greater change toward a culture of collective responsibility is needed.

As such, we are calling upon network operators around the world to join the Routing Resilience Manifesto Initiative, and to agree to the Mutually Agreed Norms for Routing Security (MANRS) Principles.

3.1 The MANRS Principles

• We (the ISP/network operator) recognize the interdependent nature of the global routing system and our own role in contributing to a secure and resilient Internet.
• We will integrate best current practices related to routing security and resilience in our network management processes in line with the Actions.
• We are committed to preventing, detecting and mitigating routing incidents through collaboration and coordination with peers and other ISPs in line with the Actions.
• We encourage our customers and peers to adopt these Principles and Actions.

3.2 The MANRS Actions

1. Filtering – Preventing propagation of incorrect routing information.
   • Network operator defines a clear routing policy and implements a system that ensures correctness of their own announcements and announcements from their customers to adjacent networks with prefix and AS-path granularity.
   • Network operator is able to communicate to their adjacent networks which announcements are correct.
   • Network operator applies due diligence when checking the correctness of their customer’s announcements, specifically that the customer legitimately holds theASN and the address space it announces.
2. Anti-Spoofing – Preventing traffic with spoofed source IP addresses.
   • Network operator implements a system that enables source address validation for at least single-homed stub customer networks, their own end-users and infrastructure. Network operator implements anti-spoofing filtering to prevent packets with an incorrect source IP address from entering and leaving the network.
3. Coordination – Facilitating global operational communication and coordination between network operators.
   • Network operator maintains globally accessible up-to-date contact information.
4. Global Validation – Facilitating validation of routing information on a global scale.
   • Network operator has publicly documented routing policy, ASNs and prefixes that are intended to be advertised to external parties.

3.3 Becoming a MANRS Participant

Network operators who agree to the Principles and implement at least one of the Actions (though not solely the Coordination Action) can become a MANRS Participant. This entitles you to use of the MANRS badge, you will be listed on the routingmanifesto.org website, and you can contribute to this document and others like it.

The proposed recommendations, referred to as Actions in the MANRS document and in this BCOP, address the most common cases and are designed to incur minimum cost and risk when implementing them. Any particular Action is not a comprehensive solution to the outlined problems.

4. Implementation guidelines for the MANRS Actions

The selection of actions was based on an assessment of the balance between small, incremental individual costs and the potential common benefit. They define a minimum security baseline. Any particular Action is not a comprehensive solution to the outlined problems.

For configuration examples a simple topology, presented in fig 1. is used.

The goal is to ensure that network operators have accurate contact information so they can reach out to each other when necessary, that traffic leaving the network uses valid source addresses and that all routing information that is exchanged between autonomous systems is correct and can be verified.

Detailed information on MANRS actions:

4.1. Coordination

4.2. Global Validation

4.3. Anti-Spoofing

4.4. Filtering