Verisign has been involved with an initiative known as Mutually Agreed Norms for Routing Security, or MANRS, since its inception. MANRS, which is coordinated by the Internet Society, focuses on strengthening the security and resiliency of IP networks throughout the world by identifying and providing best practices for mitigating common routing security threats.
MANRS began as a collaboration among network operators and internet exchange providers, with Verisign formally becoming a participant in its Network Operator Program in 2017. Since then, with the help of Verisign and other MANRS participants, the initiative has grown to also include content delivery networks (CDNs) and cloud providers.
Recently, Verisign deepened its commitment to MANRS by becoming an official participant in its newly launched CDN and Cloud Programme, along with several prominent technology companies, including Google, Microsoft, and AWS. This program consists of five mandatory and one optional security-strengthening participant actions. The five mandatory actions that every MANRS CDN participant must implement are:
- Prevent propagation of incorrect routing information: Ensure correctness of own announcements; ensure correctness of announcements of their peers (non-transit) by implementing explicit (whitelist) filtering with prefix granularity.
- Prevent traffic with illegitimate source IP addresses: Implement anti-spoofing controls to prevent packets with illegitimate source IP addresses from leaving the network (egress filters).
- Facilitate global operational communication and coordination: Maintain globally accessible up-to-date contact information in PeeringDB and relevant Regional Internet Registry (RIR) WHOIS databases.
- Facilitate validation of routing information on a global scale: Publicly document ASNs and prefixes that are intended to be advertised to external parties. The two main types of repositories are Internet Routing Registries (IRRs) and Resource PKI (RPKI). The requirement is to publish this information in at least one of these repositories (publication of information in one or more IRRs may be appropriate); the recommendation is to maintain it in both.
- Encourage MANRS adoption: Actively encourage MANRS adoption among their peers.
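The first two actions, sketched as an added example (not Verisign's or MANRS's code): a default-deny check of peer announcements against a per-peer list with prefix granularity, plus an egress source-address check. The prefixes, ASNs, reason strings and function names are constructed assumptions.

```python
import ipaddress

# Constructed sample data using documentation prefixes and ASNs (assumptions).
# Each entry: (prefix, max_length, origin ASN), as derived from IRR route
# objects or RPKI ROAs published under the fourth action.
PEER_ALLOW = {
    64500: [("198.51.100.0/24", 24, 64500), ("2001:db8:a000::/36", 48, 64500)],
    64501: [("203.0.113.0/24", 24, 64501)],
}
OWN_PREFIXES = ["192.0.2.0/24", "2001:db8:1::/48"]  # this network's own space

# Reserved space that is never accepted from a peer. Production bogon lists also
# include the documentation ranges, left out here because the samples use them.
RESERVED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "fc00::/7", "fe80::/10", "ff00::/8")]

def check_announcement(peer_asn, prefix, origin_asn):
    """Return (accepted, reason) for a route announced by a non-transit peer."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return False, "malformed"
    if any(net.version == r.version and net.overlaps(r) for r in RESERVED):
        return False, "reserved"
    reason = "not-allow-listed"  # default deny: unknown peers and prefixes fail
    for allowed, max_len, allowed_origin in PEER_ALLOW.get(peer_asn, []):
        cover = ipaddress.ip_network(allowed)
        if net.version != cover.version or not net.subnet_of(cover):
            continue
        if net.prefixlen > max_len:
            reason = "too-specific"
        elif origin_asn != allowed_origin:
            reason = "origin-mismatch"
        else:
            return True, "allow-listed"
    return False, reason

def egress_permitted(src_ip):
    """Anti-spoofing egress check: the source must be inside our own prefixes."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr.version == n.version and addr in n
               for n in map(ipaddress.ip_network, OWN_PREFIXES))

if __name__ == "__main__":
    for peer, pfx, origin in [(64500, "198.51.100.0/24", 64500),
                              (64500, "198.51.100.128/25", 64500),
                              (64501, "198.51.100.0/24", 64501),
                              (64500, "10.0.0.0/8", 64500)]:
        print(peer, pfx, check_announcement(peer, pfx, origin))
```

The same prefix is accepted from one peer and rejected from another, which is the practical meaning of filtering per peer with prefix granularity.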
As a responsible, security-focused network operator and cloud service provider, Verisign endeavors to assist with the development of, and to follow, industry best practices on filtering non-valid and reserved space from its peers, in addition to implementing anti-spoofing controls at all of its borders. Verisign also maintains up-to-date contact information in PeeringDB and the relevant RIR databases, as well as accurate routing information in the IRRs. Finally, Verisign personnel actively promote MANRS adoption at conferences and industry meetings.
Verisign enables the security, stability, and resiliency of key internet infrastructure and services, including providing root zone maintainer services, operating two of the 13 global internet root servers, and providing registration services and authoritative resolution for the .com and .net top-level domains. Routing security is of the utmost importance to Verisign’s mission and, as an early participant in the MANRS Network Operator Program, Verisign remains fully supportive of this initiative and its efforts to promote a culture of collective responsibility, collaboration, and coordination among network peers in the global internet routing system.
The post Verisign Expands MANRS Relationship to Strengthen Global Routing Security appeared first on Verisign Blog.