The MANRS initiative — that's the "Mutually Agreed Norms for Routing Security" — was started a few years ago to try an improve the security and resilience of global routing. It is a sort of manifesto for network operators who are trying to keep the core of how the Internet works (currently with routers talking to each other using BGP) as clean and secure as possible.
Faelix has joined MANRS to show its support for the initiative, and that we are working hard on — both our own network and those of our customers — to ensure we apply best current operating practices. We have adopted all four of the actions as follows:
1. Prevent propagation of incorrect routing information.
- Network operator defines a clear routing policy and implements a system that ensures correctness of their own announcements and announcements from their customers to adjacent networks with prefix and AS-path granularity.
- Network operator is able to communicate to their adjacent networks which announcements are correct.
- Network operator applies due diligence when checking the correctness of their customer's announcements, specifically that the customer legitimately holds the ASN and the address space it announces.
Our participation in events organised by the likes of UKNOF means we are well aware of the dangers that not performing due diligence upon customers' ASN and address space holdings can bring.
We prefer to peer with validating route-servers.
We apply ingress filters from our customers and other peers wherever this is practical.
2. Prevent traffic with spoofed source IP addresses.
- Network operator implements a system that enables source address validation for at least single-homed stub customer networks, their own end-users and infrastructure. Network operator implements anti-spoofing filtering to prevent packets with an incorrect source IP address from entering and leaving the network.
We filter at our upstream and peering edges to restrict source addresses to those belonging to ourselves and our customers. We keep an eye on the CAIDA test results for our network to make sure we've not broken something.
3. Facilitate global operational communication and coordination between network operators.
- Network operator maintains globally accessible up-to-date contact information.
4. Facilitate validation of routing information on a global scale.
- Network operator has publicly documented routing policy, ASNs and prefixes that are intended to be advertised to external parties.
Faelix's routing policy has been published in the RIPE database since we set up our own network in early 2007. I attended a training course organised by the RIPE NCC in Edinburgh to make sure our RPSL was as correct and accurate as possible.
We announce AS-FAELIX — our own network plus our customers' — to our peers and upstream providers.