Mutually Agreed Norms for Routing Security (MANRS) Strengthening the Internet

Internet2 Ramps up MANRS Support for U.S. Research and Education Community

The research and education community in the U.S. relies on a critical infrastructure to meet our education and research missions: the global Internet. This has been especially true during the COVID-19 pandemic, when it has enabled the rapid transition from on-campus to at-home learning.

In addition to being intense Internet users, we also operate a significant part of the Internet that’s tuned to meet higher education’s unique needs. The Internet2 network interconnects more than 1,000 individual networks across the U.S., and collectively we coordinate our activities and operations to ensure researchers and educators have the capabilities they need.

The Internet2 community is increasing participation in MANRS because routing security is a growing area of concern for network operators around the globe.

Whether from accidental misconfiguration or malicious hijack, the results are often more than just inconvenient. As academic and business critical functions are hosted or off-prem, the Internet is no longer a nice to have, but a key component of an organization’s IT infrastructure.

Colleges and universities have a long history of being connected to the Internet, and there was a time when connecting to the Internet was nearly “set it and forget it.”

But, today, this shared and critical infrastructure needs our attention. Routing security is vital to the future and stability of the Internet.

MANRS provides a framework and specific practices that the Internet2 community can embrace to better care for the security and resilience of this vital infrastructure. With over 1,000 separate networks, we rely on active community engagement to encourage the adoption of MANRS practices.

Our current engagement activities focus on complete and accurate documentation of routing policies in an Internet Routing Registry (IRR). Several of the networks that interconnect with the Internet2 backbone require, or will soon require, a valid route object for each prefix they accept, meaning that each network that connects to them must ensure their Autonomous System Numbers (ASNs) and IP prefix(es) are accurately entered in an IRR. Of Internet2’s over 5,000 routes, roughly 80% currently meet this requirement and the community is working together to assist those that still need to create IRR records for their prefixes.

With such a broad range of organizations, it can be challenging to identify the key individual that is empowered to create the needed records. Fortunately, we have been able to engage the community with a series of webinars, office hours, and other means to ensure these requirements are well understood and the resources are available to assist. The most recent MANRS webinar we hosted took place in April, which you are welcome to watch.

While our current focus is IRR records, we are preparing for the next phase of outreach, which will seek to increase the adoption of RPKI (Resource Public Key Infrastructure). RPKI is a specialized public key infrastructure that allows the holders of Autonomous System Numbers (ASNs) and IP addresses to be cryptographically verified using Route Origination Authorization (ROA) objects. An ROA attests which AS is authorized to originate certain IP prefixes.

Taking part in MANRS and the Internet2 community’s efforts connects you with a community of security-minded professionals and organizations committed to making the global routing infrastructure more robust and secure. Whether you run an ISP, IXP, CDN or cloud network, join us to protect the Internet ecosystem together.

Image by Nathan Dumlao via Unsplash

Growing the Internet Infrastructure and Community Development

In a Time of Crisis, A Global Lockdown Needs a Digital Unlocking

We welcome this guest post from DE-CIX Group, an Organization Member of the Internet Society.

We are at a very special moment in history right now. Never before in modern times have we seen such a global impact and a global response to a crisis which largely ignores geopolitical borders. The COVID-19 outbreak and its repercussions have put cities, countries, entire regions on hold.

One saving grace of this crisis is that the global digital infrastructure – the terrestrial and mobile networks, the data centers, the undersea cables, and the satellite connections that support the global Internet – is by now well enough developed for people in many countries to stay in constant contact despite isolation.

This means that, today, lockdown does not necessarily need to mean shut down.

Digital applications are key to enduring the crisis

Digital communication is vital to this. It enables companies to send their workforce home to work. It enables people to stay in contact with loved ones they can’t meet with. It enables children and students of all ages to continue with their education. Even the researchers who we all pin our hopes on finding a vaccine are using digital applications to remain in contact and share data in their efforts to understand the virus.

So digital applications that enable communication and collaboration are key to enduring the current crisis. But even the best application cannot perform if the underlying digital infrastructure is not as solid, resilient, and secure as possible.

Digitalization – and therefore reliable digital infrastructure – is the only answer

Therefore, one answer to some of the challenges posed by the COVID-19 pandemic – and the modern world in general – is sophisticated digital infrastructure, because this allows the use of smart digital applications and solutions which will make people’s lives better.

As a result, the interconnection community – more than ever before – must deliver continuous and high-performance connectivity: everywhere, for everybody, and for everything. This community, and the infrastructure that they build and care for, is just as critical as other critical services in a crisis. It is essential that this digital infrastructure is as global, open (neutral), resilient, scalable, and secure as possible, in order to deliver the many and varied services needed by people, institutions, and businesses.

As an element of this crucial digital infrastructure, Internet Exchange Points like DE-CIX are key to improving the quality of performance of digital applications and digital communication – for businesses, for medical facilities, for education, recreation/entertainment, and for news and media outlets – for all users, wherever they are.

Digital communication on the rise

As a global operator, DE-CIX’s Internet Exchanges on four continents are all recording the same trend: Internet traffic is growing, together with demand for quality. While different regions are at different stages of development, depending on when the COVID-19 infections began to take off in their locality, the trend is valid from North America to Europe, to the Middle East, and on to the Indian sub-continent.

Three types of Internet traffic in particular have risen substantially: traffic from collaborative communication tools has doubled since the crisis began, as has traffic from streaming services. This is significant of both enterprises and the education sector migrating their activities online. Added to this, we see around a 50% increase in traffic from online gaming. Everywhere, we see a similar demand for reliable digital infrastructure.

Communication behavior will significantly change in the long term

Many business decision-makers are beginning to recognize the long-term benefits of profound digital transformation. Companies are taking a long, hard look at how they manage their offices, how staff interact, how teams collaborate, what business travel is actually essential, and whether meetings can be reconceived to be more productive. They are becoming aware of how the move online can unlock the potential to save money and increase revenue.

Meaningful investment decisions should be made in the future

We have to learn out of this so we can make meaningful investment decisions in the future. Digital infrastructure is the enabler of this long-term transformation, and it helps to ease the pain of today’s lockdown. The Corona crisis throws into stark relief the regions that have solid, reliable digital infrastructure, and those regions of the globe that remain underserved. The digital divide must be eliminated so that all communities can in future have access to information, access to digital communication tools, and access to digital content. The Internet industry must take as their mandate the goal of a minimum level of digital infrastructure everywhere.

Nothing will be the same after COVID-19. The current global crisis will change our life going forward, and to survive in the present and prepare for the post-Corona future, this global lockdown needs a full digital unlocking.

Resilient infrastructure depends on a resilient community. Learn about IXPs and how you can make a difference.

Image by Flo Karr via Unsplash

Privacy Security Technology

What to Look for When Choosing a VPN

We welcome this guest post from, an Organization Member of the Internet Society.

The search for online privacy has driven a quarter of the world’s Internet users to download a Virtual Private Network (VPN). VPN services are now an important tool for anyone concerned about security and privacy on public networks.

There’s a world of difference between VPNs, though. Without clear and unbiased information many users are forced to navigate their choice of VPN without much clarity.

Why is choosing the right VPN provider so important?

Whenever you switch on a VPN you are entrusting its provider with your personal data, browsing activity, and sometimes even your security. For this reason, VPN providers must be held to a higher standard than most products. It’s important you do your due diligence when making a decision.

What should I look out for? 

A good VPN will ensure that no one – even the VPN itself – can see what the user is doing online. Consider the following qualities:

Technical Security

The most secure VPN services will be transparent about the measures they have in place to safeguard their users and their business.

Any VPN worth its salt will offer the latest and most secure levels of encryption, a wide selection of strong protocols, and a range of additional security features including kill-switches, split-tunneling, and Tor compatibility.

Look for features like AES-256 encryption, OpenVPN functionality, and products that are independently audited by a respected third party. You should also look for VPNs that accept anonymous payments, incorporate open source software where appropriate, and have a clear policy for disclosing vulnerabilities.

Some VPNs can suffer from IP and DNS leaks. These leaks can be seen and collected by your ISP or any other entity that’s able to access your network. Needless to say, this renders the VPN effectively useless in terms of protecting your privacy.

Ultimately, a secure service will have several measures in place to protect user data and will actively offer the most sophisticated security standards available. Be sure to test your provider for leaks and ensure that respected third-parties have validated your provider’s claims of security.

Privacy Policy

Evaluating the privacy policy is one of the most important stages in assessing a VPN. Unfortunately, there are some products on the market with policies that leave room for improvement.

The best VPNs have ‘zero logs’ policies which, if implemented properly, will not store any identifying data. However, many providers use this term with very little substantiating evidence, and it can be difficult to know with complete certainty whether a provider is logging or not.

Secure VPNs will only log a minimal amount of basic connection data like bandwidth usage, server load, or server location. This is used to optimize provision of the service, and can’t be used to identify a user. Some VPNs, by contrast, have been found to log activity data including the originating IP address, DNS requests, and even a user’s entire online history – websites visited, files downloaded, and message contents included.

To make matters worse, the logging policies of some providers are often vague or unnecessarily complicated. It’s not uncommon for some VPN services to avoid directly stating whether their policy applies to connection logs, activity logs, or both. A provider might advertise ‘zero-logs’ or ‘minimal logs’ for one type of data, but continue to record the other.

It should be clear exactly what type of data your VPN creates and stores during or after a session. Look for VPNs that explain clearly what their logging policy is and VPNs that have a demonstrated history of inability to cooperate with legal data requests for this reason.

Make sure you read your provider’s privacy policy in full, or consult a third party who can do this research for you. 

Location and Jurisdiction

Jurisdiction is an important issue that’s often overlooked. Every VPN provider is bound to local laws and regulations. It’s crucial that you are aware of these laws and how they might affect your privacy.

In theory, if a provider’s logging policy is watertight, its jurisdiction shouldn’t matter. That being said, any legitimate VPN provider will have clear procedures for responding to requests from law enforcement regardless of its logging policy. These procedures, including a warrant canary, should be publicly available along with any measures in place to protect user data if a third party were to gain access to their servers.

It’s wise to check the country your VPN is based in, the laws of that country, and the company’s history in terms of cooperation with law enforcement.

Ownership and Business Model

VPN services can monetize your data in unexpected ways. It’s expensive to develop and operate a reliable VPN, and many services choose to subsidize these costs with income from other channels.

It’s possible that some form of data collection, sharing, or sale is occurring in order to cover the cost of the product. Many services also rely heavily on advertising, which is less than ideal for privacy.

Providers should clearly explain how they make money and how your financial details are processed. You should be able to easily tell whether a service runs on user subscriptions alone or if it also profits from the processing of personal data.

Before buying a subscription or reading a review, make sure you understand who ultimately owns the VPN service and whether or not it can be trusted.

You should be able to find the company’s legal name if it differs from its brand name, along with information on any other entities that control or invest in the provider’s services. Be sure to find out if these groups have financial stakes in other VPN products, and if so, whether they share information between them.

Determining your standards 

People use VPNs for many different reasons. Whether you’re picking a service for streaming, torrenting, censorship circumvention, or strictly for privacy purposes, it’s important to understand whether your chosen provider offers all the necessary features you need.

Once you have an idea of how your VPN stands up in terms of technical security, privacy, and business model, it’s worth considering broader qualities like customer support, speed, and device compatibility.

Some VPNs offer dedicated servers for specific streaming platforms, while others can give you a connection specifically optimized for torrenting. Check the company’s website and third-party reviews to see if your provider will work with the platforms you need and provide speeds that are sufficient for your purposes. You can also find out whether its servers will work in heavily-censored countries.

Check to see if your provider has dedicated apps for each of your devices. A lack of native support for your tablet, smartphone, or streaming device means you could risk partial protection and a suboptimal user experience.

Can you trust your VPN?

At the most basic level, a trustworthy VPN will never collect, share, or sell user data without appropriate legal precedent. Make sure to consider its business model, location, technical security and privacy policy. If it’s unable to provide clear answers to all of these questions, it’s probably not worth your time.

Common sense can save you a lot of trouble. Review your provider’s reputation and never use a VPN you’re not fully comfortable with. Just like you wouldn’t give a stranger unrestricted access to your home, you shouldn’t give unfamiliar applications access to your personal data.

Ultimately, if you’re really concerned about security and performance, you should be using a VPN that’s independently tested and well-reviewed by unbiased experts.

A good VPN can be seen as an investment in your security, privacy, and freedom – to prevent costly data loss, open up your browsing capabilities, and protect your right to privacy.

Ready to do more? Read The Lazy Person’s Guide to Better Online Privacy.

Improving Technical Security Internet Exchange Points (IXPs) Mutually Agreed Norms for Routing Security (MANRS)

Securing the Internet: Introducing Oracle Internet Intelligence IXP Filter Check

Oracle is an Organization Member of the Internet Society. We welcome this guest post announcing a new tool that complements our work to improve the security of the Internet’s routing infrastructure.

We are proud to announce the launch of the IXP Filter Check, which is designed to improve Internet routing security by monitoring route filtering at Internet Exchange Points (IXPs). Here we describe the origin of this project, how it works, and what it hopes to achieve.


Last year, Oracle started partnering with the Internet Society to explore ways to make the Internet safer and more secure for our enterprise customers and users. Businesses – banks, insurance companies, pharmaceutical firms – as well as non-profit organizations and governments continue to turn to Internet-facing assets as key components of their critical infrastructure. Market research firm IDC estimates that 55.9 billion devices will be online by 2025. We believe it is incumbent upon us, as trusted partners and suppliers, to help make the global Internet as safe as possible.

Securing trust-based Internet routing is one such security challenge. Despite decades of research and engineering on the topic, securing Internet routing remains a notoriously difficult task. The challenge is evidenced by the fact that nearly every month there is another major story of a disruptive BGP routing incident.

Routing mistakes will inevitably occur as long as people configure routers. Our best hope at containing these incidents is deploying layers of route filtering at key junctions of the Internet. Those junctions fall into two categories: network operators and IXPs.

With respect to network operators, large telecoms have begun announcing their plans to implement the Resource Public Key Infrastructure (RPKI), which is very encouraging. As for IXPs, there is an active movement within the IXP community to filter routes exchanged at route servers based on RPKI and other best practices. With its announcement of its IXP program last year, the MANRS Initiative broadened the scope of its secure routing initiative beyond network operators.

Filtering at Route Servers

Implementing route filtering at IXPs offers the opportunity to make real progress in the improvement of Internet routing hygiene. IXPs serve a vital role in the infrastructure of the Internet by facilitating thousands of connections between the networks of telecoms, content providers, and other major businesses.

However, the implementation of route filtering can be complicated and to date there has been no way to independently and programmatically verify whether an IXP was appropriately filtering its routes. Using data graciously published by Packet Clearinghouse (PCH) and data processing supported by Oracle Cloud Infrastructure, the Oracle Internet Intelligence team developed IXP Filter Check to analyze route filtering at nearly 200 IXPs around the world.

By monitoring the routes passed by route servers at these IXPs, and identifying those routes that should have been filtered, IXP Filter Check identifies gaps in route filtering and aims to assist in technical compliance of MANRS IXP requirements.

In the course its development, IXP Filter Check has identified major filtering misconfigurations at three IXPs including a month-long RPKI filter outage at one of the world’s largest IXPs. By detecting these problems, IXP Filter Check enabled cooperating route server administrators to fix their route filtering and also validated the need for third party technical review of route server filtering.

What is IXP Filter Check?

Essentially, IXP Filter Check is a table of metrics observed in BGP messages collected by PCH at various IXPs in the previous day. The table (see below) reports the unique number of prefix/origin pairs, messages that were RPKI invalid, or those lacking a route object (IRR registration) at the time of collection, as well as prefixes and ASNs that are either bogons or on Spamhaus droplists.

Note that acting on Spamhaus droplists is not a MANRS IXP requirement, but after last year’s experience of removing Bitcanal from IXPs, we felt it was important to include reports of questionable routing to the IXPs.

One can click on an IXP to see the individual prefixes being reported as potentially problematic. In that view, one can expand each prefix to reveal recent raw BGP messages which include timestamp and BGP community information as depicted below:

Finally, one can click on either the RPKI or IRR assessment (“INVALID_ASN” or “VALID” in the example above) to be taken to an external source to verify the claim.


The IXP program is an important component of the MANRS initiative that strives to prevent Internet disruptions caused by adverse routing incidents. It is no longer an unthinkable goal for all Tier 1 carriers and major IXPs to drop invalid RPKI messages.

Moreover, if your organization hasn’t created Route Origin Authorizations (ROAs) for its routes, please consider doing so. This will help enable RPKI filtering to prevent routes from being affected during a routing mishap. Find your regional RIR (listed below) and follow their instructions for creating ROAs.

Oracle is committed to helping make the Internet safer and more secure for enterprises and global users and we are proud to contribute this tool to assist IXPs in improving routing security. We thank PCH and the Internet Society for being strong partners in these efforts.