A study released today shows that enterprises and service providers don't see eye to eye on the value of an industry initiative to boost routing security.
The 451 Research study was commissioned by the Internet Society to gauge industry perceptions of the Mutually Agreed Norms for Routing Security (MANRS) initiative. The global nonprofit Internet Society launched MANRS three years ago with the goal of spurring voluntary collaboration among service providers to improve internet security and reliability.
So far, 47 operators running 157 autonomous system networks have signed on, agreeing to implement the MANRS framework, which includes steps for preventing traffic with spoofed source IP addresses in order to reduce distributed denial-of-service attacks.
451 Research said its study showed that MANRS has a way to go in terms of visibility, especially among service providers. It also "revealed that service providers underestimated the value their customers place on broad security positioning," wrote Eric Hanselman, chief analyst at 451 Research. "One unexpected finding was the extent to which enterprises saw security as a core value for themselves."
In fact, 71% of the 250 enterprise IT managers polled said security is a core value for their organization. Traffic hijacking topped their list of internet security concerns (75%), followed by DDoS attacks and address spoofing, which tied for second place at 57%. Sixty-four percent of IT managers said they believed MANRS compliance would be effective. Moreover, many would be willing to pay a premium to support MANRS compliance; the median value was 15%, according to the report.
Of the 25 service providers surveyed – most of them in North America and not MANRS participants – only 12% would plan for implementation if a MANRS requirement was included in a customer's RFP and 16% said it would have no impact. Of the enterprises surveyed, 13% said they would consider adding MANRS compliance as mandatory in their RFPs. As such, ISPs are missing out by not participating in the program, the report concludes.
"There are opportunities for revenue enhancement and competitive improvement that are real and significant," Hanselman wrote.
"In the past year, we’ve seen more and more examples of why better operational security is necessary to keep the Internet secure and reliable. MANRS codifies a set of actions that can make a difference," Hanselman told me in an email interview. "They’re operational hygiene practices that all service providers should follow, but, in practice, many don’t. Anti-spoofing protections, for example, could have made a large impact on the ferocity of the Mirai botnet. DDoS attacks thrive on spoofed traffic and blocking it deprives these scourges of fuel. Traffic path integrity has received less public notice, but can be just as large a problem."
"Service providers can be concerned about operational complexity, but the MANRS actions should be part of everyone’s security posture," he added. "This has to be a community effort in which everyone does their share."
Another industry effort, this one by the Internet Engineering Task Force (IETF), also aims to improve routing security. The IETF released new draft standards earlier this for BGP Path Validation.
Hanselman said the IETF efforts and MANRS are both necessary for improving routing security, adding that MANRS actions are things that service providers and enterprises can do today.