The US Government is Making Moves on Routing Security. So Should You.

For all the network operators waiting for a clear sign that it’s time to step up in improving routing security, it’s time to take note of government efforts and start implementing (and helping refine) industry-accepted improvements in routing security.

If you’re new to the world of routing security, you might want to pause here and read: 

The United States government is not alone in taking steps to drive improvements in cybersecurity at all levels, but two recent announcements highlight its commitment to seeing change in the routing landscape. 

First, the US Department of Commerce has announced that it is taking a key step in securing its own network routing announcements. Not only is this an important step in demonstrating commitment to the cause of improved security, it demonstrates that even “legacy address space” (allocated before the Regional Internet Registry (RIR) system was established and the current legal agreements between network operators and RIRs were required) can and should be secured.

Secondly, the US Federal Communications Commission (FCC) has followed up its notice of intention to regulate in the area of routing security for US-based networks, providing a draft “Notice of Proposed RuleMaking” (NPRM). We joined the Internet Society in expressing our concerns over the FCC’s intention to use regulation to drive adoption of improved routing security practices. That ex parte filing covers a lot of ground in explaining why imposing security rules on routing could be detrimental to the implementation of improved routing security practices (in the US, and around the globe), and we were pleased that the resulting NPRM indicates the FCC regulation will focus on reporting requirements – for now.

Taken together these actions should make it clear to network operators, in the US and all around the world, that it is time to take orderly action to improve the state of routing security. Historically, resistance to implementing improved routing security practices has stemmed from one or more of: a lack of perceived need, lack of agreed, feasible practices, or specific operational requirements that make it difficult. The US government’s actions point squarely at the question of need. The Mutually Agreed Norms for Routing Security (MANRS) were developed to address the feasibility of improvements. And, if the US Department of Commerce can get their legacy address space routes secured, surely now is the time to broaden the discussion to address the next steps in making routing security workable for even “difficult” cases.

Routing is very much the “inter” part of Internetworking, so moving forward requires coordinated action: we’ve moved beyond the era supporting bespoke requirements between networks; it won’t be helpful if different governments impose varying technical routing requirements on networks in their regions. Rather, we should continue along the path MANRS started, using industry collaboration to identify workable global norms for routing security, continuing to evolve at industry’s pace, while giving governments a referenceable standard for setting expectations in their own rulemaking.

Learn more about MANRS and how to join this effort at