MANRS+ is a concept of a second, elevated tier of MANRS participation for connectivity providers that comply with stringent traffic security and auditing requirements. 


This survey seeks to understand how organizations that contract connectivity providers for Internet connectivity think about securing their traffic flows as they transit the Internet. Your feedback will be used to evaluate possible future requirements for connectivity providers, as part of ongoing work in the MANRS+ working group, related to how they secure their customers’ Internet traffic.

Time to complete the survey: 5-10 min.
The answers to the survey should reflect the perspective of an organization that contracts a network provider for Internet connectivity: an enterprise (business, university), a cloud provider or an access ISP recognizes threats that come from being connected to the Internet and looks for a MANRS+ connectivity provider (IP transit provider) that has sufficient controls and services in place to mitigate these risks. An example use case: an enterprise looking for a new connectivity provider would put in its request for proposal (RFP) a requirement for being “MANRS+ certified”, and that would ensure the bidding provider has implemented best practice routing security capabilities.

Use case

* 1. What is the size of your organization?

* 2. What is your industry sector?

* 3. How many Internet connectivity providers do you have globally (if you have multiple points of presence please count them all)?

* 4. Which countries/regions are you purchasing Internet connectivity in?

* 5. Do you have security compliance requirements required by law or business practice?

* 6. Is management of risks related to your Internet connectivity included in your security framework/Information Security Management System (ISMS)?

In the following section, we’d like feedback on what traffic security features you value from your connectivity provider. Please evaluate it from the perspective of whether you are willing to pay a premium for these features.

* 7. Routing Security. A connectivity provider maintains the capability to detect and mitigate the risk that a relying party’s traffic will be hijacked or detoured on networks they control as a result of a mistake or an attack. An example of such capability is filtering incorrect routing announcements or monitoring and mitigating routing incidents related to enterprise networks.

Not important | Nice to have | Fairly important | Has high business value for us | Essential, we require this in contracts
Routing security

* 8. DDoS attack prevention. A connectivity provider maintains detection and mitigation capabilities to reduce the risk of a volumetric DDoS attack. Examples are detection and blocking of attack traffic, and coordination.

Not important | Nice to have | Fairly important | Has high business value for us | Essential, we require this in contracts
DDoS attack prevention

* 9. Anti-spoofing protection. A connectivity provider prevents traffic from their direct customers or peers with spoofed source IP addresses.

Not important | Nice to have | Fairly important | Has high business value for us | Essential, we require this in contracts
Anti-spoofing protection (source address validation)

* 10. Maintaining routing information. A connectivity provider has accessible, complete, and up-to-date documentation of the intended routing announcements and other information on its routing policy that are essential for detecting and mitigating routing incidents on a global scale.

Not important | Nice to have | Fairly important | Has high business value for us | Essential, we require this in contracts
Maintaining routing information

* 11. Operational communication and coordination. A connectivity provider maintains a responsive NOC/helpdesk capable of coordinating and resolving traffic and routing security issues such as a large-scale DDoS attack.

Not important | Nice to have | Fairly important | Has high business value for us | Essential, we require this in contracts
Operational communication and coordination

* 12. Supply chain transparency. A connectivity provider offers the feature “transparency of your communication supply chain” to its clients. This means that it provides to its customers additional information about itself and its upstream connectivity providers, such as administration settings (e.g., legal ownership, third parties used, and applicable data laws) and security properties (e.g., MANRS+ certification).

Not important | Nice to have | Fairly important | Has high business value for us | Essential, we require this in contracts
Supply chain transparency

* 13. Security services. A connectivity provider offers security services that help the enterprise maintain a strong security posture. Such services may include performing router security settings (e.g. based on CIS benchmarks), routing incident monitoring and reporting.

Not important | Nice to have | Fairly important | Has high business value for us | Essential, we require this in contracts
Security services

* 14. Are there other high business value or essential security requirements?

* 15. How do you verify that security requirements are met by the connectivity provider?

* 16. Do you implement any of the routing/traffic security controls yourself?

Never heard of | Not implemented | Planned | Outsourced to our connectivity provider | Deployed by ourselves | Deployed by ourselves and automated
Administration of registrations of AS numbers and IP addresses
Registration of all announced prefixes in the IRR
Registration of RPKI Route Origin Authorizations (ROA) for all announced prefixes
IRR-based filtering of BGP announcements
RPKI Route Origin Validation (ROV) of BGP announcements
Source address validation/anti-spoofing filtering

* 17. What is your role in the organization?

* 18. Please provide any thoughts or comments you might have that might advance the goals of this survey.

* 19. Please provide your details if you’re ok with us following up with you.

This section is for the piloting of the survey. Its objective is to collect feedback about the survey itself.

* 20. How long did it take to fill out the survey?

* 21. Were there any unclear questions? Please provide question numbers and your feedback.

* 22. Are there questions that would be useful to ask, given the objective of the survey, but are missing?

* 23. Please provide any other feedback regarding the survey you'd like to share.
