Mutually Agreed Norms for Routing Security (MANRS) is an Internet Society initiative to harden the global routing system against leaks, spoofing and bogon traffic. The IXP Programme defines five concrete actions — we comply with all five.
Action 1 · Route filtering
All route-server sessions filter on IRR-registered AS-SETs and prefix lists. Members must register their AS-SET (e.g. AS-YOURASN) in RIPE, RADB or ARIN before turn-up. Filters are regenerated daily.
Action 2 · Anti-spoofing
Members are required to implement BCP38/SAVE on customer-facing interfaces. We perform unsolicited spoof testing twice per quarter using RIPE Atlas anchors as source.
Action 3 · Coordination
Member NOC contacts are kept current in PeeringDB and the Member Portal. Operational notices are delivered via signed PGP-mail and the public status page.
Action 4 · Global validation (RPKI)
Three independent Routinator validators feed the route servers. Invalid announcements are dropped. Members must publish ROAs for every announced prefix.
Action 5 · IXP-specific filtering
We filter bogons, default-route, RFC1918 and unallocated/reserved space at the route servers. Maximum-prefix limits are enforced and tunable per member.
Why this matters
A leak or hijack on one IXP propagates globally within minutes. Filter discipline is not optional — it's the difference between a peering fabric that strengthens the internet and one that weakens it. MANRS audits keep us honest.
For members
Joining DATAHUB-IX implies committing to MANRS Network Operator actions. We don't enforce certification, but we expect:
- Up-to-date IRR objects with strict AS-SET hierarchy.
- RPKI ROAs for every announced prefix, with conservative
maxLength. - BCP38 filtering on all customer-facing interfaces.
- Current peeringdb.com record with reachable NOC contacts.