Beyond the Perimeter – Managing Internet Routing as a Supply Chain Risk
topDNS Best Practice Series #12 - 11 May 2026
Speakers: Andrei Robachevsky - Technical Director, Internet Integrity Program, Global Cyber Alliance; Matthew Davy - Chief Network Architect, Visa
Moderator: Lars Steffen - Director International, eco - Association of the Internet Industry
Lars Steffen opened the webinar by introducing the topDNS initiative and framing the discussion around Internet routing security as an overlooked but critical infrastructure risk. He explained that topDNS is an industry-led initiative launched in 2022 to combat DNS abuse and content-related harms by fostering cooperation across Internet infrastructure stakeholders including registries, registrars, DNS providers, CDNs, hosting companies, cloud providers, and policymakers.
He outlined the initiative’s activities, including monthly abuse reports, best-practice webinars, workshops with industry professionals and policymakers such as the European Commission, and a broader effort to break down silos between infrastructure actors. He then introduced the session’s speakers, Andrei Robachevsky from the Global Cyber Alliance and Matthew Davy from Visa.
Internet Routing as an Invisible Security Dependency
Andrei Robachevsky began by arguing that Internet routing remains one of the least understood yet most foundational elements of enterprise security. While organizations invest heavily in endpoint protection, encryption, identity management, and application security, the paths their traffic takes across the Internet remain largely outside their control and are often not secured to equivalent standards.
He described Internet routing as a globally distributed system composed of tens of thousands of independently operated networks that exchange route information using the Border Gateway Protocol (BGP). Each network effectively maintains its own “roadmap” of the Internet, learning routes from neighboring networks and propagating them onward. Because there is no centralized enforcement or authentication mechanism built into BGP, routing information can be manipulated accidentally or maliciously.
Robachevsky emphasized that enterprises are fundamentally dependent on this loosely coordinated infrastructure despite having little visibility into it. He characterized routing as a “blind spot” in enterprise cybersecurity because routing decisions determine whether services remain reachable, reliable, and trustworthy.
Route Hijacks, Leaks, and Supply Chain Exposure
Robachevsky then explained the two primary categories of routing incidents:
Route hijacks or misoriginations, where a network falsely announces ownership of destinations it does not host, causing traffic to be redirected improperly.
Route leaks, where unintended routing paths are propagated, potentially placing malicious or unintended networks between communicating parties.
He noted that these incidents are not theoretical. High-profile outages and disruptions affecting companies such as YouTube, Amazon, Google, and Cloudflare have resulted from routing failures occurring elsewhere on the Internet rather than within the organizations themselves. Hundreds of routing incidents occur monthly, many of them hidden behind symptoms that appear to be routine outages or service degradation.
The broader implication, he argued, is that business continuity increasingly depends on infrastructure beyond an organization’s direct control. Routing failures can interrupt access to cloud-hosted assets, breach SLAs, erode customer trust, and facilitate man-in-the-middle attacks or reconnaissance activity, even when internal enterprise security controls are otherwise strong.
Robachevsky described the problem as a classic collective-action challenge. Deploying routing security controls requires time and investment by individual networks, while the benefits are shared across the broader Internet ecosystem. Even organizations implementing best practices remain exposed to others that do not.
Reframing Routing Security as a Supply Chain Issue
Matthew Davy expanded on the enterprise perspective, arguing that routing security should be treated explicitly as a supply chain risk rather than merely a technical Internet issue. He observed that enterprises often perceive routing security as too large and diffuse a problem because of the Internet’s approximately 70,000 interconnected networks. However, from the perspective of an individual enterprise, the operational dependency chain is often much smaller and more manageable.
Davy argued that enterprises can significantly reduce risk by focusing on their direct suppliers — ISPs, cloud providers, CDN operators, and connectivity vendors — and embedding routing security expectations contractually into procurement and vendor-management processes. He suggested that routing security frequently remains absent from enterprise risk assessments and service-level agreements because organizations do not yet view it as a controllable risk domain.
He referenced survey work conducted by the MANRS+ working group showing that enterprises rate routing security, anti-spoofing, and DDoS protection as highly important business concerns. However, relatively few organizations currently mandate these controls contractually. The gap, he argued, is not recognition of importance but lack of standardized procurement language and measurable requirements.
Enterprise Connectivity Scenarios and Routing Risk
Davy walked through several common enterprise connectivity models to illustrate how routing security can be operationalized.
For SD-WAN deployments, enterprises replacing MPLS VPNs with Internet-based connectivity often rely on only a handful of providers globally. By requiring strong routing security from those providers, organizations can significantly reduce exposure without needing to solve Internet-wide coordination challenges.
In public cloud deployments, enterprises increasingly depend on hyperscale cloud providers as both hosting environments and Internet transit providers. Because major cloud providers typically operate large, well-peered global networks, improving routing security within those infrastructures substantially reduces the likelihood of route hijacks affecting customers.
CDNs, Davy explained, offer similar advantages due to their extensive peering relationships and network scale. Ensuring routing security practices at the CDN layer can therefore mitigate a large portion of enterprise exposure.
For enterprises still delivering services from private data centers, Davy acknowledged that routing paths may involve more ISPs. Nevertheless, customer traffic within specific regions typically traverses only a small number of dominant providers. Direct contractual relationships with those providers can still meaningfully reduce risk.
RPKI, ROAs, and Enterprise Under-Adoption
Davy then focused on Resource Public Key Infrastructure (RPKI) and Route Origin Authorizations (ROAs), which help validate route announcements and reduce hijacking risk. Although many large ISPs and cloud providers already implement RPKI filtering, enterprises themselves frequently fail to register ROAs for their own address space.
He shared data showing that among the top ten companies in sectors such as finance, healthcare, and automotive, many had registered ROAs for less than half of their IP address allocations. In the financial sector, approximately 70% of leading firms fell below 50% ROA coverage. Healthcare organizations performed even worse.
Davy argued that this demonstrates enterprises already possess opportunities to improve routing security independently, even before broader ecosystem changes occur.
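The sketch below is an added illustration, not material from the webinar. It shows how a network that filters on RPKI classifies an announcement against published ROAs (the RFC 6811 procedure), and how an enterprise could measure the share of its own address space that ROAs cover. The prefixes, AS numbers and function names are constructed for the example, and the coverage calculation assumes IPv4 only.

```python
import ipaddress

# Constructed sample data: documentation prefixes (RFC 5737) and
# documentation AS numbers (RFC 5398), not real registrations.
ROAS = [  # (prefix, max length, authorized origin AS)
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/25", 25, 64500),
]
ALLOCATIONS = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]

def validate_origin(prefix, origin_as, roas=ROAS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue  # this ROA says nothing about the route
        covered = True
        if route.prefixlen <= max_len and origin_as == roa_as:
            return "valid"
    # Covered but unmatched: wrong origin AS or more specific than max length.
    return "invalid" if covered else "not-found"

def roa_coverage(allocations, roas=ROAS):
    """Fraction of allocated IPv4 addresses covered by at least one ROA."""
    allocs = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(a) for a in allocations))
    # Collapsing makes the ROA prefixes disjoint so nothing is counted twice.
    roa_nets = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(p) for p, _, _ in roas))
    covered = 0
    for alloc in allocs:
        for roa in roa_nets:
            if alloc.subnet_of(roa):
                covered += alloc.num_addresses
            elif roa.subnet_of(alloc):
                covered += roa.num_addresses
    return covered / sum(a.num_addresses for a in allocs)

if __name__ == "__main__":
    for pfx, asn in [("192.0.2.0/24", 64500), ("192.0.2.0/24", 64511),
                     ("192.0.2.0/25", 64500), ("203.0.113.0/24", 64511)]:
        print(pfx, f"AS{asn}", validate_origin(pfx, asn))
    print(f"ROA coverage: {roa_coverage(ALLOCATIONS):.0%}")
```

Networks that filter on RPKI generally drop only `invalid` routes and still accept `not-found` ones, so address space without a ROA gains nothing from a provider's filtering.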
MANRS and the Collective Action Model
Returning to the presentation, Andrei Robachevsky introduced MANRS — Mutually Agreed Norms for Routing Security — as an industry-led initiative launched more than a decade earlier to address routing security’s collective action problem. MANRS establishes baseline security practices for different categories of network operators, including ISPs and Internet Exchange Points, tailored to the roles those organizations play within the ecosystem.
He showed data indicating that as MANRS adoption increased globally, the number of routing incidents and networks responsible for them declined. While he cautioned that correlation does not necessarily prove causation, he argued that the trend strongly suggests positive ecosystem-wide impact from routing security adoption.
Robachevsky characterized MANRS as a lightweight global compliance framework providing a minimum operational baseline. However, he stressed that enterprise requirements exceed what MANRS alone currently guarantees.
MANRS+ and Enterprise-Grade Routing Security
The discussion then shifted to MANRS+, which Robachevsky described as a more advanced framework intended to define enterprise-grade routing security requirements. MANRS+ aims to provide broader coverage, stronger controls, and measurable assurance mechanisms that enterprises can require contractually and verify operationally.
He explained that the MANRS+ working group had completed substantial work defining controls covering routing, DDoS mitigation, operational security, and related services. The goal is to create a practical and auditable procurement framework enabling enterprises to incorporate routing security into vendor evaluations and contractual obligations.
Robachevsky emphasized that enterprises should begin treating routing security like any other supply chain risk, comparable to software or ICT procurement risk management. He encouraged organizations to:
Assess routing exposure,
Integrate routing security into risk frameworks,
Include routing requirements in procurement contracts,
Implement internal routing best practices,
Demand measurable controls from providers.
He also noted that enterprises had not yet fully validated the MANRS+ requirements and invited participation from security, network, and risk professionals to help shape the final standards and ensure alignment with enterprise operational realities.
Discussion on Non-Adoption and Awareness Gaps
During the discussion period, Lars Steffen asked what excuses or barriers most commonly prevent adoption of routing security measures.
Matthew Davy suggested that enterprises prioritize more visible and frequent threats such as DDoS attacks, which occur regularly and command executive attention. Route hijacks and leaks occur less frequently and therefore often receive less organizational focus, despite their potentially severe consequences.
Andrei Robachevsky added that organizational silos between security teams and network operations teams contribute significantly to the problem. Network engineers may understand routing risks deeply, but security leadership often lacks visibility into incidents because routing attacks are technically complex, relatively short-lived, and difficult to detect without specialized expertise.
Lars Steffen reflected that organizations often learn only through operational pain, observing that significant incidents tend to become the strongest drivers of change. He also highlighted the positive correlation between increased adoption of routing security practices and reductions in observable harms.
Closing Call to Action
In closing remarks, Matthew Davy encouraged enterprises to participate actively in the MANRS+ effort. He argued that creating an auditable enterprise routing-security standard that could simply be referenced in procurement contracts would significantly improve global Internet resilience.
Andrei Robachevsky noted that while connectivity-provider work within MANRS+ had largely been completed, the initiative now needed enterprises to engage directly in defining expectations and accountability mechanisms. He argued that enterprise participation would strengthen the ecosystem overall and create stronger business incentives for routing security adoption.
Lars Steffen concluded by emphasizing that routing security is essential for improving the reliability and trustworthiness of the Internet as a whole. He thanked the speakers and audience and invited future collaboration and updates from the MANRS community.
RESOURCES
topDNS Initiative — eco’s industry-led initiative addressing DNS abuse and content-related harms, host of this best practice series
topDNS Best Practice Series (event archive) — recordings and materials from prior topDNS webinars
MANRS — Mutually Agreed Norms for Routing Security, the global initiative providing the baseline routing security framework discussed throughout
MANRS+ Working Group — the enterprise-tier framework Andrei Robachevsky and Matthew Davy invited enterprises to help shape
MANRS+ Concept — overview of the elevated-tier participation model and Control Matrix
The Internet Routing Supply Chain — MANRS paper outlining the business case for enterprises to demand routing security from providers
Global Cyber Alliance — Internet Integrity Program — GCA’s program covering names, numbers, and routes, where Andrei Robachevsky leads as Technical Director
Andrei Robachevsky — Technical Director, Internet Integrity Program, Global Cyber Alliance
Matthew Davy — Chief Network Architect at Visa and co-chair of the MANRS+ Working Group
RPKI (RFC 6480) — Resource Public Key Infrastructure, the framework underpinning the ROA-based filtering Matthew Davy highlighted


