netsec-sig - RE: [Security-WG] Internet2 border anti-spoofing
Subject: Internet2 Network Security SIG
- From: Michael Hare
- Subject: RE: [Security-WG] Internet2 border anti-spoofing
- Date: Thu, 17 Aug 2017 14:40:07 +0000
> -----Original Message-----
> From: [ ] On Behalf Of Karl Newell
> Sent: Wednesday, August 16, 2017 4:30 PM
> To:
> Subject: Re: [Security-WG] Internet2 border anti-spoofing
>
> ...
>
> Your example is one of the reasons we don’t implement uRPF. We also
> transit traffic for sources that we don’t have a route for (e.g., an
> organization is not a member of I2 but their upstream is a connector and
> the best route to AWS is through us). But is that the right thing to do?
Yes, it is the right thing to do, and it's what every other provider of
providers has to do.
Alternative: programmatically build firewall filters from RADB [and accept
the performance/cost implications of doing so], convince --> all <-- of your
connectors (peers, customers) to keep said RADB up to date
--> without fail <--, develop flow tools to log the inevitable exceptions
and be willing to operate on said exceptions.
-Michael
>
> Karl
>
> --
> Karl Newell
> Cyberinfrastructure Security Engineer
> Internet2
> 520-344-0459
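
Added example, not part of the thread or anyone's production code: a sketch of the alternative described in the reply, building per-connector source filters from IRR route objects and listing the flows that fall outside them. The RPSL sample, the connector-to-ASN mapping and the flow tuples are constructed; fetching from RADB and rendering to router filter syntax are left out.

```python
import ipaddress
from collections import defaultdict

# Constructed RPSL route objects (documentation prefixes and ASNs), in the
# shape an IRR such as RADB returns them; not real registry data.
SAMPLE_RPSL = """\
route:   192.0.2.0/25
origin:  AS64500

route:   192.0.2.128/25
origin:  AS64500

route6:  2001:db8:100::/48
origin:  AS64501
"""
# Hypothetical mapping: connector -> origin ASNs it may source traffic from.
CONNECTOR_ASNS = {"connector-a": {"AS64500"}, "connector-b": {"AS64501"}}

def parse_routes(rpsl):
    """Return {origin ASN: [networks]} from blank-line-separated objects."""
    by_origin = defaultdict(list)
    for obj in rpsl.strip().split("\n\n"):
        attrs = {}
        for line in obj.splitlines():
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), value.strip())
        prefix = attrs.get("route") or attrs.get("route6")
        if prefix and "origin" in attrs:
            by_origin[attrs["origin"].upper()].append(ipaddress.ip_network(prefix))
    return by_origin

def build_filters(by_origin, connector_asns):
    """Collapse each connector's registered prefixes into a short allow-list."""
    filters = {}
    for name, asns in connector_asns.items():
        nets = [n for asn in asns for n in by_origin.get(asn, [])]
        filters[name] = [c for ver in (4, 6) for c in
                         ipaddress.collapse_addresses(n for n in nets if n.version == ver)]
    return filters

def flow_exceptions(flows, filters):
    """Return (connector, src) flows whose source is outside that connector's list."""
    out = []
    for connector, src in flows:
        addr = ipaddress.ip_address(src)
        allowed = filters.get(connector, [])
        if not any(addr.version == n.version and addr in n for n in allowed):
            out.append((connector, src))
    return out
```

A connector with no registered routes gets an empty list, so every flow from it is reported as an exception; that is the case the reply warns about when the registry is not kept up to date.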