
netsec-sig - Re: [Security-WG] I2 - Anti-Spoofing/uRPF discussion summary from Technology Exchange

Subject: Internet2 Network Security SIG

  • From: Karl Newell
  • To: Michael H Lambert
  • Subject: Re: [Security-WG] I2 - Anti-Spoofing/uRPF discussion summary from Technology Exchange
  • Date: Mon, 6 Nov 2017 16:41:01 +0000

Good points David and Michael. They remind me of part of the discussion we
had during the WG meeting at TechEx. While most agreed with efforts on this
front, they also felt that the connectors are the best place for
implementation. So how do we foster that? What can Internet2 do to help?
Getting back to Grover’s suggestion to turn on uRPF and log, we can use that
data to inform the community. There was also discussion of something like
the I2 Innovation Platform but for security; connectors that commit agree to
BCP38/uRPF, RPKI, and there was mention of a third item but I don’t recall
what it was. Would people support this effort and sign on?

Karl

--
Karl Newell
Cyberinfrastructure Security Engineer
Internet2
520-344-0459

On 11/6/17, 9:17 AM, Michael H Lambert wrote:

> On 6 Nov 2017, at 10:54, David Farmer wrote:
>
> So a question, how do we communicate this going forward as we interact
> with more and more people? I'm worried some will just see this as an effort
> to apply a traffic security policy on the Internet2 backbone.

I think the primary targets/victims/beneficiaries of this process should
be the connectors. To me, it makes much more sense for them to be filtering
their members on ingress, especially since BCP38 does tend to crop up in
various NSF solicitations. If Internet2 does the filtering, it can hide
these downstream issues. It is appropriate for Internet2 to identify
"offending" traffic, but once it has been identified, the connector should be
encouraged/cajoled/shamed to fix the problem.

International peers are another matter. One would hope that they would
have similar policies.

Michael





