netsec-sig - [Security-WG] I2 - Blocking Ports on the backbone?
Subject: Internet2 Network Security SIG
List archive
- From: gcbrowni <>
- To:
- Subject: [Security-WG] I2 - Blocking Ports on the backbone?
- Date: Thu, 1 Mar 2018 11:19:53 -0500
- Ironport-phdr: 9a23:w93egRSX7mNa8mQBb+5m44ZG59psv+yvbD5Q0YIujvd0So/mwa69YRyN2/xhgRfzUJnB7Loc0qyK6/umATRIyK3CmUhKSIZLWR4BhJdetC0bK+nBN3fGKuX3ZTcxBsVIWQwt1Xi6NU9IBJS2PAWK8TW94jEIBxrwKxd+KPjrFY7OlcS30P2594HObwlSizexfb1/IA+qoQnNq8IbnZZsJqEtxxXTv3BGYf5WxWRmJVKSmxbz+MK994N9/ipTpvws6ddOXb31cKokQ7NYCi8mM30u683wqRbDVwqP6WACXWgQjxFFHhLK7BD+Xpf2ryv6qu9w0zSUMMHqUbw5Xymp4qF2QxHqlSgHLSY0/mHLhcJ/g61VvRGvqRJhzYPPfIGVLf9+cr/Bcd8GR2dMWNtaWSxbAoO7aosCF+UBMvpDoInnoFsPox2+BQixD+7oxT9HmmT53bc90+UvFwHG3RctH90KsHTTt9r6LqMSUeayzKbU1znDbu5W1S3j54fVbxAsuPeBVq9zf8rJ0UQjCR/JgkmNpYHgIj+Y1foCvmue4upuW+Kjl3IrpgRvrjWhw8ohj4vEi4ITx1vZ7yt22pw1Kse9SENjYd6rDp9QtyaCOotzWMwiQmVotDwmxb0apZG3ZicKyI4hxx7Yd/OLaYmI4g/5WOmPPDh4mWppeLO5hxms7Uit0vPwWtWo3FpXqydJj9rBuW4O2hHW5MiHROdx8luk1DqR2Q3e7+RJLEI0mKbDLp4u2L8wlp4dsUTZGS/2nV37jKCKeUo/4Oio7OrmYrPnppKHOI90jgb+Pb80lcy7B+Q4NRQBU3Ka+eShzrHs41D2QKhSgv0sjqbZqIzaJdgcpqOhGA9azJos6wulDzenzNQZnWALLVxKeB+ci4jpOkrOIOzjDfuhmViskTFrx+zYMb37BJXCMGTDnKn7cblj9kFc1Vl78dcK/J9fF6sAPOO2RUDZtdrEAwU/PhDuhevrFYZTzIQbDG2ECLWeL6XT+QuH7eg1JPaKZacavDH3Ivwj4PWojGJ/lFMAK/r6laALYWy1S6w1a36SZmDh148M
All,
memcached has raised this as a discussion item again. There had been a bit of
discussion recently as well regarding (AT&T?) declaring they just block ports
without telling folks, and then memcached came along. I believe we last
discussed this at Technology Exchange and the community came to the
conclusion that it was not something they wanted Internet2 to pursue.
This is another opportunity for us to change our minds, or discuss more.
But…. I think there’s a far more interesting discussion to be had also.
We’ve spun up some documentation and tutorial sessions on Routing Security …
I wonder if we might not do the same regarding DDOS mitigations on I2?
Community-string based blocking, Flowspec, and maybe some talk of the DDOS
service … if we can do it in a way that doesn’t have a sales orientation.
Maybe something like "how to be prepared if you want to use it on a moments
notice", or something like that.
A strong community push for Flowspec, supported by documentation and
tutorials, would seem to get us a decent way down the blocking road, as a
community, while it still being member self service option. And, frankly,
strong support from the WG would help us prioritize resources to get it in
place.
That’s just my thoughts. Does anyone have more/different ideas or commentary?
-G
- [Security-WG] I2 - Blocking Ports on the backbone?, gcbrowni, 03/01/2018
- Re: [Security-WG] I2 - Blocking Ports on the backbone?, Steven Wallace, 03/01/2018
- Re: [Security-WG] I2 - Blocking Ports on the backbone?, gcbrowni, 03/01/2018
- Message not available
- Re: [Security-WG] I2 - Blocking Ports on the backbone?, John Kristoff, 03/01/2018
- RE: [Security-WG] I2 - Blocking Ports on the backbone?, Spurling, Shannon, 03/01/2018
- Re: [Security-WG] I2 - Blocking Ports on the backbone?, Chris Wopat, 03/01/2018
- Re: [Security-WG] I2 - Blocking Ports on the backbone?, Steven Wallace, 03/01/2018
- Re: [Security-WG] I2 - Blocking Ports on the backbone?, Steven Wallace, 03/01/2018
- Re: [Security-WG] I2 - Blocking Ports on the backbone?, Steven Wallace, 03/01/2018
- Re: [Security-WG] I2 - Blocking Ports on the backbone?, Chris Wopat, 03/01/2018
- RE: [Security-WG] I2 - Blocking Ports on the backbone?, Spurling, Shannon, 03/01/2018
- Re: [Security-WG] I2 - Blocking Ports on the backbone?, John Kristoff, 03/01/2018
- Re: [Security-WG] I2 - Blocking Ports on the backbone?, Steven Wallace, 03/01/2018
Archive powered by MHonArc 2.6.19.