Internet2 Network Security SIG

[Steven Wallace <>]

Grover,

Here’s a copy of the WG’s “fast track” recommendations circa 2015. Flowspec support was in the first recommendation.

Internet2 Security Working Group DDoS Mitigation Recommendations

23-Oct-2015

on behalf of the Internet2 Security Working Group

Background

During the October 2015 Technology Exchange, at the Network Members and Connectors BOF, Internet2 asked the Security Working Group to recommend Distributed Denial of Service (DDoS) mitigation capabilities that should be “fast-tracked” (i.e., expeditiously offered as Internet2 services). After receiving clarification concerning the request from I2 network services, an e-mail was sent to the Security WG list requesting input by Friday October 23rd. This document contains the Security WG’s recommendations.

The 17 e-mails generated by the request represent a group discussion of various DDoS capabilities and their attributes. The following recommendations reflect the author’s interpretations, and their translation into specific recommendations. The recommendations fall into three categories; additional capabilities in the operation of the Internet2 network, vended services that can leverage the Internet2 Network and/or the collective influence of the Internet2 community, and activities that Internet2 can support and coordinate.

Recommendation for additional Internet2 Network capabilities

1. Following the advice of a small group of engineers experienced with Unwanted Traffic Removal Service (UTRS),  Remote Triggered Black Hole Filtering (RTBH), and BGP FlowSpec, implement backbone support for all three mechanisms as-soon-as reasonable.
2. Where reasonable, establish layer 3 and/or layer 2 connectivity with all credible DDoS mitigation providers. Such connectivity represents a fundamental value to Internet2 members, regardless of the provider's participation in Internet2’s Net+ program. To ensure success, the connectivity should be settlement free with reasonable interconnection terms.
3. Develop and share real-time detection of DDoS incidents with affected stakeholders.

Recommendation for vended services that leverage the Internet2 network

1. Offer vended DDoS mitigation capabilities that are appropriate for the Internet2 community. Given the variety of capabilities and their implementation details, engage at least two network engineers from the community to vet potential vended capabilities. In addition, given the variety of pricing models, engage at least one campus and one RON volunteer to participate in the negotiations.
2. Where possible, with the consensus of stakeholders, use Internet2’s influence with peers and transit providers to participate in UTRS and RTBH.

Recommended activities Internet2 support and coordinate

1. Make RON and Network participants universal adoption of UTRS a goal of Internet2’s Network Services team.
2. Sponsor technically-focused workshops in coordination with select community members to aid in the implementation of tools such as RTBH, UTRS, exabgp, and FastNetMon.
3. Engage GEANT in the transfer of experience and expertise. Create a formal and structured relationship with GEANT concerning security and DDoS mitigation. Internet2 can learn from their progress.
4. Work with funding agencies, such as the National Science Foundation, to establish a Best Common Practice (BCP) required of awardees to prevent a campus from contributing to DDoS attacks.
5. Report progress on these recommendations quarterly to the Internet2 NTAC and Security WG.

On Mar 1, 2018, at 11:19 AM, gcbrowni <> wrote:

All,

memcached has raised this as a discussion item again. There had been a bit of discussion recently as well regarding (AT&T?) declaring they just block ports without telling folks, and then memcached came along. I believe we last discussed this at Technology Exchange and the community came to the conclusion that it was not something they wanted Internet2 to pursue.

This is another opportunity for us to change our minds, or discuss more. But…. I think there’s a far more interesting discussion to be had also.

We’ve spun up some documentation and tutorial sessions on Routing Security … I wonder if we might not do the same regarding DDOS mitigations on I2? Community-string based blocking, Flowspec, and maybe some talk of the DDOS service … if we can do it in a way that doesn’t have a sales orientation. Maybe something like "how to be prepared if you want to use it on a moments notice", or something like that.

A strong community push for Flowspec, supported by documentation and tutorials, would seem to get us a decent way down the blocking road, as a community, while it still being member self service option. And, frankly, strong support from the WG would help us prioritize resources to get it in place.


That’s just my thoughts. Does anyone have more/different ideas or commentary?


-G

Attachment: smime.p7s
Description: S/MIME cryptographic signature