netsec-sig - RE: [Security-WG] I2 - Blocking Ports on the backbone?

Subject: Internet2 Network Security SIG

RE: [Security-WG] I2 - Blocking Ports on the backbone?


  • From: "Spurling, Shannon" <>
  • To: "" <>, Steven Wallace <>
  • Cc: "" <>
  • Subject: RE: [Security-WG] I2 - Blocking Ports on the backbone?
  • Date: Thu, 1 Mar 2018 17:39:50 +0000
  • Accept-language: en-US

I think that part of the difficulty in flowspec implementation is that in the
wider Internet, how do you determine a good rate for some attack vector at
any particular connection? Doing a RTBH is pretty basic and black and white.
Doing a rate limit could be an issue depending on how broad and deep the
reflection network is. If the reflection is only slightly higher than normal
request patterns, but the number of reflection hosts is large, rate limiting
can be an issue. Also, if there's a large number of valid requests, but they
all end up flowing through the flowspec rate limiter by virtue of where it
ends up, you could impair needed traffic. Making a determination of how much
traffic is acceptable is problematic when you don't know where the flowspec
is going to end up being applied. I might do it with an upstream or
downstream, but with a community routing service, how do you make it useful?

Shannon Spurling




-----Original Message-----
From: [mailto:] On Behalf Of John Kristoff
Sent: Thursday, March 1, 2018 11:24 AM
To: Steven Wallace <>
Cc:
Subject: Re: [Security-WG] I2 - Blocking Ports on the backbone?

On Thu, 1 Mar 2018 16:25:34 +0000 Steven Wallace <> wrote:

> Recommendation for additional Internet2 Network capabilities Following
> the advice of a small group of engineers experienced with Unwanted
> Traffic Removal Service (UTRS), Remote Triggered Black Hole Filtering
> (RTBH), and BGP FlowSpec, implement backbone support for all three
> mechanisms as-soon-as reasonable.

Note, having been the person behind the implementation and support of UTRS at
TC, most of you know I am no longer there and have nothing to do with it any
longer. It is still running and I believe TC still technically supports it,
but I'm sorry to say I don't believe it has lived up to the dream and seems
unlikely to. I even ended up disabling it here at DePaul. I'll take the
blame for the lack of success and I'm sorry to TC if this undermines the
effort further, but I know I'm not alone in this sentiment.

I know of at least one other group that was interested in trying to recreate
a version of UTRS elsewhere and I've suggested doing something new and
related, but other things have since taken over my time.
Inter-AS flowspec was what I had plans to add to UTRS next, but left
before I could safely deploy it. To relay flowspec messages successfully and
safely I would argue is not as simple as just "turning it on".

John
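Shannon's point above, that a flowspec rate-limit value sized for one link behaves very differently once you do not control where in the network the rule is enforced, can be made concrete with a small model. The following Python is an added illustration, not code from either poster or from UTRS/Internet2; the link counts, bandwidths and the "20% headroom" cap are constructed numbers, and the policer is modelled as dropping legitimate and reflected packets in proportion to their share of the offered load, which is how a plain rate-limit action behaves since it cannot tell the two apart.

```python
"""Toy model of where a FlowSpec rate-limit is enforced (constructed example).

Three upstream links each carry 10 Mbit/s of legitimate traffic that matches a
FlowSpec rule (think UDP/123 towards a victim prefix) plus 3 Mbit/s of
reflected traffic on top of it: "only slightly higher than normal" per link.
The rule's rate-limit is sized for ONE link and then applied
  (a) on every link independently (the operator knows where it lands), and
  (b) once, at a single aggregation point where the three links have merged
      (a community routing service that relays the rule somewhere upstream).
RTBH is included for comparison: it needs no sizing but drops everything.
"""
from dataclasses import dataclass

MBIT = 1_000_000


@dataclass(frozen=True)
class Link:
    name: str
    legit_bps: float   # baseline traffic matching the rule's match fields
    attack_bps: float  # reflected traffic matching the same fields


def police(legit_bps: float, attack_bps: float, cap_bps: float) -> dict:
    """Rate-limit action: above the cap, packets are dropped without regard to
    whether they are legitimate, so both classes lose the same fraction."""
    total = legit_bps + attack_bps
    keep = 1.0 if total <= cap_bps else cap_bps / total
    return {
        "passed_legit_bps": legit_bps * keep,
        "passed_attack_bps": attack_bps * keep,
        "legit_loss": 1.0 - keep,          # fraction of wanted traffic lost
    }


def police_per_link(links: list, cap_bps: float) -> dict:
    """Same rate-limit installed on each link separately (edge enforcement)."""
    parts = [police(l.legit_bps, l.attack_bps, cap_bps) for l in links]
    total_legit = sum(l.legit_bps for l in links)
    passed_legit = sum(p["passed_legit_bps"] for p in parts)
    return {
        "passed_legit_bps": passed_legit,
        "passed_attack_bps": sum(p["passed_attack_bps"] for p in parts),
        "legit_loss": 1.0 - passed_legit / total_legit,
    }


def police_aggregate(links: list, cap_bps: float) -> dict:
    """Same rate-limit applied once, after all links have merged."""
    return police(sum(l.legit_bps for l in links),
                  sum(l.attack_bps for l in links), cap_bps)


def rtbh(links: list) -> dict:
    """Remote Triggered Black Hole: the destination is discarded outright."""
    return {"passed_legit_bps": 0.0, "passed_attack_bps": 0.0, "legit_loss": 1.0}


def scenario() -> dict:
    # Constructed inputs: 3 links x (10 Mbit/s legit + 3 Mbit/s reflected).
    links = [Link(f"upstream-{i}", 10 * MBIT, 3 * MBIT) for i in range(3)]
    cap = 12 * MBIT  # sized with 20% headroom over ONE link's baseline
    return {
        "per_link": police_per_link(links, cap),
        "aggregate": police_aggregate(links, cap),
        "rtbh": rtbh(links),
    }


if __name__ == "__main__":
    for where, r in scenario().items():
        print(f"{where:>9}: legit passed {r['passed_legit_bps'] / MBIT:6.2f} Mbit/s, "
              f"attack passed {r['passed_attack_bps'] / MBIT:5.2f} Mbit/s, "
              f"legit loss {r['legit_loss']:.1%}")
```

With the cap applied where it was sized for, each link loses about 1/13 of its wanted traffic; the identical rule relayed to a point where the three links have already merged throws away roughly 9/13 of it, while still letting most of the reflected traffic through. The number itself is not the lesson; the lesson is that a rate-limit value only means something relative to the offered load at the enforcement point, which is exactly what a relay service cannot know in advance.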


