
netsec-sig - [Security-WG] Notes from the Security WG meeting at I2 GS 2018

Subject: Internet2 Network Security SIG

  • From: "Brock, Anthony W" <>
  • To: "''" <>
  • Subject: [Security-WG] Notes from the Security WG meeting at I2 GS 2018
  • Date: Mon, 14 May 2018 16:38:02 +0000
  • Accept-language: en-US

Thank you all for a great meeting last week!

 

We covered several topics and it looks like some interesting projects are on the horizon. Here are my notes:

 

2018 Internet2 Global Summit

Security WG

 

-          Introductions

-          uRPF

o   Internet2 has been investigating possible uRPF solutions for their environment

§  Started with basic management ACLs

§  Is now rolling out uRPF in logging mode to track data

§  Mostly seeing asymmetric traffic

o   Indiana University

§  Strict uRPF at client edge

§  Loose uRPF at border

o   Oregon State University

§  Some strict uRPF at client edge

§  Loose uRPF, RTBH and ACLs at border

o   Internet2 will report back concerning how much traffic crossing their network is spoofed

o   Internet2 will investigate the potential for notifying connectors/campuses when they source spoofed traffic

-          Flowspec

o   Internet2 is in the process of configuring a pilot.

o   The pilot is expected to start around the beginning of June.

o   Anyone interested in participating should contact Karl or Paul at Internet2

o   Items that need to be addressed:

§  How will Internet2 validate injected entries?

§  How will entries be logged/recorded for posterity?

§  How will entries be aged and removed? What is the feedback loop to the advertising connector/campus?

§  (What is the/Will there be a) feedback loop to connectors/campuses that sourced the traffic triggering creation of an entry?

§  What are the limits for the number of entries?

o   Potential solutions/examples:

§  The Flowspy at GÉANT.

§  Firewall on demand.

-          REN Routing Security group

o   This is a collaboration among various RENs (Internet2, GÉANT, Jisc, etc.)

o   The group has met twice.

o   Current focus is on the Mutually Agreed Norms for Routing Security (MANRS - https://www.manrs.org/)

o   The idea is to generate interest at the top levels of management, freeing time and resources for technical staff to prioritize activities such as RPKI

-          RPKI

o   This project is now being driven by the REN Routing Security group

o   I2 will keep the Security WG informed and, in the future, may be looking for their assistance in rolling something out

-          BGP hijacking (prefix hijacking)

o   Some members have recently suffered this type of attack

o   Solution:

§  The first step is monitoring; BGPmon or similar services

§  Some members have successfully worked around this through disaggregation, although this will not work for prefixes longer than a /24

 

Tony
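
The disaggregation workaround and its /24 limit noted under BGP hijacking, as an added example that is not part of the original notes. It is IPv4-only; the function name, status strings and sample prefixes (taken from the 198.18.0.0/15 benchmarking range) are constructed for illustration.

```python
import ipaddress

# Longest IPv4 prefix assumed usable for a counter-announcement
# (the /24 limit stated in the notes). IPv4 only.
MAX_PREFIX_LEN = 24


def plan_disaggregation(owned, hijacked, max_len=MAX_PREFIX_LEN):
    """Decide how the legitimate origin can win longest-prefix match.

    Returns (status, prefixes):
      'already-preferred' - the hijacker's announcement is less specific
      'disaggregate'      - originate the listed more-specifics
      'not-possible'      - the more-specifics would be longer than max_len
    """
    owned_net = ipaddress.ip_network(owned)
    hijack_net = ipaddress.ip_network(hijacked)
    if not (hijack_net.subnet_of(owned_net) or owned_net.subnet_of(hijack_net)):
        raise ValueError(f"{hijack_net} does not overlap {owned_net}")
    if hijack_net.prefixlen < owned_net.prefixlen:
        return "already-preferred", []
    # The counter-announcement must be strictly longer than the hijacker's.
    needed_len = hijack_net.prefixlen + 1
    if needed_len > max_len:
        return "not-possible", []
    # Only the contested range needs more-specifics, not the whole allocation.
    halves = hijack_net.subnets(new_prefix=needed_len)
    return "disaggregate", [str(n) for n in halves]


if __name__ == "__main__":
    # Constructed (owned, hijacked) pairs.
    cases = [
        ("198.18.0.0/16", "198.18.0.0/16"),
        ("198.18.0.0/16", "198.18.4.0/23"),
        ("198.18.0.0/16", "198.18.4.0/24"),
        ("198.18.4.0/23", "198.18.0.0/16"),
    ]
    for owned, hijacked in cases:
        status, prefixes = plan_disaggregation(owned, hijacked)
        print(f"{owned} vs {hijacked}: {status} {prefixes}")
```
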


