Skip to Content.
Sympa Menu

netsec-sig - Re: [Security-WG] Security group highlights - December 2018

Subject: Internet2 Network Security SIG

List archive

Re: [Security-WG] Security group highlights - December 2018


Chronological Thread 
  • From: Adair Thaxton <>
  • To: "" <>
  • Subject: Re: [Security-WG] Security group highlights - December 2018
  • Date: Mon, 7 Jan 2019 16:59:37 +0000
  • Accept-language: en-US
  • Authentication-results: internet2.edu; dkim=none (message not signed) header.d=none;internet2.edu; dmarc=none action=none header.from=internet2.edu;
  • Ironport-phdr: 9a23:Wq+txxxL0lu8Vw7XCy+O+j09IxM/srCxBDY+r6Qd0uoUIvad9pjvdHbS+e9qxAeQG9mDu7Qc06L/iOPJYSQ4+5GPsXQPItRndiQuroEopTEmG9OPEkbhLfTnPGQQFcVGU0J5rTngaRAGUMnxaEfPrXKs8DUcBgvwNRZvJuTyB4Xek9m72/q99pHPYAhEniaxba9vJxiqsAvdsdUbj5F/Iagr0BvJpXVIe+VSxWx2IF+Yggjx6MSt8pN96ipco/0u+dJOXqX8ZKQ4UKdXDC86PGAv5c3krgfMQA2S7XYBSGoWkx5IAw/Y7BHmW5r6ryX3uvZh1CScIMb7S60/Vza/4KdxUBLmiDkJOSMl8G/ZicJwgqBUoBO9qBJwzIHZe52VO+Fkc6/BYd8WWWhMU8BMXCJBGIO8aI4PAvIdMOlFtYb9pkEOpgagCwmsHuzuxSNIhnjw3aYn1OkhCh3G3Aw6ENMBrHTUq9P1ObwTUeCz0KnH0y/Db/VI1jfh9oTEaA4uruyRXb9pd8fa1EchFwTAjlqKqIzlOSuY1vgNs2eF9epvS+2vi288qwFtvDev3N0ghZXOho4P11DE9j11wJo7JN25VE57fcCrEIFKuy6GMIt2R9suQ2douSY/0LIGtoS3czQNyJQiwRPUdv+Jc5CQ7x79TumdPSp0iXd4dL6imhq/9Eagx+LgWsWo1VtHrDRKn9bQuX0I0hHf9NSLR/9l8ku/1juDzR7f5vxZLUwuiKbWJZwszqQtmpcXs0nPBiH2l1v1gaOKc0gp/+yl5Pnlb7Xoo5KRNpF7hR/7P6QgmsGzHeA1Pw0QU2iV5+iwyrvu9lDjTrpQlP05iKzZvYjaJcsFoq65BBdY3J4/5hi4Ezur380Uk2QfIl5YYR6HiJPmNE/ULPD/EPe/n0+jkDB2x/DAI7LtGI3NLmLEkLf9Y7ly91JcyAs0zdBZ/Z5UDawBIO73Wk/2s9zYDQU1PBCzw+biENl914UeVnyTAqKBLq/dq0OE6v8qLuWReYMZpTPwK/Yq6vLykXM0nF0Qcrem0JQLbX21G+pqL1mdbHb0h9cOC2YKvg4wTOzwj12CVCZeZ22uX6I8/D46B56mDYDFRo22gbyB2ju7EYNMZmBAFF+MDWnke5+aVPgRdSKeOtVhnSAcVbi9V48h0gmjtBTkxLV7M+rU4CwYtY7j1dRs6ezTmgo/9Th1D8SGz2GNVH94knkJRz8wwKBwv1Z9ylGd3qhknfBUD8Jc6O5UUlRyCZmJhfd3AM3oWx7QO8iGYFegXti8BzwtFJQ8z8JEKxJmFt6/lBHfzm+1DJcUkaCGHpo57via0nTscZVT0XHDgYAthlg8CvdPPH26gag3oxPPB4fZj0Kfv6esaakG2iPRriGOwXfY7xIQaxJ5TaiQBSNXXUDRt9msvhmYHbazFbQqNBdAwseeK6xML8fklkhCWOy6YoSMYmStln22CArSgL6Acdmid2Yc2XDbD04J20AW8G2dPAczTiGmvyrFDTNoGF6uBiGk8eR3pH6hCENhyQaMYh5g0aa44BgYmabaRv8OjfoIvS47oGByG1Cwl9vdF9uHoV9ne6NRBLF14FpO2W/D8QJnOZn1LqZ+i0QYfhgt+U7iykZ6
  • Spamdiagnosticoutput: 1:0

I believe that only RFC1918 space is in scope for now. Baby steps!

Adair


On 1/7/19 11:58 AM, Michael H Lambert wrote:
> I fully agree with blocking RFC1918 addresses. There are lots of other
> "static" bogon ranges, too, in both modern and legacy IP. These include
> documentation and IANA-reserved addresses. How aggressive should Internet2
> (or connectors) be in blocking these in addition to RFC1918?
>
> Michael
>
>> On 7 Jan 2019, at 11:43, Brad Fleming
>> <>
>> wrote:
>>
>> I’m assuming RFC1918 IPs as the source, correct? Regardless of source or
>> destination address I’m good with it. We shouldn’t be leaking that junk,
>> if we are something is broken, and I don’t expect Internet2 or the greater
>> community to deal with our failures. A publicly viewable counter on the
>> firewall filter term could be useful; I could make one of our junior
>> network team check the I2 counter every month to verify we don’t have an
>> internal issue. I’d be fine if that instrumentation wasn’t added until
>> later if I2 staff would like to move quickly on deploying filters but also
>> want to gather more input from the community on exposing FW filter
>> counters in this manner.
>> --
>> Brad Fleming
>> Assistant Director for Technology
>> Kansas Research and Education Network
>>
>>> On Jan 7, 2019, at 10:13 AM, Adair Thaxton
>>> <>
>>> wrote:
>>>
>>> I trust everyone had a nice break, and hasn't been driven up the wall by
>>> bored children yet. Our three-year-old reached the "why?" stage just in
>>> time for break, so if you're still sane, I envy you!
>>>
>>>
>>> - Internet2 is considering blocking all RFC1918 space at ingress links.
>>> We do not expect this to affect cloud tunnel traffic, or any legitimate
>>> traffic. However, we all know the pitfalls of that last statement,
>>> especially on our networks! We plan to start by logging RFC1918 traffic
>>> only, and then move to blocking it. We also plan to offer opt-outs for
>>> customers who need them. We would welcome your input on this, for our
>>> benefit as well as for the benefit of other customers.
>>>
>>>
>>> - Check your routing tables!
>>> https://twitter.com/InternetIntel/status/1080466509292621829
>>>
>>>
>>> - Hat tip to researchers at the University of Maryland!
>>> https://www.theregister.co.uk/2019/01/03/recaptcha_voice_challenge/
>>>
>>>
>>> - A lot of it, as it turns out.
>>> http://nymag.com/intelligencer/2018/12/how-much-of-the-internet-is-fake.html
>>>
>>>
>>> Happy new year, everybody!
>>>
>>> Adair
>>
>



Archive powered by MHonArc 2.6.19.

Top of Page