netsec-sig - Re: [Security-WG] Security group highlights - December 2018
Subject: Internet2 Network Security SIG
List archive
- From: gcbrowni <>
- To:
- Subject: Re: [Security-WG] Security group highlights - December 2018
- Date: Mon, 7 Jan 2019 12:01:27 -0500
- Ironport-phdr: 9a23:uS3ZvBBymwBFlWfgQ8r0UyQJP3N1i/DPJgcQr6AfoPdwSPT+ocbcNUDSrc9gkEXOFd2Cra4c26yO6+jJYi8p2d65qncMcZhBBVcuqP49uEgeOvODElDxN/XwbiY3T4xoXV5h+GynYwAOQJ6tL1LdrWev4jEMBx7xKRR6JvjvGo7Vks+7y/2+94fcbglUhzexe69+IAmrpgjNq8cahpdvJLwswRXTuHtIfOpWxWJsJV2Nmhv3+9m98p1+/SlOovwt78FPX7n0cKQ+VrxYES8pM3sp683xtBnMVhWA630BWWgLiBVIAgzF7BbnXpfttybxq+Rw1DWGMcDwULs5Xymp4aV2Rx/ykCoJNyI2/27KhMJ+gqJVvhCuqR9kzo7bfI2VMeBzcr/Bcd4YQ2dKQ8ZfVzZGAoO5d4YPAPYOMv1Cr4n6qVoOqxq+DhSrCePg1jBHnWX23ao00uQnEAHLxwMgH9YJsHvPttr1MKESUeepw6XSzDXDcula1ing54jVax0sp+yHU7x3ccrU00YvFgXFg02MqYzlITyVzPoCs2ea7+p7SeKglXQnpxttrTio3Mssl4rJipoJylHK9CV53Jo1KsOiSEJhfdGkF55QuzmcN4p2R8MtWW5otDwmxb0BvJ62ejUBxpc/xxPHdfCLb5SE7g/mWeqMIjp3mnFodbexhxa87USs1ujxWte63VtPqydIkNnBu3YQ3BLJ8MeHUOFy/kK51DaPyQ/T7uZELFgxlaXBKp4hxqQ8mYYPsUvfBCP2l1/2jKmRdko44OSo6vnnbq/4qZCBKo94kgD+MqIwlcyjGek0LBQCU3SG9em5ybHu/lP2TbZPg/04nKnVrIzWKMEFqqO3BgJY14Qu5hanAzejytsYnH0HLFxfeBKAiojkI17OL+zjAvelhFStnjFrx/HdM73uBpXNKWPMn63lfbZ77E5T1BA/zdFC555OFL4OPe/zVlfrtNPEFh85LxC0w+H/BdVmyIwRRX+PArWYMKPOsV6E/+wuI+aXaY8RuTb9MOQl5+XwgXMjmF8de7Wp0oUNaHC+APtmP1uVbWDyjdgcDGdZ9jY5Gffng0CYUCJCImm9d6M6+jwhDo+6V8HOSp3+rqaG2XK0FZdMYX9ACxjYHnzibYKbXfYkZyaVKMZllDsPE7m8DYItyEf950fB17N7I7+MqWUjvpX52Y0t6g==
Well, unless we change the scope.
Let’s do 1918 and other "well known" bad source addresses. We can worry about
"unassigned space" later.
How's that sound?
> On Jan 7, 2019, at 11:59 AM, Adair Thaxton
> <>
> wrote:
>
> I believe that only RFC1918 space is in scope for now. Baby steps!
>
> Adair
>
>
> On 1/7/19 11:58 AM, Michael H Lambert wrote:
>> I fully agree with blocking RFC1918 addresses. There are lots of other
>> "static" bogon ranges, too, in both modern and legacy IP. These include
>> documentation and IANA-reserved addresses. How aggressive should
>> Internet2 (or connectors) be in blocking these in addition to RFC1918?
>>
>> Michael
>>
>>> On 7 Jan 2019, at 11:43, Brad Fleming
>>> <>
>>> wrote:
>>>
>>> I’m assuming RFC1918 IPs as the source, correct? Regardless of source or
>>> destination address I’m good with it. We shouldn’t be leaking that junk,
>>> if we are something is broken, and I don’t expect Internet2 or the
>>> greater community to deal with our failures. A publicly viewable counter
>>> on the firewall filter term could be useful; I could make one of our
>>> junior network team check the I2 counter every month to verify we don’t
>>> have an internal issue. I’d be fine if that instrumentation wasn’t added
>>> until later if I2 staff would like to move quickly on deploying filters
>>> but also want to gather more input from the community on exposing FW
>>> filter counters in this manner.
>>> --
>>> Brad Fleming
>>> Assistant Director for Technology
>>> Kansas Research and Education Network
>>>
>>>> On Jan 7, 2019, at 10:13 AM, Adair Thaxton
>>>> <>
>>>> wrote:
>>>>
>>>> I trust everyone had a nice break, and hasn't been driven up the wall by
>>>> bored children yet. Our three-year-old reached the "why?" stage just in
>>>> time for break, so if you're still sane, I envy you!
>>>>
>>>>
>>>> - Internet2 is considering blocking all RFC1918 space at ingress links.
>>>> We do not expect this to affect cloud tunnel traffic, or any legitimate
>>>> traffic. However, we all know the pitfalls of that last statement,
>>>> especially on our networks! We plan to start by logging RFC1918 traffic
>>>> only, and then move to blocking it. We also plan to offer opt-outs for
>>>> customers who need them. We would welcome your input on this, for our
>>>> benefit as well as for the benefit of other customers.
>>>>
>>>>
>>>> - Check your routing tables!
>>>> https://twitter.com/InternetIntel/status/1080466509292621829
>>>>
>>>>
>>>> - Hat tip to researchers at the University of Maryland!
>>>> https://www.theregister.co.uk/2019/01/03/recaptcha_voice_challenge/
>>>>
>>>>
>>>> - A lot of it, as it turns out.
>>>> http://nymag.com/intelligencer/2018/12/how-much-of-the-internet-is-fake.html
>>>>
>>>>
>>>> Happy new year, everybody!
>>>>
>>>> Adair
>>>
>>
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
- [Security-WG] Security group highlights - December 2018, Adair Thaxton, 01/07/2019
- Re: [Security-WG] Security group highlights - December 2018, Brad Fleming, 01/07/2019
- Re: [Security-WG] Security group highlights - December 2018, Michael H Lambert, 01/07/2019
- Re: [Security-WG] Security group highlights - December 2018, Adair Thaxton, 01/07/2019
- Re: [Security-WG] Security group highlights - December 2018, gcbrowni, 01/07/2019
- Re: [Security-WG] Security group highlights - December 2018, David Farmer, 01/07/2019
- Re: [Security-WG] Security group highlights - December 2018, gcbrowni, 01/08/2019
- Message not available
- Re: [Security-WG] Security group highlights - December 2018, John Kristoff, 01/08/2019
- Re: [Security-WG] Security group highlights - December 2018, David Farmer, 01/08/2019
- Re: [Security-WG] Security group highlights - December 2018, Adair Thaxton, 01/08/2019
- RE: [Security-WG] Security group highlights - December 2018, Spurling, Shannon, 01/08/2019
- Re: [Security-WG] Security group highlights - December 2018, Jesse Bowling, 01/08/2019
- Re: [Security-WG] Security group highlights - December 2018, David Farmer, 01/07/2019
- Re: [Security-WG] Security group highlights - December 2018, gcbrowni, 01/07/2019
- Re: [Security-WG] Security group highlights - December 2018, Adair Thaxton, 01/07/2019
- Re: [Security-WG] Security group highlights - December 2018, Michael H Lambert, 01/07/2019
- Re: [Security-WG] Security group highlights - December 2018, Brad Fleming, 01/07/2019
- Re: [Security-WG] Security group highlights - December 2018, David Farmer, 01/08/2019
Archive powered by MHonArc 2.6.19.