
netsec-sig - Re: [Security-WG] Security group highlights - December 2018

Subject: Internet2 Network Security SIG


  • From: "Dale W. Carder" <>
  • To:
  • Subject: Re: [Security-WG] Security group highlights - December 2018
  • Date: Tue, 8 Jan 2019 16:28:41 -0600

Thus spake Adair Thaxton on Mon, Jan 07, 2019 at 04:13:36PM +0000:
> I trust everyone had a nice break, and hasn't been driven up the wall by
> bored children yet.  Our three-year-old reached the "why?" stage just in
> time for break, so if you're still sane, I envy you!

My 3yr old is firmly planted in the "No." phase (default-deny is not a
bad security policy per se, but I am not going to tell her that).

> - Internet2 is considering blocking all RFC1918 space at ingress links. 
> We do not expect this to affect cloud tunnel traffic, or any legitimate
> traffic.  However, we all know the pitfalls of that last statement,
> especially on our networks!  We plan to start by logging RFC1918 traffic
> only, and then move to blocking it.  We also plan to offer opt-outs for
> customers who need them.  We would welcome your input on this, for our
> benefit as well as for the benefit of other customers.

It looks like our filters largely match this list (minus multicast) and
of course we have explicit bcp38 filters for downstream networks to only
allow their prefixes.
https://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt
For v6 we drop non 2000::/3 space and the documentation prefix. That
could probably be expanded to include 2001:0002::/48
Are there others?

> - Check your routing tables! 
> https://twitter.com/InternetIntel/status/1080466509292621829

:-( ESnet as well as folks from DOE and WAPA saw it and we were able
to get it shut down. It was also useful for us to figure out folks
who weren't following best practices and MANRS.

Dale
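
The filter policy discussed in this thread (RFC1918 at ingress for IPv4; for IPv6, only 2000::/3 minus the documentation prefix and 2001:0002::/48), run as the log-only first phase over flow records. This is an added example, not part of the original message or of either network's configuration; the link names, sample records and the `classify` / `log_only_pass` helpers are constructed, and the documentation prefix is taken to be 2001:db8::/32.

```python
import ipaddress
from collections import Counter

# IPv4: the RFC 1918 private ranges proposed for ingress filtering.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# IPv6 policy from the message: accept only 2000::/3, minus the documentation
# prefix (assumed 2001:db8::/32) and the suggested 2001:2::/48 (benchmarking).
V6_GLOBAL = ipaddress.ip_network("2000::/3")
V6_DENY = {"documentation": ipaddress.ip_network("2001:db8::/32"),
           "benchmarking": ipaddress.ip_network("2001:2::/48")}

def classify(src):
    """Return (verdict, reason) for one source address."""
    addr = ipaddress.ip_address(src)
    if addr.version == 4:
        for net in RFC1918:
            if addr in net:
                return "would-drop", f"rfc1918 {net}"
        return "accept", "not rfc1918"
    if addr not in V6_GLOBAL:
        return "would-drop", "outside 2000::/3"
    for name, net in V6_DENY.items():
        if addr in net:
            return "would-drop", f"{name} {net}"
    return "accept", "global unicast"

def log_only_pass(records, opt_out=()):
    """Log-only phase: count would-drop hits per (link, reason).
    Links listed in opt_out are skipped, modelling customer opt-outs."""
    hits = Counter()
    for link, src in records:
        verdict, reason = classify(src)
        if verdict == "would-drop" and link not in opt_out:
            hits[(link, reason)] += 1
    return hits

# Constructed sample records: (hypothetical ingress link name, source address).
SAMPLE = [("link-a", "10.1.2.3"), ("link-a", "172.31.255.1"),
          ("link-a", "172.32.0.1"), ("link-b", "192.168.0.9"),
          ("link-b", "2001:db8::1"), ("link-c", "2001:2::5"),
          ("link-c", "fc00::1"), ("link-c", "2620:0:1::1")]

if __name__ == "__main__":
    report = log_only_pass(SAMPLE, opt_out={"link-b"})
    for (link, reason), n in sorted(report.items()):
        print(link, reason, n)
```

Reviewing the per-link counts before switching from logging to dropping shows which links would need an opt-out or a fix on the customer side.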


