netsec-sig - Re: [Security-WG] Security group highlights - December 2018

Subject: Internet2 Network Security SIG
  • From: David Farmer <>
  • To:
  • Subject: Re: [Security-WG] Security group highlights - December 2018
  • Date: Tue, 8 Jan 2019 17:47:36 -0600

On Tue, Jan 8, 2019 at 4:28 PM Dale W. Carder <> wrote:

> It looks like our filters largely match this list (minus multicast) and
> of course we have explicit bcp38 filters for downstream networks to only
> allow their prefixes.

Do you permit any packets not sourced from their assigned blocks?  Like maybe for IPv4 192.0.0.9 or 192.88.99.1, or for IPv6 2002:a.b.c.0/40 or larger, where a.b.c.0/24 are their IPv4 prefixes?
 
https://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt

That is the basis for our IPv4 Bogon filters.  Note: Multicast 224.0.0.0/4 is an invalid source but a valid destination. Also, you might not want to block 192.0.0.0/24, as at least 192.0.0.9 is a valid source address for packets on the Internet; there could be valid ICMPv4 packets notifying a real IPv4 destination of a dropped packet in a 4rd tunnel, see RFC7600.

Two other handy reference links; not everything on the lists is a bogon, but all the bogons are listed:

 
> For v6 we drop non 2000::/3 space and the documentation prefix.  That
> could probably be expanded to include 2001:0002::/48
> Are there others?

Just curious, how do you implement that?  And, do you allow link-local on the external facing router ports?

Deny 0000::/3 any
Deny 4000::/2 any
Deny 8000::/1 any
Deny any 0000::/3
Deny any 4000::/2
Deny any 8000::/1
Deny 2001:db8::/32 any
Deny 2001:0002::/48 any
Deny any 2001:db8::/32
Deny any 2001:0002::/48
Permit any any

Or;

Deny 2001:db8::/32 any
Deny 2001:0002::/48 any
Deny any 2001:db8::/32
Deny any 2001:0002::/48
Permit 2000::/3 2000::/3
Deny any any

Thanks

--
===============================================
David Farmer              
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota  
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================
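As an added example, not from the thread or from either network's actual router configuration, the two IPv6 ACL formulations quoted above are evaluated here with first-match semantics over a few constructed flows (the addresses are made up) to confirm the lists agree; it also shows that a link-local source, the kind neighbour discovery uses, falls inside 8000::/1 and is denied by both, which is what the link-local question above touches on.

```python
from ipaddress import IPv6Address, IPv6Network
# "any" in the quoted ACLs is the all-zero prefix; each rule is (action, src, dst).
def rule(action, src, dst):
    return (action, IPv6Network(src), IPv6Network(dst))

# First formulation from the thread: deny everything outside 2000::/3 in either
# direction, deny the documentation and benchmarking prefixes, then permit the rest.
ACL_DENY_FIRST = [
    rule("deny", "0000::/3", "::/0"),
    rule("deny", "4000::/2", "::/0"),
    rule("deny", "8000::/1", "::/0"),
    rule("deny", "::/0", "0000::/3"),
    rule("deny", "::/0", "4000::/2"),
    rule("deny", "::/0", "8000::/1"),
    rule("deny", "2001:db8::/32", "::/0"),
    rule("deny", "2001:0002::/48", "::/0"),
    rule("deny", "::/0", "2001:db8::/32"),
    rule("deny", "::/0", "2001:0002::/48"),
    rule("permit", "::/0", "::/0"),
]
# Second formulation: deny the special prefixes, permit only global-to-global, deny the rest.
ACL_PERMIT_GLOBAL = [
    rule("deny", "2001:db8::/32", "::/0"),
    rule("deny", "2001:0002::/48", "::/0"),
    rule("deny", "::/0", "2001:db8::/32"),
    rule("deny", "::/0", "2001:0002::/48"),
    rule("permit", "2000::/3", "2000::/3"),
    rule("deny", "::/0", "::/0"),
]

def evaluate(acl, src, dst):
    """First-match evaluation as a router ACL does it; implicit deny if nothing matches."""
    s, d = IPv6Address(src), IPv6Address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action
    return "deny"

def compare(acl_a, acl_b, flows):
    """Map each (src, dst) flow to the verdict of both ACLs so they can be checked for agreement."""
    return {flow: (evaluate(acl_a, *flow), evaluate(acl_b, *flow)) for flow in flows}

# Constructed sample flows; the addresses are made up for this example.
SAMPLE_FLOWS = [
    ("2600:1::1", "2a00:1::1"),          # global -> global: permitted by both lists
    ("2001:db8::1", "2a00:1::1"),        # documentation prefix as source
    ("2600:1::1", "2001:2::1"),          # benchmarking prefix as destination
    ("fe80::1", "ff02::1"),              # link-local -> all-nodes, as neighbour discovery uses
    ("::ffff:192.0.2.1", "2a00:1::1"),   # IPv4-mapped source, which falls in 0000::/3
]
```

Because both lists deny a link-local source, a router applying them to an interface would need to handle neighbour discovery separately or permit fe80::/10 explicitly for on-link traffic.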
