netsec-sig - Re: [Security-WG] Blocking RFC1918 from connectors: It's happening!
- From: Jeff Bartig <>
- To: "" <>, Adair Thaxton <>
- Subject: Re: [Security-WG] Blocking RFC1918 from connectors: It's happening!
- Date: Fri, 10 May 2019 20:32:52 +0000
INTERFACE-CONNECTOR is kind of poorly named, as it is used in a number of applications. It is a config template (JUNOS apply-group) that is used in the configs on Internet2 routers to apply a number of standardized settings for "edge" interfaces in both the R&E and I2PX routing tables. It applies configuration for things like MTU and firewall filter ACLs. It would be better named INTERFACE-EDGE, given where it is applied.

All I2PX edge logical interfaces (121 private peers, 18 public exchanges, and 115 participant) should have INTERFACE-CONNECTOR applied on them. When the firewall filter specified by INTERFACE-CONNECTOR is updated to include the RFC1918 filtering, all of the I2PX peers will be covered by this change.

Previously, INTERFACE-CONNECTOR was also applied to VRF interfaces such as Internet2's Cloud Connect services. In those VRFs, it is highly likely that private addressing would be in use and validly need to be routed. Brian is wrapping up a project to deploy a new template for those interfaces, so RFC1918 sourced packets won't be filtered in those VRFs.

Jeff

Adair Thaxton wrote on 5/10/19 2:45 PM:

> Brian Pullin's answer: The INTERFACE-CONNECTORS are direct connected interfaces and that is the only thing I was made aware of by Nathan. We can approach peering but it will be difficult in I2PX (TRCPS). In R&E the peers are mostly controlled by access list (prefix list) and we do not allow the RFC1918 in to the prefix list. They would still be able to send RFC1918 packets but not advertise the address. This is something we can spend more time on after we fix the connectors.
>
> On 5/10/19 2:43 PM, Michael H Lambert wrote:
> > On 10 May 2019, at 14:15, Adair Thaxton wrote:
> > > Internet2 will be implementing the new INTERFACE-CONNECTOR filter to block RFC1918 packets being sent via connectors.
> >
> > Will these filters also be applied to peer interfaces once they are deemed stable on connector interfaces?
> >
> > Michael
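The apply-group arrangement Jeff describes, sketched as an added JunOS example rather than Internet2's actual configuration: the prefix-list name RFC1918, the filter name EDGE-IN, the counter name and the interface xe-0/0/0 are assumed, while the group name INTERFACE-CONNECTOR comes from the thread. The counter lets an operator watch how much RFC1918-sourced traffic a connector is actually sending before and after the filter is applied.

```junos
/* Assumed prefix-list holding the RFC1918 ranges */
policy-options {
    prefix-list RFC1918 {
        10.0.0.0/8;
        172.16.0.0/12;
        192.168.0.0/16;
    }
}

/* Assumed edge filter: count and discard RFC1918-sourced packets, accept the rest */
firewall {
    family inet {
        filter EDGE-IN {
            term drop-rfc1918-src {
                from {
                    source-prefix-list {
                        RFC1918;
                    }
                }
                then {
                    count rfc1918-src-drops;
                    discard;
                }
            }
            term accept-rest {
                then accept;
            }
        }
    }
}

/* The apply-group: every unit it is applied to gets the edge filter (MTU etc. omitted) */
groups {
    INTERFACE-CONNECTOR {
        interfaces {
            <*> {
                unit <*> {
                    family inet {
                        filter {
                            input EDGE-IN;
                        }
                    }
                }
            }
        }
    }
}

/* Applied per edge unit; VRF units (e.g. Cloud Connect) use a separate template without this filter */
interfaces {
    xe-0/0/0 {
        unit 0 {
            apply-groups INTERFACE-CONNECTOR;
        }
    }
}
```

The drop counter is visible with `show firewall filter EDGE-IN`, which gives a per-interface view of RFC1918 leakage without needing packet captures.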