Educause Security Discussion mailing list archives
Re: border filtering questions
From: Jeff Murphy <jcmurphy () BUFFALO EDU>
Date: Mon, 28 Feb 2011 17:35:26 -0500
On Feb 28, 2011, at 4:07 PM, Valdis Kletnieks wrote:
> On Mon, 28 Feb 2011 13:41:13 EST, Jeff Murphy said:
>> [ ] We don't block traffic to/from known bad addresses/netblocks at our border.
>
> Define "known bad addresses/netblocks". With the recent exhaustion of the IANA IPv4 space, this basically equates to "RFC1918, class E, and similar bogons", unless you want to follow the Team Cymru feed of space not sub-allocated by an RIR yet. If you have some *other* definition of "known bad" (including hijacked space, dead space, and so on), it probably should be specified...
REN-ISAC offers a feed, Cymru has lists, Cisco sells a feed, you may have your own internal list (e.g. derived from phishing URLs you see), etc. I was intentionally vague. By bad I meant "an address you don't want to trade packets with across your border" but I should've excluded the examples you give in order to avoid the "well we do block, but only rfc 1918, et al" folks.

What I'm interested in is whether or not there's a trend towards automated intelligence-based blocking. My sense is that there's interest in it, but that it hasn't really made it to the mainstream. I hear a lot about it, but when I ask around amongst the people I know, I generally get "no, you?"
> Oh, and you probably should ask separately for IPv4 and IPv6. ;)
I'll ask about v6 when v6 becomes more than just a flamefest that fills my nanog (er, I mean newnog) folder. ;)

jeff