Internet2 Network Transit Security Policy
(Updated Feb 17, 2015)
This page describes the security policy of the Internet2 Network when viewed as a transit network. That is, how the network behaves when hosts behind connectors or peers are under attack or have been compromised. As a backbone network, the policy is determined by the basic properties of an IP network, where control is at the edge. Hosts determine when and where to send packets and initiate traffic flows. Control, however, often leads to vulnerability. Hosts may become compromised and send large amounts of traffic to other hosts, or they may compromise additional hosts, leading to potential chaos on the network. The fundamental security problems of an IP network therefore lie at the edge, in the hosts attached to the network, and not in the network itself. As an IP backbone network, the basic premise that defines the Internet2 Network security policy is the view that the Internet2 Network is a pipe and not a controlling entity. That premise is consistent with the fundamental design of the IP protocol.
The Internet2 Network backbone has the means to apply at least some control. It is possible for the network to block traffic on particular ports, or to block all traffic from particular IP addresses. However, the Internet2 Network does not apply such controls in a unilateral fashion on a network-wide basis unless the network itself is under threat. That premise is the first basic security policy of the network:
Internet2 Network does not unilaterally filter traffic on a network-wide basis unless the network itself is under attack.
For example, a recent threat involved port 135. Compromised hosts propagated a virus through that port, infecting numerous machines. The Internet2 Network did not unilaterally block that port to protect hosts on the network. That function is handled more efficiently on devices closer to the edge of the network than on the backbone. Had the network itself been under attack, meaning the routers and switches, then the Internet2 Network would have blocked the traffic immediately.
The Internet2 Network will filter traffic in some situations, however. In particular, if one or more hosts on a connector or peer network were under attack, and the connector or peer were to request blocking the traffic from the Internet2 Network, then the Internet2 Network would filter the traffic to the site:
The Internet2 Network will filter traffic to a connector or peer if requested by that particular connector or peer network, filtering the appropriate traffic through the connection in question.
The Internet2 Network will make every possible attempt to authenticate those making requests for traffic filtering through interconnection points.
The Internet2 Network has an efficient method for connectors to black hole a route by attaching a particular BGP community to the route. All traffic that enters the network destined for that prefix is then dropped by every router in the network, before it reaches the connector's link. (See Response to DDoS Attacks.) The section below entitled BGP Discard Routing describes this procedure.
The Internet2 Network reserves the right to protect itself and its connectors and peers from other connectors and peers. If a threat to the network exists through a particular connector, then the Internet2 Network has the right to filter that traffic, and ultimately disconnect the offending connector or peer. Every attempt will be made to contact the network in question to discuss various options and alternatives.
The Internet2 Network reserves the right to filter all traffic or terminate any connection if it is under attack.
How does a backbone network determine if traffic is a security threat? This is a difficult question to answer. Fundamentally it is a network research problem. The Internet2 Network currently incorporates a measurement infrastructure as part of its network operations. It collects data in a variety of ways pertaining to network performance and evaluation. It also allows access to that data to the research community.
As part of its normal data gathering process, the Internet2 Network collects flow statistics on a sampling basis that potentially could identify source and destination addresses and ports. That data is anonymized before it is saved to disk by zeroing out the low order 11 bits of every IP address, so that IPv4 addresses are recorded only at /21 granularity (blocks of 2,048 addresses). In particular, the Internet2 Network does not collect data pertaining to communications between identifiable hosts on the network, in order to protect the privacy of the individuals using those hosts.
During times of security threats, however, data pertaining to particular hosts could theoretically be used to identify compromised hosts that are a security risk to other hosts on the network. To that end, the Internet2 Network may use identifiable flow data to create summary reports that help research institutions and connected networks determine security threats at their respective institutions.
Information derived from analysis of the flow data that identifies specific institutions or hosts is treated as confidential information. Occasions for such confidential reporting may arise; they are guided by the following general principles:
During times of security attacks, Internet2 may use identifiable flow data. Institutions may request information identifying specific sources of cyber security attacks located on their own networks. Only security-related information will be reported to the institutions.
While use of this data is expected to help institutions identify potential security threats on their individual campuses, Internet2 strongly encourages those institutions to collect their own data, potentially providing a greater degree of specificity to particular security problems. The Internet2 Network data is meant to supplement, not replace, data collected by individual institutions or connectors.
BGP Discard Routing
Internet2 Network Connectors can now advertise routes to the Internet2 Network via BGP for which all traffic to those routes will be discarded by the Internet2 Network routers. This is useful if there's a DoS attack which consumes a large portion of the link between the Internet2 Network and the Connector, because the traffic is dropped before it crosses the link. Here's how it works...
The Internet2 Network's BGP policy has always been to allow Connectors to advertise routes which are more specifics of the routes they already advertise, up to and including a /27 mask. Now, if a more specific route is tagged with the BGP Community 11537:911 and its mask length is between /24 and /32, the route advertisement will be accepted and its NEXT-HOP will be set to the discard interface, causing all packets destined to that route to be discarded by the Internet2 Network router(s) at which they enter the network.
Here are a few important points:
- Discard routes will NOT be accepted for routes larger than a /24, i.e. with a mask shorter than /24 (such as a /23).
- There is no way to place a limit on the number of discard routes a Connector can advertise. The limit on the total number of routes a Connector can advertise (discard routes included) is currently 3,000.
- The Internet2 Network's default policy is to not accept routes smaller than a /27, i.e. with a mask longer than /27. There have been some exceptions made to this policy. For those /28-and-longer routes accepted under an exception, it will not be possible to announce more specific discard routes within them.
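The following is an added example, not Internet2's router configuration or code: a model of the import policy described above, written against Python's standard ipaddress module so that a Connector can check what would happen to a planned advertisement before sending it. The constants come from the text (community 11537:911, the /24 to /32 discard range, the /27 limit on ordinary more-specifics, the 3,000-route cap). Two behaviours the page does not spell out are assumptions and are marked as such in the code: a 11537:911-tagged route shorter than /24 is treated as an ordinary advertisement rather than rejected, and the "/28 and smaller exception" rule is keyed on whether any covering route the Connector advertises is within the default /27 limit. The addresses in the sample scenario are constructed from documentation ranges.

```python
"""Model of the Internet2 Network import policy for Connector more-specifics.

Added example; this is NOT Internet2's router configuration or code.  It
encodes the rules stated on the page (community 11537:911, discard range
/24-/32, normal more-specific limit /27, 3,000-route cap) using only the
Python standard library.  Behaviour the page does not spell out is marked
ASSUMPTION in the comments.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

BLACKHOLE_COMMUNITY = "11537:911"      # from the page
DISCARD_MIN_LEN, DISCARD_MAX_LEN = 24, 32
NORMAL_MAX_LEN = 27                    # default: nothing longer than /27
MAX_ROUTES = 3000                      # total routes per Connector


@dataclass(frozen=True)
class Decision:
    action: str                        # "accept", "discard" or "reject"
    reason: str
    next_hop: Optional[str] = None     # "discard" or "connector"


def evaluate_route(prefix: str, communities: Iterable[str],
                   already_advertised: Iterable[str],
                   accepted_count: int = 0) -> Decision:
    """Decide what Internet2 does with one more-specific advertisement.

    prefix             -- the candidate route, e.g. "198.51.100.7/32"
    communities        -- BGP communities attached to it, as "ASN:value"
    already_advertised -- routes this Connector already has accepted
    accepted_count     -- how many routes the Connector already has in
    """
    net = ipaddress.ip_network(prefix, strict=True)
    comms = set(communities)
    if net.version != 4:
        # ASSUMPTION: the page only discusses IPv4 mask lengths.
        return Decision("reject", "example models IPv4 only")
    if accepted_count >= MAX_ROUTES:
        return Decision("reject", f"Connector already at {MAX_ROUTES}-route limit")

    # Any more-specific (discard or not) must sit inside a route the
    # Connector already advertises; strictly longer mask = "more specific".
    parents = [p for p in (ipaddress.ip_network(a) for a in already_advertised)
               if p.version == 4 and p.prefixlen < net.prefixlen and net.subnet_of(p)]
    if not parents:
        return Decision("reject", "not a more-specific of a route this Connector advertises")

    tagged = BLACKHOLE_COMMUNITY in comms
    if tagged and DISCARD_MIN_LEN <= net.prefixlen <= DISCARD_MAX_LEN:
        # Page: routes held under a /28-or-longer exception cannot have
        # discard more-specifics.  ASSUMPTION: the check is whether some
        # covering route is within the default /27 limit.
        if all(p.prefixlen > NORMAL_MAX_LEN for p in parents):
            return Decision("reject", "covering route is a /28-or-longer exception; "
                                      "no discard more-specifics allowed")
        return Decision("discard", "tagged 11537:911 with /24-/32 mask; "
                                   "NEXT-HOP rewritten to the discard interface",
                        next_hop="discard")

    # Not a discard route (untagged, or tagged but shorter than /24).
    # ASSUMPTION: a tagged route shorter than /24 is not rejected outright;
    # the tag is simply ignored and the normal /27 policy applies.
    if net.prefixlen <= NORMAL_MAX_LEN:
        return Decision("accept", "more-specific within the /27 limit",
                        next_hop="connector")
    return Decision("reject", "longer than /27 without the discard community")


def blackhole_campaign(advertised: list, victims: list) -> dict:
    """Connector-side check: what happens if each victim prefix is tagged."""
    return {v: evaluate_route(v, {BLACKHOLE_COMMUNITY}, advertised).action
            for v in victims}


if __name__ == "__main__":
    # Constructed scenario: a Connector advertising a /22 and, by
    # exception, a /28; all addresses are documentation ranges.
    advertised = ["198.51.100.0/22", "203.0.113.0/28"]
    for pfx, comm in [("198.51.100.7/32", {BLACKHOLE_COMMUNITY}),
                      ("198.51.100.0/23", {BLACKHOLE_COMMUNITY}),
                      ("198.51.100.0/26", set()),
                      ("198.51.100.64/28", set()),
                      ("203.0.113.4/30", {BLACKHOLE_COMMUNITY}),
                      ("192.0.2.1/32", {BLACKHOLE_COMMUNITY})]:
        d = evaluate_route(pfx, comm, advertised)
        print(f"{pfx:18} {d.action:8} {d.reason}")
```

Running the scenario shows the shape of the policy: the attacked host's /32 inside the /22 is blackholed, the tagged /23 is too large to be a discard route and is carried as an ordinary more-specific, the untagged /26 is accepted while the untagged /28 is not, the /30 under the /28 exception is refused, and a prefix the Connector does not own is never accepted in either form. Because the 3,000-route cap counts discard routes as well, a Connector under a wide attack should prefer a single covering discard prefix over many /32s.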