Network access controls in the database

Various exceptions to the general network access controls are applied at CUDN routers for some individual IP addresses. Some of these are at the border routers between the CUDN and JANET, and others at the individual CUDN routers interfacing to institutional networks.

The IP Register database has a scheme which helps us to keep better control over these exceptions, by adding IP addresses to special aname objects listed below. These are not generally visible to users of the IP Register database, but they can be found in the DNS.

As long as the attachment to the aname remains, it prevents the main registration from being rescinded, typically by causing an IPREG.ANAME_V4_ADDR_ADDRESS_REF_USED constraint violation error. The intent is that this will result in the institutional COs requesting removal of the exception at that point.

Requests for the creation or removal of network access control exceptions, or explanations of existing ones, should in most cases be sent to network-support@uis.cam.ac.uk in the first instance, who will redirect them if necessary. However, CSIRT csirt@uis.cam.ac.uk are solely responsible for the cudn-blocklist contents in particular.

The special aname objects are:

  • janet-filter.net.private.cam.ac.uk for exceptions at the CUDN border routers, often permitting some network traffic that would otherwise be blocked.

  • cudn-filter.net.private.cam.ac.uk for exceptions at internal CUDN routers.

  • cudn-blocklist.net.private.cam.ac.uk for addresses for which all IP traffic is completely blocked, usually as the result of a security incident.

  • cudn-config.net.private.cam.ac.uk for addresses that are referred to in the CUDN routing infrastructure.

If the IP address is not registered, then it is first registered as reserved.net.cam.ac.uk or reserved.net.private.cam.ac.uk as appropriate, and then added to one of the anames above. This prevents it being reused while the exception still exist. (Some of these cases are due to the fact that we did not have the scheme in the past, and there are several now-unregistered IP addresses whose exceptions were never removed.)

Note that this apparatus only deals with exceptions for individual IP addresses, not those for whole subnets.

Related Links