Representing network access controls in the database

2008-12-15 - News - Chris Thompson

(Updated and partly obsoleted on 2014-05-20)

(Updated 2009-01-13)

Various exceptions to the general network access controls are applied at CUDN routers for some individual IP addresses. Some of these are at the border routers between the CUDN and JANET, and others at the individual CUDN routers interfacing to institutional networks.

We have implemented a scheme which we hope will enable us to keep better control over these exceptions. When an exception is created for a registered IP address, that address is added to one of the following anames:

  • janet-acl.net.private.cam.ac.uk for exceptions at the border routers, usually permitting some network traffic that would otherwise be blocked;

  • cudn-acl.net.private.cam.ac.uk for exceptions at the local CUDN routers, usually allowing some use of high-numbered ports for those vlans for which such a restriction is imposed;

  • block-list.net.private.cam.ac.uk for addresses for which all IP traffic is completely blocked, usually as the result of a security incident.

As long as the attachment to the aname remains, it prevents the main registration from being rescinded. The intent is that this will result in the institutional COs requesting removal of the exception at that point.

If the IP address is not registered, then it is first registered as reserved.net.cam.ac.uk or reserved.net.private.cam.ac.uk as appropriate, and then processed as above. This prevents it being reused while the exception still exists. (Some of these cases are due to the fact that we did not have the scheme in the past, and there are several now-unregistered IP addresses whose exceptions were never removed.)
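As an added illustration, not code from the IP register database itself, the following Python model captures the scheme just described: an address is attached to one of the three anames, an unregistered address is reserved first, and rescinding a main registration is refused while any attachment remains. It assumes that RFC 1918 space is what belongs in the private namespace, and the addresses used are constructed samples.

```python
from ipaddress import ip_address, ip_network

# The three anames named in the post.
JANET_ACL = "janet-acl.net.private.cam.ac.uk"
CUDN_ACL = "cudn-acl.net.private.cam.ac.uk"
BLOCK_LIST = "block-list.net.private.cam.ac.uk"
ANAMES = {JANET_ACL, CUDN_ACL, BLOCK_LIST}

# Assumption: RFC 1918 space is what lands in the *.private.cam.ac.uk namespace.
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def reserved_name(ip):
    """Name used when an unregistered address has to be reserved first."""
    if any(ip in net for net in PRIVATE_NETS):
        return "reserved.net.private.cam.ac.uk"
    return "reserved.net.cam.ac.uk"


class ExceptionRegister:
    """Toy model of the register: one main registration per address plus
    the set of anames (access control exceptions) attached to it."""

    def __init__(self):
        self.registered = {}  # ip -> main registration name
        self.attached = {}    # ip -> set of anames

    def register(self, addr, name):
        self.registered[ip_address(addr)] = name

    def add_exception(self, addr, aname):
        """Attach addr to an aname, reserving it first if it is unregistered."""
        if aname not in ANAMES:
            raise ValueError(f"unknown aname: {aname}")
        ip = ip_address(addr)
        self.registered.setdefault(ip, reserved_name(ip))
        self.attached.setdefault(ip, set()).add(aname)
        return self.registered[ip]

    def remove_exception(self, addr, aname):
        self.attached.get(ip_address(addr), set()).discard(aname)

    def rescind(self, addr):
        """Drop the main registration; refused while any exception remains,
        which is what prompts the CO to request the exception's removal."""
        ip = ip_address(addr)
        if self.attached.get(ip):
            raise PermissionError(f"{ip} still attached to {sorted(self.attached[ip])}")
        self.attached.pop(ip, None)
        return self.registered.pop(ip, None) is not None
```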

Note that this apparatus only deals with exceptions for individual IP addresses, not those for whole subnets.

Requests for the creation or removal of network access control exceptions should be sent to cert@cam.ac.uk.