Representing network access controls in the database

2014-05-20 - News - Chris Thompson

The scheme described in news item 2008-12-15 has been reworked to represent a larger number of references to specific IP addresses from the various parts of the CUDN infrastructure. The intention remains the same: to prevent such IP addresses being rescinded or reused without appropriate changes being made to the CUDN configuration.

There are now four "anames" used instead of three:

  • for exceptions at the CUDN border routers, often permitting some network traffic that would otherwise be blocked. This is essentially the same as the old which is temporarily an alias.

  • for exceptions at internal CUDN routers. This includes the old high-numbered port blocking, where it is still in use, but also many other sorts of exception which were previously not represented. The old name is temporarily an alias.

  • for addresses for which all IP traffic is completely blocked, usually as the result of a security incident. This is essentially the same as the old which is temporarily an alias.

  • for addresses that are referred to in the CUDN routing infrastructure. This is completely new.

Both IPv4 and IPv6 addresses may appear in these lists (although at the moment only cudn-config has any IPv6 addresses).

Requests for the creation or removal of network access control exceptions, or explanations of existing ones, should in most cases be sent to in the first instance, who will redirect them if necessary. However, the CERT team at are solely responsible for the cudn-blocklist contents in particular.