Last updated: 
3 days 22 hours ago
Blog Manager
One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Group administrators:

Net Neutrality: BCP-38 Seems OK

Wednesday, August 31, 2016 - 14:12

The Board of European Regulators of Electronic Communications (BEREC) have now released the final version of their net neutrality guidelines, following a public consultation that received nearly half a million responses. These seem to have resulted in clarifications of the draft version, rather than any significant change of policy.

Jisc's response raised a concern that the guidelines appeared to prohibit permanent filtering of spoofed IP addresses. Such filtering is recommended internet good practice (see BCP-38) to address a security threat identified by BEREC themselves, that spoofed addresses greatly enhance the ability to perform denial of service attacks. The revised guidelines include a small change, apparently in response to this comment. Paragraph 85 now says [new text in capitals]:

85. [National Regulatory Authorities] should consider that, in order to identify attacks and activate security measures, the use of security monitoring systems by ISPs is often justified. In such cases, the monitoring of traffic to detect security threats … may be implemented in the background ON A CONTINUOUS BASIS, while the actual traffic management measure preserving integrity and security is triggered only when concrete security threats are detected. Therefore, the precondition "only for as long as necessary" does not preclude implementation of such monitoring of the integrity and security of the network.

This suggests viewing a router's actions in blocking spoofed packets as continually monitoring for invalid addresses and only turning on the traffic management measure (to drop the packet) at the moments when such an address is detected. At a very deep technical level that is how it works, but it's probably not how most people configuring firewalls or routers think about it! Nonetheless it's good to have some response indicating, however indirectly, BEREC's support for measures to protect networks against denial of service attacks. In preparing our response I also learned of a number of national regulators who are actively promoting BCP-38 compliance in their countries, which is excellent news.

The other changes are summarised in BEREC’s presentation and Jon Hunt’s blog post.