2008-12-15 - News - Chris Thompson
(Updated and partly obsoleted on 2014-05-20)
(Updated 2009-01-13)
Various exceptions to the general network access controls are applied at CUDN routers for some individual IP addresses. Some of these are at the border routers between the CUDN and JANET, and others at the individual CUDN routers interfacing to institutional networks.
We have implemented a scheme which we hope will enable us to keep better control over these exceptions. When an exception is created for a registered IP address, that address is added to one of the following anames:

janet-acl.net.private.cam.ac.uk
    for exceptions at the border routers, usually permitting some network traffic that would otherwise be blocked;

cudn-acl.net.private.cam.ac.uk
    for exceptions at the local CUDN routers, usually allowing some use of high-numbered ports on those VLANs for which such a restriction is imposed;

block-list.net.private.cam.ac.uk
    for addresses for which all IP traffic is completely blocked, usually as the result of a security incident.
As long as the attachment to the aname remains, it prevents the main registration from being rescinded. The intent is that this will prompt the institutional Computer Officers (COs) to request removal of the exception at that point, rather than leaving it in place on the router after the address has been given up.
If the IP address is not registered, then it is first registered as reserved.net.cam.ac.uk or reserved.net.private.cam.ac.uk as appropriate, and then processed as above. This prevents the address being reused while the exception still exists. (Some of these cases arise because we did not have the scheme in the past, and there are several now-unregistered IP addresses whose exceptions were never removed.)
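The scheme above only pays off if the router exceptions and the aname attachments are actually kept in step, so the check a practitioner wants is a reconciliation: every per-address exception should be attached to the matching aname (after a reserved.* registration if the address is unregistered), and every aname member should still correspond to a live exception. The following Python is an added example written for this page, not a tool from the CUDN or its authors. The three aname names are taken from the text; everything else is assumed: the choice of reserved.net.private.cam.ac.uk for RFC 1918 addresses and reserved.net.cam.ac.uk for all others, the shape of the input data (exceptions as (kind, ip) pairs, a registration map and an aname membership map, presumably exported from the router configs and the IP register), and the constructed sample addresses and hostnames, which are not real CUDN records.

```python
import ipaddress

# Anames used by the scheme (names from the page; one per kind of exception).
EXCEPTION_ANAMES = {
    "janet": "janet-acl.net.private.cam.ac.uk",   # border-router exceptions
    "cudn":  "cudn-acl.net.private.cam.ac.uk",    # local CUDN-router exceptions
    "block": "block-list.net.private.cam.ac.uk",  # complete block after an incident
}


def reserved_name_for(ip):
    """Placeholder registration for an address that is not registered at all.

    Assumption, not stated on the page: RFC 1918 (private) addresses belong
    under the .private. tree and every other address under the public one.
    """
    private = ipaddress.ip_address(ip).is_private
    return "reserved.net.private.cam.ac.uk" if private else "reserved.net.cam.ac.uk"


def reconcile(exceptions, registrations, aname_members):
    """Compare live per-address exceptions with the DNS-side tracking records.

    exceptions    - iterable of (kind, ip) pairs harvested from router ACLs
    registrations - dict ip -> registered name; unregistered addresses are absent
    aname_members - dict aname -> set of ips currently attached to that aname
    Returns a sorted list of (ip, action) findings; an empty list means in step.
    """
    findings = []
    wanted = {}  # aname -> set of ips that ought to be attached to it
    for kind, ip in exceptions:
        aname = EXCEPTION_ANAMES[kind]
        wanted.setdefault(aname, set()).add(ip)
        if ip not in registrations:
            # The pre-scheme case: exception exists, address was never registered.
            findings.append((ip, f"register as {reserved_name_for(ip)} then attach to {aname}"))
        elif ip not in aname_members.get(aname, set()):
            findings.append((ip, f"attach to {aname}"))
    # Aname members with no live exception: the exception was removed on the
    # router but the attachment, and so the registration, was left behind.
    for aname, members in aname_members.items():
        for ip in members - wanted.get(aname, set()):
            findings.append((ip, f"stale: detach from {aname}"))
    return sorted(findings)


# Constructed sample data (hypothetical addresses and names, not real records).
SAMPLE_EXCEPTIONS = [
    ("janet", "131.111.200.10"),  # registered and already attached: nothing to do
    ("cudn",  "172.16.40.5"),     # registered but not yet attached to cudn-acl
    ("block", "131.111.200.77"),  # never registered at all
]
SAMPLE_REGISTRATIONS = {
    "131.111.200.10": "example-a.dept.cam.ac.uk",
    "172.16.40.5":    "example-printer.dept.private.cam.ac.uk",
    "131.111.200.33": "example-old.dept.cam.ac.uk",
}
SAMPLE_ANAME_MEMBERS = {
    "janet-acl.net.private.cam.ac.uk": {"131.111.200.10", "131.111.200.33"},
    "cudn-acl.net.private.cam.ac.uk": set(),
    "block-list.net.private.cam.ac.uk": set(),
}

if __name__ == "__main__":
    for ip, action in reconcile(SAMPLE_EXCEPTIONS, SAMPLE_REGISTRATIONS, SAMPLE_ANAME_MEMBERS):
        print(f"{ip:16} {action}")
```

Run against the sample data this reports three findings: 131.111.200.33 is attached to janet-acl with no live exception and should be detached (after which its registration can be rescinded in the normal way), 131.111.200.77 needs a reserved.net.cam.ac.uk registration before it can be attached to block-list, and 172.16.40.5 simply needs attaching to cudn-acl. The "stale" case is the one the scheme is designed to surface; the "register as reserved" case is the backlog mentioned above.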
Note that this apparatus only deals with exceptions for individual IP addresses, not those for whole subnets.
Requests for the creation or removal of network access control exceptions should be sent to cert@cam.ac.uk.