Security on GÉANT
The purpose of the security implementation on GÉANT is twofold:
- To protect the GÉANT infrastructure and the services provided therein, specifically mitigating hacking and Denial of Service (DoS) capabilities against GÉANT core equipment.
- To prevent easily identifiable Denial of Service (DoS) traffic from reaching target victims within NRENs.
Features are also in place to prevent specific types of attack against NREN access equipment.
Service Description
Flows of traffic from NRENs remain unaffected by any of the GÉANT security features unless they fulfil one of the following criteria:
- The packets in the flow have bogon source addresses.
- The packets in the flow have a source address taken from the prefix allocated to GÉANT.
- The packets in the flow are not from legitimate and/or known BGP or MSDP speakers for the local or any peering with(in) GÉANT.
- The packets in the flow are not from legitimate sources for SNMP or SSH.
- The flow of traffic is specifically directed at GÉANT core infrastructure and exceeds set bandwidth limitations for that type of traffic (ICMP, SSH, BGP, SNMP, PIM, MSDP).
- The packets in the flow have a source address relating to a network that is not advertised to GÉANT by the respective NREN.
All traffic that meets the first five of the above match conditions will be logged, counted and then discarded. Traffic that matches the final condition is policed, with traffic exceeding the specified limits being discarded. Traffic from NRENs that does not match any of the above conditions remains unaffected from a security perspective.
Flows of traffic from DWS peerings remain unaffected by any of the GÉANT security features unless they fulfil one of the following criteria:
- The packets in the flow have bogon source addresses.
- The packets in the flow have a source address taken from the prefix allocated to GÉANT.
- The packets in the flow are not from legitimate and/or known BGP or MSDP speakers for the local or any peering with(in) GÉANT.
- The packets in the flow are not from legitimate sources for SNMP or SSH.
- The flow of traffic is specifically directed at GÉANT core infrastructure and exceeds set bandwidth limitations for that type of traffic.
Traffic from commodity providers that does not match any of the above conditions remains unaffected from a security perspective. The features associated with the match conditions specified above prevent DoS attacks from the global Internet, using spoofed bogon addresses, from transiting GÉANT to attack NREN networks.
In addition, the current security implementation prevents specific attacks against NREN access equipment that would transit GÉANT; these attacks would require spoofing packets with an address taken from the prefix range allocated to GÉANT. The remaining match conditions specified above, for both NREN and DWS interfaces, relate to security features that protect the GÉANT infrastructure from attack.
On request, additional security features can be put in place to further protect NREN infrastructure from attacks that would transit by way of the GÉANT network.
The GÉANT network also incorporates anti-spoof security features based on specific entries in the routing table. This is achieved by activating the Unicast Reverse Path Forwarding (uRPF) utility on the GÉANT access interfaces. The feature is used to prevent DoS attacks using spoofed source addresses from being launched from an NREN.
The feature works by cross-checking the source address of each ingressing packet against the routing table. The router performs a look-up on the source address and compares the interface of the best route back to that source with the interface on which the packet was received. If the best route back to the source is via the interface on which the packet was received, the packet is accepted; if not, it is deemed to have failed the check and becomes a candidate for discard.
An additional check is performed on packets that have failed the uRPF check, the purpose of which is to negate some of the sensitivities of uRPF to fluctuating BGP topologies. All packets that fail the check are then run against a prefix list generated from the corresponding NREN's RIPE AS macro. Should a 'failed' packet match a prefix range specified in the list, that packet is accepted. All other failed packets are discarded. This feature means that an NREN can accommodate potential leakage traffic by way of its RIPE AS macro.
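The following is an added model of the two-stage check described above (strict uRPF lookup, then the AS-macro prefix-list fallback); it is illustrative code written for this page, not GÉANT's configuration, and the routing table, interface names and prefixes are all constructed.

```python
"""Model of strict uRPF with an AS-macro prefix-list fallback (added example)."""
import ipaddress

# Constructed routing table: prefix -> interface of the best route to it.
ROUTING_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "nren-a",
    ipaddress.ip_network("198.51.100.0/24"): "nren-b",
    ipaddress.ip_network("198.51.100.128/25"): "nren-a",  # more specific, via A
}

# Constructed fallback list standing in for one generated from a hypothetical
# NREN-A RIPE AS macro: prefixes NREN-A is entitled to source even when the
# routing table currently prefers another path (or has no route at all).
AS_MACRO_PREFIXES = {
    "nren-a": [ipaddress.ip_network("203.0.113.0/24")],
}


def best_route_interface(src):
    """Longest-prefix match on the source address; None when no route exists."""
    addr = ipaddress.ip_address(src)
    matches = [(net, iface) for net, iface in ROUTING_TABLE.items() if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def urpf_decision(src, ingress_iface):
    """Return ("accept", reason) or ("discard", reason) for one packet."""
    # Stage 1: strict uRPF - best route back must point at the ingress interface.
    if best_route_interface(src) == ingress_iface:
        return ("accept", "urpf")
    # Stage 2: failed packets are checked against the AS-macro prefix list
    # of the NREN behind the ingress interface; a match rescues the packet.
    addr = ipaddress.ip_address(src)
    if any(addr in p for p in AS_MACRO_PREFIXES.get(ingress_iface, [])):
        return ("accept", "as-macro")
    # Everything else is logged/counted upstream and discarded here.
    return ("discard", "urpf-fail")


if __name__ == "__main__":
    for src, iface in [("192.0.2.10", "nren-a"), ("198.51.100.5", "nren-a"),
                       ("203.0.113.7", "nren-a"), ("203.0.113.7", "nren-b")]:
        print(src, iface, urpf_decision(src, iface))
```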
Work is continuously ongoing with regard to efforts to increase and improve the level of security and the ability to detect security-related incidents on the network.
Information regarding the specific security implementation on GÉANT is not publicly available.
Service Request
For any security requests (not incidents) please feel free to contact the DANTE operations team and/or DANCERT via the forms linked below.
For further information please refer to the NREN Operational Procedures for GÉANT.
