A new EU law, created earlier this year, requires public network providers to ensure “network neutrality” – roughly, that every packet be treated alike unless there are legitimate reasons not to. The Body of European Regulators of Electronic Communications (BEREC) has now published draft guidelines on how this will be implemented, in particular the circumstances in which network traffic may be filtered to protect the security of networks and services. Janet is a private network, so it is not subject to the law; we already operate as neutral a policy as possible in order to facilitate the use of the network for innovative teaching and research. However, BEREC’s proposals affect us because security measures taken (or not taken) by public networks will affect the level of malicious traffic directed to Janet and its customers.
Overall, the proposal shows a good appreciation of the sorts of hostile traffic that networks may need to deal with, and authorises most of the actions we would like networks to take. These are declared to be necessary and acceptable reductions in strict neutrality. However, the guidance requires that filtering only be used temporarily, in response to a particular threat. That may be possible when dealing with threats to a network or its users, but some filtering is used to protect others from the consequences of local incidents. In particular, the Internet Engineering Task Force identified filtering spoofed outbound packets as best practice for all networks more than a decade ago. BEREC, too, regard spoofed addresses as something that should be filtered. However, to provide effective protection, that filtering needs to be in place permanently.
Our response to BEREC, developed with the assistance of other members of GEANT’s CSIRT Task Force, explains why spoofed addresses are a security problem, and why filtering them permanently has no effect on network neutrality.