The Board of European Regulators of Electronic Communications (BEREC) have now released the final version of their net neutrality guidelines, following a public consultation that received nearly half a million responses. These seem to have resulted in clarifications of the draft version, rather than any significant change of policy.
Jisc’s response raised a concern that the guidelines appeared to prohibit permanent filtering of spoofed IP addresses. Such filtering is recommended internet good practice (see BCP-38) to address a security threat identified by BEREC themselves, that spoofed addresses greatly enhance the ability to perform denial of service attacks. The revised guidelines include a small change, apparently in response to this comment. Paragraph 85 now says [new text in capitals]:
85. [National Regulatory Authorities] should consider that, in order to identify attacks and activate security measures, the use of security monitoring systems by ISPs is often justified. In such cases, the monitoring of traffic to detect security threats … may be implemented in the background ON A CONTINUOUS BASIS, while the actual traffic management measure preserving integrity and security is triggered only when concrete security threats are detected. Therefore, the precondition “only for as long as necessary” does not preclude implementation of such monitoring of the integrity and security of the network.
This suggests viewing a router’s actions in blocking spoofed packets as continually monitoring for invalid addresses and only turning on the traffic management measure (to drop the packet) at the moments when such an address is detected. At a very deep technical level that is how it works, but it’s probably not how most people configuring firewalls or routers think about it! Nonetheless it’s good to have some response indicating, however indirectly, BEREC’s support for measures to protect networks against denial of service attacks. In preparing our response I also learned of a number of national regulators who are actively promoting BCP-38 compliance in their countries, which is excellent news.
The other changes are summarised in BEREC’s presentation and Jon Hunt’s blog post.