
openc2-lang message



Subject: FW: ipconn vs ipaddr


I forwarded this email to both the AP SC and the Lang SC distribution lists. It applies to both subcommittees and needs everyone's perspectives.

 

Thoughts? 

 

From: Everett, Alex D <alex.everett@unc.edu>
Sent: Wednesday, January 30, 2019 9:58 AM
To: Brule, Joseph M <jmbrule@radium.ncsc.mil>; 'duncan sfractal.com' <duncan@sfractal.com>
Subject: [Non-DoD Source] ipconn vs ipaddr

 

Joe/Duncan:

 

For my use case to work in the slpf to only use the ipconn option, there needs to be a new row added to ip-connection such as

 

addr, IP-Net, 0..1, IP address in either source or destination, expressed in CIDR; must be unpopulated if either src_addr or dst_addr is populated. An entry without a mask is treated as a single host.

 

We also need to fix IP-Addr, as that is useless without the CIDR mask.

 

Why?

Some popular devices (e.g. Cisco, TippingPoint) actually block on source OR dest.

Palo Alto is the outlier that actually can support blocking just on source, or dest, or both using rules.

As ip-conn is written today, these devices could not use the slpf.

If you issued a command to block src address 1.1.1.1, these devices don't do that.

What they would do is block any packet with a source or dest of 1.1.1.1.

 

Sincerely,

 

Alex
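As an added illustration (not part of the thread or of any OpenC2 implementation), here is a small Python check of the rule Alex proposes: the new addr field is mutually exclusive with src_addr/dst_addr, an entry without a mask is treated as a single host, and a directionless addr rule matches a packet on source OR destination, which is the behaviour described for Cisco and TippingPoint. The dictionary shape of the target and the function names are assumptions for this example.

```python
import ipaddress
from typing import Any, Dict

# Constructed example: a validator for the ip_connection target with the
# proposed "addr" row next to src_addr/dst_addr, plus a matcher showing what
# "block on source OR destination" means for a packet. The dict layout and
# function names are assumptions, not the SLPF specification.

ADDRESS_FIELDS = ("addr", "src_addr", "dst_addr")


def parse_ipnet(value: str):
    """Parse an IP-Net value; an entry without a mask becomes a single host (/32 or /128)."""
    return ipaddress.ip_network(value, strict=False)


def validate_ip_connection(target: Dict[str, Any]) -> Dict[str, Any]:
    """Enforce the proposed constraint and return the parsed networks by field name."""
    if "addr" in target and ("src_addr" in target or "dst_addr" in target):
        raise ValueError("addr must be unpopulated when src_addr or dst_addr is populated")
    if not any(k in target for k in ADDRESS_FIELDS):
        raise ValueError("ip_connection needs at least one address field")
    return {k: parse_ipnet(target[k]) for k in ADDRESS_FIELDS if k in target}


def is_valid_ip_connection(target: Dict[str, Any]) -> bool:
    """Boolean wrapper around validate_ip_connection for quick checks."""
    try:
        validate_ip_connection(target)
        return True
    except ValueError:
        return False


def packet_matches(nets: Dict[str, Any], src: str, dst: str) -> bool:
    """Return True if a packet (src, dst) is covered by the validated target."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if "addr" in nets:
        # Directionless rule: the packet matches if EITHER end is in the network.
        return s in nets["addr"] or d in nets["addr"]
    # Directional rule: every populated field must match its own end of the packet.
    if "src_addr" in nets and s not in nets["src_addr"]:
        return False
    if "dst_addr" in nets and d not in nets["dst_addr"]:
        return False
    return True
```

A directional src_addr rule for 1.1.1.1 leaves a reply packet destined to 1.1.1.1 unmatched, while the directionless addr rule catches traffic in both directions, which is the gap the email points out.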


