Last updated: 
1 month 4 weeks ago
Blog Manager
One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Group administrators:

BEREC clarifies that permanent network security measures may be OK

Friday, October 25, 2019 - 11:49

Four years ago, Jisc responded to the Board of European Regulators of Electronic Communications (BEREC) consultation on network neutrality to point out that some security measures cannot just be temporary responses by the victims of attacks, but need to be permanently configured in all networks to prevent them being used for distributed denial of service and other attacks. This applies, in particular, to blocking of spoofed addresses, as recommended by BCP-38. The final 2015 version of the BEREC guidelines contained a four word change to the consultation draft, suggesting that such measures should not be considered as breaking network neutrality.

BEREC is now consulting on new draft guidelines, published in October 2019, which contain a much more explicit statement that permanently configured blocks do not automatically breach neutrality:

NRAs should consider that, in order to identify attacks and activate security measures, the use of security monitoring systems by ISPs is often justified. Such traffic management systems consist of two separate components: one component that executes the traffic management itself and one component that monitors traffic on an ongoing basis and triggers the traffic management. Monitoring of traffic to detect security threats may be implemented in the background on a continuous basis. Traffic management measures (such as those listed in paragraph 84) preserving integrity and security are only triggered when concrete security threats are detected. Therefore, the precondition "only for as long as necessary" does not preclude implementation of such monitoring of the integrity and security of the network.

[Paragraph 85]

This should be welcomed by network operators and users alike.