UBNT Security was Re: Cloudflare 1.1.1.1 public DNS broken w/ AT&T CPE

Mike Hammett nanog at ics-il.net
Mon Apr 2 21:23:31 UTC 2018


I believe at one point UBNT did block outside management access, but then their customers voiced a desire to bring it back.

That said, I think they're taking security more seriously going forward. 




----- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

----- Original Message -----

From: "Brielle Bruns" <bruns at 2mbit.com> 
To: nanog at nanog.org 
Sent: Monday, April 2, 2018 4:20:38 PM 
Subject: Re: Cloudflare 1.1.1.1 public DNS broken w/ AT&T CPE 

On 4/2/2018 9:35 AM, Simon Lockhart wrote: 
> Quite. 
> 
> This looks like a willy-waving exercise by Cloudflare coming up with the lowest 
> quad-digit IP. They must have known that this would cause routing issues, and 
> now suddenly it's our responsibility to make significant changes to live 
> infrastructures just so they can continue to look clever with the IP address. 
> 
> Simon 


I don't see how this is Cloudflare's fault really? It's the 
responsibility of network maintainers to... well, let's be blunt here, 
maintain their network. 

If part of maintaining their network involves updating bogon 
routes/filters, then that's part of maintaining the network that can't 
be lapsed. 

This is like the WISPs blaming Ubiquiti for their failure to update 
their CPEs and PtP devices for a security flaw that Ubnt released a fix 
for more than a year before (and for not properly securing the 
management interfaces of their network devices). 

Or even better, the morons who blocked all of 172.0.0.0/8 even though a 
good portion of that block is live public IP space. I actually felt 
really bad for AOL having been assigned IP blocks from that space, since 
it had to have created customer complaints at times. 

There's only one person to blame here, and it's not the RIRs or Cloudflare. 

-- 
Brielle Bruns 
The Summit Open Source Development Group 
http://www.sosdg.org / http://www.ahbl.org 
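
The stale-filter problem raised in the quoted message (a blanket 172.0.0.0/8 block, or a bogon entry that still covers 1.1.1.1) can be checked mechanically. The following is an added example, not code from either poster: it audits a constructed filter list and reports the routable space each entry blocks by mistake. The RESERVED list and the function names are assumptions made for illustration, and the list is not exhaustive.

```python
import ipaddress

# Assumption: special-purpose IPv4 ranges that are reasonable to filter at
# the edge (RFC 1918, RFC 6598, loopback, link-local, multicast, reserved).
RESERVED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]

def public_remainder(entry):
    """Return the parts of a filter entry that lie outside every RESERVED range."""
    pieces = [ipaddress.ip_network(entry)]
    for res in RESERVED:
        remaining = []
        for p in pieces:
            if p.subnet_of(res):
                continue                                   # entirely reserved
            if res.subnet_of(p):
                remaining.extend(p.address_exclude(res))   # carve reserved part out
            else:
                remaining.append(p)                        # CIDR blocks are disjoint
        pieces = remaining
    return list(ipaddress.collapse_addresses(pieces))

def audit(filter_entries):
    """Map each entry that blocks routable space to the prefixes it wrongly covers."""
    report = {}
    for entry in filter_entries:
        leftover = public_remainder(entry)
        if leftover:
            report[entry] = [str(n) for n in leftover]
    return report

# Constructed sample filter list, not taken from any real device.
SAMPLE_FILTER = ["10.0.0.0/8", "172.0.0.0/8", "1.0.0.0/8", "192.168.0.0/16"]

if __name__ == "__main__":
    for entry, leftover in audit(SAMPLE_FILTER).items():
        print(f"{entry} also blocks: {', '.join(leftover)}")
```

Entries that stay inside a reserved range produce no finding; anything reported is address space that may be assigned and in use.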