
RE: Referencing 3704 in OPSEC filtering document ?

> I think Chris' filtering capabilities draft should be 
> modified to include the process of how the filtering rules 
> are configured. 3704 would then be a reference to an implementation.
> 
> Regards,
> Fred Budd  
> 
> -----Original Message-----
> From: George Jones [mailto:eludom@gmail.com]
> > There are three possibilities that come to mind immediately:
> > - manual configuration (implementation being static ACLs)
> > - dynamic based on something known (implementation being uRPF)
> > - triggered by external source/API (implementation being shunning, 
> > quarantine, VOIP midcom pinholes)

In that case, all three of these are configured the same on hardware
implementations. The supporting CPU converts a classification/action policy
to microcode and loads the rule on the ASIC/NP/FPGA. 

Classification/Action rules are distributed to the box via CLI, routing
protocols, configuration/provisioning protocols, service control protocols,
and in the future specific security reaction protocols. The only difference
between these are the transport of the policy and the security to ensure the
transport is trusted/secure.

So there is something that can be worked with for either document (current
practices or future requirements). I'm not sure it is what you were
thinking.
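To make the point above concrete (three different rule origins, one classification/action policy underneath), here is a small added model in Python. It is not code from the thread or from any OPSEC draft: the interface names, routing table, and RFC 1918 filter list are constructed, and `quarantine_rule` stands in for whatever external trigger or API a real box would expose. Static ACL entries, strict uRPF derived from the forwarding table, and an externally triggered quarantine all compile to the same rule form and are evaluated by one first-match lookup.

```python
"""Constructed model: three rule origins compiled into one classification/action policy."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    origin: str              # "triggered", "static" or "urpf": how the rule got configured
    src: IPv4Network         # source-address classification
    in_iface: Optional[str]  # ingress interface the rule applies to, None = any
    action: str              # "permit" or "deny"


# Constructed forwarding table: prefix -> interface the route points out of.
ROUTES: Dict[IPv4Network, str] = {
    IPv4Network("10.0.1.0/24"): "cust0",
    IPv4Network("10.0.2.0/24"): "cust1",
    IPv4Network("0.0.0.0/0"): "uplink",
}
URPF_INTERFACES = ("cust0", "cust1")   # strict uRPF enabled on customer ports only

# Constructed static ACL (manual configuration): drop RFC 1918 sources from upstream.
STATIC_RULES: List[Rule] = [
    Rule("static", IPv4Network(p), "uplink", "deny")
    for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def urpf_rules(routes: Dict[IPv4Network, str], interfaces) -> List[Rule]:
    """Derive strict uRPF ("dynamic based on something known") as ordinary rules.

    For each uRPF interface, walk the routes from most to least specific so that
    first-match evaluation reproduces longest-prefix-match: a source is permitted
    only if its best route points back out the interface it arrived on.  The
    default route is treated like any other route, so on a customer port it
    yields a deny (strict mode).
    """
    rules: List[Rule] = []
    for iface in interfaces:
        for prefix, via in sorted(routes.items(), key=lambda kv: -kv[0].prefixlen):
            rules.append(Rule("urpf", prefix, iface, "permit" if via == iface else "deny"))
    return rules


def quarantine_rule(host: str) -> Rule:
    """Rule pushed by an external trigger (hypothetical API call from a detection system)."""
    return Rule("triggered", IPv4Network(f"{host}/32"), None, "deny")


def compile_policy(triggered: List[Rule]) -> List[Rule]:
    """Assemble the policy the forwarding hardware would load.

    Precedence is an assumption of this model: externally triggered rules first,
    then the static ACL, then the uRPF-derived rules.
    """
    return list(triggered) + STATIC_RULES + urpf_rules(ROUTES, URPF_INTERFACES)


def classify(policy: List[Rule], src_ip: str, in_iface: str) -> Tuple[str, Optional[Rule]]:
    """First-match lookup of a packet's source/ingress pair; default permit if nothing matches.

    Returns the action and the rule that produced it, so the operator can see
    which origin (static, urpf, triggered) dropped a packet.
    """
    ip = IPv4Address(src_ip)
    for rule in policy:
        if ip in rule.src and rule.in_iface in (None, in_iface):
            return rule.action, rule
    return "permit", None


if __name__ == "__main__":
    policy = compile_policy([quarantine_rule("10.0.1.7")])
    for src, iface in (("10.0.1.5", "cust0"), ("10.0.2.5", "cust0"),
                       ("10.0.1.7", "cust0"), ("192.168.1.1", "uplink"),
                       ("8.8.8.8", "uplink")):
        action, rule = classify(policy, src, iface)
        print(f"{src:>12} on {iface:<6} -> {action:<6} ({rule.origin if rule else 'default'})")
```

The provenance tag on each rule is the part worth keeping in a real implementation: once all three origins are flattened into microcode, the only way to answer "why was this dropped" is to carry the origin through to the counters and logs.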