
RE: Control Plane Security of ISP Network

Hi Merike:

In the past 1.5 years I was involved in the development of a standard for router
security requirements. During the development there were a lot of discussions
on the security of the control plane. Quite a few professionals from SPs raised many
concerns and ideas on plane separation, which is to separate the control and/or
management plane from the end user/data plane physically or logically. Actually, OOB
management is one such solution, with a physical/logical separation mechanism
to separate management traffic from end user data, which makes it impossible
for an attack on the data plane to launch an attack on management interfaces or
systems. As for the control plane, while some SPs are practicing plane
separation by VPN or other technology, it is much more sophisticated than
the management plane. I think plane separation should be considered in the
Practices draft, specifically section 2.5.7.

Route authentication, which is identified in Practices draft section 2.5.7,
is an extremely important security aspect of the control plane in spite of
criticism of MD5 weaknesses and cumbersome configuration. Sometimes filtering
helps control plane security, but it is not complete. So a new Capability
draft is required to describe the security capability of route authentication
and control plane separation. I will try to write a very initial draft
before the IETF 63 meeting to give a primary idea.

I hope this also answers the questions of Mr. George Jones in another mail.

Miao Fuyou

-----Original Message-----
From: Merike Kaeo [mailto:merike@doubleshotsecurity.com] 
Sent: Friday, June 03, 2005 1:08 PM
To: Miao Fuyou
Cc: opsec@ops.ietf.org
Subject: Re: Control Plane Security of ISP Network

Hello Miao.

Yes,  more text needed to be added to address current control plane 
practices and in the next version of the document you will see this 

As to having another capabilities document, that depends on how much 
there is with filtering.  Were you proposing to author such a document?

- merike

On Jun 2, 2005, at 7:49 PM, Miao Fuyou wrote:

> Hi, All:
>
> In the Practices document (draft-ietf-opsec-current-practices-00.txt),
> routing control plane security is explicitly identified as an important
> aspect of network security. The SP network is comprised of the most
> essential assets and facilities to provide service for customers. IP is
> liable to attack on the control plane, and the consequences of such an
> attack usually are very serious. So, it is the foremost concern for an ISP
> to protect the control plane from attack inside or outside. In order to
> mitigate security risk on the control plane, we need a lot of work to do on
> standardization except filtering, logging or DoS tracing. Actually some
> security mechanisms are identified in the Practices document for the
> control plane, BGP MD5 for example, but I think there are still other
> important aspects to identify. For example, quite a few SPs use VPN to
> separate user/customer traffic from the core network, to keep attacks on
> the SP core from users/customers away from the control plane.
>
> So I suggest the following changes: (1) to add more text to the Practices
> document to reflect more security practices on protecting the control plane
> of the SP network; (2) we need another Capability document to cover control
> plane security of the SP network without conflict in content with other
> Capability documents, such as filtering.
>
> Miao Fuyou
> Data Communication, Wireline Research
> Huawei Technologies Co., Ltd.
> TEL: 86-10-8288 2502