
RE: Control Plane Security of ISP Network



I've defined in-band as anything that is in the same RIB/FIB structure.
You are out of band if you are using a RIB/FIB structure that is
isolated from the other. So a VRF, while providing a tool for
compartmentalization, does not provide "control plane separation." Since
the VRF is using the same RIB/FIB structure you have a tie point - which
breaks separation.

So today, the only "out of band" we have in practice are the networks
which plug into the console ports. Some vendors have an option on their
equipment where the "management FE/GE" is on a separate RIB/FIB, but
since this is not everywhere, it is hard to build an OOB network which
has complete separation. ACLed and compartmentalized, yes. But not two
separate planes.

So having a clear industry definition of in-band and out-of-band would
be helpful. 

> -----Original Message-----
> From: owner-opsec@psg.com [mailto:owner-opsec@psg.com] On 
> Behalf Of jbenedict@ca.safenet-inc.com
> Sent: Monday, June 06, 2005 8:09 AM
> To: Bora Akyol (bora); Donald.Smith@qwest.com; pmrn@mac.com; 
> miaofy@huawei.com
> Cc: merike@doubleshotsecurity.com; opsec@ops.ietf.org; 
> eludom@gmail.com
> Subject: RE: Control Plane Security of ISP Network
> 
> Does anyone have a clear definition of "in-band" vs. 
> "out-of-band" in this case?
> 
> For example, can we consider anything that contacts the same 
> interface as data traffic "in-band"?
> (i.e. IPSec or SSL connection for management)
> 
> Or can it be over the same network, just a different interface (VLAN)?
> 
> Or does it have to be separate interface/separate network (NOC)?
> 
> Or does it have to be completely non-ip (serial-port)?
> 
> All of these scenarios are in use today.  In my opinion, 
> in-band would probably fall somewhere around VLANs (my 
> theoretical half says they're OOB, but my practical half can 
> still connect the dots).
> 
> --
> James
> 
> -----Original Message-----
> From: Bora Akyol (bora) [mailto:bora@cisco.com]
> Sent: Monday, June 06, 2005 10:47 AM
> To: Smith, Donald; pmrn; Miao Fuyou
> Cc: Merike Kaeo; opsec@ops.ietf.org; eludom@gmail.com
> Subject: RE: Control Plane Security of ISP Network
> 
> 
> May want to include a requirement to the document:
> 
> Under no circumstance will there be a separation of faith 
> between the control and the data planes; that is, control 
> plane thinks everything is solid, and the data plane is out 
> cold, or vice versa.
> 
> Personally, I think we can do so much to protect the control 
> traffic, even when it is in-band, that such a separation is unnecessary.
> 
> Bora
> 
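The "tie point" argument in the reply at the top of this thread, as an added illustration that is not code from anyone on the list: a toy Python model of one RIB holding several VRFs (the in-band case) next to a RIB that is a separate object altogether (the out-of-band case). The VRF names, prefixes and route-target strings are invented, and route leaking is modelled on the route-target import/export mechanism of MPLS VPN VRFs in simplified form. The point it makes runnable is that with a shared RIB, "separation" is only as good as the current route-target configuration, while a separate RIB has no import path to misconfigure.

```python
"""Toy RIB model for the in-band vs out-of-band distinction (added example).

Not code from anyone in the thread. VRF names, prefixes and route-target
strings are invented; leaking mirrors MPLS VPN RT import/export, simplified.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    export_rt: set = field(default_factory=set)  # route-targets the route carries


@dataclass
class Vrf:
    name: str
    routes: list = field(default_factory=list)
    import_rt: set = field(default_factory=set)  # route-targets this VRF accepts


def _lpm(addr: ipaddress.IPv4Address, routes) -> Optional[Route]:
    """Longest-prefix match over a list of routes."""
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


class SharedRib:
    """One RIB/FIB structure holding every VRF: the in-band case.

    All tables live in the same structure, so a route in one VRF can be
    leaked into another by matching route-targets. That import path is the
    tie point: compartmentalized, but not separated.
    """

    def __init__(self) -> None:
        self.vrfs: dict = {}

    def add_vrf(self, name: str, import_rt=()) -> None:
        self.vrfs[name] = Vrf(name, import_rt=set(import_rt))

    def add_route(self, vrf: str, prefix: str, next_hop: str, export_rt=()) -> None:
        self.vrfs[vrf].routes.append(
            Route(ipaddress.IPv4Network(prefix), next_hop, set(export_rt)))

    def lookup(self, vrf: str, dst: str) -> Optional[Route]:
        """LPM over the VRF's own routes plus anything leaked in via RT import."""
        me = self.vrfs[vrf]
        candidates = list(me.routes)
        for other in self.vrfs.values():
            if other is me:
                continue
            candidates += [r for r in other.routes if r.export_rt & me.import_rt]
        return _lpm(ipaddress.IPv4Address(dst), candidates)


class IsolatedRib:
    """A RIB with no relationship to any other: the out-of-band case.

    Deliberately no import mechanism; separation is structural, not a
    matter of which route-targets happen to be configured.
    """

    def __init__(self) -> None:
        self.routes: list = []

    def add_route(self, prefix: str, next_hop: str) -> None:
        self.routes.append(Route(ipaddress.IPv4Network(prefix), next_hop))

    def lookup(self, dst: str) -> Optional[Route]:
        return _lpm(ipaddress.IPv4Address(dst), self.routes)


MGMT_HOST = "10.255.0.1"  # invented management loopback address


def customer_can_reach_mgmt(leak: bool) -> Optional[str]:
    """Next hop a customer-VRF lookup of the management address resolves to.

    leak=False: VRFs are compartmentalized and the lookup fails.
    leak=True: a single RT import (one line on a real box) pulls the
    management prefix into the customer VRF.
    """
    rib = SharedRib()
    rib.add_vrf("MGMT", import_rt={"65000:1"})
    rib.add_vrf("CUST-A", import_rt={"65000:1"} if leak else {"65000:100"})
    rib.add_route("MGMT", "10.255.0.0/24", "Lo0 (MGMT)", export_rt={"65000:1"})
    rib.add_route("CUST-A", "192.0.2.0/24", "Gi0/1 (CUST-A)", export_rt={"65000:100"})
    hit = rib.lookup("CUST-A", MGMT_HOST)
    return hit.next_hop if hit else None


def oob_data_plane_can_reach_mgmt() -> Optional[str]:
    """Same question against a separate RIB: no route, and no way to leak one."""
    data_rib, oob_rib = IsolatedRib(), IsolatedRib()
    data_rib.add_route("192.0.2.0/24", "Gi0/1")
    oob_rib.add_route("10.255.0.0/24", "Mgmt0")
    hit = data_rib.lookup(MGMT_HOST)
    return hit.next_hop if hit else None


if __name__ == "__main__":
    print("shared RIB, no leak :", customer_can_reach_mgmt(leak=False))
    print("shared RIB, RT leak :", customer_can_reach_mgmt(leak=True))
    print("separate RIB        :", oob_data_plane_can_reach_mgmt())
```

The model is deliberately minimal: real VRFs also interact through static routes with a next-hop VRF, policy routing and shared interfaces, each of which is another tie point in the same shared structure. The separate-RIB class has no such knobs, which is the whole of the reply's point.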