
RE: Control Plane Security of ISP Network



Barry, based on that, should we assign a percentage of shared resources
instead of PURE in-band vs. out-of-band?

Nearly-oob could be defined something like this:
90% of the resources are not-shared with other planes.
10% of the resources are shared with other planes.

Realizing ANY shared resource could be exhausted and therefore impact
your "nearly-oob" network.
But it would let us quantify the risk a little bit better.

How to determine the 90/10 split may be difficult, but I think it's
quantifiable.



donald.smith@qwest.com giac 

> -----Original Message-----
> From: Barry Greene (bgreene) [mailto:bgreene@cisco.com] 
> Sent: Monday, June 06, 2005 9:44 AM
> To: jbenedict@ca.safenet-inc.com; Bora Akyol (bora); Smith, 
> Donald; pmrn@mac.com; miaofy@huawei.com
> Cc: merike@doubleshotsecurity.com; opsec@ops.ietf.org; 
> eludom@gmail.com
> Subject: RE: Control Plane Security of ISP Network
> 
> 
> 
> I've defined in-band as anything that is in the same RIB/FIB structure.
> You are out of band if you are using a RIB/FIB structure that is
> isolated from the other. So a VRF, while providing a tool for
> compartmentalization, does not provide "control plane separation." Since
> the VRF is using the same RIB/FIB structure you have a tie point - which
> breaks separation.
> 
> So today, the only "out of band" we have in practice are the networks
> which plug into the console ports. Some vendors have an option on their
> equipment where the "management FE/GE" is on a separate RIB/FIB, but
> since this is not everywhere, it is hard to build an OOB network which
> has complete separation. ACLed and compartmentalized, yes. But not two
> separate planes.
> 
> So having a clear industry definition of in-band and out-of-band would
> be helpful. 
> 
> > -----Original Message-----
> > From: owner-opsec@psg.com [mailto:owner-opsec@psg.com] On 
> > Behalf Of jbenedict@ca.safenet-inc.com
> > Sent: Monday, June 06, 2005 8:09 AM
> > To: Bora Akyol (bora); Donald.Smith@qwest.com; pmrn@mac.com; 
> > miaofy@huawei.com
> > Cc: merike@doubleshotsecurity.com; opsec@ops.ietf.org; 
> > eludom@gmail.com
> > Subject: RE: Control Plane Security of ISP Network
> > 
> > Does anyone have a clear definition of "in-band" vs. 
> > "out-of-band" in this case?
> > 
> > For example, can we consider anything that contacts the same 
> > interface as data traffic "in-band"?
> > (i.e. IPSec or SSL connection for management)
> > 
> > Or can it be over the same network, just a different
> > interface (VLAN)?
> > 
> > Or does it have to be separate interface/separate network (NOC)?
> > 
> > Or does it have to be completely non-ip (serial-port)?
> > 
> > All of these scenarios are in use today.  In my opinion, 
> > in-band would probably fall somewhere around VLANs (my 
> > theoretical half says they're OOB, but my practical half can 
> > still connect the dots).
> > 
> > --
> > James
> > 
> > -----Original Message-----
> > From: Bora Akyol (bora) [mailto:bora@cisco.com]
> > Sent: Monday, June 06, 2005 10:47 AM
> > To: Smith, Donald; pmrn; Miao Fuyou
> > Cc: Merike Kaeo; opsec@ops.ietf.org; eludom@gmail.com
> > Subject: RE: Control Plane Security of ISP Network
> > 
> > 
> > May want to include a requirement to the document:
> > 
> > Under no circumstance will there be a separation of fate
> > between the control and the data planes; that is, control
> > plane thinks everything is solid, and the data plane is out
> > cold, or vice versa.
> > 
> > Personally, I think we can do a lot to protect the control
> > traffic even when it is in-band that such a separation is
> > unnecessary.
> > 
> > Bora
> > 
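As an added illustration of the "no separation of fate" requirement in the quoted message above (this is not code from the thread or from any vendor): a check that correlates control-plane session state with data-plane reachability probes for the same neighbors and flags the two divergent cases Bora describes. The neighbor addresses, session states and probe counts are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample telemetry, not from the thread: what the routing
# protocol believes about each neighbor (control plane) and what forwarding
# probes to that neighbor actually saw over the same interval (data plane).
CONTROL_STATE = {
    "192.0.2.1": "Established",
    "192.0.2.2": "Established",
    "192.0.2.3": "Idle",
    "192.0.2.4": "Established",
}
# (probes sent, probes answered) per neighbor.
DATA_PROBES = {
    "192.0.2.1": (100, 100),
    "192.0.2.2": (100, 3),    # session up, forwarding path "out cold"
    "192.0.2.3": (100, 98),   # session down, forwarding still works
    "192.0.2.4": (100, 0),
}


@dataclass
class Divergence:
    neighbor: str
    control_up: bool
    data_up: bool
    loss: float


def data_plane_up(sent, answered, max_loss=0.5):
    """Treat the data plane as up if probe loss stays below max_loss."""
    if sent == 0:            # no probes at all: assume the path is unknown/down
        return False, 1.0
    loss = 1 - answered / sent
    return loss < max_loss, loss


def find_fate_divergence(control, probes, max_loss=0.5):
    """Return neighbors whose control-plane and data-plane state disagree."""
    out = []
    for neighbor, state in control.items():
        sent, answered = probes.get(neighbor, (0, 0))
        control_up = state == "Established"
        up, loss = data_plane_up(sent, answered, max_loss)
        if control_up != up:
            out.append(Divergence(neighbor, control_up, up, round(loss, 2)))
    return out


if __name__ == "__main__":
    for d in find_fate_divergence(CONTROL_STATE, DATA_PROBES):
        kind = "control up / data down" if d.control_up else "control down / data up"
        print(f"{d.neighbor}: {kind} (probe loss {d.loss:.0%})")
```

Either direction of disagreement is what the requirement rules out; a healthy network with shared fate reports an empty list.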