
RE: Control Plane Security of ISP Network



On Mon, 6 Jun 2005, Smith, Donald wrote:

> Barry, based on that should we assign a percentage of shared resources.
> Instead of PURE in-band vs. out-of-band
>
> Nearly-oob could be defined something like this:
> 90% of the resources are not-shared with other planes.
> 10% of the resources are shared with other planes.
>
> Realizing ANY shared resource could be exhausted and therefore impact
> your "nearly-oob" network.
> But it would let us quantify the risk a little bit better.
>
> How to determine 90/10 split may be difficult but I think it's
> quantifiable.

Oh, how I hate to say this, but... look at MUX networks, they reserve
bandwidth on the data path for control. Is it not feasible to think of a
solution where:
1) adjacent devices communicate a % of link bandwidth to reserve for
control traffic
2) adjacent devices never dip into the control reserve except for control
traffic

This lets you maintain the 'path' of control/data traffic (for quality
checks/controls/goodness) and still gives you an 'inexhaustible' resource
for control traffic.

>
>
>
> donald.smith@qwest.com giac
>
> > -----Original Message-----
> > From: Barry Greene (bgreene) [mailto:bgreene@cisco.com]
> > Sent: Monday, June 06, 2005 9:44 AM
> > To: jbenedict@ca.safenet-inc.com; Bora Akyol (bora); Smith,
> > Donald; pmrn@mac.com; miaofy@huawei.com
> > Cc: merike@doubleshotsecurity.com; opsec@ops.ietf.org;
> > eludom@gmail.com
> > Subject: RE: Control Plane Security of ISP Network
> >
> >
> >
> > I've defined in-band as anything that is in the same RIB/FIB
> > structure.
> > You are out of band if you are using a RIB/FIB structure that is
> > isolated from the other. So a VRF, while providing a tool for
> > compartmentization, does not provide "control plane separation." Since
> > the VRF is using the same RIB/FIB structure you have a tie
> > point - which
> > breaks separation.
> >
> > So today, the only "out of band" we have in practice are the networks
> > which plug into the console ports. Some vendors have an
> > option on their
> > equipment where the "management FE/GE" is on a separate RIB/FIB, but
> > since this is not everywhere, it is hard to build an OOB network which
> > has complete separation. ACLed and compartmentized, yes. But not two
> > separate planes.
> >
> > So having a clear industry definition of in-band and out-of-band would
> > be helpful.
> >
> > > -----Original Message-----
> > > From: owner-opsec@psg.com [mailto:owner-opsec@psg.com] On
> > > Behalf Of jbenedict@ca.safenet-inc.com
> > > Sent: Monday, June 06, 2005 8:09 AM
> > > To: Bora Akyol (bora); Donald.Smith@qwest.com; pmrn@mac.com;
> > > miaofy@huawei.com
> > > Cc: merike@doubleshotsecurity.com; opsec@ops.ietf.org;
> > > eludom@gmail.com
> > > Subject: RE: Control Plane Security of ISP Network
> > >
> > > Does anyone have a clear definition of "in-band" vs.
> > > "out-of-band" in this case?
> > >
> > > For example, can we consider anything that contacts the same
> > > interface as data traffic "in-band"?
> > > (i.e. IPSec or SSL connection for management)
> > >
> > > Or can it be over the same network, just a different
> > > interface (VLAN)?
> > >
> > > Or does it have to be separate interface/separate network (NOC)?
> > >
> > > Or does it have to be completely non-ip (serial-port)?
> > >
> > > All of these scenarios are in use today.  In my opinion,
> > > in-band would probably fall somewhere around VLANs (my
> > > theoretical half says they're OOB, but my practical half can
> > > still connect the dots).
> > >
> > > --
> > > James
> > >
> > > -----Original Message-----
> > > From: Bora Akyol (bora) [mailto:bora@cisco.com]
> > > Sent: Monday, June 06, 2005 10:47 AM
> > > To: Smith, Donald; pmrn; Miao Fuyou
> > > Cc: Merike Kaeo; opsec@ops.ietf.org; eludom@gmail.com
> > > Subject: RE: Control Plane Security of ISP Network
> > >
> > >
> > > May want to include a requirement to the document:
> > >
> > > Under no circumstance will there be a separation of faith
> > > between the control and the data planes; that is, control
> > > plane thinks everything is solid, and the data plane is out
> > > cold, or vice versa.
> > >
> > > Personally, I think we can do a lot to protect the control
> > > traffic even when it is in-band that such a separation is
> > > unnecessary.
> > >
> > > Bora
> > >
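The two ideas in this exchange, Donald's "nearly-OOB" split (most resources dedicated, a small shared slice that can be exhausted) and the reply's MUX-style control reserve that data traffic never dips into, can be put side by side in a small scheduler model. The following is an added example written for this archive page; it is not code from the thread or from any vendor's implementation. The link capacity, reserve fraction and offered loads are constructed values in arbitrary packets-per-tick units, and the proportional-drop behaviour of the shared link is an assumption that stands in for whatever a real FIFO queue would do under overload.

```python
"""Toy link-scheduler model: pure in-band (shared) link vs. a control reserve.

Constructed example, not part of the mailing-list thread. Capacities and
offered loads are arbitrary packets-per-tick units chosen for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Offered:
    control: int  # control-plane packets offered this tick
    data: int     # data-plane packets offered this tick


@dataclass(frozen=True)
class Served:
    control: int
    data: int


def shared_fifo(link_capacity: int, offered: Offered) -> Served:
    """Pure in-band link: one pool for both planes.

    Assumption: under overload each class keeps a share of the link equal to
    its fraction of the offered load (proportional drop). A data flood then
    squeezes control traffic toward zero, which is the exhaustion risk the
    thread is worried about.
    """
    total = offered.control + offered.data
    if total <= link_capacity:
        return Served(offered.control, offered.data)
    control = link_capacity * offered.control // total
    return Served(control, link_capacity - control)


def reserved_link(link_capacity: int, reserve_fraction: float, offered: Offered) -> Served:
    """'Nearly-OOB' link: a fixed slice of the link is reserved for control.

    Data traffic is capped at the non-reserved slice and never dips into the
    reserve. Control uses the reserve first and may also take whatever the
    data side left idle, so the reserve is a floor for control, not a ceiling.
    """
    if not 0.0 <= reserve_fraction <= 1.0:
        raise ValueError("reserve_fraction must be in [0, 1]")
    reserve = round(link_capacity * reserve_fraction)
    data_cap = link_capacity - reserve
    data = min(offered.data, data_cap)
    control = min(offered.control, reserve + (data_cap - data))
    return Served(control, data)


def control_delivery_ratio(served: Served, offered: Offered) -> float:
    """Fraction of offered control traffic that actually got through."""
    if offered.control == 0:
        return 1.0
    return served.control / offered.control


def worst_case_control_ratio(link_capacity: int, reserve_fraction: float,
                             control_demand: int) -> float:
    """Control delivery under an unbounded data flood on a reserved link.

    Everything beyond the reserve is a shared resource and is gone under
    flood, so delivery collapses to min(1, reserve / control_demand). This is
    the quantity the 90/10 discussion is trying to put a number on.
    """
    flood = Offered(control=control_demand, data=10 * link_capacity)
    served = reserved_link(link_capacity, reserve_fraction, flood)
    return control_delivery_ratio(served, flood)


if __name__ == "__main__":
    CAP = 1000                              # constructed link capacity
    flood = Offered(control=50, data=9950)  # constructed data-plane flood
    print("shared FIFO under flood :", shared_fifo(CAP, flood))
    print("10% reserve under flood :", reserved_link(CAP, 0.10, flood))
    for demand in (50, 100, 200):
        print(f"worst-case control delivery, reserve 10%, demand {demand}:",
              worst_case_control_ratio(CAP, 0.10, demand))
```

The model makes the thread's point concrete: on the shared link a 50-packet control demand against a 9950-packet data flood keeps only about 10% of its traffic, while the same flood against a 10% reserve leaves control untouched as long as its demand fits inside the reserve. Once control demand exceeds the reserve, the excess depends on the shared remainder and is exactly what a flood takes away, so sizing the reserve against peak control demand is the quantification Donald was asking for.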