[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Control Plane Security of ISP Network

To: "Miao Fuyou" <miaofy@huawei.com>, "Merike Kaeo" <merike@doubleshotsecurity.com>
Subject: RE: Control Plane Security of ISP Network
From: "Ryan Mcdowell \(rymcdowe\)" <rymcdowe@cisco.com>
Date: Mon, 6 Jun 2005 13:31:12 -0400
Cc: <opsec@ops.ietf.org>, <eludom@gmail.com>

My two cents:

There are several techniques that can be used with your igp and/or MPLS
to isolate your network devices such that they cannot be reached from
the outside of the network.  This is not technically separation of
management/control plane from the user/data plane, but it eliminates of
threats directed at the infrastructure devices themselves.  The real
threat at this point is attacks through the devices that saturate a 10G
or 40G link.  I'm not sure what the solution is there, but I think we
need to be careful that we don't "break IP" by moving management/control
OOB.

As far as protecting routing updates, there are two main attack vectors:
attacks against the channel itself and corrupt data within the channel.
If we implement things like GTSM and MD5, the channel itself can be made
99.9% secure.  To ensure the integrity and validity of the data itself,
we'll need to look at something like SoBGP.

----------------------------
Ryan McDowell
Cisco Systems
PGP Fingerprint: EED9 192F 9F45 FAE4 F6A3 8764 FEE1 299D 1B62 A361 
----------------------------

-----Original Message-----
From: owner-opsec@psg.com [mailto:owner-opsec@psg.com] On Behalf Of Miao
Fuyou
Sent: Monday, June 06, 2005 5:43 AM
To: 'Merike Kaeo'
Cc: opsec@ops.ietf.org; eludom@gmail.com
Subject: RE: Control Plane Security of ISP Network

Hi Merike:

In the past1.5 years I was involved in development of standard of router
security requirement. During the development there are a lot of
discussions on security of control plane. Quite a few professionals from
SPs gave much concerns and ideas on planes seperation, which is to
seperate control and/or manage plane from end user/data plane physically
or logically. Actually OOB management is one such solution with
physical/logical seperation mechanism to seperate management traffic
from end user data, which makes it impossible for attack on data plane
to launch an attack to management interfaces or systems. As for control
plane, while some SPs are practicing plane seperation by VPN or other
technology, it is much more sophisticated than management plane. I think
planes seperation should be considered in Practices draft, specifically
section 2.5.7. 

Route authentication, which is identified in Practices draft section
2.5.7, is extremely important security aspect of  control plane in spite
of criticism for MD5 weaks and cumbersome configuration. Sometimes
Filtering helps control plane security,  but it is not complete. So a
new Capability draft is required to describing security capabilty of
route authentication and control plane seperation. I will trying to
write a very initial draft before IETF 63 meeting to give primary idea.

Wish the same also answers questions of Mr. George Jones in another
mail.
Thanks!

Miao Fuyou

-----Original Message-----
From: Merike Kaeo [mailto:merike@doubleshotsecurity.com]
Sent: Friday, June 03, 2005 1:08 PM
To: Miao Fuyou
Cc: opsec@ops.ietf.org
Subject: Re: Control Plane Security of ISP Network

Hello Miao.

Yes,  more text needed to be added to address current control plane 
security
practices and in the next version of the document you will see this 
addition.

As to having another capabilities document, that depends on how much 
overlap
there is with filtering.  Were you proposing to author such a document?

- merike

On Jun 2, 2005, at 7:49 PM, Miao Fuyou wrote:

>
> Hi, All:
>
> In the Pratices document(draft-ietf-opsec-current-practices-00.txt)
> routing
> control plane security is explicitly identified as an important aspect

> of
> network security. Sp network is comprised of the most essential assets

> and
> facilities to provide service for customer. IP is liable to attack on
> control plane and the consequences of such attack usually are very 
> serious.
> So, it is the foremost concern for ISP to protect control plane from 
> attack
> inside or outside. In order to mitigate security risk on control 
> plane, we
> need a lot of work to do on standardization except filtering, logging 
> or dos
> tracing. Actually some security mechnisms are identified in Pratices
> document for control plane, BGP MD5 for example, but I think there are

> still
> other important aspect to identify. For example, quite a few SP use 
> VPN to
> seperate user/customer traffice from core network keep the attack on 
> SP core
> from user/customer away from control plane.
>
> So I suggest following change,  (1) to add more text to Pratice
> document to
> reflect more security pratices on protecting control plane of SP 
> network (2)
> we need another Capabilty document to cover control plane security of 
> SP
> network wihtout confliction on content with other Capabilty documents,

> such
> as filtering.
>
> Miao Fuyou
> Data Communication, Wireline Research
> Huawei Technologies Co., Ltd.
> TEL: 86-10-8288 2502
>
> *****************************************************************
> This e-mail and its attachments contain confidential information from 
> HUAWEI, which is intended only for the person or entity whose address 
> is listed above. Any use of the information contained herein in any 
> way (including, but not limited to, total or partial disclosure,
> reproduction,
> or dissemination) by persons other than the intended recipient(s) is
> prohibited. If you receive this e-mail in error, please notify the 
> sender by
> phone or email immediately and delete it
>
>
>

Prev by Date: Re: Control Plane Security of ISP Network
Next by Date: Re: Control Plane Security of ISP Network
Previous by thread: RE: Control Plane Security of ISP Network
Next by thread: RE: Control Plane Security of ISP Network
Index(es):
- Date
- Thread