Draft opsec working group minutes
Here are draft minutes from the OPSEC working group in Paris. Please send corrections to Pat and me. If you commented or spoke, then check that we didn't mangle either your name or what you said.
Operational Security Capabilities for IP Network Infrastructure
August 3rd, 2005 (at Paris IETF)
Chairs: Pat Cain
- Administrivia / agenda bashing
- Working group and document status (Pat)
- Current documents
  - Framework (Ross)
  - Survey of Service Provider Current Practices (Merike Kaeo)
  - Filtering Capabilities for IP Net Infrastructure (Chris Morrow)
- Proposed new document
  - A proposed new document on Best Practices (Chris Morrow)
Administrivia / Agenda Bashing
Ross and Pat agreed to take minutes (with help from Matthew
(no jabber scribe)
Current document / working group status (Pat)
- There are four classes of documents (take from slides)
- Four documents are currently out:
  - survey of other security
  - current provider
  - filtering capabilities
- The charter calls for quite a few documents. Some may be
- Some volunteers have gotten their work done. Some have not. Some volunteers have disappeared. We are still looking for
  to work on documents. If you have volunteered in the past, expect us to bug you. ;-)
Framework status (Ross Callon)
- This is a roadmap of the working group effort.
- Update coming.
- Not much different. This is primarily just a re-issue to keep the draft from timing out.
Current Practices document (Merike Kaeo)
- Documents the security practices currently used in SP networks.
- The document is almost done.
- Deleted the filtering section, since it was felt that this would be redundant with the existing filtering capabilities draft.
- Added text for DoS mitigation, but this still needs work. Added
  to detail some common packet mangling attacks.
Merike intends to submit a -02 version within the next month which will include a DoS mitigation section with more detail. She will also solicit input from the mailing list.
Ross: What about large enterprises? This might for example include things like firewalls and perhaps intrusion detection and/or prevention. Merike: Interested. Chris Morrow: this is a large can of worms. Merike: If it is this large a can of worms, it might be worth putting this into a different document (allowing us to finish this document). This would imply a change in the title of this document to limit it to service providers. Merike volunteered to work on the large enterprise network security practices document.
Packet Filtering Capabilities (Chris Morrow)
Chris Morrow briefly discussed the packet filtering capabilities draft. This document is a cut'n'paste of multiple inputs (including RFC 3871). Draft -01 is out. The change is mainly structure regarding the data plane versus the management/control plane.
- Filter traffic through the device, but also filter snmp, bgp, telnet to
- Need to filter non-transit traffic
- Trying to protect the lower speed customer traffic
- Map functions back to the current practices document
- In some cases rate limiting is useful (eg, to reduce size of
- Work at line rate
The capabilities in this document should map back to the current practices document (which implies that it might be useful to have a filtering section in the current practices document).
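As an added illustration (not text or code from the minutes or from any opsec draft), the following Python sketch shows how the capabilities listed above combine on a single device: classify traffic as transit or non-transit (destined to the device's own infrastructure addresses), restrict the management/control-plane services named above (snmp, bgp, telnet) to known sources, and rate limit the remaining non-transit traffic so it cannot crowd out customer traffic on a slower link. All prefixes, ports and packets are constructed for the example; the policy, names and functions are assumptions, not anything a draft specifies.

```python
"""Toy evaluator for the filtering capabilities discussed above.

Added example, not part of the minutes or any opsec draft. All prefixes,
ports and sample packets below are constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed infrastructure address space: traffic *to* these addresses is
# non-transit (it terminates on the device); everything else is transit.
INFRA_PREFIXES = [ip_network("192.0.2.0/24")]

# Constructed: sources allowed to reach management services, and BGP peers.
MGMT_SOURCES = [ip_network("198.51.100.0/28")]
BGP_PEERS = [ip_network("203.0.113.0/30")]

# Management/control-plane services named in the minutes (snmp, bgp, telnet).
MGMT_SERVICES = {("udp", 161): "snmp", ("tcp", 179): "bgp", ("tcp", 23): "telnet"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class TokenBucket:
    """Minimal rate limiter: allows at most `capacity` packets per refill."""
    capacity: int
    tokens: int = field(init=False)

    def __post_init__(self) -> None:
        self.tokens = self.capacity

    def allow(self) -> bool:
        if self.tokens > 0:
            self.tokens -= 1
            return True
        return False


def in_any(addr: str, prefixes) -> bool:
    a = ip_address(addr)
    return any(a in p for p in prefixes)


def is_non_transit(pkt: Packet) -> bool:
    """Non-transit traffic is addressed to the device itself."""
    return in_any(pkt.dst, INFRA_PREFIXES)


def evaluate(pkt: Packet, bucket: TokenBucket) -> str:
    """Return an action tag: 'permit:...', 'deny:...' or 'drop:...'."""
    if not is_non_transit(pkt):
        return "permit:transit"  # customer traffic forwarded through the box
    service = MGMT_SERVICES.get((pkt.proto, pkt.dport))
    if service == "bgp":
        # Only configured peers may open a session to the control plane.
        return "permit:bgp-peer" if in_any(pkt.src, BGP_PEERS) else "deny:bgp-unknown-peer"
    if service in ("snmp", "telnet"):
        # Management services are reachable only from the management sources.
        if in_any(pkt.src, MGMT_SOURCES):
            return "permit:mgmt"
        return f"deny:{service}-unauthorised-source"
    # Any other non-transit traffic is permitted but rate limited, so a flood
    # aimed at the device does not starve lower-speed customer traffic.
    return "permit:rate-limited" if bucket.allow() else "drop:rate-limited"


def run(packets, burst: int = 2):
    """Evaluate a list of packets against the policy with one shared bucket."""
    bucket = TokenBucket(capacity=burst)
    return [evaluate(p, bucket) for p in packets]


# Constructed sample traffic (not captured data).
SAMPLE = [
    Packet("10.0.0.1", "10.0.0.2", "tcp", 80),          # transit
    Packet("198.51.100.2", "192.0.2.1", "udp", 161),    # snmp from mgmt host
    Packet("10.9.9.9", "192.0.2.1", "udp", 161),        # snmp from elsewhere
    Packet("203.0.113.1", "192.0.2.1", "tcp", 179),     # bgp from a peer
    Packet("10.9.9.9", "192.0.2.1", "tcp", 23),         # telnet from elsewhere
    Packet("10.9.9.9", "192.0.2.1", "tcp", 12345),      # other non-transit x3
    Packet("10.9.9.9", "192.0.2.1", "tcp", 12345),
    Packet("10.9.9.9", "192.0.2.1", "tcp", 12345),
]

if __name__ == "__main__":
    for pkt, action in zip(SAMPLE, run(SAMPLE)):
        print(f"{pkt.src:>14} -> {pkt.dst}/{pkt.proto}/{pkt.dport}: {action}")
```

The order of the checks is the point: transit traffic is decided first and never touches the management rules, management and control-plane services are matched before the generic rate limiter, and only the leftover non-transit traffic consumes the bucket, which is the "protect the lower speed customer traffic" capability from the list above.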
Added some layer 2 functionality:
- MAC address, ATM, SONET, etc.
(I think that Chris said that he would be adding more text on this based
Darrel Lewis: Does the mgt plane include control plane?
A: Yes, it's really a combination, includes BGP, control, login,
Ross: To me the term "control plane" normally includes both
routing and management (which I believe is the intent here, and thus the
term "control plane" fits).
Darrel: Maybe we should use the X.805 definitions for consistency
- Need to map document sections to the practices document.
- Validate that the current structure and subsections are valid.
Barbara Fraser: Is there any new functionality in the document (i.e., capabilities which are not currently widely deployed)?
A (Chris): Not really. Some deployed devices do all the functions, but there are some devices that don't do all of them.
Merike: Don't forget that the profiles documents will take all the
capabilities and map them to specific environments.
Infrastructure Protection BCP (Darrel Lewis, Chris Morrow, Paul
Chris presented an idea to produce a document which will document some recommended "best practices". This could provide an introduction for newer, smaller providers or customers. It will be a detailed guide to the capabilities.
Susan Hares: Is the capability document mainly a procurement
Merike: This maps well to the other documents
Darrel: This should be good just like BCP38
Ross: There may be some confusion between this proposed new document and
the existing document on current practices.
Paul Quinn: This would propose a bare minimum of practices as the survey
really a list of things that providers do.
Discussion on whether this as a BCP will map to the other
Pat: Let's wait for some text before we figure out what type of
this is. Ross: It will be easier to know whether this document is best
its own (and separate from the current practices and profile documents)
we see the text. Thus it makes sense to see a draft of this document.
Pat: It may be useful to send a message to the list with a synopsis of
the proposed document.
Randy Preshin: Make sure we're compliant with RFC 2026.
Chris: Structure of doc:edge remarking, edge access control, core
route filtering. Not covered: Logging evaluation, net mgt, customer
End of working group