At 7:24 AM -0700 10/25/05, Barry Greene (bgreene) wrote:
This draft needs to be re-titled to "routing protocol filtering and
policy control." It is not talking about Control Plane security. That
document would be 50% about protocols and 50% about the queuing and
compartmentalization requirements to keep a control plane from being
disrupted by data plane activities.

I don't necessarily disagree. There may be another approach to stratifying a diffuse control plane.

Routing control and forwarding are, at the SP level, near-real-time to real-time and are likely to be hardware-assisted. Vulnerabilities here can be flooding, spoofing, and other mechanisms that interfere with packet delivery to control processors or ASICs.

Path determination and signaling may be at the order of seconds or below, and is most likely to be in reasonably general-purpose processes in the router. In this area, the vulnerabilities are apt to be in protocols or mechanisms (e.g., the various BGP security approaches) to validate the content of protocol messages.

Management, including IDS/statistical/flow alerts/alarms, responses such as automatic blackholing and sinkholing, and general configuration, often needs statistical baselines of some length, and will operate in much longer time granules. A substantial number of such servers can live on more general-purpose servers than routers, and be vulnerable to server-oriented attacks.
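The management tier sketched in the message above (a statistical baseline built over a longer window, then an automatic blackhole as the response) can be made concrete with a small script. This is an added example and is not code from the thread or from the draft under discussion; the flow records are constructed inline, and the addresses, window lengths, threshold multiplier, discard next hop and RTBH community are all assumptions chosen for the illustration.

```python
# Added example (not from the thread): baseline flow rates over a training
# window, flag a destination whose packet rate departs from that baseline,
# and describe the remotely-triggered blackhole (RTBH) update that would be
# originated. Every address, window and threshold below is an assumption.
from collections import defaultdict
from dataclasses import dataclass
import statistics


@dataclass(frozen=True)
class FlowRecord:
    t: int        # seconds since start of observation
    dst: str      # destination address
    packets: int  # packets seen in this one-second bin


def _make_sample() -> list:
    """Constructed sample: 60 s of steady traffic to two hosts, then a flood."""
    recs = []
    for t in range(60):
        recs.append(FlowRecord(t, "192.0.2.10", 100 + (t % 5) * 10))  # 100..140 pps
        recs.append(FlowRecord(t, "192.0.2.20", 50 + (t % 3) * 5))    # 50..60 pps
    for t in range(60, 63):
        recs.append(FlowRecord(t, "192.0.2.10", 20000))  # flood toward .10
        recs.append(FlowRecord(t, "192.0.2.20", 55))     # .20 unchanged
    return recs


SAMPLE_FLOWS = _make_sample()


def per_second_rates(records, t_start, t_end):
    """Sum packets per destination per one-second bin for t_start <= t < t_end."""
    rates = defaultdict(lambda: defaultdict(int))
    for r in records:
        if t_start <= r.t < t_end:
            rates[r.dst][r.t] += r.packets
    # Bins with no traffic become zeros so quiet seconds count in the baseline.
    return {dst: [bins.get(t, 0) for t in range(t_start, t_end)]
            for dst, bins in rates.items()}


def build_baseline(records, t_end):
    """Mean and population standard deviation of pps per destination over [0, t_end)."""
    baseline = {}
    for dst, series in per_second_rates(records, 0, t_end).items():
        baseline[dst] = (statistics.fmean(series), statistics.pstdev(series))
    return baseline


def detect(records, baseline, t_start, t_end, k=5.0, floor_pps=1000):
    """Return (dst, t, observed, threshold) where observed exceeds mean + k*stdev.

    floor_pps stops a destination with a tiny, nearly constant baseline from
    being blackholed by a small absolute change; an operator tunes both knobs.
    """
    alerts = []
    for dst, series in per_second_rates(records, t_start, t_end).items():
        mean, stdev = baseline.get(dst, (0.0, 0.0))
        threshold = max(mean + k * stdev, floor_pps)
        for offset, observed in enumerate(series):
            if observed > threshold:
                alerts.append((dst, t_start + offset, observed, threshold))
    return alerts


def rtbh_announcement(dst, discard_next_hop="192.0.2.1", community="65000:666"):
    """Describe the BGP update an RTBH trigger router would originate.

    The next hop is an address every edge router statically routes to a
    discard interface, and the community marks the /32 as a blackhole;
    both values are assumptions for this example.
    """
    return {"prefix": f"{dst}/32", "next_hop": discard_next_hop,
            "community": community, "no_export": True}


def decide(records=SAMPLE_FLOWS, train_end=60, eval_end=63):
    """Baseline on the first train_end seconds, evaluate the rest, return RTBH actions."""
    baseline = build_baseline(records, train_end)
    alerts = detect(records, baseline, train_end, eval_end)
    victims = sorted({dst for dst, *_ in alerts})
    return [rtbh_announcement(dst) for dst in victims]


if __name__ == "__main__":
    for action in decide():
        print(action)
```

Note that the detector only says which prefix to blackhole; the traffic is dropped by the routers that honour the announcement, which is why this tier can live on a general-purpose server and why that server becomes an attractive target in its own right.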

 Hi, folks

 Miao and I have finished a draft about the security of the
 control plane. The document tries to sum up the capabilities
 of the control plane for IP networks.
 The URL is
 All comments are appreciated.