RE: Control Plane Security of ISP Network



The objective of out-of-band management is primarily to provide remote
access in case of a data-plane (e.g. user traffic) failure.

In order to accomplish that, a separate physical network would be
required. Generally, this can be provided by existing Frame Relay, X.25,
ISDN lines or in some cases, a separate IP network.

Due to the cost restrictions on such designs, it is primarily deployed
in service provider networks. It is more rare in the enterprise space.

Note that the out-of-band networks for IP are almost always used for the
management plane. I don't believe we have ever seen an out-of-band
network for the control plane as in a traditional SS7 network.

Regards
Bob

> -----Original Message-----
> From: owner-opsec@psg.com [mailto:owner-opsec@psg.com] On Behalf Of
> jbenedict@ca.safenet-inc.com
> Sent: Monday, June 06, 2005 11:09 AM
> To: Bora Akyol (bora); Donald.Smith@qwest.com; pmrn@mac.com;
> miaofy@huawei.com
> Cc: merike@doubleshotsecurity.com; opsec@ops.ietf.org; eludom@gmail.com
> Subject: RE: Control Plane Security of ISP Network
> 
> Does anyone have a clear definition of "in-band" vs. "out-of-band" in
> this case?
> 
> For example, can we consider anything that contacts the same interface
> as data traffic "in-band"?
> (i.e. IPSec or SSL connection for management)
> 
> Or can it be over the same network, just a different interface (VLAN)?
> 
> Or does it have to be separate interface/separate network (NOC)?
> 
> Or does it have to be completely non-ip (serial-port)?
> 
> All of these scenarios are in use today.  In my opinion, in-band would
> probably fall somewhere around VLANs (my theoretical half says they're
> OOB, but my practical half can still connect the dots).
> 
> --
> James
> 
> -----Original Message-----
> From: Bora Akyol (bora) [mailto:bora@cisco.com]
> Sent: Monday, June 06, 2005 10:47 AM
> To: Smith, Donald; pmrn; Miao Fuyou
> Cc: Merike Kaeo; opsec@ops.ietf.org; eludom@gmail.com
> Subject: RE: Control Plane Security of ISP Network
> 
> 
> May want to include a requirement to the document:
> 
> Under no circumstance will there be a separation of faith between the
> control and the data planes; that is, control plane thinks everything
> is solid, and the data plane is out cold, or vice versa.
> 
> Personally, I think we can do a lot to protect the control traffic even
> when it is in-band that such a separation is unnecessary.
> 
> Bora
> 