
RE: Control Plane Security of ISP Network



Maybe it is tedious work, but it is now happening. Anyway, there is a
working group in the IETF working on FORCES, although its focus is
control/forwarding plane separation within a router, not the Internet.

-----Original Message-----
From: Barry Greene (bgreene) [mailto:bgreene@cisco.com] 
Sent: Wednesday, June 08, 2005 1:00 AM
To: Miao Fuyou; gmj@pobox.com; David Barak
Cc: J.A. Terranson; opsec@ops.ietf.org
Subject: RE: Control Plane Security of ISP Network


> On 6/6/05, David Barak <thegameiam@yahoo.com> wrote:
> 
> > Let me nitpick meaningfully: I think that what we want is not
> > separation, but rather the situation where the control plane can 
> > affect the workings of the data plane, but not the reverse, right?

Not true. Our IP data plane uses the data plane to do its job. Miss too many
hellos, miss an update, miss an LSA, and the control plane takes action. The
reality is today, the control and data planes are designed from bottom up to
interact. Pulling them apart is going to be tedious work. 

So new security techniques which could minimize the direct and collateral
impact of an accidental or intentional impact is where we should focus.

For example, one of the primary reasons several SPs have moved to ISIS over
these last few years is security. In addition to ISIS not being IP, it has
some interesting properties that allow for more resistance to be built
into the network:

	http://www.nanog.org/mtg-0405/mcdowell.html