
RE: Control Plane Security of ISP Network

The work FORCES is trying to achieve has more to do with
commoditizing the market than with the security of the control plane. For
example, are you going to see FORCES change the way OSPF works? OSPF's
link to the data plane needs to change for it to work in a separated
control plane. I do not think that is in FORCES' charter.

> -----Original Message-----
> From: Miao Fuyou [mailto:miaofy@huawei.com] 
> Sent: Wednesday, June 08, 2005 3:12 AM
> To: Barry Greene (bgreene); gmj@pobox.com; 'David Barak'
> Cc: 'J.A. Terranson'; opsec@ops.ietf.org
> Subject: RE: Control Plane Security of ISP Network
> Maybe it is tedious work, but it is now happening; anyway,
> there is a working group in the IETF working on FORCES,
> although the focus is control/forwarding plane separation of
> the router, not the Internet.
> -----Original Message-----
> From: Barry Greene (bgreene) [mailto:bgreene@cisco.com]
> Sent: Wednesday, June 08, 2005 1:00 AM
> To: Miao Fuyou; gmj@pobox.com; David Barak
> Cc: J.A. Terranson; opsec@ops.ietf.org
> Subject: RE: Control Plane Security of ISP Network
> > On 6/6/05, David Barak <thegameiam@yahoo.com> wrote:
> > 
> > > Let me nitpick meaningfully: I think that what we want is not
> > > separation, but rather the situation where the control plane can 
> > > affect the workings of the data plane, but not the reverse, right?
> Not true. Our IP data plane uses the data plane to do its job. Miss too many
> hellos, miss an update, miss an LSA, and the control plane takes action. The
> reality is today, the control and data planes are designed from the bottom up
> to interact. Pulling them apart is going to be tedious work.
>
> So new security techniques which could minimize the direct and collateral
> impact of an accidental or intentional impact is where we should focus.
>
> For example, one of the primary reasons several SPs have moved to ISIS over
> these last few years is security. In addition to ISIS not being IP, it has
> some interesting properties that allow for more resistance to be built
> into the network:
>
> 	http://www.nanog.org/mtg-0405/mcdowell.html