At 7:24 AM -0700 10/25/05, Barry Greene (bgreene) wrote:
This draft needs to be re-titled to "routing protocol filtering and
policy control." It is not talking about Control Plane security. That
document would be 50% about protocols and 50% about the queuing and
compartmentalization requirements to keep a control plane from being
disrupted by data plane activities.
I don't necessarily disagree. There may be another approach to
stratifying a diffuse control plane.
Routing control and forwarding is, at the SP level, near-real-time to
real-time and is likely to be hardware-assisted. Vulnerabilities here
can be flooding, spoofing, and other mechanisms that interfere with
packet delivery to control processors or ASICs.
Path determination and signaling may be at the order of seconds or
below, and is most likely to be in reasonably general-purpose
processes in the router. In this area, the vulnerabilities are apt
to be in protocols or mechanisms (e.g., the various BGP security
approaches) to validate the content of protocol messages.
Management, including IDS/statistical/flow alerts/alarms, response
such as automatic blackholing and sinkholing, and general
configuration, often needs statistical baselines of some length, and
will operate in much longer time granules. A substantial amount of
such servers can live on more general-purpose servers than routers,
and be vulnerable to server-oriented attacks.
From: firstname.lastname@example.org [mailto:email@example.com] On
Behalf Of zhaoye
Sent: Wednesday, October 19, 2005 6:55 PM
Hi, folks
Miao and I have finished a draft about security of the
control plane. The document tries to sum up the capabilities
of the control plane for IP networks.
The URL is
All comments are appreciated.