RE: Comments on draft-zhao-opsec-routing-capabilities-01.txt
- To: "Merike Kaeo" <merike@doubleshotsecurity.com>, <gmj@pobox.com>
- Subject: RE: Comments on draft-zhao-opsec-routing-capabilities-01.txt
- From: "Barry Greene (bgreene)" <bgreene@cisco.com>
- Date: Thu, 1 Jun 2006 23:54:35 -0700
- Cc: <opsec@ops.ietf.org>
All IP routing protocols send traffic at prec6. Routers then use that precedence value to make judgments on which packets to drop during a congested event - minimizing the dropping of control plane packets.
It just so happens that DOS is a "congested event," turning QOS in the router into the #1 most critical security tool.
> -----Original Message-----
> From: Merike Kaeo [mailto:merike@doubleshotsecurity.com]
> Sent: Thursday, June 01, 2006 3:25 PM
> To: gmj@pobox.com
> Cc: opsec@ops.ietf.org; Barry Greene (bgreene)
> Subject: Re: Comments on draft-zhao-opsec-routing-capabilities-01.txt
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I'm not aware of prec6 and would gladly talk to folks who are
> deploying/using it and incorporate into my current practices
> doc. I'll be at NANOG and although I am leaving Tuesday at
> 1PM, I would make myself available for any discussions on
> Sunday eve through the time I leave. Note that there is an
> OPsec BoF scheduled for 2-3:30 on Tuesday and despite
> requesting a timeslot that doesn't conflict with my leaving
> it wasn't in the cards. Someone else will be presenting my
> slides.....essentially just a synopsis of current document
> and request for input if things are missing......
>
> - - merike
>
> On Jun 1, 2006, at 9:23 AM, George Jones wrote:
>
> > On 6/1/06, Barry Greene (bgreene) <bgreene@cisco.com> wrote:
> >>
> >> Why am I not seeing level set discussion around Prec6 as the primary
> >> defense tool used to protect routing protocols? Is this something
> >> that people even realize is happening - live - operationally on
> >> networks right this minute?
> >
> > Suggest you take that up with the authors (cc here for more
> > discussion), I'm just the framework guy here now.
> >
> > If there are practices that are current, they can be added either to
> > Merike's doc (current practices) or to the capabilities drafts (if
> > hers gets published and something needs to be added later).
> >
> > I suggest if you have something to add you write up a quick
> > suggestion in the standard format:
> >
> > Capability:
> >
> > The device is able to...
> >
> > Supported Practice:
> >
> > Operators currently do FOO...
> >
> > Current Implementations:
> >
> > Cite, hopefully in a generic/vendor neutral way, how this is done
> > in products today
> >
> > Issues:
> >
> > This may cause the end of the world if....
> >
> > Thanks,
> > ---George
> >
> >
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (Darwin)
>
> iD8DBQFEf2lGReOZMB6zE7IRAm5cAKCH5mmVXHEX7hmqOO2f1FGSJYOn5wCghAbU
> ZekcadC7O6mR0qOuKHOXLcQ=
> =bola
> -----END PGP SIGNATURE-----
>
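
The mechanism described in the reply at the top of this message (routing-protocol packets marked precedence 6, and the router using that value to choose what to drop under congestion) can be modelled in a few lines. This is an added example, not code from the thread or from any router implementation; the queue model, the function names and the documentation-range addresses are assumptions made for illustration.

```python
import socket
import struct

PREC_INTERNETWORK_CONTROL = 6  # RFC 791 precedence 110, i.e. TOS byte 0xC0

def build_ipv4_header(tos, proto, src, dst):
    """Constructed 20-byte IPv4 header (checksum left at 0; sample data only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def ip_precedence(header):
    """Return the 3-bit precedence: the top bits of the TOS byte at offset 1."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return header[1] >> 5

class PrecedenceQueue:
    """Hypothetical bounded buffer: when full, evict the lowest-precedence packet."""
    def __init__(self, capacity):
        self.capacity = capacity
        self.packets = []
        self.dropped = {}  # precedence -> number of packets dropped

    def enqueue(self, header):
        self.packets.append(header)
        if len(self.packets) > self.capacity:
            victim = min(self.packets, key=ip_precedence)
            self.packets.remove(victim)
            prec = ip_precedence(victim)
            self.dropped[prec] = self.dropped.get(prec, 0) + 1

def simulate_flood(capacity=8, flood=100, control=5):
    """Interleave a precedence-0 UDP flood with a few precedence-6 OSPF packets."""
    q = PrecedenceQueue(capacity)
    for i in range(flood):
        src = "198.51.100.%d" % (i % 250 + 1)
        q.enqueue(build_ipv4_header(0x00, 17, src, "192.0.2.1"))  # UDP, prec 0
        if i % (flood // control) == 0:
            # IP protocol 89 is OSPF; marked TOS 0xC0 = precedence 6
            q.enqueue(build_ipv4_header(0xC0, 89, "192.0.2.2", "192.0.2.1"))
    kept = [ip_precedence(p) for p in q.packets]
    return kept.count(PREC_INTERNETWORK_CONTROL), q.dropped

if __name__ == "__main__":
    control_kept, dropped = simulate_flood()
    print("control packets still queued:", control_kept)
    print("drops by precedence:", dropped)
```

In this model every drop falls on the precedence-0 flood and all of the control-plane packets stay queued, which is the behaviour the reply credits with keeping routing adjacencies alive during a congestion event.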