RE: Comments on draft-zhao-opsec-routing-capabilities-01.txt
On Thu, 1 Jun 2006, Barry Greene (bgreene) wrote:
>
> All IP routing protocols send traffic a prec6. Routers then use that
> precedence value to make judgments on which packets to drop during a
> congested event - minimizing the dropping of control plane packets.
>
> It just so happens that DOS is a "congested event," turning QOS in the
> router into the #1 most critical security tool.
are you referring to QOS on ingress interface (possibly ALL), or QOS
(policing) to/from RP?
there is a huge distinction and diff in BW required.
just asking for clarification. :)
-ted
>
>
>
> > -----Original Message-----
> > From: Merike Kaeo [mailto:merike@doubleshotsecurity.com]
> > Sent: Thursday, June 01, 2006 3:25 PM
> > To: gmj@pobox.com
> > Cc: opsec@ops.ietf.org; Barry Greene (bgreene)
> > Subject: Re: Comments on draft-zhao-opsec-routing-capabilities-01.txt
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > I'm not aware of prec6 and would gladly talk to folks who are
> > deploying/using it and incorporate into my current practices
> > doc. I'll be at NANOG and although I am leaving Tuesday at
> > 1PM, I would make myself available for any discussions on
> > Sunday eve through the time I leave. Note that there is an
> > OPsec BoF scheduled for 2-3:30 on Tuesday and despite
> > requesting a timeslot that doesn't conflict with my leaving
> > it wasn't in the cards. Someone else will be presenting my
> > slides.....essentially just a synopsis of current document
> > and request for input if things are missing......
> >
> > - - merike
> >
> > On Jun 1, 2006, at 9:23 AM, George Jones wrote:
> >
> > > On 6/1/06, Barry Greene (bgreene) <bgreene@cisco.com> wrote:
> > >>
> > >> Why am I not seeing level set discussion around Prec6 as the primary
> > >> defense tool used to protocol routing protocols? Is this something
> > >> that people even realize is happening - live - operationally on
> > >> networks right this minute?
> > >
> > > Suggest you take that up with the authors (cc here for more
> > > discussion), I'm just the framework guy here now.
> > >
> > > If there are practices that are current, they can be added either to
> > > Merike's doc (current practices) or to the capabilities drafts (if
> > > hers gets published and something needs to be added later).
> > >
> > > I suggest if you have something to add you write up a quick
> > > suggestion in the standard format:
> > >
> > > Capability:
> > >
> > > The device is able to...
> > >
> > > Supported Practice:
> > >
> > > Operators currently do FOO...
> > >
> > > Current Implementations:
> > >
> > > Cite, hopefully in a generic/vendor neutral way, how this is done
> > > in products today
> > >
> > > Issues:
> > >
> > > This may cause the end of the world if....
> > >
> > > Thanks,
> > > ---George
> > >
> > >
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.2.4 (Darwin)
> >
> > iD8DBQFEf2lGReOZMB6zE7IRAm5cAKCH5mmVXHEX7hmqOO2f1FGSJYOn5wCghAbU
> > ZekcadC7O6mR0qOuKHOXLcQ=
> > =bola
> > -----END PGP SIGNATURE-----
> >
>
Ted Seely
Principal Network Design Engineer
Internet Engineering - SprintLink
(W) 703.689.6425
(M) 703.967.3289
AIM - wanpro00
Yahoo IM - tseely01
"Serious damage and router meltdown could be avoided by strict
configuration validation"