comments on current practices doc
- To: "Merike Kaeo" <merike@doubleshotsecurity.com>
- Subject: comments on current practices doc
- From: "George Jones" <eludom@gmail.com>
- Date: Tue, 13 Jun 2006 15:45:28 -0400
- Cc: opsec@ops.ietf.org
- Reply-to: gmj@pobox.com
Very good. A few comments, mostly about more citations.
I think it's close to being ready to go.
---George
1.6. Definitions
RFC 2119 Keywords
...
gmj> We're probably going to add some WG boilerplate to all the capabilities
gmj> drafts, but I don't think you need it. You don't really use these
gmj> keywords and you're describing much more "people do this now" than
gmj> people SHOULD/MUST...
</gmj_replace_placeholder>
Kaeo Expires November 25, 2006 [Page 8]
Internet-Draft OPSEC Practices May 2006
2. Protected Operational Functions
2.1. Device Physical Access
gmj> You may want to note somewhere near the start of this section that
gmj> a) These are best practices aimed largely at stopping an intruder
gmj> with physical access from gaining operational control of the devices
gmj> b) Nothing will stop an attacker with physical access from effecting
gmj> a denial of service attack
gmj> c) Physical security is a large field of study/practice in and of itself,
gmj> arguably the largest, oldest and most well understood area of security.
2.3.4. Additional Considerations
Password selection for any OOB device management protocol used is
critical to ensure that the passwords are hard to guess or break
using a brute-force attack.
IPsec is considered too difficult to deploy and the common protocol
to provide for confidential OOB management access is SSH.
gmj> Some duplication of text here. Any way to just say "here are the
gmj> diffs between in-band and OOB ?
2.4.2. Security Practices
Filtering and rate limiting are the primary mechanism to provide risk
mitigation of malicious traffic rendering the ISP services
unavailable. However, filtering and rate limiting of data path
traffic is deployed in a variety of ways depending on how automated
the process is and what the capabilities and performance limitations
of existing deployed hardware are.
The ISPs which do not have performance issues with their equipment
follow BCP38 [BCP38] guidelines. Null routes and black-hole
filtering are used to deter any detected malicious traffic streams.
gmj> Are there any good citations (nanog ?) for black-holeing ?
gmj> use of null routes ?
Most ISPs consider layer 4 filtering useful but it is only
implemented if there are no performance limitations on the devices.
gmj> good.
Netflow is used for tracking traffic flows but there is some concern
whether sampling is good enough to detect malicious behavior.
Unicast RPF is not consistently implemented. Some ISPs are in the
process of doing so while other ISPs think that the perceived benefit
of knowing that spoofed traffic comes from legitimate addresses is
not worth the operational complexity. Some providers have a policy
of implementing uRPF at link speeds of DS3 and below.
gmj> You should see if Pekka is going to publish this:
gmj> http://www.ietf.org/internet-drafts/draft-savola-bcp84-urpf-experiences-00.txt
gmj> and maybe cite it.
gmj>
gmj> You should certainly cite BCP84/RFC3704 here.
2.5.7. Security Practices
Securing the routing control plane takes many features which are
generally deployed as a system. MD5 authentication is used by some
ISPs to validate the sending peer and to ensure that the data in
transit has not been altered. Some ISPs only deploy MD-5
authentication at customer's request. Additional sanity checks to
ensure with reasonable certainty that the received routing update was
originated by a valid routing peer include route filters and the BTSH
feature [BTSH]. Note that validating whether a legitimate peer has
gmj> Where's the reference ? RFC3682 ?
the authority to send the contents of the routing update is a
difficult problem that has yet to be resolved.
In the case of BGP routing, a variety of policies are deployed to
limit the propagation of invalid routing information. These include:
incoming and outgoing prefix filters for BGP customers, incoming and
outgoing prefix filters for peers and upstream neighbors, incoming
AS-PATH filter for BGP customers, outgoing AS-PATH filter towards
peers and upstream neighbors, route dampening and rejecting selected
attributes and communities. Consistency between these policies
varies greatly although there is a trend to start depending on AS-
PATH filters because they are much more manageable than the large
numbers of prefix filters that would need to be maintained. Many
ISPs also do not propagate interface IP addresses to further reduce
attack vectors on routers and connected customers.
gmj> This is clearly a big area with unsolved problems as witnessed
gmj> by the existence of the SIDR WG.
2.5.9. Additional Considerations
Route filters are used to limit what routes are believed from a valid
peer. Packet filters are used to limit which systems can appear as a
valid peer. Due to the operational constraints of maintaining large
prefix filter lists, many ISPs are starting to depend on BGP AS-PATh
^
gmj> "PATH" ?
filters to/from their peers and upstream neighbors.
IPsec is not deployed since the operational management aspects of
ensuring interoperability and reliable configurations are too complex
and time consuming to be operationally viable.
gmj> The truth hurts...
2.6.7. Security Practices
Images and configurations are stored on specific hosts which have
limited access. All access and activity relating to these hosts are
authenticated and logged via AAA services. When uploading/downloading
any system software or configuration files, either TFTP, FTP or SCP
can be used. Where possible, SCP is used to secure the data transfer
and FTP is generally never used. All TFTP and SCP access is
username/password authenticated
gmj> TFTP is NOT password authenticated.
and in most environments scripts are
used for maintaining a large number of routers. To ensure the
integrity of the configurations, every hour the configuration files
are polled and compared to the previously polled version to find
discrepancies. In at least one environment these tools are
Kerberized to take advantage of automated authentication (not
confidentiality).
Filters are used to limit access to uploading/downloading
configuration files and system images to specific IP addresses and
protocols.
The software images perform CRC-checks but many ISPs expressed
interest in having software image integrity validation based on the
MD5 algorithm for enhanced security.
gmj> I would cut out "but many...". We're dealing here with what is.
The system binaries use the MD5
algorithm to validate integrity.
2.7.1.1. Confidentiality Violations
Confidentiality violations can occur when a miscreant intercepts any
of the logging data which is in transit on the network. This could
lead to privacy violations if some of the logged data has not been
sanitized to disallow any data that could be a violation of privacy
to be included in the logged data.
gmj> Somewhat out of place here, but one thing you don't address is
gmj> secure key distribution...enable/root passwords, ssh keys, ipsec,
gmj> ?secure syslog?...what are people doing ? Ignoring the problem ?
gmj> This is a big part of what makes IPSec hard/not used, I think.
2.9.1. Sink Hole Routing
Sink hole routing refers to injecting a more specific route for any
known attack traffic which will ensure that the malicious traffic is
redirected to a valid subnet or specific IP address where it can be
analyzed.
2.9.2. Black-Hole Triggered Routing
Black-hole triggered routing is a technique where the BGP routing
protocol is used to propagate static routes which in turn redirects
attack traffic to the null interface where it is effectively dropped.
This technique is often used in large routing infrastructures since
BGP can propagate the information in a fast effective manner as
opposed to using any packet-based filtering techniques on hundreds or
thousands of routers.
gmj> Cite ?
2.9.3. Unicast Reverse Path Forwarding
Unicast Reverse Path Forwarding (uRPF) is a mechanism for validating
whether an incoming packet has a legitimate source address or not.
It has two modes: strict mode and loose mode. In strict mode, uRPF
checks whether the incoming packet has a source address that matches
a prefix in the routing table, and whether the interface expects to
receive a packet with this source address prefix. If the incoming
packet fails the unicast RPF check, the packet is not accepted on the
incoming interface. Loose mode uRPF is not as specific and the
incoming packet is accepted if there is any route in the routing
table for the source address.
uRPF is not used on interfaces that are likely to have routing
asymmetry, meaning multiple routes to the source of a packet.
Usually for ISPs, uRPF is placed at the customer edge of a network.
gmj> Cite ?
B.2. IPv4 Attacks
gmj> either fill these out a bit or drop them. If you fill them out
gmj> try to give citations (CERT references, maybe vendor advisories, etc.)
gmj> I don't think you would lose too much by dropping this section
gmj> if it's too much work.
o IP Stream Option
o IP Address Spoofing
....
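The strict/loose uRPF check and the null-route black-holing that the quoted draft sections 2.9.2 and 2.9.3 describe, worked through as an added example. This is not code from the message above, from the draft, or from any vendor; the FIB, interface names and packet sources are constructed for illustration (RFC 5737 documentation prefixes), and the treatment of the default route and of "null0" routes follows common router behaviour rather than anything the draft states.

```python
"""Unicast RPF (strict and loose mode) over a constructed forwarding table.

Added example, not part of the opsec draft. The FIB below is invented:
each prefix maps to the set of interfaces it is reachable through, so a
multihomed customer with two links (routing asymmetry) has two entries.
"""
import ipaddress
from dataclasses import dataclass

NULL_IFACE = "null0"  # routes pointing here are black-holes (draft 2.9.2)


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interfaces: frozenset  # next-hop interfaces; more than one == ECMP/asymmetry


def route(prefix, *ifaces):
    return Route(ipaddress.ip_network(prefix), frozenset(ifaces))


# Constructed FIB for the example (not a real configuration).
FIB = [
    route("192.0.2.0/24", "ge-0/0/1"),               # single-homed customer A
    route("198.51.100.0/24", "ge-0/0/2"),            # single-homed customer B
    route("203.0.113.0/24", "ge-0/0/3", "ge-0/0/4"),  # multihomed customer, asymmetric return path
    route("0.0.0.0/0", "ge-0/0/9"),                  # default route towards upstream
]


def lookup(fib, addr):
    """Longest-prefix match of addr against fib; returns a Route or None."""
    addr = ipaddress.ip_address(addr)
    best = None
    for r in fib:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def urpf_check(fib, src, in_iface, mode="strict", allow_default=False):
    """Return True if a packet with source src arriving on in_iface passes uRPF.

    strict: the source must be reachable *via the ingress interface*.
    loose:  the source must merely be reachable via some interface.
    A default route only counts if allow_default is set (most platforms
    ignore it for uRPF, otherwise every source would be "routable").
    A route whose only next hop is null0 fails both modes: that is how
    a black-hole route plus loose uRPF drops traffic *from* a source.
    """
    r = lookup(fib, src)
    if r is None:
        return False
    if r.prefix.prefixlen == 0 and not allow_default:
        return False
    if r.interfaces <= {NULL_IFACE}:
        return False
    if mode == "loose":
        return True
    if mode == "strict":
        return in_iface in r.interfaces
    raise ValueError(f"unknown uRPF mode: {mode}")


def blackhole_source(fib, prefix):
    """Return a new FIB with prefix pointed at null0 (source-based black-holing)."""
    return fib + [route(prefix, NULL_IFACE)]


if __name__ == "__main__":
    # Customer B spoofing customer A's address: caught by strict, not by loose.
    print(urpf_check(FIB, "192.0.2.10", "ge-0/0/2", "strict"))  # False
    print(urpf_check(FIB, "192.0.2.10", "ge-0/0/2", "loose"))   # True
    # Multihomed customer on its second link: strict still passes because both
    # interfaces are in the FIB entry; with only one listed it would not, which
    # is why the draft says uRPF is avoided where routing is asymmetric.
    print(urpf_check(FIB, "203.0.113.5", "ge-0/0/4", "strict"))  # True
    # Black-holed source dropped even in loose mode.
    print(urpf_check(blackhole_source(FIB, "192.0.2.0/25"), "192.0.2.10", "ge-0/0/1", "loose"))  # False
```

The `interfaces` set is the detail that matters operationally: strict mode is only safe where the FIB entry for a source really lists every interface that source can legitimately arrive on, which is why the draft places it at the customer edge and keeps it off peering links with asymmetric paths.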