RE: draft-ietf-opsec--infrastructure-security-00.txt
- To: <gmj@pobox.com>, "Ross Callon" <rcallon@juniper.net>
- Subject: RE: draft-ietf-opsec--infrastructure-security-00.txt
- From: "Darrel Lewis \(darlewis\)" <darlewis@cisco.com>
- Date: Mon, 11 Sep 2006 13:43:04 -0700
- Cc: <opsec@ops.ietf.org>, <pcain@coopercain.com>
Thanks for the pointers on the references - we will indeed update them for the next revision of the draft.
My feeling is that the operator community views things like 2267 as a goal to get to, and uses the fact that it's a BCP as a lever to get their management and their vendors to work towards enabling it.
We've been very selective in trying to limit the advice here to what's actually being done in a (majority?) of operators' networks. The exception might be the IPv6 section - if anything I'd be in favor of reducing the amount of content there to make sure it fits with the practical tone of the rest of the document.
I pretty much view draft-ietf-opsec-current-practice-07.txt as a broad survey that operators can use to get an understanding of all of their options for practical security measures. *-infrastructure-security-00.txt is a sort of 'best of' where we hammer home a baseline of what they should be doing.
Thoughts?
-Darrel
I guess my main question/comment is, is what's in this draft (draft-ietf-opsec-infrastructure-security-00.txt) actual, current practice or is it a good set of "shoulds"? 2267 (ingress filtering) is a good idea, but I think it's still far from a universal practice.
On the other hand, I think draft-ietf-opsec-current-practices-07.txt was the result of an extensive survey of *actual* *current* *practices* of operators. If I had to vote between the two, I'd vote for the latter being BCP....but both are fine docs.
One small comment on *-infrastructure-security-00.txt, you need to add references for all your citations (e.g. 2267, 3704 are cited but not listed in the references). xml2rfc will catch stuff like this for you.
---George Jones