IETF Logo Mail Archive

Re: [OPSEC] OPSEC control plane protection draft

Rodney Dunn <rodunn@cisco.com> Tue, 17 August 2010 20:02 UTC

Return-Path: <rodunn@cisco.com>
X-Original-To: opsec@core3.amsl.com
Delivered-To: opsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0FF333A685C for <opsec@core3.amsl.com>; Tue, 17 Aug 2010 13:02:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XqFqxEMsPgFc for <opsec@core3.amsl.com>; Tue, 17 Aug 2010 13:02:50 -0700 (PDT)
Received: from av-tac-rtp.cisco.com (hen.cisco.com [64.102.19.198]) by core3.amsl.com (Postfix) with ESMTP id 8AEE13A67F3 for <opsec@ietf.org>; Tue, 17 Aug 2010 13:02:50 -0700 (PDT)
X-TACSUNS: Virus Scanned
Received: from rooster.cisco.com (localhost.cisco.com [127.0.0.1]) by av-tac-rtp.cisco.com (8.13.8+Sun/8.13.8) with ESMTP id o7HK3PtX006144; Tue, 17 Aug 2010 16:03:25 -0400 (EDT)
Received: from dhcp-64-102-220-209.cisco.com (dhcp-64-102-220-209.cisco.com [64.102.220.209]) by rooster.cisco.com (8.13.8+Sun/8.13.8) with ESMTP id o7HK3OPh006942; Tue, 17 Aug 2010 16:03:24 -0400 (EDT)
Message-ID: <4C6AEB97.2010501@cisco.com>
Date: Tue, 17 Aug 2010 16:05:43 -0400
From: Rodney Dunn <rodunn@cisco.com>
Organization: Cisco Systems Inc.
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2.8) Gecko/20100802 Thunderbird/3.1.2
MIME-Version: 1.0
To: Christopher Morrow <morrowc.lists@gmail.com>
References: <45c8c21a1003260906j41580868p12466e6ed42ef3d0@mail.gmail.com> <4BACE777.3010000@juniper.net> <ba2fbc6f1003261027u5c62b7b4od135d00144a83a02@mail.gmail.com> <B01905DA0C7CDC478F42870679DF0F10091D90BD15@qtdenexmbm24.AD.QINTRA.COM> <4C69E72F.6090608@cisco.com> <AANLkTikJHA8O4EbL43nHGYfEdt2k0-V0Tv2uy390soeD@mail.gmail.com>
In-Reply-To: <AANLkTikJHA8O4EbL43nHGYfEdt2k0-V0Tv2uy390soeD@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: "opsec@ietf.org" <opsec@ietf.org>
Subject: Re: [OPSEC] OPSEC control plane protection draft
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: rodunn@cisco.com
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Aug 2010 20:02:55 -0000

We agree that the end goal should be to lock the device down to the most 
granular degree possible. We made an effort to highlight that at various 
places in the document. I like your suggestion to add an additional 
paragraph specifically highlighting the importance of getting to a point 
where the default traffic would be a drop. Could you review the 
paragraph below between *-*'s and make suggestions to wording if it's 
not explicit or clear enough?

Thanks,
Rodney

Some references already in the document are...

ie: Section 3.2 Filter Design

..By adjusting the granularity and order of the filters more
    granular forensics can be performed...

In addition to the filters, rate-limiters for certain classes of
    traffic are also installed in the forwarding plane as defined in
    Section 3.1.  These rate limiters help futher control the traffic
    that will reach the control plane for each filtered class as well as
    all traffic not matching an explicit class.  The actual rates
    selected for various classes is network deployment specific and
    analysis of required rates for stability should be done periodically.

and the note for the catch all:

Syntactically, these filters explicitly define "allowed" traffic
    (including IP addresses, protocols, and ports), define acceptable
    actions for these acceptable traffic profiles (e.g., rate-limit or
    simply permit the traffic), and then drop to the bit bucket all
    traffic destined to the router control plane that is not within the
    specifications of the policy definition.


and in Section 3.3 we wanted to articulate the importance of locking it 
down as granular as possible:

...The goal of the method for protecting the router control plane is to
    minimize the possibility for disruptions by reducing the vulnerable
    surface.  The latter is inversely proportional to the granularity of
    the filter design.  The finer the granularity of the filter design
    (e.g., isolating a more targeted subset of traffic from the rest of
    the policed traffic, or isolating valid source addresses into a
    different class or classes) the smaller the probability of
    disruption.
...

What about if we add this in the Design
Trade-Off section to address the concern so we will be more precise.

*In addition to the traffic matching explicit classes care should be 
taken on the policy decision that governs the handling of traffic that 
would fall through the policy. Typically that traffic is referred to as 
traffic falling in the default class. It may also be traffic that 
matches a generic protocol specific class where previous classes that 
have more granular matching did not match all packets for that specific 
protocol. The ideal policy would have explicit classes to match only the 
traffic specifically required at the control plane and drop all other 
traffic. This approach requires rigorous traffic pattern identification 
such that a default drop policy does not break existing functionality of 
the device. The approach defined in this document allows the default 
traffic and rate limits it rather than just dropping it. This approach 
was highlighted as a way to give time to the implementer to evaluate the 
traffic in a production scenario prior to dropping all traffic not 
explicitly matched and permitted. However, it is highly recommended that 
after monitoring the traffic matching the default class explicit classes 
should be defined such that the default class could be configured to 
drop traffic falling through the policy.*


Rodney



On 8/16/10 9:58 PM, Christopher Morrow wrote:
> On Mon, Aug 16, 2010 at 9:34 PM, Rodney Dunn<rodunn@cisco.com>  wrote:
>> Donald,
>>
>> First thanks for the comment. It's a good one. We actually originally had it
>> with a default drop for the all IP and default classes. However, after a
>> good bit of discussion we (both Cisco and Juniper) felt that we should
>> soften it up just a bit. We agreed to add the explicit match for the ALLIP
>> class so it could be monitored and then tightened down further.
>>
>> We realized there were various opinions on how that should be done.
>
> can we get a 'first verify complete COPP coverage, then deny all
> remaining traffic with $INSERT_PROPER_DENY_HERE' paragraph?
>
> It sounds like someone with a legal degree got to your final
> recommendation :) that, operationally, leaves the network with a whole
> to plug, and I can guarantee that someone with a scanning virus is
> gonna fill it for you :(
>
> -chris
>
>> ie:
>>
>> http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html
>>
>>
>> Thanks,
>> Rodney
>>
>>
>>
>>
>>
>> On 8/16/10 5:16 PM, Smith, Donald wrote:
>>>
>>> For undesirables in JTK's paper here he specifically did a deny ip any any
>>> at the end of the cpp policy for that.
>>>
>>> http://aharp.ittns.northwestern.edu/papers/copp.html
>>>
>>> The default term for juniper is log and discard.
>>>
>>> There isn't a deny ip any any in the draft.
>>>
>>>
>>>
>>> (coffee != sleep)&    (!coffee == sleep)
>>> Donald.Smith@qwest.com gcia
>>>
>>>> -----Original Message-----
>>>> From: opsec-bounces@ietf.org [mailto:opsec-bounces@ietf.org]
>>>> On Behalf Of Rob Bird
>>>> Sent: Friday, March 26, 2010 11:28 AM
>>>> To: David Dugal
>>>> Cc: draft-dugal-opsec-protect-control-plane@tools.ietf.org;
>>>> opsec@ietf.org
>>>> Subject: Re: [OPSEC] OPSEC control plane protection draft
>>>>
>>>> This is most excellent. I was just advising a customer this
>>>> morning on this very issue (again).
>>>>
>>>> I look forward to working on this.
>>>> Rob
>>>>
>>>> -
>>>> Rob Bird, Chief Technology Officer
>>>> Red Lambda, Inc.
>>>> "Network security at global scale"
>>>> www.redlambda.com
>>>>
>>>>        On Mar 26, 2010 1:03 PM, "David Dugal"
>>>> <ddugal@juniper.net>    wrote:
>>>>
>>>>        -----BEGIN PGP SIGNED MESSAGE-----
>>>>        Hash: SHA1
>>>>
>>>>        Hi Richard.
>>>>
>>>>        Thank you very much for the scrutiny, analysis and feedback.  As
>>>>        mentioned during my brief presentation, our hope is that this
>>>>        recommendation by example will provide awareness of a
>>>> possible attack
>>>>        surface occasionally overlooked, especially by smaller or newer
>>>>        installations.
>>>>
>>>>        I appreciate the feedback and will enhance the draft to
>>>> make reference
>>>>        to cryptographic security, as well as attempt to make
>>>> the document IP
>>>>        version agnostic.
>>>>
>>>>        Thank you for your support, both in carefully reading
>>>> the document, and
>>>>        for your willingness to have our draft taken under the
>>>> OPSEC WG wing.
>>>>
>>>>        - ---
>>>>        David G. Dugal                           Support:
>>>> +1-408-745-9500
>>>>        Security Incident Response Team          Direct:
>>>> +1-978-589-0719
>>>>        Juniper Networks                         Mobile:
>>>> +1-603-377-1162
>>>>        Westford, MA, USA                        PGP Key: 0xAB6E02A5
>>>>
>>>>
>>>>        On Fri Mar 26 2010 09:06:40 GMT-0700 (Pacific Daylight
>>>> Time), Richard
>>>>        Graveman<rfgraveman@gmail.com>    proclaimed ...
>>>>
>>>>
>>>>        >    David,
>>>>        >
>>>>        >    I read the draft carefully after the meeting and
>>>> realize that my
>>>>        >    comments missed the...
>>>>
>>>>        >    .
>>>>        >
>>>>        -----BEGIN PGP SIGNATURE-----
>>>>        Version: GnuPG v1.4.10 (MingW32)
>>>>
>>>>        iEYEARECAAYFAkus53cACgkQh59lzatuAqVE9wCgh53mgxNRPWUztlI27aOITHRr
>>>>        2zMAoPb5y3phm260P1zSoDu0LSbUjNcN
>>>>        =kitD
>>>>        -----END PGP SIGNATURE-----
>>>>
>>>>
>>>>        _______________________________________________
>>>>        OPSEC mailing list
>>>>        OPSEC@ietf.org
>>>>        https://www.ietf.o...
>>>>
>>>>
>>>
>>> This communication is the property of Qwest and may contain confidential
>>> or
>>> privileged information. Unauthorized use of this communication is strictly
>>> prohibited and may be unlawful.  If you have received this communication
>>> in error, please immediately notify the sender by reply e-mail and destroy
>>> all copies of the communication and any attachments.
>>> _______________________________________________
>>> OPSEC mailing list
>>> OPSEC@ietf.org
>>> https://www.ietf.org/mailman/listinfo/opsec
>>
>> _______________________________________________
>> OPSEC mailing list
>> OPSEC@ietf.org
>> https://www.ietf.org/mailman/listinfo/opsec
>>

v2.23.0 | Report a Bug | By Email