Re: [OPSEC] OPSEC control plane protection draft

"Smith, Donald" <Donald.Smith@qwest.com> Tue, 17 August 2010 15:29 UTC

From: "Smith, Donald" <Donald.Smith@qwest.com>
To: 'Christopher Morrow' <morrowc.lists@gmail.com>, "'rodunn@cisco.com'" <rodunn@cisco.com>
Date: Tue, 17 Aug 2010 09:30:15 -0600
Thread-Topic: [OPSEC] OPSEC control plane protection draft
Thread-Index: Acs9r7pt/v6zn+1RQhOkR4PDhs7HXwAcFy8w
Message-ID: <B01905DA0C7CDC478F42870679DF0F10091D90BD71@qtdenexmbm24.AD.QINTRA.COM>
References: <45c8c21a1003260906j41580868p12466e6ed42ef3d0@mail.gmail.com> <4BACE777.3010000@juniper.net> <ba2fbc6f1003261027u5c62b7b4od135d00144a83a02@mail.gmail.com> <B01905DA0C7CDC478F42870679DF0F10091D90BD15@qtdenexmbm24.AD.QINTRA.COM> <4C69E72F.6090608@cisco.com> <AANLkTikJHA8O4EbL43nHGYfEdt2k0-V0Tv2uy390soeD@mail.gmail.com>
In-Reply-To: <AANLkTikJHA8O4EbL43nHGYfEdt2k0-V0Tv2uy390soeD@mail.gmail.com>
Cc: "'draft-dugal-opsec-protect-control-plane@tools.ietf.org'" <draft-dugal-opsec-protect-control-plane@tools.ietf.org>, "'opsec@ietf.org'" <opsec@ietf.org>
Subject: Re: [OPSEC] OPSEC control plane protection draft
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>

While difficult to get right, leaving a hole to allow "unknown stuff" to go to the control plane is counter-intuitive if we are talking about protecting the control plane.

When I write about mitigations for router vulnerabilities within our network, one of the things I often include in the mitigations is the fact that the services and control plane of the routers are locked down. Almost locked down, with a hole that may or may not allow something that could trigger the vulnerability, is not as good :)

This is one of the reasons we had that whole logging of exceptions/dropped traffic discussion a while back.
Not just a counter, but actual logging (sampled is OK, syslog or SNMP is OK ... but some logging of traffic similar to a NetFlow record would be helpful).

(coffee != sleep) & (!coffee == sleep)
Donald.Smith@qwest.com gcia

> -----Original Message-----
> From: christopher.morrow@gmail.com
> [mailto:christopher.morrow@gmail.com] On Behalf Of Christopher Morrow
> Sent: Monday, August 16, 2010 7:59 PM
> To: rodunn@cisco.com
> Cc: Smith, Donald;
> draft-dugal-opsec-protect-control-plane@tools.ietf.org; opsec@ietf.org
> Subject: Re: [OPSEC] OPSEC control plane protection draft
>
> On Mon, Aug 16, 2010 at 9:34 PM, Rodney Dunn <rodunn@cisco.com> wrote:
> > Donald,
> >
> > First thanks for the comment. It's a good one. We actually originally had it
> > with a default drop for the all IP and default classes. However, after a
> > good bit of discussion we (both Cisco and Juniper) felt that we should
> > soften it up just a bit. We agreed to add the explicit match for the ALLIP
> > class so it could be monitored and then tightened down further.
> >
> > We realized there were various opinions on how that should be done.
>
> can we get a 'first verify complete COPP coverage, then deny all
> remaining traffic with $INSERT_PROPER_DENY_HERE' paragraph?
>
> It sounds like someone with a legal degree got to your final
> recommendation :) that, operationally, leaves the network with a hole
> to plug, and I can guarantee that someone with a scanning virus is
> gonna fill it for you :(
>
> -chris
>
> > ie:
> >
> > http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html
> >
> >
> > Thanks,
> > Rodney
> >
> >
> >
> >
> >
> > On 8/16/10 5:16 PM, Smith, Donald wrote:
> >>
> >> For undesirables in JTK's paper here he specifically did a deny ip any any
> >> at the end of the cpp policy for that.
> >>
> >> http://aharp.ittns.northwestern.edu/papers/copp.html
> >>
> >> The default term for Juniper is log and discard.
> >>
> >> There isn't a deny ip any any in the draft.
> >>
> >>
> >>
> >> (coffee != sleep) & (!coffee == sleep)
> >> Donald.Smith@qwest.com gcia
> >>
> >>> -----Original Message-----
> >>> From: opsec-bounces@ietf.org [mailto:opsec-bounces@ietf.org]
> >>> On Behalf Of Rob Bird
> >>> Sent: Friday, March 26, 2010 11:28 AM
> >>> To: David Dugal
> >>> Cc: draft-dugal-opsec-protect-control-plane@tools.ietf.org;
> >>> opsec@ietf.org
> >>> Subject: Re: [OPSEC] OPSEC control plane protection draft
> >>>
> >>> This is most excellent. I was just advising a customer this
> >>> morning on this very issue (again).
> >>>
> >>> I look forward to working on this.
> >>> Rob
> >>>
> >>> -
> >>> Rob Bird, Chief Technology Officer
> >>> Red Lambda, Inc.
> >>> "Network security at global scale"
> >>> www.redlambda.com
> >>>
> >>>       On Mar 26, 2010 1:03 PM, "David Dugal"
> >>> <ddugal@juniper.net>  wrote:
> >>>
> >>>       -----BEGIN PGP SIGNED MESSAGE-----
> >>>       Hash: SHA1
> >>>
> >>>       Hi Richard.
> >>>
> >>>       Thank you very much for the scrutiny, analysis and feedback.  As
> >>>       mentioned during my brief presentation, our hope is that this
> >>>       recommendation by example will provide awareness of a possible attack
> >>>       surface occasionally overlooked, especially by smaller or newer
> >>>       installations.
> >>>
> >>>       I appreciate the feedback and will enhance the draft to make reference
> >>>       to cryptographic security, as well as attempt to make the document IP
> >>>       version agnostic.
> >>>
> >>>       Thank you for your support, both in carefully reading the document, and
> >>>       for your willingness to have our draft taken under the OPSEC WG wing.
> >>>
> >>>       - ---
> >>>       David G. Dugal                           Support: +1-408-745-9500
> >>>       Security Incident Response Team          Direct:  +1-978-589-0719
> >>>       Juniper Networks                         Mobile:  +1-603-377-1162
> >>>       Westford, MA, USA                        PGP Key: 0xAB6E02A5
> >>>
> >>>
> >>>       On Fri Mar 26 2010 09:06:40 GMT-0700 (Pacific Daylight Time), Richard
> >>>       Graveman <rfgraveman@gmail.com> proclaimed ...
> >>>
> >>>
> >>>       >  David,
> >>>       >
> >>>       >  I read the draft carefully after the meeting and
> >>> realize that my
> >>>       >  comments missed the...
> >>>
> >>>       >  .
> >>>       >
> >>>       -----BEGIN PGP SIGNATURE-----
> >>>       Version: GnuPG v1.4.10 (MingW32)
> >>>
> >>>
> >>>       iEYEARECAAYFAkus53cACgkQh59lzatuAqVE9wCgh53mgxNRPWUztlI27aOITHRr
> >>>       2zMAoPb5y3phm260P1zSoDu0LSbUjNcN
> >>>       =kitD
> >>>       -----END PGP SIGNATURE-----
> >>>
> >>>
> >>>       _______________________________________________
> >>>       OPSEC mailing list
> >>>       OPSEC@ietf.org
> >>>       https://www.ietf.o...
> >>>
> >>>
> >>
> >> This communication is the property of Qwest and may
> contain confidential
> >> or
> >> privileged information. Unauthorized use of this
> communication is strictly
> >> prohibited and may be unlawful.  If you have received this
> communication
> >> in error, please immediately notify the sender by reply
> e-mail and destroy
> >> all copies of the communication and any attachments.
> >
>

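The two positions in this thread (Rodney's "explicit ALLIP class so it can be monitored, then tightened" and Chris's "verify coverage first, then deny everything remaining") are really two stages of one policy. The following Cisco IOS MQC fragment is an added illustration written for this archive; it is not taken from the draft, the Cisco whitepaper, or JTK's paper. The class set is trimmed to BGP plus a Layer-2 class for readability, the 192.0.2.x addresses are documentation placeholders, the rate and burst values are arbitrary, and the exact commands (in particular `match protocol arp` and the ACL-logging rate limiters) should be verified on the target platform.

```cisco
! ===== Stage 1: coverage check (the draft's "softened" shape) =====
! Every protocol that legitimately reaches the control plane gets its own
! class. Whatever is left lands in COPP-ALLIP, which is still TRANSMITTED
! here, but policed and counted so it can be watched before it is closed.
ip access-list extended COPP-BGP
 remark placeholder: peer 192.0.2.2, local 192.0.2.1 (RFC 5737 prefix)
 permit tcp host 192.0.2.2 host 192.0.2.1 eq bgp
 permit tcp host 192.0.2.2 eq bgp host 192.0.2.1
!
ip access-list extended COPP-ALLIP
 permit ip any any
!
class-map match-all COPP-BGP
 match access-group name COPP-BGP
! Non-IP control traffic (ARP) is never matched by an IP ACL; give it a
! class of its own so class-default does not become a second hidden hole.
class-map match-all COPP-ARP
 match protocol arp
class-map match-all COPP-ALLIP
 match access-group name COPP-ALLIP
!
policy-map COPP
 class COPP-BGP
  police 512000 8000 conform-action transmit exceed-action drop
 class COPP-ARP
  police 64000 2000 conform-action transmit exceed-action drop
 class COPP-ALLIP
  police 8000 1500 conform-action transmit exceed-action drop
 class class-default
  police 8000 1500 conform-action drop exceed-action drop
!
control-plane
 service-policy input COPP
!
! Watch the catch-all over a full maintenance cycle. Conformed packets in
! this class are traffic the explicit classes do not yet describe:
!   show policy-map control-plane input class COPP-ALLIP
!
! ===== Stage 2: close the hole =====
! Only after COPP-ALLIP shows nothing you are unwilling to lose. The class
! now drops in both directions, and the ACL entry is logged so a sampled
! record of what was discarded survives (counters alone do not say what
! was knocking). ACL logging is CPU-bound, so it is rate-limited.
ip access-list extended COPP-ALLIP
 no permit ip any any
 permit ip any any log
!
ip access-list logging interval 1000
ip access-list log-update threshold 100
!
policy-map COPP
 class COPP-ALLIP
  police 8000 1500 conform-action drop exceed-action drop
```

The Stage 1 policy is exactly the shape Chris objects to: COPP-ALLIP conforms to transmit, so a scanner probing an unlisted port still reaches the route processor, just slowly. Stage 2 is the "deny ip any any at the end" Donald describes, implemented with the police action rather than an ACL deny (an ACL deny in CoPP only excludes the packet from that class, it does not drop it). On Junos the same closing step is the `term default` with `then { count <name>; log; discard; }` on the lo0 filter; its `log` action writes to the small buffer shown by `show firewall log`, which, like sampled IOS ACL logging, gives per-packet evidence but still not the flow-style record asked for in the message above.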