Re: [OPSEC] Fwd: ID Tracker State Update Notice: <draft-ietf-opsec-protect-control-plane-06.txt>

"Smith, Donald" <Donald.Smith@qwest.com> Fri, 07 January 2011 05:43 UTC

From: "Smith, Donald" <Donald.Smith@qwest.com>
To: Ronald Bonica <rbonica@juniper.net>, George Jones <fooologist@gmail.com>, John Kristoff <jtk@cymru.com>
Date: Thu, 06 Jan 2011 22:43:23 -0700
Cc: "opsec@ietf.org mailing list" <opsec@ietf.org>, Warren Kumari <warren@kumari.net>
Subject: Re: [OPSEC] Fwd: ID Tracker State Update Notice: <draft-ietf-opsec-protect-control-plane-06.txt>

We do that kind of testing :)
Testing methods and practices are nearly forgotten amongst many shops today but we still find enough to do fairly thorough testing (and reap the benefits of it :)


(coffee != sleep) & (!coffee == sleep)
 Donald.Smith@qwest.com

________________________________
From: opsec-bounces@ietf.org [opsec-bounces@ietf.org] On Behalf Of Ronald Bonica [rbonica@juniper.net]
Sent: Thursday, January 06, 2011 1:41 PM
To: George Jones; John Kristoff
Cc: opsec@ietf.org mailing list; Warren Kumari
Subject: Re: [OPSEC] Fwd: ID Tracker State Update Notice: <draft-ietf-opsec-protect-control-plane-06.txt>

Response inline……

From: opsec-bounces@ietf.org [mailto:opsec-bounces@ietf.org] On Behalf Of George Jones
Sent: Tuesday, January 04, 2011 6:34 PM
To: John Kristoff
Cc: opsec@ietf.org mailing list; Warren Kumari
Subject: Re: [OPSEC] Fwd: ID Tracker State Update Notice: <draft-ietf-opsec-protect-control-plane-06.txt>


On Tue, Jan 4, 2011 at 10:22 AM, John Kristoff <jtk@cymru.com> wrote:
On Thu, 23 Dec 2010 15:22:22 -0500
Warren Kumari <warren@kumari.net> wrote:
> So, our active queue is beginning to look very sparse... I have a
> draft that I started writing a while ago that Chris Morrow and Danny
> McPherson have agreed to fix / update (poke...), does anyone have
> anything else that they are working on?
I had started a port filtering draft.  A second revision has been
started, but we haven't spent much time on it lately.  I can endeavor
to get this work going again this week.

 <http://tools.ietf.org/html/draft-kristoff-opsec-port-filtering-00>

This is very important work! Please continue.


Looks like you were tackling the "what to filter and why" + gotchas.   Noble.  Useful.
But if the device just can't do it, not sufficient.

I recommend that you continue on these lines. If the device can’t fulfill your requirements, maybe the RFC will motivate the vendors to enhance the device’s filtering capabilities.


Again, what I had in mind was a series of docs that provide testable security features,
possibly paired with a test methodology.

Before diving into any serious work, though, it would be worth asking the question,
would anybody care/be positively impacted if the docs were finished?

I believe that this would be helpful both to the operator and vendor communities. New operators would learn what to filter. Application and protocol developers would learn what is likely to be filtered.

                           Ron

Does anybody do this sort of testing? Would they? Would a list in the form of RFCs help?

----George Jones
