Re: [OPSEC] noted: draft-dugal-opsec-protect-control-plane-00
"Smith, Donald" <Donald.Smith@qwest.com> Mon, 08 February 2010 16:32 UTC
Return-Path: <Donald.Smith@qwest.com>
X-Original-To: opsec@core3.amsl.com
Delivered-To: opsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8961E28C149 for <opsec@core3.amsl.com>; Mon, 8 Feb 2010 08:32:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DRDajGlGVnb2 for <opsec@core3.amsl.com>; Mon, 8 Feb 2010 08:32:44 -0800 (PST)
Received: from suomp64i.qwest.com (suomp64i.qwest.com [155.70.16.237]) by core3.amsl.com (Postfix) with ESMTP id 5D84428C147 for <opsec@ietf.org>; Mon, 8 Feb 2010 08:32:42 -0800 (PST)
Received: from sudnp796.qintra.com (sudnp796.qintra.com [151.116.2.212]) by suomp64i.qwest.com (8.14.0/8.14.0) with ESMTP id o18GXgns008855; Mon, 8 Feb 2010 10:33:43 -0600 (CST)
Received: from qtdenexhtm21.AD.QINTRA.COM (localhost [127.0.0.1]) by sudnp796.qintra.com (8.14.0/8.14.0) with ESMTP id o18GXRCE003353; Mon, 8 Feb 2010 09:33:37 -0700 (MST)
Received: from qtdenexmbm24.AD.QINTRA.COM ([151.119.91.226]) by qtdenexhtm21.AD.QINTRA.COM ([151.119.91.230]) with mapi; Mon, 8 Feb 2010 09:33:32 -0700
From: "Smith, Donald" <Donald.Smith@qwest.com>
To: Christopher Morrow <morrowc.lists@gmail.com>, "rodunn@cisco.com" <rodunn@cisco.com>
Content-Class: urn:content-classes:message
Date: Mon, 08 Feb 2010 09:33:26 -0700
Thread-Topic: [OPSEC] noted: draft-dugal-opsec-protect-control-plane-00
Thread-Index: AcqmzaCQZaBizM+ZRgSFHe6dGlNU9gCDSbrWAABqNPE=
Message-ID: <619972AE-EB58-4A0B-85B6-3F712F2AEEE5@mimectl>
References: <4B42CE9B.8070505@bogus.com> <20100203224113.2a79333f@t61p> <75cb24521002041924g5cab7594xff7a12e995768831@mail.gmail.com> <4B6CC665.7070909@cisco.com>, <75cb24521002051742n75442ebas365882f7d7bd9bbc@mail.gmail.com>
In-Reply-To: <75cb24521002051742n75442ebas365882f7d7bd9bbc@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
x-mimectl: Produced By Microsoft Exchange V8.1.348.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "opsec@ietf.org" <opsec@ietf.org>
Subject: Re: [OPSEC] noted: draft-dugal-opsec-protect-control-plane-00
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Feb 2010 16:32:45 -0000
I think a counter per rule is the minimum. An snmp trap with the FIRST hit in X minutes with X being defined via configuration would be helpful in that we could notify the NOC of the issue, get them looking at it and could set levels. If an not snmp trap, some way to get the counters exported (netflow, syslog, something) would be helpful. Then if a counter is getting hit it would be nice to be able to "request" additional information something like netflow v5 fields is probably good enough. Log vs count with options for different reporting methods. (coffee != sleep) & (!coffee == sleep) Donald.Smith@qwest.com<mailto:Donald.Smith@qwest.com> ________________________________ From: opsec-bounces@ietf.org [opsec-bounces@ietf.org] On Behalf Of Christopher Morrow [morrowc.lists@gmail.com] Sent: Friday, February 05, 2010 6:42 PM To: rodunn@cisco.com Cc: opsec@ietf.org Subject: Re: [OPSEC] noted: draft-dugal-opsec-protect-control-plane-00 On Fri, Feb 5, 2010 at 8:31 PM, Rodney Dunn <rodunn@cisco.com> wrote: > Thanks a lot for the feedback. We'll go back and see if/where/how we can > work something around that in. > > It is a valid point for sure. > > On a side note...what if there were netflow on the control plane per class > with drop codes in the export data? ;) > sure, seems like netflow would be more heavyweight than the just logging... and I think I'd rather have logs (less sampling I'd hope?) -chris > > On 2/4/10 10:24 PM, Christopher Morrow wrote: >> >> On Wed, Feb 3, 2010 at 11:41 PM, John Kristoff<jtk@cymru.com> wrote: >>> >>> On Mon, 04 Jan 2010 21:31:07 -0800 >>> Joel Jaeggli<joelja@bogus.com> wrote: >>> >>>> I notes with interest today the initial publication of: >>>> >>>> http://tools.ietf.org/html/draft-dugal-opsec-protect-control-plane-00 >>>> >>>> for which I am certain review and feedback would be greatly >>>> appreciated. >>> >>> I realize there is a -01 version of this draft. Nonetheless, this >>> comment still applies. >>> >>> One of the major stumbling blocks in managing control plane filtering >>> in my experience has been when a platform lacks sufficient diagnostic >> >> yes, if you can block/limit it, you MUST be able to log that fact, and >> count that fact. Otherwise it because exceptionally difficult to get a >> tcpdump on that sonet link to your neighbor... >> >>> capability such as control plane filter logging. Perhaps some mention >>> of this in the Design Trade-offs section might include some text >>> highlighting this concern. Rate limiting can be particularly >>> troublesome when "bad" traffic starves the "good". >> >> it might be nice to have special macros for 'bgp neighbors' or 'local >> interfaces' or 'connected networks'. to make configuration management >> easier... of course those could be called 'implementation details' but >> :) >> >> now I'll go read the doc, and hopefully provide some comments. >> >> -Chris >> >>> >>> John >>> >>> _______________________________________________ >>> OPSEC mailing list >>> OPSEC@ietf.org >>> https://www.ietf.org/mailman/listinfo/opsec >>> >> _______________________________________________ >> OPSEC mailing list >> OPSEC@ietf.org >> https://www.ietf.org/mailman/listinfo/opsec > _______________________________________________ OPSEC mailing list OPSEC@ietf.org https://www.ietf.org/mailman/listinfo/opsec ________________________________ This communication is the property of Qwest and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.
- [OPSEC] noted: draft-dugal-opsec-protect-control-… Joel Jaeggli
- Re: [OPSEC] noted: draft-dugal-opsec-protect-cont… Glen Kent
- Re: [OPSEC] noted: draft-dugal-opsec-protect-cont… Smith, Donald
- Re: [OPSEC] noted: draft-dugal-opsec-protect-cont… Rodney Dunn
- Re: [OPSEC] noted: draft-dugal-opsec-protect-cont… Rodney Dunn
- Re: [OPSEC] noted: draft-dugal-opsec-protect-cont… John Kristoff
- Re: [OPSEC] noted: draft-dugal-opsec-protect-cont… Christopher Morrow
- Re: [OPSEC] noted: draft-dugal-opsec-protect-cont… Rodney Dunn
- Re: [OPSEC] noted: draft-dugal-opsec-protect-cont… Christopher Morrow
- Re: [OPSEC] noted: draft-dugal-opsec-protect-cont… John Kristoff
- Re: [OPSEC] noted: draft-dugal-opsec-protect-cont… Smith, Donald