Re: [OPSEC] noted: draft-dugal-opsec-protect-control-plane-00

Christopher Morrow <morrowc.lists@gmail.com> Fri, 05 February 2010 03:23 UTC


On Wed, Feb 3, 2010 at 11:41 PM, John Kristoff <jtk@cymru.com> wrote:
> On Mon, 04 Jan 2010 21:31:07 -0800
> Joel Jaeggli <joelja@bogus.com> wrote:
>
>> I noted with interest today the initial publication of:
>>
>> http://tools.ietf.org/html/draft-dugal-opsec-protect-control-plane-00
>>
>> for which I am certain review and feedback would be greatly
>> appreciated.
>
> I realize there is a -01 version of this draft.  Nonetheless, this
> comment still applies.
>
> One of the major stumbling blocks in managing control plane filtering
> in my experience has been when a platform lacks sufficient diagnostic

yes, if you can block/limit it, you MUST be able to log that fact, and
count that fact. Otherwise it becomes exceptionally difficult to get a
tcpdump on that SONET link to your neighbor...

> capability such as control plane filter logging.  Perhaps some mention
> of this in the Design Trade-offs section might include some text
> highlighting this concern.  Rate limiting can be particularly
> troublesome when "bad" traffic starves the "good".

it might be nice to have special macros for 'bgp neighbors' or 'local
interfaces' or 'connected networks' to make configuration management
easier... of course those could be called 'implementation details' but
:)

now I'll go read the doc, and hopefully provide some comments.

-Chris

>
> John
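As an added illustration of the two points raised above (not code from the thread or from the draft): a small Python model of control-plane policing that always counts permits/drops per traffic class and logs every drop, run once with a single shared limiter and once with a separate 'bgp neighbors' class. The peer addresses, traffic mix and rate/burst values are constructed assumptions.

```python
from collections import defaultdict

# Constructed neighbour set (RFC 5737 addresses); a vendor 'bgp neighbors' macro
# would fill this from the router's own BGP configuration.
BGP_PEERS = {"192.0.2.1", "192.0.2.2"}

class TokenBucket:
    """Token bucket: `rate` packets/s, `burst` packets stored; clock in integer ms."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last_ms = rate, burst, float(burst), 0
    def allow(self, now_ms):
        self.tokens = min(self.burst, self.tokens + (now_ms - self.last_ms) * self.rate / 1000)
        self.last_ms = now_ms
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def classify(pkt):
    """Classify like a 'bgp neighbors' macro would: known peer address AND port 179."""
    return "bgp-neighbors" if pkt["src"] in BGP_PEERS and pkt["dport"] == 179 else "other"

class ControlPlanePolicer:
    """Polices punted packets: counts permit/drop per class and logs every drop."""
    def __init__(self, limits):
        self.buckets = {c: TokenBucket(r, b) for c, (r, b) in limits.items()}
        self.counters = defaultdict(lambda: {"permit": 0, "drop": 0})
        self.drop_log = []  # (time_ms, class, src): the evidence the operator needs
    def process(self, pkt, now_ms):
        cls = classify(pkt)
        bucket = self.buckets.get(cls) or self.buckets["all"]  # "all" = one shared limiter
        if bucket.allow(now_ms):
            self.counters[cls]["permit"] += 1
        else:
            self.counters[cls]["drop"] += 1
            self.drop_log.append((now_ms, cls, pkt["src"]))

def run_scenario(limits):
    """Constructed load: every 10 ms, 50 flood packets to port 179, then one real BGP packet."""
    policer = ControlPlanePolicer(limits)
    for tick in range(100):
        now_ms = tick * 10
        for i in range(50):
            policer.process({"src": f"203.0.113.{i}", "dport": 179}, now_ms)
        policer.process({"src": "192.0.2.1", "dport": 179}, now_ms)
    return policer

def starved_classes(policer):
    """Classes whose drops exceed permits; a non-empty result for a trusted class is the alarm."""
    return sorted(c for c, n in policer.counters.items() if n["drop"] > n["permit"])
```

With `run_scenario({"all": (100, 20)})` the flood starves the real BGP session (100 drops, 0 permits) and only the per-class counters and drop log reveal it; with `{"bgp-neighbors": (200, 20), "other": (100, 20)}` the neighbour class is never dropped.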