Re: [OPSEC] OPSEC control plane protection draft

["Smith, Donald" <Donald.Smith@qwest.com>]

(coffee != sleep) & (!coffee == sleep)
Donald.Smith@qwest.com gcia

> -----Original Message-----
> From: Rodney Dunn [mailto:rodunn@cisco.com]
> Sent: Tuesday, August 17, 2010 2:06 PM
> To: Christopher Morrow
> Cc: Smith, Donald; opsec@ietf.org; opsec@ietf.org
> Subject: Re: [OPSEC] OPSEC control plane protection draft
>
> We agree that the end goal should be to lock the device down
> to the most
> granular degree possible. We made an effort to highlight that
> at various
> places in the document. I like your suggestion to add an additional
> paragraph specifically highlighting the importance of getting
> to a point
> where the default traffic would be a drop. Could you review the
> paragraph below between *-*'s and make suggestions to wording if it's
> not explicit or clear enough?
>
> Thanks,
> Rodney
>
> Some references already in the document are...
>
> ie: Section 3.2 Filter Design
>
> ..By adjusting the granularity and order of the filters more
>     granular forensics can be performed...
>
> In addition to the filters, rate-limiters for certain classes of
>     traffic are also installed in the forwarding plane as defined in
>     Section 3.1.  These rate limiters help futher control the traffic
>     that will reach the control plane for each filtered class
> as well as
>     all traffic not matching an explicit class.  The actual rates
>     selected for various classes is network deployment specific and
>     analysis of required rates for stability should be done
> periodically.
>
> and the note for the catch all:
>
> Syntactically, these filters explicitly define "allowed" traffic
>     (including IP addresses, protocols, and ports), define acceptable
>     actions for these acceptable traffic profiles (e.g., rate-limit or
>     simply permit the traffic), and then drop to the bit bucket all
>     traffic destined to the router control plane that is not
> within the
>     specifications of the policy definition.
>
>
> and in Section 3.3 we wanted to articulate the importance of
> locking it
> down as granular as possible:
>
> ...The goal of the method for protecting the router control
> plane is to
>     minimize the possibility for disruptions by reducing the
> vulnerable
>     surface.  The latter is inversely proportional to the
> granularity of
>     the filter design.  The finer the granularity of the filter design
>     (e.g., isolating a more targeted subset of traffic from
> the rest of
>     the policed traffic, or isolating valid source addresses into a
>     different class or classes) the smaller the probability of
>     disruption.
> ...
>
> What about if we add this in the Design
> Trade-Off section to address the concern so we will be more precise.
>
> *In addition to the traffic matching explicit classes care should be
> taken on the policy decision that governs the handling of
> traffic that
> would fall through the policy.
Do we need to say that by convention there is no default deny at the end of a cpp policy?



>Typically that traffic is
> referred to as
> traffic falling in the default class. It may also be traffic that
into the default ...
> matches a generic protocol specific class where previous classes that
> have more granular matching did not match all packets for
> that specific
> protocol. The ideal policy would have explicit classes to
> match only the
> traffic specifically required at the control plane and drop all other
> traffic. This approach requires rigorous traffic pattern
> identification
> such that a default drop policy does not break existing
> functionality of
> the device. The approach defined in this document allows the default
> traffic and rate limits it rather than just dropping it. This
> approach
> was highlighted as a way to give time to the implementer to
> evaluate the
> traffic in a production scenario prior to dropping all traffic not
> explicitly matched and permitted. However, it is highly
> recommended that
> after monitoring the traffic matching the default class
> explicit classes
> should be defined such that the default class could be configured to
> drop traffic falling through the policy.*

Can we add a COMMENTED OUT deny ip any any in the default policy with a
"do not enable until throughly tested in production ..." type statement.

>
>
> Rodney
>
>
>
> On 8/16/10 9:58 PM, Christopher Morrow wrote:
> > On Mon, Aug 16, 2010 at 9:34 PM, Rodney
> Dunn<rodunn@cisco.com>  wrote:
> >> Donald,
> >>
> >> First thanks for the comment. It's a good one. We actually
> originally had it
> >> with a default drop for the all IP and default classes.
> However, after a
> >> good bit of discussion we (both Cisco and Juniper) felt
> that we should
> >> soften it up just a bit. We agreed to add the explicit
> match for the ALLIP
> >> class so it could be monitored and then tightened down further.
> >>
> >> We realized there were various opinions on how that should be done.
> >
> > can we get a 'first verify complete COPP coverage, then deny all
> > remaining traffic with $INSERT_PROPER_DENY_HERE' paragraph?
> >
> > It sounds like someone with a legal degree got to your final
> > recommendation :) that, operationally, leaves the network
> with a whole
> > to plug, and I can guarantee that someone with a scanning virus is
> > gonna fill it for you :(
> >
> > -chris
> >
> >> ie:
> >>
> >> http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html
> >>
> >>
> >> Thanks,
> >> Rodney
> >>
> >>
> >>
> >>
> >>
> >> On 8/16/10 5:16 PM, Smith, Donald wrote:
> >>>
> >>> For undesirables in JTK's paper here he specifically did
> a deny ip any any
> >>> at the end of the cpp policy for that.
> >>>
> >>> http://aharp.ittns.northwestern.edu/papers/copp.html
> >>>
> >>> The default term for juniper is log and discard.
> >>>
> >>> There isn't a deny ip any any in the draft.
> >>>
> >>>
> >>>
> >>> (coffee != sleep)&    (!coffee == sleep)
> >>> Donald.Smith@qwest.com gcia
> >>>
> >>>> -----Original Message-----
> >>>> From: opsec-bounces@ietf.org [mailto:opsec-bounces@ietf.org]
> >>>> On Behalf Of Rob Bird
> >>>> Sent: Friday, March 26, 2010 11:28 AM
> >>>> To: David Dugal
> >>>> Cc: draft-dugal-opsec-protect-control-plane@tools.ietf.org;
> >>>> opsec@ietf.org
> >>>> Subject: Re: [OPSEC] OPSEC control plane protection draft
> >>>>
> >>>> This is most excellent. I was just advising a customer this
> >>>> morning on this very issue (again).
> >>>>
> >>>> I look forward to working on this.
> >>>> Rob
> >>>>
> >>>> -
> >>>> Rob Bird, Chief Technology Officer
> >>>> Red Lambda, Inc.
> >>>> "Network security at global scale"
> >>>> www.redlambda.com
> >>>>
> >>>>        On Mar 26, 2010 1:03 PM, "David Dugal"
> >>>> <ddugal@juniper.net>    wrote:
> >>>>
> >>>>        -----BEGIN PGP SIGNED MESSAGE-----
> >>>>        Hash: SHA1
> >>>>
> >>>>        Hi Richard.
> >>>>
> >>>>        Thank you very much for the scrutiny, analysis
> and feedback.  As
> >>>>        mentioned during my brief presentation, our hope
> is that this
> >>>>        recommendation by example will provide awareness of a
> >>>> possible attack
> >>>>        surface occasionally overlooked, especially by
> smaller or newer
> >>>>        installations.
> >>>>
> >>>>        I appreciate the feedback and will enhance the draft to
> >>>> make reference
> >>>>        to cryptographic security, as well as attempt to make
> >>>> the document IP
> >>>>        version agnostic.
> >>>>
> >>>>        Thank you for your support, both in carefully reading
> >>>> the document, and
> >>>>        for your willingness to have our draft taken under the
> >>>> OPSEC WG wing.
> >>>>
> >>>>        - ---
> >>>>        David G. Dugal                           Support:
> >>>> +1-408-745-9500
> >>>>        Security Incident Response Team          Direct:
> >>>> +1-978-589-0719
> >>>>        Juniper Networks                         Mobile:
> >>>> +1-603-377-1162
> >>>>        Westford, MA, USA                        PGP Key:
> 0xAB6E02A5
> >>>>
> >>>>
> >>>>        On Fri Mar 26 2010 09:06:40 GMT-0700 (Pacific Daylight
> >>>> Time), Richard
> >>>>        Graveman<rfgraveman@gmail.com>    proclaimed ...
> >>>>
> >>>>
> >>>>        >    David,
> >>>>        >
> >>>>        >    I read the draft carefully after the meeting and
> >>>> realize that my
> >>>>        >    comments missed the...
> >>>>
> >>>>        >    .
> >>>>        >
> >>>>        -----BEGIN PGP SIGNATURE-----
> >>>>        Version: GnuPG v1.4.10 (MingW32)
> >>>>
> >>>>
> iEYEARECAAYFAkus53cACgkQh59lzatuAqVE9wCgh53mgxNRPWUztlI27aOITHRr
> >>>>        2zMAoPb5y3phm260P1zSoDu0LSbUjNcN
> >>>>        =kitD
> >>>>        -----END PGP SIGNATURE-----
> >>>>
> >>>>
> >>>>        _______________________________________________
> >>>>        OPSEC mailing list
> >>>>        OPSEC@ietf.org
> >>>>        https://www.ietf.o...
> >>>>
> >>>>
> >>>
> >>> This communication is the property of Qwest and may
> contain confidential
> >>> or
> >>> privileged information. Unauthorized use of this
> communication is strictly
> >>> prohibited and may be unlawful.  If you have received
> this communication
> >>> in error, please immediately notify the sender by reply
> e-mail and destroy
> >>> all copies of the communication and any attachments.
> >>> _______________________________________________
> >>> OPSEC mailing list
> >>> OPSEC@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/opsec
> >>
> >> _______________________________________________
> >> OPSEC mailing list
> >> OPSEC@ietf.org
> >> https://www.ietf.org/mailman/listinfo/opsec
> >>
>

This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly
prohibited and may be unlawful.  If you have received this communication
in error, please immediately notify the sender by reply e-mail and destroy
all copies of the communication and any attachments.