Re: [OPSEC] charter skeleton rev5
Joel Jaeggli <joelja@bogus.com> Mon, 21 January 2008 03:02 UTC
Return-path: <opsec-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1JGmvu-0000oL-5x; Sun, 20 Jan 2008 22:02:46 -0500
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1JGmvs-0000oF-Jp for opsec@ietf.org; Sun, 20 Jan 2008 22:02:44 -0500
Received: from nagasaki.bogus.com ([147.28.0.81]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1JGmvr-00083I-K0 for opsec@ietf.org; Sun, 20 Jan 2008 22:02:44 -0500
Received: from [192.168.11.104] (c-24-23-195-240.hsd1.mn.comcast.net [24.23.195.240]) (authenticated bits=0) by nagasaki.bogus.com (8.14.1/8.13.8) with ESMTP id m0L32c4O072452; Mon, 21 Jan 2008 03:02:39 GMT (envelope-from joelja@bogus.com)
Message-ID: <47940B48.2050001@bogus.com>
Date: Sun, 20 Jan 2008 19:02:32 -0800
From: Joel Jaeggli <joelja@bogus.com>
User-Agent: Thunderbird 2.0.0.9 (X11/20071115)
MIME-Version: 1.0
To: opsec wg mailing list <opsec@ietf.org>, Merike Kaeo <merike@doubleshotsecurity.com>
Subject: Re: [OPSEC] charter skeleton rev5
References: <47855CF6.9060104@bogus.com> <61EE7556-BFFF-46AD-82F0-A2A9D85E65FB@doubleshotsecurity.com>
In-Reply-To: <61EE7556-BFFF-46AD-82F0-A2A9D85E65FB@doubleshotsecurity.com>
X-Enigmail-Version: 0.95.5
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: ClamAV 0.91.1/5505/Sun Jan 20 23:48:59 2008 on nagasaki.bogus.com
X-Virus-Status: Clean
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 20f22c03b5c66958bff5ef54fcda6e48
Cc:
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: opsec wg mailing list <opsec@ietf.org>
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
Errors-To: opsec-bounces@ietf.org
Merike Kaeo wrote: > I just re-read all discussion from charter skeleton 3 onwards and here > is some input from me: > > - regarding work with other wg's. Can we have a paragraph in the > charter that says something like (and I take some wording from Dan > Roascanu's comment as well as IPPM wg (where I remember this came up > when I was co-chair there): > > " The principal input of the Working Group are operational experience > and needs. The intended output of the wg is to provide guidance to the > operators community as well as to Working Groups that develop protocols > or the community of protocol developers at large to promote consistent > approaches for supporting existing operational security practices and to > promote new approaches where operationally desired. Within the IETF > process, OPsec security practice documents will be subject to as > rigorous a scrutiny for usefulness, clarity, and accuracy as other > protocol standards. The OPsec WG will interact with other areas of IETF > activity whose scope intersect with the requirement of these specific > practices. These include working groups such as BMWG, v6ops, and <insert > others?>". I like the tenor of this, but I am also in favor of compactness, and I think rev 5 is quite attractive in the extent to which it is pared back to a minimalist core. would you consider it incomplete without this sentiment? > - in v6ops there's discussion on > draft-ietf-v6ops-rfc3330-for-ipv6-04.txt .......specific to which > prefixes should get filtered.......we probably want to support/comment > on that work?!? One of the concerns I have with enterprise networks in general but also with forwarding and control plane protection is the congruence of policy between ipv4 and ipv6 configuration. So I would agree and if possible amplify that sentiment. > - Some work items I see as relevant: > > -- IPv6 specific operational security concerns (despite common 'it's no > different than v4' comments) I think there's things like RA > advertisement suppression and some similar things that may need some > consideration. Indeed... Operationally it's easy enough to respond to and mitigate sources of rogue's RA's but can you suppress them a priori without features that may/probably do not exist in your switch platform? Practice wise there's something be said for not relying on RA's when your devices are going to be statically configured. > -- logging document...definitely needs to be included somehow....is Tina > signed up for the work? [I totally am in sync with George's comment a > few weeks ago that getting operator input was tough.......especially as > doc editors.........it is important to get people signed up for the > writing part....and no, I'm not volunteering right now.......] Tina has expressed interest I know she's busy so I have avoided hasseling her. > -- AAA related things...how devices get authenticated to and how > activities get logged/audited > > One thing that I see in practice is that things that are a 'duh - of > course you would do that' is not something that's second nature to all > operators, especially the ones with less experience. And make that > ditto for new equipment vendors. I have a story where I had to explain > a year ago why NTP was important for timestamping of logs :) > Anyhow.....just some thoughts.....sorry for late contribution........ > > - merike > > On Jan 9, 2008, at 3:47 PM, Joel Jaeggli wrote: > >> This version incorporates comments from: >> >> Ron Bonica >> Danny McPherson >> Dan Romascanu >> George Jones >> >> >> ---- >> >> Goals: >> >> The OPSEC WG will document best current practices with regard to network >> security. In particular an effort will be made to clarify the rational >> supporting current operational practice, address gaps in currently >> understood best practices for forwarding, control plane, and management >> plane security and make clear the liabilities inherent in security >> practices where they exist. >> >> Scope: >> >> The scope of the OPSEC WG is intended to include the protection and >> secure operation of the forwarding, control and management planes. >> >> Documentation of best common practices, revision of existing operational >> security practices documents and proposals for new approaches to >> operational challenges are in scope. >> >> Method: >> >> It is expected that the work product of the working group will >> fall into the category of best current practices documents. Taxonomy or >> problem statement documents may provide a basis for best current >> practices documents. >> >> Best Current Practices Document >> >> For each topic addressed, a document will be produced that attempts to >> capture current practices related to secure operation. This will be >> primarily based on operational experience. Each entry will list: >> >> * threats addressed, >> >> * current practices for addressing the threat, >> >> * protocols, tools and technologies extant at the time of >> writing that are used to address the threat, >> >> * the possibility that a solution does not exist within existing tools >> or technologies. >> >> Taxonomy and Problem Statement Documents >> >> A document which attempts to describe the scope of particular >> operational security challenge or problem space without necessarily >> coming to a conclusion or proposing a solution. Such a document might be >> a precursor to a best common practices document. >> >> While the principal input of the Working Group are operational >> experience and needs, the output should be directed both to provide >> guidance to the operators community as well as to Working Groups that >> develop protocols or the community of protocol developers at large, as >> well as to the implementers of these protocols. >> >> Non-Goals: >> >> The Operations security working group is not the place to do new >> protocols or requirements documents. >> >> New protocol development or requirements work should be addressed in a >> working group chartered in the appropriate area or as individual >> submissions. The OPSEC WG may take on documents related to >> the practices of using such work. >> >> >> >> >> >> _______________________________________________ >> OPSEC mailing list >> OPSEC@ietf.org >> https://www1.ietf.org/mailman/listinfo/opsec >> > > > _______________________________________________ > OPSEC mailing list > OPSEC@ietf.org > https://www1.ietf.org/mailman/listinfo/opsec > _______________________________________________ OPSEC mailing list OPSEC@ietf.org https://www1.ietf.org/mailman/listinfo/opsec
- [OPSEC] charter skeleton rev5 Joel Jaeggli
- Re: [OPSEC] charter skeleton rev5 George M Jones
- Re: [OPSEC] charter skeleton rev5 Ron Bonica
- Re: [OPSEC] charter skeleton rev5 Joe Abley
- ICMP filtering (was Re: [OPSEC] charter skeleton … George M Jones
- Re: [OPSEC] charter skeleton rev5 Joel Jaeggli
- Re: ICMP filtering (was Re: [OPSEC] charter skele… John Kristoff
- Re: ICMP filtering (was Re: [OPSEC] charter skele… George M Jones
- Re: ICMP filtering (was Re: [OPSEC] charter skele… Fernando Gont
- Re: ICMP filtering (was Re: [OPSEC] charter skele… Fernando Gont
- Re: ICMP filtering (was Re: [OPSEC] charter skele… Fernando Gont
- RE: ICMP filtering (was Re: [OPSEC] charter skele… Smith, Donald
- RE: ICMP filtering (was Re: [OPSEC] charter skele… Fernando Gont
- RE: [OPSEC] charter skeleton rev5 Smith, Donald
- Re: [OPSEC] charter skeleton rev5 Joe Abley
- RE: [OPSEC] charter skeleton rev5 Smith, Donald
- Re: [OPSEC] charter skeleton rev5 Joe Abley
- Re: [OPSEC] charter skeleton rev5 Joel Jaeggli
- Re: [OPSEC] charter skeleton rev5 George M Jones
- Re: ICMP filtering (was Re: [OPSEC] charter skele… Fernando Gont
- Re: ICMP filtering (was Re: [OPSEC] charter skele… George M Jones
- Re: ICMP filtering (was Re: [OPSEC] charter skele… Fernando Gont
- Re: [OPSEC] charter skeleton rev5 Merike Kaeo
- Re: [OPSEC] charter skeleton rev5 Joel Jaeggli
- Re: [OPSEC] charter skeleton rev5 Merike Kaeo
- Re: ICMP filtering (was Re: [OPSEC] charter skele… Danny McPherson
- Re: ICMP filtering (was Re: [OPSEC] charter skele… George M Jones
- RE: ICMP filtering (was Re: [OPSEC] charter skele… Smith, Donald
- Re: ICMP filtering (was Re: [OPSEC] charter skele… John Kristoff
- RE: ICMP filtering (was Re: [OPSEC] charter skele… Smith, Donald
- RE: ICMP filtering (was Re: [OPSEC] charter skele… Barry Greene (bgreene)
- Re: ICMP filtering (was Re: [OPSEC] charter skele… John Kristoff
- Re: [OPSEC] ICMP filtering (was Re: charter skele… Fernando Gont
- Re: [OPSEC] ICMP filtering (was Re: charter skele… Smith, Donald
- Re: [OPSEC] ICMP filtering (was Re: charter skele… Fernando Gont
- Re: [OPSEC] ICMP filtering (was Re: charter skele… Roland Dobbins
- Re: [OPSEC] ICMP filtering (was Re: charter skele… Fernando Gont
- Re: [OPSEC] ICMP filtering (was Re: charter skele… Roland Dobbins