Re: [OPSEC] OPSEC control plane protection draft
Christopher Morrow <morrowc.lists@gmail.com> Wed, 08 September 2010 04:10 UTC
Return-Path: <christopher.morrow@gmail.com>
X-Original-To: opsec@core3.amsl.com
Delivered-To: opsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 931203A692B for <opsec@core3.amsl.com>; Tue, 7 Sep 2010 21:10:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.67
X-Spam-Level:
X-Spam-Status: No, score=-100.67 tagged_above=-999 required=5 tests=[AWL=-0.671, BAYES_50=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wl6+U2ns4vpi for <opsec@core3.amsl.com>; Tue, 7 Sep 2010 21:10:22 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by core3.amsl.com (Postfix) with ESMTP id F11EB3A6AEA for <opsec@ietf.org>; Tue, 7 Sep 2010 21:10:21 -0700 (PDT)
Received: by iwn3 with SMTP id 3so6844384iwn.31 for <opsec@ietf.org>; Tue, 07 Sep 2010 21:10:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:sender:received :in-reply-to:references:date:x-google-sender-auth:message-id:subject :from:to:cc:content-type:content-transfer-encoding; bh=9leD1TiB6hP1um8/vJVhNjYdqlyUdAJSPxxOGoldCyg=; b=wamLZ18uWFh5+LpgR06E0RBLf4cJXvulM93aowuXZEYm4ANRJam5J4mXYEkPHXUfQY nIvFtPAKgCg9aDIv9Amkbx3LJaMARLXMG8EuSFMRNmzXrICFXIk6o0Z3on4vh8dxMPXk H8rbHAqeSq+3wK/y8RZNfHWJEo5J/txH1hwJ8=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :content-transfer-encoding; b=fzlj/bJ9Qptwt6GYhPlXG0EVSW/jP7UcyXXHkE1eLWMvmVNroDVBl9xxqoWWvy8wLx de6EETo2QQ7ep3wUB0pKq7mMH81vGN7WjbWBrufRNig1+jfS314y9cOxkPUAEA21UPo5 F508Un7OTchEE5Za3CnG4aCcJZUWftwDGGJPI=
MIME-Version: 1.0
Received: by 10.231.11.9 with SMTP id r9mr7826033ibr.47.1283919049889; Tue, 07 Sep 2010 21:10:49 -0700 (PDT)
Sender: christopher.morrow@gmail.com
Received: by 10.231.117.155 with HTTP; Tue, 7 Sep 2010 21:10:49 -0700 (PDT)
In-Reply-To: <B01905DA0C7CDC478F42870679DF0F10091D90C043@qtdenexmbm24.AD.QINTRA.COM>
References: <45c8c21a1003260906j41580868p12466e6ed42ef3d0@mail.gmail.com> <4BACE777.3010000@juniper.net> <ba2fbc6f1003261027u5c62b7b4od135d00144a83a02@mail.gmail.com> <B01905DA0C7CDC478F42870679DF0F10091D90BD15@qtdenexmbm24.AD.QINTRA.COM> <4C69E72F.6090608@cisco.com> <AANLkTikJHA8O4EbL43nHGYfEdt2k0-V0Tv2uy390soeD@mail.gmail.com> <4C6AEB97.2010501@cisco.com> <B01905DA0C7CDC478F42870679DF0F10091D90BDD9@qtdenexmbm24.AD.QINTRA.COM> <4C6AF600.8030504@cisco.com> <4C6D9725.4080505@cisco.com> <B01905DA0C7CDC478F42870679DF0F10091D90C043@qtdenexmbm24.AD.QINTRA.COM>
Date: Wed, 08 Sep 2010 00:10:49 -0400
X-Google-Sender-Auth: _juipV9nwRoAOYdvG0fLi639s8E
Message-ID: <AANLkTi=Ym59n9tnct5QiLM1FiY9BXYJ=9QO6PDiHYRLK@mail.gmail.com>
From: Christopher Morrow <morrowc.lists@gmail.com>
To: "Smith, Donald" <Donald.Smith@qwest.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: "opsec@ietf.org" <opsec@ietf.org>
Subject: Re: [OPSEC] OPSEC control plane protection draft
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Sep 2010 04:10:28 -0000
X-List-Received-Date: Wed, 08 Sep 2010 04:10:28 -0000
On Thu, Aug 19, 2010 at 5:18 PM, Smith, Donald <Donald.Smith@qwest.com> wrote: > Rodney, this looks good to me. You have addressed all of my concerns. > Thank you. me as well, and thanks! > > (coffee != sleep) & (!coffee == sleep) > Donald.Smith@qwest.com gcia > >> -----Original Message----- >> From: Rodney Dunn [mailto:rodunn@cisco.com] >> Sent: Thursday, August 19, 2010 2:42 PM >> To: rodunn@cisco.com >> Cc: Smith, Donald; 'opsec@ietf.org' >> Subject: Re: [OPSEC] OPSEC control plane protection draft >> >> The current proposal on the table is the additional paragraph >> in Section >> 3.3 "Design Trade-offs" section to add the following >> paragraph between >> *-*'s. The purpose of this paragraph is to highlight that the >> end goal >> would be to have a COPP policy that is as explicit as >> possible on what >> to permit and dropping all other traffic. Does the list agree >> that this >> paragraph accurately reflects that desire? >> >> >> Section 3.3 "Design Trade-offs" >> >> >> ... >> The goal of the method for protecting the router control plane is to >> minimize the possibility for disruptions by reducing the vulnerable >> surface. The latter is inversely proportional to the granularity of >> the filter design. The finer the granularity of the filter design >> (e.g., isolating a more targeted subset of traffic from the rest of >> the policed traffic, or isolating valid source addresses into a >> different class or classes) the smaller the probability of >> disruption. >> >> *In addition to the traffic matching explicit classes care should be >> taken on the policy decision that governs the handling of >> traffic that >> would fall through the policy. Typically that traffic is >> referred to as >> traffic that gets matched in a default class. It may also be traffic >> that matches a protocol specific class where previous classes >> that have >> more granular matching did not match all packets for that specific >> protocol. The ideal policy would have explicit classes to >> match only the >> traffic specifically required at the control plane and drop all other >> traffic that does not mach a predefined class. As most vendor >> implementations permit all traffic hitting the default class >> an explicit >> drop action would need to be configured in the policy such that the >> traffic hitting that default class would be dropped versus >> permitted and >> then delivered to the control plane. This approach requires rigorous >> traffic pattern identification such that a default drop >> policy does not >> break existing functionality of the device. The approach >> defined in this >> document allows the default traffic and rate limits it rather >> than just >> dropping it. This approach was highlighted as a way to give >> time for the >> implementer to evaluate the traffic in a production scenario prior to >> dropping all traffic not explicitly matched and permitted. >> However, it >> is highly recommended that after monitoring the traffic matching the >> default class that explicit classes be defined to catch the >> legitimate >> traffic. After all legitimate traffic is being explicitly matched the >> default class should be configured to drop any remaining traffic. * >> >> >> Additionally, the baselining and monitoring of traffic flows to the >> router's control plane are critical in determining both the rates and >> granularity of the policies being applied. This is important to >> validate the existing policies and rules or update them as the >> network evolves and its traffic dynamics change. Some possible ways >> to achieve this include individual policy counters that can be >> exported or retrieved for example via SNMP, and logging of filtering >> actions. >> >> .... >> >> >> >> >> On 8/17/10 4:50 PM, Rodney Dunn wrote: >> > >> >>> What about if we add this in the Design >> >>> Trade-Off section to address the concern so we will be >> more precise. >> >>> >> >>> *In addition to the traffic matching explicit classes >> care should be >> >>> taken on the policy decision that governs the handling of >> >>> traffic that >> >>> would fall through the policy. >> >> Do we need to say that by convention there is no default >> deny at the >> >> end of a cpp policy? >> >> >> >> >> > >> > Another good catch...how about this: >> > >> > ....Typically that traffic is referred to as traffic falling in the >> > default class. It may also be traffic that matches a >> generic protocol >> > specific class where previous classes that have more >> granular matching >> > did not match all packets for that specific protocol. The >> ideal policy >> > would have explicit classes to match only the traffic specifically >> > required at the control plane and drop all other traffic. *As most >> > vendor implementations permit all traffic hitting the >> default class an >> > explicit drop action would need to be configured in the >> policy such that >> > the traffic hitting that default class would be dropped versus being >> > delivered up to the control plane.* This approach requires rigorous >> > traffic pattern identification such that a default drop >> policy does not >> > break existing functionality of the device..... >> > >> > >> > >> >>> after monitoring the traffic matching the default class >> >>> explicit classes >> >>> should be defined such that the default class could be >> configured to >> >>> drop traffic falling through the policy.* >> >> >> >> Can we add a COMMENTED OUT deny ip any any in the default >> policy with a >> >> "do not enable until throughly tested in production ..." >> type statement. >> >> >> > >> > I would prefer we cover it in the text section because that >> would make >> > it harder to link the Legitimate Traffic (Section 3.1) >> definition to the >> > actual configuration in the document. >> > >> > Rodney >> > >> > >> >>> >> >>> >> >>> Rodney >> >>> >> >>> >> >>> >> >>> On 8/16/10 9:58 PM, Christopher Morrow wrote: >> >>>> On Mon, Aug 16, 2010 at 9:34 PM, Rodney >> >>> Dunn<rodunn@cisco.com> wrote: >> >>>>> Donald, >> >>>>> >> >>>>> First thanks for the comment. It's a good one. We actually >> >>> originally had it >> >>>>> with a default drop for the all IP and default classes. >> >>> However, after a >> >>>>> good bit of discussion we (both Cisco and Juniper) felt >> >>> that we should >> >>>>> soften it up just a bit. We agreed to add the explicit >> >>> match for the ALLIP >> >>>>> class so it could be monitored and then tightened down further. >> >>>>> >> >>>>> We realized there were various opinions on how that >> should be done. >> >>>> >> >>>> can we get a 'first verify complete COPP coverage, then deny all >> >>>> remaining traffic with $INSERT_PROPER_DENY_HERE' paragraph? >> >>>> >> >>>> It sounds like someone with a legal degree got to your final >> >>>> recommendation :) that, operationally, leaves the network >> >>> with a whole >> >>>> to plug, and I can guarantee that someone with a >> scanning virus is >> >>>> gonna fill it for you :( >> >>>> >> >>>> -chris >> >>>> >> >>>>> ie: >> >>>>> >> >>>>> >> http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html >> >>>>> >> >>>>> >> >>>>> Thanks, >> >>>>> Rodney >> >>>>> >> >>>>> >> >>>>> >> >>>>> >> >>>>> >> >>>>> On 8/16/10 5:16 PM, Smith, Donald wrote: >> >>>>>> >> >>>>>> For undesirables in JTK's paper here he specifically did >> >>> a deny ip any any >> >>>>>> at the end of the cpp policy for that. >> >>>>>> >> >>>>>> http://aharp.ittns.northwestern.edu/papers/copp.html >> >>>>>> >> >>>>>> The default term for juniper is log and discard. >> >>>>>> >> >>>>>> There isn't a deny ip any any in the draft. >> >>>>>> >> >>>>>> >> >>>>>> >> >>>>>> (coffee != sleep)& (!coffee == sleep) >> >>>>>> Donald.Smith@qwest.com gcia >> >>>>>> >> >>>>>>> -----Original Message----- >> >>>>>>> From: opsec-bounces@ietf.org [mailto:opsec-bounces@ietf.org] >> >>>>>>> On Behalf Of Rob Bird >> >>>>>>> Sent: Friday, March 26, 2010 11:28 AM >> >>>>>>> To: David Dugal >> >>>>>>> Cc: draft-dugal-opsec-protect-control-plane@tools.ietf.org; >> >>>>>>> opsec@ietf.org >> >>>>>>> Subject: Re: [OPSEC] OPSEC control plane protection draft >> >>>>>>> >> >>>>>>> This is most excellent. I was just advising a customer this >> >>>>>>> morning on this very issue (again). >> >>>>>>> >> >>>>>>> I look forward to working on this. >> >>>>>>> Rob >> >>>>>>> >> >>>>>>> - >> >>>>>>> Rob Bird, Chief Technology Officer >> >>>>>>> Red Lambda, Inc. >> >>>>>>> "Network security at global scale" >> >>>>>>> www.redlambda.com >> >>>>>>> >> >>>>>>> On Mar 26, 2010 1:03 PM, "David Dugal" >> >>>>>>> <ddugal@juniper.net> wrote: >> >>>>>>> >> >>>>>>> -----BEGIN PGP SIGNED MESSAGE----- >> >>>>>>> Hash: SHA1 >> >>>>>>> >> >>>>>>> Hi Richard. >> >>>>>>> >> >>>>>>> Thank you very much for the scrutiny, analysis >> >>> and feedback. As >> >>>>>>> mentioned during my brief presentation, our hope >> >>> is that this >> >>>>>>> recommendation by example will provide awareness of a >> >>>>>>> possible attack >> >>>>>>> surface occasionally overlooked, especially by >> >>> smaller or newer >> >>>>>>> installations. >> >>>>>>> >> >>>>>>> I appreciate the feedback and will enhance the draft to >> >>>>>>> make reference >> >>>>>>> to cryptographic security, as well as attempt to make >> >>>>>>> the document IP >> >>>>>>> version agnostic. >> >>>>>>> >> >>>>>>> Thank you for your support, both in carefully reading >> >>>>>>> the document, and >> >>>>>>> for your willingness to have our draft taken under the >> >>>>>>> OPSEC WG wing. >> >>>>>>> >> >>>>>>> - --- >> >>>>>>> David G. Dugal Support: >> >>>>>>> +1-408-745-9500 >> >>>>>>> Security Incident Response Team Direct: >> >>>>>>> +1-978-589-0719 >> >>>>>>> Juniper Networks Mobile: >> >>>>>>> +1-603-377-1162 >> >>>>>>> Westford, MA, USA PGP Key: >> >>> 0xAB6E02A5 >> >>>>>>> >> >>>>>>> >> >>>>>>> On Fri Mar 26 2010 09:06:40 GMT-0700 (Pacific Daylight >> >>>>>>> Time), Richard >> >>>>>>> Graveman<rfgraveman@gmail.com> proclaimed ... >> >>>>>>> >> >>>>>>> >> >>>>>>> > David, >> >>>>>>> > >> >>>>>>> > I read the draft carefully after the meeting and >> >>>>>>> realize that my >> >>>>>>> > comments missed the... >> >>>>>>> >> >>>>>>> > . >> >>>>>>> > >> >>>>>>> -----BEGIN PGP SIGNATURE----- >> >>>>>>> Version: GnuPG v1.4.10 (MingW32) >> >>>>>>> >> >>>>>>> >> >>> iEYEARECAAYFAkus53cACgkQh59lzatuAqVE9wCgh53mgxNRPWUztlI27aOITHRr >> >>>>>>> 2zMAoPb5y3phm260P1zSoDu0LSbUjNcN >> >>>>>>> =kitD >> >>>>>>> -----END PGP SIGNATURE----- >> >>>>>>> >> >>>>>>> >> >>>>>>> _______________________________________________ >> >>>>>>> OPSEC mailing list >> >>>>>>> OPSEC@ietf.org >> >>>>>>> https://www.ietf.o... >> >>>>>>> >> >>>>>>> >> >>>>>> >> >>>>>> This communication is the property of Qwest and may >> >>> contain confidential >> >>>>>> or >> >>>>>> privileged information. Unauthorized use of this >> >>> communication is strictly >> >>>>>> prohibited and may be unlawful. If you have received >> >>> this communication >> >>>>>> in error, please immediately notify the sender by reply >> >>> e-mail and destroy >> >>>>>> all copies of the communication and any attachments. >> >>>>>> _______________________________________________ >> >>>>>> OPSEC mailing list >> >>>>>> OPSEC@ietf.org >> >>>>>> https://www.ietf.org/mailman/listinfo/opsec >> >>>>> >> >>>>> _______________________________________________ >> >>>>> OPSEC mailing list >> >>>>> OPSEC@ietf.org >> >>>>> https://www.ietf.org/mailman/listinfo/opsec >> >>>>> >> >>> >> >> >> >> This communication is the property of Qwest and may contain >> >> confidential or >> >> privileged information. Unauthorized use of this communication is >> >> strictly >> >> prohibited and may be unlawful. If you have received this >> communication >> >> in error, please immediately notify the sender by reply e-mail and >> >> destroy >> >> all copies of the communication and any attachments. >> > _______________________________________________ >> > OPSEC mailing list >> > OPSEC@ietf.org >> > https://www.ietf.org/mailman/listinfo/opsec >> > > This communication is the property of Qwest and may contain confidential or > privileged information. Unauthorized use of this communication is strictly > prohibited and may be unlawful. If you have received this communication > in error, please immediately notify the sender by reply e-mail and destroy > all copies of the communication and any attachments. > _______________________________________________ > OPSEC mailing list > OPSEC@ietf.org > https://www.ietf.org/mailman/listinfo/opsec >
- [OPSEC] OPSEC control plane protection draft Richard Graveman
- Re: [OPSEC] OPSEC control plane protection draft David Dugal
- Re: [OPSEC] OPSEC control plane protection draft Rob Bird
- Re: [OPSEC] OPSEC control plane protection draft Carlos Pignataro (cpignata)
- Re: [OPSEC] OPSEC control plane protection draft Smith, Donald
- Re: [OPSEC] OPSEC control plane protection draft Rodney Dunn
- Re: [OPSEC] OPSEC control plane protection draft Christopher Morrow
- Re: [OPSEC] OPSEC control plane protection draft Smith, Donald
- Re: [OPSEC] OPSEC control plane protection draft Christopher Morrow
- Re: [OPSEC] OPSEC control plane protection draft Jared Mauch
- Re: [OPSEC] OPSEC control plane protection draft Rodney Dunn
- Re: [OPSEC] OPSEC control plane protection draft Smith, Donald
- Re: [OPSEC] OPSEC control plane protection draft Rodney Dunn
- Re: [OPSEC] OPSEC control plane protection draft Rodney Dunn
- Re: [OPSEC] OPSEC control plane protection draft Smith, Donald
- Re: [OPSEC] OPSEC control plane protection draft Rodney Dunn
- Re: [OPSEC] OPSEC control plane protection draft Christopher Morrow
- Re: [OPSEC] OPSEC control plane protection draft Joel Jaeggli
- Re: [OPSEC] OPSEC control plane protection draft Rodney Dunn