Re: [OPSEC] Fwd: ID Tracker State Update Notice: <draft-ietf-opsec-protect-control-plane-06.txt>

Ronald Bonica <rbonica@juniper.net> Thu, 06 January 2011 20:42 UTC

From: Ronald Bonica <rbonica@juniper.net>
To: George Jones <fooologist@gmail.com>, John Kristoff <jtk@cymru.com>
Date: Thu, 06 Jan 2011 15:41:12 -0500
Cc: "opsec@ietf.org mailing list" <opsec@ietf.org>, Warren Kumari <warren@kumari.net>

Response inline......

From: opsec-bounces@ietf.org [mailto:opsec-bounces@ietf.org] On Behalf Of George Jones
Sent: Tuesday, January 04, 2011 6:34 PM
To: John Kristoff
Cc: opsec@ietf.org mailing list; Warren Kumari
Subject: Re: [OPSEC] Fwd: ID Tracker State Update Notice: <draft-ietf-opsec-protect-control-plane-06.txt>


On Tue, Jan 4, 2011 at 10:22 AM, John Kristoff <jtk@cymru.com> wrote:
On Thu, 23 Dec 2010 15:22:22 -0500
Warren Kumari <warren@kumari.net> wrote:
> So, our active queue is beginning to look very sparse... I have a
> draft that I started writing a while ago that Chris Morrow and Danny
> McPherson have agreed to fix / update (poke...), does anyone have
> anything else that they are working on?
I had started a port filtering draft.  A second revision has been
started, but we haven't spent much time on it lately.  I can endeavor
to get this work going again this week.

 <http://tools.ietf.org/html/draft-kristoff-opsec-port-filtering-00>

This is very important work! Please continue.


Looks like you were tackling the "what to filter and why" + gotchas.   Noble.  Useful.
But if the device just can't do it, not sufficient.

I recommend that you continue on these lines. If the device can't fulfill your requirements, maybe the RFC will motivate the vendors to enhance the device's filtering capabilities.


Again, what I had in mind was a series of docs that provide testable security features,
possibly paired with a test methodology.

Before diving into any serious work, though, it would be worth asking the question,
would anybody care/be positively impacted if the docs were finished?

I believe that this would be helpful both to the operator and vendor communities. New operators would learn what to filter. Application and protocol developers would learn what is likely to be filtered.

                           Ron

Does anybody
do this sort of testing?  Would they?  Would a list in the form of RFCs help?

----George Jones