Re: [OPSEC] Comments on draft-dugal-opsec-protect-control-plane-02
Joel Jaeggli <joelja@bogus.com> Thu, 01 April 2010 05:29 UTC
Return-Path: <joelja@bogus.com>
X-Original-To: opsec@core3.amsl.com
Delivered-To: opsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CD5C13A693A for <opsec@core3.amsl.com>; Wed, 31 Mar 2010 22:29:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.131
X-Spam-Level: *
X-Spam-Status: No, score=1.131 tagged_above=-999 required=5 tests=[BAYES_50=0.001, DNS_FROM_OPENWHOIS=1.13]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1PHi3l3tdBBv for <opsec@core3.amsl.com>; Wed, 31 Mar 2010 22:29:34 -0700 (PDT)
Received: from nagasaki.bogus.com (nagasaki.bogus.com [147.28.0.81]) by core3.amsl.com (Postfix) with ESMTP id 329A53A6950 for <opsec@ietf.org>; Wed, 31 Mar 2010 22:26:35 -0700 (PDT)
Received: from [192.168.1.151] (c-98-234-104-156.hsd1.ca.comcast.net [98.234.104.156]) (authenticated bits=0) by nagasaki.bogus.com (8.14.3/8.14.3) with ESMTP id o315R4LA038104 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NOT); Thu, 1 Apr 2010 05:27:05 GMT (envelope-from joelja@bogus.com)
Message-ID: <4BB42EA7.6010807@bogus.com>
Date: Wed, 31 Mar 2010 22:27:03 -0700
From: Joel Jaeggli <joelja@bogus.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.8) Gecko/20100322 Lightning/1.0b1 Thunderbird/3.0.3
MIME-Version: 1.0
To: Danny McPherson <danny@tcb.net>
References: <C629017C-E5CF-4FD8-8B60-99901293423F@tcb.net>
In-Reply-To: <C629017C-E5CF-4FD8-8B60-99901293423F@tcb.net>
X-Enigmail-Version: 1.0.1
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.2 (nagasaki.bogus.com [147.28.0.81]); Thu, 01 Apr 2010 05:27:06 +0000 (UTC)
Cc: opsec wg mailing list <opsec@ietf.org>
Subject: Re: [OPSEC] Comments on draft-dugal-opsec-protect-control-plane-02
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Apr 2010 05:29:34 -0000
Thanks Danny, test for inclusion will likely follow the publishing of the minutes. joel On 03/30/2010 05:18 AM, Danny McPherson wrote: > > I support this document becoming an OPSEC WG item. A few > mostly trivial comments below. I do believe the document > would benefit from an overwrite for readability, but it > seems to be in pretty good shape (and that's the purpose of > making it a WG item). > > One substantive item is that I believe it needs to be a lot > more detailed on IPv6 examples, in particular as they relate > to ICMP. This is where lots of operators really need extra > guidance today. > > Also, it should be clear about how transit traffic with TTL > expiry isn't necessarily addressed to the device, but might get > punted to the control plane. There is some text that touches > on this, but this issue is not clear from the text. > > Finally, after giving RFC 1812 another read (phew), my comments > at the microphone about references to that document aren't > really useful. I had thought it had more detailed information > on what it terms "in-band" access, however, the guidance there > isn't particular useful in this context. > > -danny > > > --- > S 1. > > s/as as/as/ > > s/traffic unwanted traffic/unwanted traffic/ > > --- > S 2. > > I think the document would benefit from IPv6 examples as well, and > should reference that use case here and provide it further along in > parallel to IPv6 examples. > > --- > S 3. > > s/sample router introduced/sample router is introduced/ > > --- > S 3.1. > > While I realize it's for example only, it might well be useful to > add some sort of authentication packets to that example, so that > folks can login if they have non-local auth models. > > Also, does anyone have recent rates of ICMP traffic destined to the > control plane of high-end routers? 2 Mbps of ICMP seems pretty > high to me.. > > --- > S 3.2 > > It might be useful for the document, or the appendices to recommend > allowing all traffic initially and auditing what hits the control > plane before applying explicit filters or rate limits. Additionally, > use of flow-based behavioral analysis or even CLI functions to > identify what client/server functions a given control plane handles > would be very useful during initial policy development phases (and > certainly for forensics afterwards). Perhaps this belongs at the > end of S 3.3, in the last graf where you touch on some of this. > > --- > S 3.3 > > I'm not sure what "sub-traffic" is.. > > It might be worth expanding this a bit to say that an astute operator > would likely define varying rate limits for ICMP such than internal > traffic (i.e., from internal address blocks) obtains uninhibited > access to the control plane, while traffic from external blocks is > rate limited. I think you meant to allude to this, but don't really > make it clear in the current text. > > > --- > S 4. > > I believe it'd be worthwhile to mention that while in the inter-domain > context express ingress anti-spoofing policies may be difficult, > operators should apply ingress infrastructure ACLs to limit access to > infrastructure from external source address spoofing of internal address > space. I.e., allow no packet into the perimeter of the network that > has a source address of internal prefixes. Of course, iACLs and GTSM > might well be a new section to this document, or a document entirely > themselves. > > > _______________________________________________ > OPSEC mailing list > OPSEC@ietf.org > https://www.ietf.org/mailman/listinfo/opsec >
- [OPSEC] Comments on draft-dugal-opsec-protect-con… Danny McPherson
- Re: [OPSEC] Comments on draft-dugal-opsec-protect… Warren Kumari
- Re: [OPSEC] Comments on draft-dugal-opsec-protect… Joel Jaeggli
- Re: [OPSEC] Comments on draft-dugal-opsec-protect… Ron Bonica
- Re: [OPSEC] Comments on draft-dugal-opsec-protect… Smith, Donald