Re: [OPSEC] OPSEC control plane protection draft
Christopher Morrow <morrowc.lists@gmail.com> Tue, 17 August 2010 01:58 UTC
From: Christopher Morrow <morrowc.lists@gmail.com>
To: rodunn@cisco.com
Cc: "draft-dugal-opsec-protect-control-plane@tools.ietf.org" <draft-dugal-opsec-protect-control-plane@tools.ietf.org>, "opsec@ietf.org" <opsec@ietf.org>
Date: Mon, 16 Aug 2010 21:58:43 -0400
Subject: Re: [OPSEC] OPSEC control plane protection draft
In-Reply-To: <4C69E72F.6090608@cisco.com>
Message-ID: <AANLkTikJHA8O4EbL43nHGYfEdt2k0-V0Tv2uy390soeD@mail.gmail.com>
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
On Mon, Aug 16, 2010 at 9:34 PM, Rodney Dunn <rodunn@cisco.com> wrote:
> Donald,
>
> First thanks for the comment. It's a good one. We actually originally had it
> with a default drop for the all IP and default classes. However, after a
> good bit of discussion we (both Cisco and Juniper) felt that we should
> soften it up just a bit. We agreed to add the explicit match for the ALLIP
> class so it could be monitored and then tightened down further.
>
> We realized there were various opinions on how that should be done.

can we get a 'first verify complete COPP coverage, then deny all remaining
traffic with $INSERT_PROPER_DENY_HERE' paragraph?

It sounds like someone with a legal degree got to your final recommendation :)
that, operationally, leaves the network with a hole to plug, and I can
guarantee that someone with a scanning virus is gonna fill it for you :(

-chris

> ie:
>
> http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html
>
> Thanks,
> Rodney
>
> On 8/16/10 5:16 PM, Smith, Donald wrote:
>> For undesirables in JTK's paper here he specifically did a deny ip any any
>> at the end of the cpp policy for that.
>>
>> http://aharp.ittns.northwestern.edu/papers/copp.html
>>
>> The default term for juniper is log and discard.
>>
>> There isn't a deny ip any any in the draft.
>>
>> (coffee != sleep)& (!coffee == sleep)
>> Donald.Smith@qwest.com gcia
>>
>>> -----Original Message-----
>>> From: opsec-bounces@ietf.org [mailto:opsec-bounces@ietf.org]
>>> On Behalf Of Rob Bird
>>> Sent: Friday, March 26, 2010 11:28 AM
>>> To: David Dugal
>>> Cc: draft-dugal-opsec-protect-control-plane@tools.ietf.org; opsec@ietf.org
>>> Subject: Re: [OPSEC] OPSEC control plane protection draft
>>>
>>> This is most excellent. I was just advising a customer this
>>> morning on this very issue (again).
>>>
>>> I look forward to working on this.
>>> Rob
>>>
>>> -
>>> Rob Bird, Chief Technology Officer
>>> Red Lambda, Inc.
>>> "Network security at global scale"
>>> www.redlambda.com
>>>
>>> On Mar 26, 2010 1:03 PM, "David Dugal" <ddugal@juniper.net> wrote:
>>>
>>> Hi Richard.
>>>
>>> Thank you very much for the scrutiny, analysis and feedback. As
>>> mentioned during my brief presentation, our hope is that this
>>> recommendation by example will provide awareness of a possible attack
>>> surface occasionally overlooked, especially by smaller or newer
>>> installations.
>>>
>>> I appreciate the feedback and will enhance the draft to make reference
>>> to cryptographic security, as well as attempt to make the document IP
>>> version agnostic.
>>>
>>> Thank you for your support, both in carefully reading the document, and
>>> for your willingness to have our draft taken under the OPSEC WG wing.
>>>
>>> ---
>>> David G. Dugal                    Support: +1-408-745-9500
>>> Security Incident Response Team   Direct:  +1-978-589-0719
>>> Juniper Networks                  Mobile:  +1-603-377-1162
>>> Westford, MA, USA                 PGP Key: 0xAB6E02A5
>>>
>>> On Fri Mar 26 2010 09:06:40 GMT-0700 (Pacific Daylight Time), Richard
>>> Graveman <rfgraveman@gmail.com> proclaimed ...
>>>
>>> > David,
>>> >
>>> > I read the draft carefully after the meeting and realize that my
>>> > comments missed the...
>>> > .
>>>
>
> _______________________________________________
> OPSEC mailing list
> OPSEC@ietf.org
> https://www.ietf.org/mailman/listinfo/opsec
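The "verify coverage first, then deny the rest" sequence Chris asks for, as an added Cisco IOS CoPP sketch; it is not from the draft, from the Cisco white paper linked above, or from either vendor, and the ACL names, addresses and policer rates are constructed assumptions:

```cisco
! Stage 1 (monitor): every expected control-plane flow has its own class,
! followed by an explicit catch-all IP class that still forwards traffic
! but is policed and counted, so unmatched traffic can be identified.
! Constructed example: ACL names, addresses and policer rates are assumptions.
ip access-list extended COPP-BGP
 permit tcp host 192.0.2.2 host 192.0.2.1 eq bgp
 permit tcp host 192.0.2.2 eq bgp host 192.0.2.1
ip access-list extended COPP-MGMT
 permit tcp 198.51.100.0 0.0.0.255 host 192.0.2.1 eq 22
ip access-list extended COPP-ALLIP
 permit ip any any
!
class-map match-all COPP-BGP-CLASS
 match access-group name COPP-BGP
class-map match-all COPP-MGMT-CLASS
 match access-group name COPP-MGMT
class-map match-all COPP-ALLIP-CLASS
 match access-group name COPP-ALLIP
!
policy-map COPP
 class COPP-BGP-CLASS
  police 512000 8000 conform-action transmit exceed-action drop
 class COPP-MGMT-CLASS
  police 128000 4000 conform-action transmit exceed-action drop
 class COPP-ALLIP-CLASS
  police 32000 1500 conform-action transmit exceed-action drop
 class class-default
  police 8000 1500 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
!
! Verify coverage: watch the catch-all counters over a full operational
! cycle (routing changes, maintenance windows, monitoring polls):
!   show policy-map control-plane input
! Conformed packets in COPP-ALLIP-CLASS mean a legitimate flow still
! lacks its own class; add one before moving on.
!
! Stage 2 (deny): once COPP-ALLIP-CLASS sees only unwanted traffic, tighten
! it so the remaining IP traffic is dropped instead of forwarded:
!  policy-map COPP
!   class COPP-ALLIP-CLASS
!    police 32000 1500 conform-action drop exceed-action drop
```

Classes are evaluated in order, so COPP-ALLIP-CLASS only sees IP traffic that no earlier class matched, and class-default catches the non-IP remainder.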
- [OPSEC] OPSEC control plane protection draft Richard Graveman
- Re: [OPSEC] OPSEC control plane protection draft David Dugal
- Re: [OPSEC] OPSEC control plane protection draft Rob Bird
- Re: [OPSEC] OPSEC control plane protection draft Carlos Pignataro (cpignata)
- Re: [OPSEC] OPSEC control plane protection draft Smith, Donald
- Re: [OPSEC] OPSEC control plane protection draft Rodney Dunn
- Re: [OPSEC] OPSEC control plane protection draft Christopher Morrow
- Re: [OPSEC] OPSEC control plane protection draft Smith, Donald
- Re: [OPSEC] OPSEC control plane protection draft Christopher Morrow
- Re: [OPSEC] OPSEC control plane protection draft Jared Mauch
- Re: [OPSEC] OPSEC control plane protection draft Rodney Dunn
- Re: [OPSEC] OPSEC control plane protection draft Smith, Donald
- Re: [OPSEC] OPSEC control plane protection draft Rodney Dunn
- Re: [OPSEC] OPSEC control plane protection draft Rodney Dunn
- Re: [OPSEC] OPSEC control plane protection draft Smith, Donald
- Re: [OPSEC] OPSEC control plane protection draft Rodney Dunn
- Re: [OPSEC] OPSEC control plane protection draft Christopher Morrow
- Re: [OPSEC] OPSEC control plane protection draft Joel Jaeggli
- Re: [OPSEC] OPSEC control plane protection draft Rodney Dunn