Re: [OPSEC] OPSEC control plane protection draft

Christopher Morrow <morrowc.lists@gmail.com> Tue, 17 August 2010 01:58 UTC

Date: Mon, 16 Aug 2010 21:58:43 -0400
From: Christopher Morrow <morrowc.lists@gmail.com>
To: rodunn@cisco.com
Cc: "draft-dugal-opsec-protect-control-plane@tools.ietf.org" <draft-dugal-opsec-protect-control-plane@tools.ietf.org>, "opsec@ietf.org" <opsec@ietf.org>
Subject: Re: [OPSEC] OPSEC control plane protection draft

On Mon, Aug 16, 2010 at 9:34 PM, Rodney Dunn <rodunn@cisco.com> wrote:
> Donald,
>
> First thanks for the comment. It's a good one. We actually originally had it
> with a default drop for the all IP and default classes. However, after a
> good bit of discussion we (both Cisco and Juniper) felt that we should
> soften it up just a bit. We agreed to add the explicit match for the ALLIP
> class so it could be monitored and then tightened down further.
>
> We realized there were various opinions on how that should be done.

can we get a 'first verify complete COPP coverage, then deny all
remaining traffic with $INSERT_PROPER_DENY_HERE' paragraph?

It sounds like someone with a legal degree got to your final
recommendation :) that, operationally, leaves the network with a hole
to plug, and I can guarantee that someone with a scanning virus is
gonna fill it for you :(

-chris

> ie:
>
> http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html
>
>
> Thanks,
> Rodney
>
> On 8/16/10 5:16 PM, Smith, Donald wrote:
>>
>> For undesirables in JTK's paper here he specifically did a deny ip any any
>> at the end of the cpp policy for that.
>>
>> http://aharp.ittns.northwestern.edu/papers/copp.html
>>
>> The default term for juniper is log and discard.
>>
>> There isn't a deny ip any any in the draft.
>>
>> (coffee != sleep) & (!coffee == sleep)
>> Donald.Smith@qwest.com gcia
>>
>>> -----Original Message-----
>>> From: opsec-bounces@ietf.org [mailto:opsec-bounces@ietf.org]
>>> On Behalf Of Rob Bird
>>> Sent: Friday, March 26, 2010 11:28 AM
>>> To: David Dugal
>>> Cc: draft-dugal-opsec-protect-control-plane@tools.ietf.org;
>>> opsec@ietf.org
>>> Subject: Re: [OPSEC] OPSEC control plane protection draft
>>>
>>> This is most excellent. I was just advising a customer this
>>> morning on this very issue (again).
>>>
>>> I look forward to working on this.
>>> Rob
>>>
>>> -
>>> Rob Bird, Chief Technology Officer
>>> Red Lambda, Inc.
>>> "Network security at global scale"
>>> www.redlambda.com
>>>
>>>       On Mar 26, 2010 1:03 PM, "David Dugal" <ddugal@juniper.net> wrote:
>>>
>>>
>>>       Hi Richard.
>>>
>>>       Thank you very much for the scrutiny, analysis and feedback.  As
>>>       mentioned during my brief presentation, our hope is that this
>>>       recommendation by example will provide awareness of a possible
>>>       attack surface occasionally overlooked, especially by smaller or
>>>       newer installations.
>>>
>>>       I appreciate the feedback and will enhance the draft to make
>>>       reference to cryptographic security, as well as attempt to make
>>>       the document IP version agnostic.
>>>
>>>       Thank you for your support, both in carefully reading the
>>>       document, and for your willingness to have our draft taken under
>>>       the OPSEC WG wing.
>>>
>>>       ---
>>>       David G. Dugal                           Support: +1-408-745-9500
>>>       Security Incident Response Team          Direct:  +1-978-589-0719
>>>       Juniper Networks                         Mobile:  +1-603-377-1162
>>>       Westford, MA, USA                        PGP Key: 0xAB6E02A5
>>>
>>>
>>>       On Fri Mar 26 2010 09:06:40 GMT-0700 (Pacific Daylight Time),
>>>       Richard Graveman <rfgraveman@gmail.com> proclaimed ...
>>>
>>>
>>>       >  David,
>>>       >
>>>       >  I read the draft carefully after the meeting and
>>> realize that my
>>>       >  comments missed the...
>>>
>>>       >  .
>>>       >
>>>
>>>
>>>       _______________________________________________
>>>       OPSEC mailing list
>>>       OPSEC@ietf.org
>>>       https://www.ietf.o...
>>>
>>>
>>
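The "first verify complete CoPP coverage, then deny the rest" step Chris asks for, as an added example that is not part of this thread or of the draft: a small Python model of an ordered control-plane policy whose last class is an explicit catch-all kept in monitor (transmit) mode, and a tighten step that only flips it to drop once nothing falls through. The class names, matchers, sample packets and RFC 5737 documentation prefixes are all constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
CATCH_ALL = "COPP-ALLIP"   # constructed name for the explicit catch-all class

@dataclass
class CoppClass:
    """One class of an ordered control-plane policy (first match wins)."""
    name: str
    action: str                   # "transmit" (permit / monitor) or "drop"
    proto: str = "any"            # "tcp", "udp", "ospf", ... or "any"
    dport: "int | None" = None    # destination port, None = any port
    sources: tuple = ()           # allowed source prefixes; empty = any source
    hits: int = 0                 # packets that matched this class
    def matches(self, pkt):
        if self.proto != "any" and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return not self.sources or any(
            ip_address(pkt["src"]) in ip_network(p) for p in self.sources)

def apply_policy(policy, packets):
    """Classify packets top-down and count hits; returns (class, action) per packet."""
    decisions = []
    for pkt in packets:
        cls = next(c for c in policy if c.matches(pkt))  # catch-all matches everything
        cls.hits += 1
        decisions.append((cls.name, cls.action))
    return decisions

def tighten(policy):
    """Verify coverage, then deny: drop at the catch-all only once nothing fell through."""
    catch_all = next(c for c in policy if c.name == CATCH_ALL)
    if catch_all.hits:
        return False   # something still lands here: add a class for it, or investigate it
    catch_all.action = "drop"
    return True

def build_policy():
    """Constructed sample policy; RFC 5737 documentation prefixes stand in for peers."""
    return [CoppClass("COPP-BGP", "transmit", "tcp", 179, ("192.0.2.0/24",)),
            CoppClass("COPP-MGMT-SSH", "transmit", "tcp", 22, ("198.51.100.0/24",)),
            CoppClass(CATCH_ALL, "transmit")]   # monitor mode: let through and count

TRAFFIC = [  # constructed sample of traffic punted to the control plane
    {"src": "192.0.2.1", "proto": "tcp", "dport": 179},    # BGP peer
    {"src": "198.51.100.7", "proto": "tcp", "dport": 22},  # operator SSH
    {"src": "192.0.2.5", "proto": "udp", "dport": 123},    # NTP peer: not covered yet
    {"src": "203.0.113.9", "proto": "tcp", "dport": 23},   # unsolicited telnet probe
]
```

Running apply_policy(build_policy(), TRAFFIC) leaves two packets (the NTP peer and the telnet probe) in the catch-all, so tighten() refuses; once an NTP class is added and a monitoring window passes with the catch-all at zero hits, tighten() switches it to drop and the probe is discarded.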