Re: [OPSEC] OPSEC control plane protection draft
Christopher Morrow <morrowc.lists@gmail.com> Tue, 17 August 2010 17:42 UTC
From: Christopher Morrow <morrowc.lists@gmail.com>
To: "Smith, Donald" <Donald.Smith@qwest.com>
Cc: "draft-dugal-opsec-protect-control-plane@tools.ietf.org" <draft-dugal-opsec-protect-control-plane@tools.ietf.org>, "opsec@ietf.org" <opsec@ietf.org>
On Tue, Aug 17, 2010 at 11:30 AM, Smith, Donald <Donald.Smith@qwest.com> wrote:
> While difficult to get right, leaving a hole to allow "unknown stuff" to go to the control plane is counter-intuitive if we are talking about protecting the control plane.
>
> When I write about mitigations for router vulnerabilities within our network one of the things I often include in the mitigations is the fact that the services and control plane of the routers is locked down. Almost locked down with a hole that may or may not allow something that could trigger the vulnerability is not as good:)
>
> This is one of the reasons we had that whole logging of exceptions/dropped traffic discussion a while back.
> Not just a counter, actual logging (sampled ok, syslog or snmp ... ok ... but some logging of traffic similar to a netflow record would be helpful).

+1 to the entire message here... you just don't want to leave open holes, ever, in critical infrastructure.

-chris

> (coffee != sleep) & (!coffee == sleep)
> Donald.Smith@qwest.com gcia
>
>> -----Original Message-----
>> From: christopher.morrow@gmail.com
>> [mailto:christopher.morrow@gmail.com] On Behalf Of Christopher Morrow
>> Sent: Monday, August 16, 2010 7:59 PM
>> To: rodunn@cisco.com
>> Cc: Smith, Donald;
>> draft-dugal-opsec-protect-control-plane@tools.ietf.org; opsec@ietf.org
>> Subject: Re: [OPSEC] OPSEC control plane protection draft
>>
>> On Mon, Aug 16, 2010 at 9:34 PM, Rodney Dunn <rodunn@cisco.com> wrote:
>> > Donald,
>> >
>> > First thanks for the comment. It's a good one. We actually originally had it
>> > with a default drop for the all IP and default classes. However, after a
>> > good bit of discussion we (both Cisco and Juniper) felt that we should
>> > soften it up just a bit. We agreed to add the explicit match for the ALLIP
>> > class so it could be monitored and then tightened down further.
>> >
>> > We realized there were various opinions on how that should be done.
>>
>> can we get a 'first verify complete COPP coverage, then deny all
>> remaining traffic with $INSERT_PROPER_DENY_HERE' paragraph?
>>
>> It sounds like someone with a legal degree got to your final
>> recommendation :) that, operationally, leaves the network with a hole
>> to plug, and I can guarantee that someone with a scanning virus is
>> gonna fill it for you :(
>>
>> -chris
>>
>> > ie:
>> >
>> > http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html
>> >
>> > Thanks,
>> > Rodney
>> >
>> > On 8/16/10 5:16 PM, Smith, Donald wrote:
>> >>
>> >> For undesirables in JTK's paper here he specifically did a deny ip any any
>> >> at the end of the cpp policy for that.
>> >>
>> >> http://aharp.ittns.northwestern.edu/papers/copp.html
>> >>
>> >> The default term for juniper is log and discard.
>> >>
>> >> There isn't a deny ip any any in the draft.
>> >>
>> >> (coffee != sleep) & (!coffee == sleep)
>> >> Donald.Smith@qwest.com gcia
>> >>
>> >>> -----Original Message-----
>> >>> From: opsec-bounces@ietf.org [mailto:opsec-bounces@ietf.org]
>> >>> On Behalf Of Rob Bird
>> >>> Sent: Friday, March 26, 2010 11:28 AM
>> >>> To: David Dugal
>> >>> Cc: draft-dugal-opsec-protect-control-plane@tools.ietf.org;
>> >>> opsec@ietf.org
>> >>> Subject: Re: [OPSEC] OPSEC control plane protection draft
>> >>>
>> >>> This is most excellent. I was just advising a customer this
>> >>> morning on this very issue (again).
>> >>>
>> >>> I look forward to working on this.
>> >>> Rob
>> >>>
>> >>> -
>> >>> Rob Bird, Chief Technology Officer
>> >>> Red Lambda, Inc.
>> >>> "Network security at global scale"
>> >>> www.redlambda.com
>> >>>
>> >>> On Mar 26, 2010 1:03 PM, "David Dugal" <ddugal@juniper.net> wrote:
>> >>>
>> >>> -----BEGIN PGP SIGNED MESSAGE-----
>> >>> Hash: SHA1
>> >>>
>> >>> Hi Richard.
>> >>>
>> >>> Thank you very much for the scrutiny, analysis and feedback. As
>> >>> mentioned during my brief presentation, our hope is that this
>> >>> recommendation by example will provide awareness of a possible attack
>> >>> surface occasionally overlooked, especially by smaller or newer
>> >>> installations.
>> >>>
>> >>> I appreciate the feedback and will enhance the draft to make reference
>> >>> to cryptographic security, as well as attempt to make the document IP
>> >>> version agnostic.
>> >>>
>> >>> Thank you for your support, both in carefully reading the document, and
>> >>> for your willingness to have our draft taken under the OPSEC WG wing.
>> >>>
>> >>> - ---
>> >>> David G. Dugal                    Support: +1-408-745-9500
>> >>> Security Incident Response Team   Direct:  +1-978-589-0719
>> >>> Juniper Networks                  Mobile:  +1-603-377-1162
>> >>> Westford, MA, USA                 PGP Key: 0xAB6E02A5
>> >>>
>> >>> On Fri Mar 26 2010 09:06:40 GMT-0700 (Pacific Daylight Time), Richard
>> >>> Graveman <rfgraveman@gmail.com> proclaimed ...
>> >>>
>> >>> > David,
>> >>> >
>> >>> > I read the draft carefully after the meeting and realize that my
>> >>> > comments missed the...
>> >>> > .
>> >>> >
>> >>> -----BEGIN PGP SIGNATURE-----
>> >>> Version: GnuPG v1.4.10 (MingW32)
>> >>> -----END PGP SIGNATURE-----
>> >>>
>> >>> _______________________________________________
>> >>> OPSEC mailing list
>> >>> OPSEC@ietf.org
>> >>> https://www.ietf.o...
>> >>>
>> >>
>> >> This communication is the property of Qwest and may contain confidential or
>> >> privileged information. Unauthorized use of this communication is strictly
>> >> prohibited and may be unlawful. If you have received this communication
>> >> in error, please immediately notify the sender by reply e-mail and destroy
>> >> all copies of the communication and any attachments.
>> >
>
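A constructed Cisco IOS CoPP fragment, added here as an illustration of the two positions in the thread (monitor an explicit catch-all class first, then tighten it to an explicit drop); it is not text from the draft, from the Cisco white paper, or from any poster. The class names, the 192.0.2.0/24 and 198.51.100.0/24 peer and management ranges, and the policer rates are assumptions for the example.

```text
! Expected control-plane traffic gets its own class so that the
! catch-all below sees only what the policy has not accounted for.
ip access-list extended COPP-ROUTING
 permit tcp 192.0.2.0 0.0.0.255 any eq bgp
 permit tcp 192.0.2.0 0.0.0.255 eq bgp any
 permit ospf any any
ip access-list extended COPP-MGMT
 permit tcp 198.51.100.0 0.0.0.255 any eq 22
 permit udp 198.51.100.0 0.0.0.255 any eq snmp
! Explicit catch-all for every other IP packet punted to the RP.
ip access-list extended COPP-ALLIP
 permit ip any any
!
class-map match-all COPP-ROUTING
 match access-group name COPP-ROUTING
class-map match-all COPP-MGMT
 match access-group name COPP-MGMT
class-map match-all COPP-ALLIP
 match access-group name COPP-ALLIP
!
policy-map COPP
 class COPP-ROUTING
  police 1000000 conform-action transmit exceed-action drop
 class COPP-MGMT
  police 500000 conform-action transmit exceed-action drop
 ! Phase 1 (the draft's position): admit unknown traffic at a low rate
 ! so "show policy-map control-plane" counts it and it can be examined.
 ! This is the hole the thread objects to leaving open.
 class COPP-ALLIP
  police 64000 conform-action transmit exceed-action drop
 ! Phase 2 (Donald's and Chris's position): once every legitimate flow
 ! seen in COPP-ALLIP has been given its own class, replace the stanza
 ! above with an explicit drop so nothing unclassified reaches the RP:
 !  class COPP-ALLIP
 !   police 8000 conform-action drop exceed-action drop
 ! The conform/exceed counters on the dropping class still provide the
 ! "counter" Donald mentions; per-packet visibility needs separate logging.
 class class-default
  police 8000 conform-action drop exceed-action drop
!
control-plane
 service-policy input COPP
```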