[OPSEC] Comments on draft-dugal-opsec-protect-control-plane-02
Danny McPherson <danny@tcb.net> Tue, 30 March 2010 12:18 UTC
Return-Path: <danny@tcb.net>
X-Original-To: opsec@core3.amsl.com
Delivered-To: opsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E43063A6821 for <opsec@core3.amsl.com>; Tue, 30 Mar 2010 05:18:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -98.25
X-Spam-Level:
X-Spam-Status: No, score=-98.25 tagged_above=-999 required=5 tests=[BAYES_50=0.001, DNS_FROM_OPENWHOIS=1.13, RCVD_IN_SORBS_WEB=0.619, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nYzyEA-BTFNM for <opsec@core3.amsl.com>; Tue, 30 Mar 2010 05:18:12 -0700 (PDT)
Received: from dog.tcb.net (dog.tcb.net [64.78.150.133]) by core3.amsl.com (Postfix) with ESMTP id 03D613A6984 for <opsec@ietf.org>; Tue, 30 Mar 2010 05:18:09 -0700 (PDT)
Received: by dog.tcb.net (Postfix, from userid 0) id F1B702684E1; Tue, 30 Mar 2010 06:18:37 -0600 (MDT)
Received: from [10.255.255.140] (66.46.153.245 [66.46.153.245]) (authenticated-user smtp) (TLSv1/SSLv3 AES128-SHA 128/128) by dog.tcb.net with SMTP; for opsec@ietf.org; Tue, 30 Mar 2010 06:18:37 -0600 (MDT) (envelope-from danny@tcb.net)
X-Avenger: version=0.7.8; receiver=dog.tcb.net; client-ip=66.46.153.245; client-port=57320; client-dnsfail=66.46.153.245: name server failure; syn-fingerprint=65535:55:1:64:M1460,N,W3,N,N,T,S MacOS 10.4.8; data-bytes=0
From: Danny McPherson <danny@tcb.net>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Date: Tue, 30 Mar 2010 06:18:22 -0600
Message-Id: <C629017C-E5CF-4FD8-8B60-99901293423F@tcb.net>
To: opsec wg mailing list <opsec@ietf.org>
Mime-Version: 1.0 (Apple Message framework v1077)
X-Mailer: Apple Mail (2.1077)
Subject: [OPSEC] Comments on draft-dugal-opsec-protect-control-plane-02
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Mar 2010 12:18:13 -0000
I support this document becoming an OPSEC WG item. A few mostly trivial comments below. I do believe the document would benefit from an overwrite for readability, but it seems to be in pretty good shape (and that's the purpose of making it a WG item). One substantive item is that I believe it needs to be a lot more detailed on IPv6 examples, in particular as they relate to ICMP. This is where lots of operators really need extra guidance today. Also, it should be clear about how transit traffic with TTL expiry isn't necessarily addressed to the device, but might get punted to the control plane. There is some text that touches on this, but this issue is not clear from the text. Finally, after giving RFC 1812 another read (phew), my comments at the microphone about references to that document aren't really useful. I had thought it had more detailed information on what it terms "in-band" access, however, the guidance there isn't particular useful in this context. -danny --- S 1. s/as as/as/ s/traffic unwanted traffic/unwanted traffic/ --- S 2. I think the document would benefit from IPv6 examples as well, and should reference that use case here and provide it further along in parallel to IPv6 examples. --- S 3. s/sample router introduced/sample router is introduced/ --- S 3.1. While I realize it's for example only, it might well be useful to add some sort of authentication packets to that example, so that folks can login if they have non-local auth models. Also, does anyone have recent rates of ICMP traffic destined to the control plane of high-end routers? 2 Mbps of ICMP seems pretty high to me.. --- S 3.2 It might be useful for the document, or the appendices to recommend allowing all traffic initially and auditing what hits the control plane before applying explicit filters or rate limits. Additionally, use of flow-based behavioral analysis or even CLI functions to identify what client/server functions a given control plane handles would be very useful during initial policy development phases (and certainly for forensics afterwards). Perhaps this belongs at the end of S 3.3, in the last graf where you touch on some of this. --- S 3.3 I'm not sure what "sub-traffic" is.. It might be worth expanding this a bit to say that an astute operator would likely define varying rate limits for ICMP such than internal traffic (i.e., from internal address blocks) obtains uninhibited access to the control plane, while traffic from external blocks is rate limited. I think you meant to allude to this, but don't really make it clear in the current text. --- S 4. I believe it'd be worthwhile to mention that while in the inter-domain context express ingress anti-spoofing policies may be difficult, operators should apply ingress infrastructure ACLs to limit access to infrastructure from external source address spoofing of internal address space. I.e., allow no packet into the perimeter of the network that has a source address of internal prefixes. Of course, iACLs and GTSM might well be a new section to this document, or a document entirely themselves.
- [OPSEC] Comments on draft-dugal-opsec-protect-con… Danny McPherson
- Re: [OPSEC] Comments on draft-dugal-opsec-protect… Warren Kumari
- Re: [OPSEC] Comments on draft-dugal-opsec-protect… Joel Jaeggli
- Re: [OPSEC] Comments on draft-dugal-opsec-protect… Ron Bonica
- Re: [OPSEC] Comments on draft-dugal-opsec-protect… Smith, Donald