[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Scope, Profiles
"gmj" == George M Jones <gmjones@mitre.org> writes:
>> Well, things that I want for my powerstrips apply to anything with an
>> IP. So it's not really profiles, but more "if you supply this
>> capability (IP stack, MPLS, etc), you must implement these features."
>>
gmj> So you're basicly suggesting:
gmj> If you implement IP, then
Yes. So for my current pet peeve, it would look like:
"If you implement password protected logins:
Implement network AAA
... "
"If you provide a configuration service (not you can configure the
device but the "config" of the device is accessible in some form):
Implement ASCII configs
Provide the grammar for those configs
Implement config sanitization (open can of worms here)
..."
These are baseline requirements that every "secure" (or "securable"?)
device must supply. Then there are more advanced requirements that
only apply in certain profiles. E.g. if it's an edge device, it must
supply these capabilities (which are going to include more invasive
and CPU intensive things than a core device, even though both provide
roughly the same features (IP stack, packet forwarding, ...)).
>> So at the front, there are some capability => feature mappings, then
>> as you dig deeper you get to stuff like "if you use the device this
>> way, you should configure it this way".
gmj> When you say "configure" do you mean things like "turn of directed
gmj> broadcasts"
Yeah, kinda. This document is aimed at two seperate entities:
1) Vendors. They must provide the knobs and dials to tweak. Perhaps
also with sane defaults, depending on the outcome of several
religious debates.
2) Users. These range from kinda clueful to really lost. (Clueful
users are either working on this document, or unemployed)
So the capabilities that must exist are addressed to the vendors and
purchasers of devices.
How to twist those knobs and dials is addressed at the network
engineers who actually design, deploy and manage the devices.
gmj> or "include this group of capabilities" ? I can see groupings like
gmj> Edge Device
gmj> 1. Filtering of traffic trough the device
gmj> 2. Filtering of traffic to the device
gmj> 3. Support rate-limiting
gmj> Core Device
gmj> 1. Filtering of traffic to the device
These would fall into the "more advanced requirements" section.
So you have:
Baseline requirements
Device provides service (IP addr, packet forwarding, etc),
device must provide capability (IP filtering TO, AAA, etc)
Advanced requirements
Device is used in a certain profile (customer aggregation,
CPE, core router), device must provide this (filtering
THROUGH, etc)
Configuration guidelines
Given a device with certain baseline and advanced
capabilities, you, the user, should configure it thusly. This
section will further act as justification for the requirements
above. Here, we'll describe why the knobs should be turned
just so.
Basically, I like the idea of profiles, I just think that the common
requirements and config bits should be factored out. Common
requirements (baseline) are a strong line to hold, things we can push
for from vendors with serious effort. Maybe filtering THROUGH at
OC192 isn't possible, but you'd BETTER implement filtering TO.
ericb