
Re: draft-jones-opsec-01.txt comments: in-band management



> I had been wondering whether it would be possible to recommend a default
> IPsec profile for in-band management traffic to make it more probable to
> have something usable and interoperable...

Sounds like a fine draft for an IPsec working group.  I'd love to cite
it...

> Anyway...I thought I'd put it out there.  In any event, I would agree with
> Joel though that if we skip the IPsec 'recommended' profile then it would
> be useful to be more specific in how management traffic would be secured so
> that it's practical.

Right.   So give me some examples.  Right now, most of the entries are
of the form:

  Requirement: general, not-tech-specific, not-likely-to-change-over-time

  Justification: why, what context, threat/risk info

  Example: citation of existing technologies that meet the reqs.


How would you say

  "secure in-band management => SSH"
  "secure time sync => BGP w/MD5"
  "secure routing protocols => BGP w/?"
  "secure [insecure protocol] => tunneled over XXX"

???

I think 2.1.1 is going to get a *lot* smaller and could
wind up with a table (similar to the existing one) listing
mappings and required options.

Thoughts ?  rough stabs at the table ?

Thanks,
---George
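As an added example, and not part of this thread or of draft-jones-opsec, here is one way the "mappings and required options" table could be expressed so it can be checked against a device configuration. The table entries (SSH-only VTY access, NTP with an MD5 key and authentication enabled, a TCP MD5 password on every BGP neighbor) are this editor's rough stab, not text from the draft; the sample configuration is constructed, and its IOS-style syntax is an assumption used only for illustration.

```python
"""Rough stab at the requirement -> required-option table, as code.

Added example, not from the thread or the draft. Config syntax below is an
assumed IOS-style sample constructed for illustration.
"""
import re

# Constructed sample config (assumed IOS-style syntax; not a real device).
SAMPLE_CONFIG = """\
hostname rtr1
ntp authenticate
ntp authentication-key 1 md5 EXAMPLEKEY
ntp trusted-key 1
ntp server 192.0.2.10 key 1
ntp server 192.0.2.11
router bgp 65001
 neighbor 192.0.2.1 remote-as 65002
 neighbor 192.0.2.1 password EXAMPLESECRET
 neighbor 198.51.100.1 remote-as 65003
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

# The mapping table: requirement -> required option (the "=>" column).
REQUIRED_OPTIONS = {
    "in-band management": "SSH only on VTY lines (no telnet)",
    "time sync": "NTP server with an MD5 key plus 'ntp authenticate'",
    "routing protocol (BGP)": "TCP MD5 password on every BGP neighbor",
}


def check_config(config_text):
    """Return a list of (requirement, 'OK' | 'FAIL', detail) findings."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    findings = []

    # in-band management: every 'transport input' line must allow ssh only
    for ln in lines:
        m = re.match(r"transport input (.+)$", ln)
        if m:
            protos = m.group(1).split()
            status = "OK" if protos == ["ssh"] else "FAIL"
            findings.append(("in-band management", status, ln))

    # time sync: each ntp server needs a key, and authentication must be on
    ntp_auth = "ntp authenticate" in lines
    for ln in lines:
        m = re.match(r"ntp server (\S+)(?: key (\d+))?$", ln)
        if m:
            status = "OK" if (m.group(2) and ntp_auth) else "FAIL"
            findings.append(("time sync", status, ln))

    # BGP: each neighbor declared with remote-as must also carry a password
    peers, keyed = set(), set()
    for ln in lines:
        m = re.match(r"neighbor (\S+) (remote-as|password) ", ln)
        if m:
            (peers if m.group(2) == "remote-as" else keyed).add(m.group(1))
    for peer in sorted(peers):
        status = "OK" if peer in keyed else "FAIL"
        findings.append(("routing protocol (BGP)", status, "neighbor " + peer))

    return findings


def render_table(findings):
    """Render findings as a plain-text table; FAIL rows show the required option."""
    rows = ["%-24s %-5s %s" % ("Requirement", "State", "Config line / required option")]
    for req, status, detail in findings:
        note = detail if status == "OK" else "%s  (need: %s)" % (detail, REQUIRED_OPTIONS[req])
        rows.append("%-24s %-5s %s" % (req, status, note))
    return "\n".join(rows)


if __name__ == "__main__":
    print(render_table(check_config(SAMPLE_CONFIG)))
```

Each requirement row keeps the general statement in the table and pushes the vendor-specific check into the code, which is the split the draft's "Requirement / Justification / Example" layout suggests; adding a row for the "tunneled over XXX" case would mean checking for the tunnel endpoint rather than the wrapped protocol.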