Re: draft-jones-opsec-01.txt comments: in-band management
> I had been wondering whether it would be possible to recommend a default
> IPsec profile for in-band management traffic to make it more probable to
> have something usable and interoperable...
Sounds like a fine draft for an IPsec working group. I'd love to cite
it...
> Anyway...I thought I'd put it out there. In any event, I would agree with
> Joel though that if we skip the IPsec 'recommended' profile then it would
> be useful to be more specific in how management traffic would be secured so
> that it's practical.
Right. So give me some examples. Right now, most of the entries are
of the form:
Requirement: general, not-tech-specific, not-likely-to-change-over-time
Justification: why, what context, threat/risk info
Example: citation of existing technologies that meet the reqs.
How would you say
"secure in-band management => SSH"
"secure time sync => BGP w/MD5"
"secure routing protocols => BGP w/?"
"secure [insecure protocol] => tunneled over XXX"
???
I think 2.1.1 is going to get a *lot* smaller and could
wind up with a table (similar to the existing one) listing
mappings and required options.
Thoughts? Rough stabs at the table?
Thanks,
---George