Re: Fwd: Re: Last Call: draft-jones-opsec "Operational Security Requirements for IP Network Infrastructure"
- To: Alex Zinin <zinin@psg.com>
- Subject: Re: Fwd: Re: Last Call: draft-jones-opsec "Operational Security Requirements for IP Network Infrastructure"
- From: George Jones <gmj@pobox.com>
- Date: Wed, 17 Mar 2004 06:38:38 -0800 (PST)
- Cc: opsec@ops.ietf.org, "" <rtg-dir@ietf.org>
- In-reply-to: <41564806378.20040316123251@psg.com>
- References: <12758206266.20040122142453@psg.com> <359318435.20040122144325@psg.com> <20040123102655.C15406@nexthop.com> <20040123155830.GA13311@1-4-5.net> <20040123151216.D15406@nexthop.com> <41564806378.20040316123251@psg.com>
- Reply-to: gmj@pobox.com
On Tue, 16 Mar 2004, Alex Zinin wrote:
>
> --
> Alex
> http://www.psg.com/~zinin/
>
> This is a forwarded message
> From: Jeffrey Haas
> To: David Meyer
> Cc: Alex Zinin <zinin@psg.com>, rtg-dir@ietf.org
> Date: Friday, January 23, 2004, 12:12:16 PM
> Subject: Last Call: draft-jones-opsec "Operational Security Requirements for IP Network Infrastructure"
>
> ===8<==============Original message text===============
> On Fri, Jan 23, 2004 at 07:58:30AM -0800, David Meyer wrote:
> > >> I would suggest that it would be a Good Thing to make recommendations
> > >> that the console interface support some common data transfer protocol,
> > >> e.g. XMODEM. This seems partially addressed in the section that covers
> > >> "support software installation", however that section seems to
> > >> deal more with non-console mechanisms.
> >
> > I had thought of that, but that would seem to violate the
> > "secure channel" requirement. Or does it?
>
> Did the document require a secure channel at the console? The
> profile is obviously different. I believe one of the requirements
> (without looking again) was that we be able to use it in plain text mode.
>
> Also, the presence of encryption would take a low-bandwidth medium
> and make it even lower bandwidth in many cases and more prone to
> issues due to line noise.
See if this clears it up:
04> 2.3 Out-of-Band (OoB) Management Requirements
04>
04> See Section 2.2 for a discussion of the advantages and
04> disadvantages of In-band vs. Out-of-Band management.
04>
04> These requirements assume two different possible Out-of-Band
04> topologies:
04>
04> o Serial line (or equivalent) console connections using a CLI.
04>
04> o Network interfaces connected to a separate network dedicated to
04> management.
04>
04> In both cases the security of in-band communications beyond the management
04> interface (e.g. console port, management network interface) is
04> assumed. It is assumed, for instance, that there are physical
04> security measures in place and that there is no need for encryption
04> of communication on a serial connection between a terminal server
04> and a device's console port. It is assumed that the out-of-band
04> management network is secure. There is no requirement that
04> management traffic on a secure management network be encrypted,
04> though it would be wise, as an application of defense-in-depth, to
04> apply the in-band requirements (e.g. encryption) to out-of-band
04> interfaces.
Thanks,
---George Jones