Re: survey of isp security practices
On Nov 9, 2004, at 5:52 AM, Pekka Savola wrote:
On Tue, 9 Nov 2004, Merike Kaeo wrote:
4. Authentication / Authorization
4.1 Threat Description
4.2 Best Current Practice
4.2.1 Device Access
4.2.2 Routing
4.2.3 MAC Address
What do you mean by "Routing" here? The legitimacy of the exchanged
routing update messages?
Yes, peer authentication when exchanging routing updates
This is likely a very different approach than device access auth, so
I'm not sure how well it fits here. (Ditto with MAC address).
Classification is according to security function.....the categories can
be changed so you would have for example Device Access, Routing as top
level categories and then have filtering, authentication, etc. as
sub-categories for each.
Actually maybe the whole auth section could be part of section 3? Is
there any other significant auth except for login access? Or are you
referring to how BGP MD5 secrets or various IGP secrets are
maintained? Seems like something under Procedural considerations
instead if so..
5. Filtering
5.1 Threat Description
5.2 Best Current Practice
5.2.1 General Inbound Traffic Filters
5.2.2 General Outbound Traffic Filters
5.2.3 Device Access Filters
5.2.4 Route Filters
5.2.5 MAC Address Filters
5.2.6 DoS Mitigation Filtering
5.2.7 SinkHole / Blackhole
5.2.8 uRPF
How does 4.2 compare to 5.2.3 - 5.2.5? Maybe the titles are not
sufficient to convey what exactly you mean in section 4?
Categorization is the hardest part :) 4.2 is specific to peer
authentication.....providing with reasonable certainty validation of
correct peer..........filtering is a mechanism of access control
(whether or not you have reasonable validation of address source is
orthogonal).
- merike
--
Pekka Savola "You each name yourselves king, yet the
Netcore Oy kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings