RE: survey of isp security practices
> -----Original Message-----
> From: Merike Kaeo [mailto:kaeo@merike.com]
> Sent: Tuesday, November 09, 2004 11:04 AM
> To: Howard C. Berkowitz
> Cc: opsec@ops.ietf.org
> Subject: Re: survey of isp security practices
>
>
>
> On Nov 9, 2004, at 6:25 AM, Howard C. Berkowitz wrote:
>
> > At 6:16 AM -0800 11/9/04, David Barak wrote:
> >> --- "Howard C. Berkowitz" <hcb@gettcomm.com> wrote:
> >>
> >>> I need to think some more about exactly where it would go and what
> >>> would be in it, but my initial reaction is that there needs to be a
> >>> section on "routing". I'd move blackholes/sinkholes out of
> >>> filtering, as well as uRPF, and add the issues of routing protocol
> >>> security, sanity checks on routing (correlation with routing
> >>> registries, prefix limits, etc.), and information-gathering from such
> >>> things as flaps and generic changes-from-baseline of routing protocol
> >>> specifics.
> >>
> >> I agree with Howard that "routing" should be a major
> >> heading, but I think that it has two major categories:
> >> source validation, and information validation.
> >>
> >>
> > Good points, but there perhaps should be a third -- altering the
> > routing/forwarding tables as part of a security mechanism such as
> > blackholes, sinkhole attractors, and the effect of blackholes on uRPF.
>
> I am not yet convinced that routing should be a separate category but
> instead the security practices that are currently employed for
> authentication, filtering, logging, etc. can use a sub-category for what
> is specific to routing. However....I'm still thinking about it.....
>
I would like to see the "on-path" vs. "off-path" categorization. At the
very least, it helps qualify other categories. A category such as
Authentication/Authorization will likely have threat profiles for both.
> - merike