Re: survey of isp security practices

["Howard C. Berkowitz" <hcb@gettcomm.com>]

At 1:14 PM -0500 11/17/04, George Jones wrote:
> On Sun, 14 Nov 2004 18:54:58 -0800, Randy Presuhn
> <randy_presuhn@mindspring.com> wrote:
> >  Hi -
> >
> >  > From: "Merike Kaeo" <kaeo@merike.com>
> >  > To: <opsec@ops.ietf.org>
> >  > Sent: Tuesday, November 09, 2004 4:03 AM
> >  > Subject: survey of isp security practices
> >  ...
> >  >     4.  Authentication / Authorization
> >  >       4.1   Threat Description
> >  >       4.2   Best Current Practice
> >  >         4.2.1   Device Access
> >  >         4.2.2   Routing
> >  >         4.2.3   MAC Address
> >  ...
> >
> >  In this, or the updated structure, any discussion of authentication
> >  and authorization would be incomplete if it didn't address user,
> >  access control list, and key management.
>
> The scope here is core network device capabilities.
> I would submit that, given protocols such as RADIUS (Diameter, TACACS)
> that user mangement is largely an external issue (it happens on the
> RADIUS server, etc).   The important bit is that the device needs to
> be able to talk to the  [radius] server, be sure which server it's talking
> to, and be able to get authentication and authorization data (per 
> command...your
> "access control lists ?") from the server.
>
> ---George

Would it be fair to say, then, that while the authentication server 
itself is out of scope, denial of service on the connectivity between 
edge routers, router console functions, etc., would be within scope? 
In other words, it would be in scope to identify secure protocol 
mechanisms and protection against DoS, but as seen by the core 
network element?