
Re: Control Plane Security of ISP Network



On 6/2/05, Miao Fuyou <miaofy@huawei.com> wrote:
> 
> Hi, All:
> 
> In the Practices document (draft-ietf-opsec-current-practices-00.txt) routing
> control plane security is explicitly identified as an important aspect of
> network security. SP network is comprised of the most essential assets and
> facilities to provide service for customer. IP is liable to attack on
> control plane and the consequences of such attack usually are very serious.
> So, it is the foremost concern for ISP to protect control plane from attack
> inside or outside. In order to mitigate security risk on control plane, we
> need a lot of work to do on standardization except filtering, logging or DoS
> tracing.

If you've got ideas for practices in these areas, send them to Meike.
If you want to help with any of them, let us know which ones you're
interested in.

> Actually some security mechanisms are identified in Practices
> document for control plane, BGP MD5 for example, but I think there are still
> other important aspects to identify. For example, quite a few SP use VPN to
> separate user/customer traffic from core network, to keep the attack on SP core
> from user/customer away from control plane.
> 
> So I suggest following change, (1) to add more text to Practices document to
> reflect more security practices on protecting control plane of SP network

What do you have in mind beyond VPNs and what's already listed in the
practices doc?


> (2)
> we need another Capability document to cover control plane security of SP
> network without confliction on content with other Capability documents, such
> as filtering.

Are there capabilities needed for protection of the control plane that you don't
think would fit into the categories of capability documents already listed?

Thanks,
---George Jones