
Re: Control Plane Security of ISP Network

Feels like going back to the old days of SS7, ISDN... It is possible to separate the management network and adequately secure it. As a person who has implemented very large scale service provider networks, I understand the importance of and concern about security, but going back to yesterday may not be the ideal solution.

The plane separation you are describing is generally known as out-of-band management and generally implemented in large carrier scale networks for security reasons and to alleviate many traffic engineering issues. 

Pall Ramanathan

Learn like you will live forever and live like you will die tomorrow. - Gandhi

On Jun 6, 2005, at 5:42 AM, Miao Fuyou wrote:

Hi Merike:

In the past 1.5 years I was involved in the development of a standard for router security requirements. During the development there were a lot of discussions on the security of the control plane. Quite a few professionals from SPs raised many concerns and ideas on plane separation, which is to separate the control and/or management plane from the end user/data plane physically or logically. Actually OOB management is one such solution, with a physical/logical separation mechanism to separate management traffic from end user data, which makes it impossible for an attack on the data plane to launch an attack on management interfaces or systems. As for the control plane, while some SPs are practicing plane separation by VPN or other technology, it is much more sophisticated than the management plane. I think plane separation should be considered in the Practices draft, specifically section 2.5.7.

Route authentication, which is identified in Practices draft section 2.5.7, is an extremely important security aspect of the control plane, in spite of criticism of MD5 weaknesses and cumbersome configuration. Sometimes filtering helps control plane security, but it is not complete. So a new Capability draft is required to describe the security capability of route authentication and control plane separation. I will try to write a very initial draft before the IETF 63 meeting to give the primary idea.

I hope the same also answers the questions of Mr. George Jones in another mail.

Miao Fuyou

-----Original Message-----
Sent: Friday, June 03, 2005 1:08 PM
To: Miao Fuyou
Subject: Re: Control Plane Security of ISP Network

Hello Miao.

Yes, more text needs to be added to address current control plane practices, and in the next version of the document you will see this.

As to having another capabilities document, that depends on how much there is with filtering. Were you proposing to author such a document?

- merike

On Jun 2, 2005, at 7:49 PM, Miao Fuyou wrote:

Hi, All:

In the Practices document (draft-ietf-opsec-current-practices-00.txt) control plane security is explicitly identified as an important aspect of network security. An SP network is comprised of the most essential assets and facilities to provide service for customers. IP is liable to attack on the control plane, and the consequences of such an attack usually are very
So, it is the foremost concern for an ISP to protect the control plane from inside or outside. In order to mitigate security risk on the control plane, we need to do a lot of work on standardization besides filtering, logging or DoS tracing. Actually some security mechanisms are identified in the Practices document for the control plane, BGP MD5 for example, but I think there are other important aspects to identify. For example, quite a few SPs use VPN to separate user/customer traffic from the core network and keep attacks on the SP core from users/customers away from the control plane.

So I suggest the following changes: (1) add more text to the Practices document to reflect more security practices on protecting the control plane of SP networks; (2) we need another Capability document to cover control plane security of networks without conflicting in content with other Capability documents, such as filtering.

Miao Fuyou
Data Communication, Wireline Research
Huawei Technologies Co., Ltd.
TEL: 86-10-8288 2502

This e-mail and its attachments contain confidential information from HUAWEI, which is intended only for the person or entity whose address is listed above. Any use of the information contained herein in any way (including, but not limited to, total or partial disclosure, or dissemination) by persons other than the intended recipient(s) is prohibited. If you receive this e-mail in error, please notify the sender by phone or email immediately and delete it.
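The thread above makes two technical points: route authentication (BGP MD5, i.e. the TCP MD5 signature option of RFC 2385) is an essential control plane protection, and address filtering alone is "not complete". The following Python example, added here as an illustration and not part of the mailing list thread or of any IETF draft, shows why by modelling a router's inbound BGP path: a stateless source-address filter first, then RFC 2385 verification of a constructed BGP OPEN segment. The peer table, addresses, AS numbers and shared key are all constructed values; the `Segment` class and the `classify`/`scenario_*` helpers are assumptions of this example, not any vendor's API.

```python
"""Constructed example: RFC 2385 TCP MD5 signatures (BGP MD5) behind a
simple control-plane address filter. Every address, port, AS number and
key below is made up for the demonstration."""
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass, replace

BGP_PORT = 179
TCP_PROTO = 6
TCP_HEADER_LEN = 20
TCP_OPTIONS_LEN = 20  # the 18-byte MD5 option, NOP-padded to a 32-bit boundary
DATA_OFFSET_WORDS = (TCP_HEADER_LEN + TCP_OPTIONS_LEN) // 4

# Constructed peer table: the filter admits BGP only from these sources,
# and each configured neighbour has its own shared key for the MD5 option.
PEERS = {"192.0.2.2": b"constructed-peer-secret"}


@dataclass
class Segment:  # assumed in-memory view of one TCP segment (example only)
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int
    window: int
    payload: bytes
    signature: bytes = b""  # 16-byte digest carried in the TCP MD5 option


def build_bgp_open(my_as, hold_time, bgp_id):
    """Minimal BGP OPEN (RFC 4271 section 4.2) with no optional parameters."""
    body = struct.pack("!BHH4sB", 4, my_as, hold_time, socket.inet_aton(bgp_id), 0)
    length = 16 + 2 + 1 + len(body)  # marker + length + type + body = 29
    return b"\xff" * 16 + struct.pack("!HB", length, 1) + body


def tcp_md5_signature(seg, key):
    """RFC 2385 digest: IP pseudo-header, TCP header with the checksum zeroed
    and options excluded, then the segment data, then the shared key."""
    seg_len = TCP_HEADER_LEN + TCP_OPTIONS_LEN + len(seg.payload)
    pseudo = (socket.inet_aton(seg.src_ip) + socket.inet_aton(seg.dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    header = struct.pack("!HHIIBBHHH", seg.src_port, seg.dst_port, seg.seq, seg.ack,
                         DATA_OFFSET_WORDS << 4, seg.flags, seg.window, 0, 0)
    h = hashlib.md5()
    for part in (pseudo, header, seg.payload, key):
        h.update(part)
    return h.digest()


def sign_segment(seg, key):
    return replace(seg, signature=tcp_md5_signature(seg, key))


def verify_segment(seg, key):
    # Constant-time comparison; an absent or wrong-length option also fails.
    return hmac.compare_digest(seg.signature, tcp_md5_signature(seg, key))


def control_plane_filter(seg, peers=PEERS):
    """Stateless ACL: BGP is accepted only from configured neighbour addresses."""
    return seg.dst_port == BGP_PORT and seg.src_ip in peers


def classify(seg, peers=PEERS):
    """What the router's control plane does with one inbound BGP segment."""
    if not control_plane_filter(seg, peers):
        return "dropped-by-filter"
    if not verify_segment(seg, peers[seg.src_ip]):
        return "dropped-bad-signature"
    return "accepted"


def open_segment(src_ip, my_as):
    """Constructed OPEN from src_ip to the router 192.0.2.1 (handshake not modelled)."""
    return Segment(src_ip, "192.0.2.1", 40000, BGP_PORT, seq=1000, ack=2000,
                   flags=0x18, window=65535, payload=build_bgp_open(my_as, 90, src_ip))


def scenario_legitimate_peer():
    return classify(sign_segment(open_segment("192.0.2.2", 64500), PEERS["192.0.2.2"]))


def scenario_unknown_source():
    # Never reaches authentication: the source is not a configured peer.
    return classify(sign_segment(open_segment("198.51.100.9", 64500), b"any-key"))


def scenario_spoofed_source():
    # Passes the address filter, but the sender does not hold the shared key.
    return classify(sign_segment(open_segment("192.0.2.2", 64500), b"guessed-key"))


def scenario_modified_in_flight():
    # Signed by the real peer, then the AS number (payload bytes 20..21) is altered.
    seg = sign_segment(open_segment("192.0.2.2", 64500), PEERS["192.0.2.2"])
    forged = seg.payload[:20] + struct.pack("!H", 65001) + seg.payload[22:]
    return classify(replace(seg, payload=forged))


if __name__ == "__main__":
    for name, fn in [("legitimate peer", scenario_legitimate_peer),
                     ("unknown source", scenario_unknown_source),
                     ("spoofed source, no key", scenario_spoofed_source),
                     ("modified in flight", scenario_modified_in_flight)]:
        print(f"{name:24s} -> {fn()}")
```

The third scenario is the one Miao's point is about: a segment whose source address matches a configured neighbour clears the filter, and only the signature check rejects it. The digest also covers the TCP header and the BGP payload, which is why the fourth scenario (a payload altered after signing) is rejected as well. The same coverage is what makes the option operationally cumbersome, as the thread notes: addresses and ports are part of the input, so the key must be configured consistently on both ends of every session.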