
Re: Control Plane Security of ISP Network

Data plane and control plane separation is a large and significant topic in
GMPLS in CCAMP.  The separation there can be total - data plane is optical
switches, control plane is copper Ethernet - this terminology litters the RFC
and I-Ds and has been incidental to a lot of discussion.  And they liaise
closely with ITU-T Study Group 15.

So I think their usage will come to dominate, whatever else is in use at
present.  It's not an area I find easy to summarise and is still work in
progress but I notice that when I look in the mail archives and I-Ds, among the
interesting contributions are those of 'Brungard, Deborah A' and 'Kohei

I cannot recall seeing any mention of management plane.

Tom Petch

----- Original Message -----
From: "Barry Greene (bgreene)" <bgreene@cisco.com>
To: <jbenedict@ca.safenet-inc.com>; "Bora Akyol (bora)" <bora@cisco.com>;
<Donald.Smith@qwest.com>; <pmrn@mac.com>; <miaofy@huawei.com>
Cc: <merike@doubleshotsecurity.com>; <opsec@ops.ietf.org>; <eludom@gmail.com>
Sent: Monday, June 06, 2005 5:43 PM
Subject: RE: Control Plane Security of ISP Network

I've defined in-band as anything that is in the same RIB/FIB structure.
You are out of band if you are using a RIB/FIB structure that is
isolated from the other. So a VRF, while providing a tool for
compartmentalization, does not provide "control plane separation." Since
the VRF is using the same RIB/FIB structure you have a tie point - which
breaks separation.

So today, the only "out of band" we have in practice are the networks
which plug into the console ports. Some vendors have an option on their
equipment where the "management FE/GE" is on a separate RIB/FIB, but
since this is not everywhere, it is hard to build an OOB network which
has complete separation. ACLed and compartmentalized, yes. But not two
separate planes.

So having a clear industry definition of in-band and out-of-band would
be helpful.

> -----Original Message-----
> From: owner-opsec@psg.com [mailto:owner-opsec@psg.com] On
> Behalf Of jbenedict@ca.safenet-inc.com
> Sent: Monday, June 06, 2005 8:09 AM
> To: Bora Akyol (bora); Donald.Smith@qwest.com; pmrn@mac.com;
> miaofy@huawei.com
> Cc: merike@doubleshotsecurity.com; opsec@ops.ietf.org;
> eludom@gmail.com
> Subject: RE: Control Plane Security of ISP Network
> Does anyone have a clear definition of "in-band" vs.
> "out-of-band" in this case?
> For example, can we consider anything that contacts the same
> interface as data traffic "in-band"?
> (i.e. IPSec or SSL connection for management)
> Or can it be over the same network, just a different interface (VLAN)?
> Or does it have to be separate interface/separate network (NOC)?
> Or does it have to be completely non-ip (serial-port)?
> All of these scenarios are in use today.  In my opinion,
> in-band would probably fall somewhere around VLANs (my
> theoretical half says they're OOB, but my practical half can
> still connect the dots).
> --
> James
> -----Original Message-----
> From: Bora Akyol (bora) [mailto:bora@cisco.com]
> Sent: Monday, June 06, 2005 10:47 AM
> To: Smith, Donald; pmrn; Miao Fuyou
> Cc: Merike Kaeo; opsec@ops.ietf.org; eludom@gmail.com
> Subject: RE: Control Plane Security of ISP Network
> May want to include a requirement to the document:
> Under no circumstance will there be a separation of fate
> between the control and the data planes; that is, control
> plane thinks everything is solid, and the data plane is out
> cold, or vice versa.
> Personally, I think we can do a lot to protect the control
> traffic even when it is in-band that such a separation is unnecessary.
> Bora
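Added example, not code from anyone in this thread: a small check that applies Barry's RIB/FIB-sharing definition to a Linux box. It parses `ip -o route show table all` output, one dump per network namespace, and reports whether the management interface shares a forwarding table with data-plane interfaces (in-band), has a table of its own inside the same kernel FIB (a VRF, compartmentalized but still a tie point), or sits in a namespace with its own FIB (out-of-band). The route dumps, interface names and namespace names below are constructed for the example; the function names are assumptions of this example only.

```python
"""Check whether a management path is out-of-band in the RIB/FIB sense.

Parses constructed `ip -o route show table all` dumps, one per network
namespace, and reports whether the management interface shares a forwarding
table with data-plane interfaces (in-band), has its own table inside the same
kernel FIB (a VRF: compartmentalized, still a tie point), or lives in a
namespace with its own FIB (out-of-band).
"""
from collections import defaultdict

# Entries the kernel generates for every interface (table 'local') or that
# carry no device; they say nothing about which forwarding table is shared.
NON_UNICAST = {"local", "broadcast", "multicast", "anycast", "unreachable",
               "prohibit", "blackhole", "throw"}


def parse_routes(dump):
    """Yield (table, dev) for each unicast route line in an `ip -o route` dump."""
    for line in dump.strip().splitlines():
        toks = line.split()
        if not toks or toks[0] in NON_UNICAST:
            continue
        table, dev = "main", None   # ip(8) omits 'table main' on main-table entries
        for i, tok in enumerate(toks[:-1]):
            if tok == "table":
                table = toks[i + 1]
            elif tok == "dev":
                dev = toks[i + 1]
        if dev is not None:
            yield table, dev


def classify_management_path(dumps, mgmt_ns, mgmt_dev, ignore=("lo",)):
    """Return (verdict, detail) for mgmt_dev living in namespace mgmt_ns.

    dumps maps namespace name -> route dump text for that namespace.
    """
    tables = defaultdict(set)   # table name -> interfaces with routes in it
    for table, dev in parse_routes(dumps[mgmt_ns]):
        if dev not in ignore:
            tables[table].add(dev)
    all_devs = set().union(*tables.values())
    if mgmt_dev not in all_devs:
        raise ValueError(f"{mgmt_dev} has no routes in namespace {mgmt_ns!r}")
    data_devs = all_devs - {mgmt_dev}

    if not data_devs:
        # Only the management interface has routes here: this namespace owns a
        # separate RIB/FIB, which is the thread's definition of out-of-band.
        return "out-of-band", f"{mgmt_dev} is alone in netns {mgmt_ns!r}"

    # Any table that carries both management and data-plane routes is a tie
    # point; a route leaked into a management VRF table counts just the same.
    shared = sorted(t for t, devs in tables.items()
                    if mgmt_dev in devs and devs - {mgmt_dev})
    if shared:
        return "in-band", f"{mgmt_dev} shares table(s) {shared} with {sorted(data_devs)}"
    return "compartmentalized", (f"{mgmt_dev} has its own table(s) but the same kernel "
                                 f"FIB as {sorted(data_devs)}")


# Constructed dumps (RFC 5737 documentation prefixes), not real router output.
INBAND = """\
default via 192.0.2.1 dev eth0 proto static
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
198.51.100.0/24 dev mgmt0 proto kernel scope link src 198.51.100.5
local 198.51.100.5 dev mgmt0 table local proto kernel scope host src 198.51.100.5
"""
VRF = """\
default via 192.0.2.1 dev eth0 proto static
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
default via 198.51.100.1 dev mgmt0 table mgmt proto static
198.51.100.0/24 dev mgmt0 table mgmt proto kernel scope link src 198.51.100.5
unreachable default table mgmt metric 4278198272
"""
# Same VRF layout with one route leaked from the data plane into table mgmt.
VRF_LEAK = VRF + "203.0.113.0/24 via 192.0.2.1 dev eth0 table mgmt proto static\n"
DATA_ONLY = """\
default via 192.0.2.1 dev eth0 proto static
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
"""
OOB_NS = """\
default via 198.51.100.1 dev mgmt0 proto static
198.51.100.0/24 dev mgmt0 proto kernel scope link src 198.51.100.5
"""

if __name__ == "__main__":
    cases = [("shared main table", {"default": INBAND}, "default"),
             ("management VRF", {"default": VRF}, "default"),
             ("VRF with leaked route", {"default": VRF_LEAK}, "default"),
             ("management netns", {"default": DATA_ONLY, "oob": OOB_NS}, "oob")]
    for name, dumps, ns in cases:
        verdict, detail = classify_management_path(dumps, ns, "mgmt0")
        print(f"{name:24s} -> {verdict}: {detail}")
```

The leaked-route case is the one worth keeping in mind: a management VRF looks compartmentalized until a single static or imported route points out a data-plane interface, at which point the two sets of routes share a table and the check reports it as in-band again. Feed it the real output of `ip -o route show table all` run inside each namespace (`ip netns exec <ns> ip -o route show table all`) to audit a production host.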