[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Draft opsec working group minutes

Here are draft minutes from the OPSEC working group in Paris. Please
send corrections to Pat and me. If you commented or spoke, then please
check that we didn't mangle either your name or what you said.

Thanks, Ross

Operational Security Capabilities for IP Network Infrastructure (opsec)
August 3rd, 2005 (at Paris IETF)

Chairs:        Pat Cain
                   Ross Callon

  - Administrivia / agenda bashing
  - working group and document status (Pat)
  - Current Documents
        - Framework (Ross)
        - Survey of Service Provider Current Practices (Merike Kaeo)
        - Filtering Capabilities for IP Net Infrastructure (Chris Morrow)
  - Proposed New Document
        - A proposed new document on Best Practices (Chris Morrow)

Administrivia / Agenda Bashing

Ross and Pat agreed to take minutes (with help from Matthew Zekauskas).
(no jabber scribe)

Current document / working group status (Pat)
  - there are four classes of documents
    (take from slides)
  - four documents are currently out
        - framework
        - survey of other security efforts
        - current provider practices
        - filtering capabilities
  - The charter calls for quite a few documents. Some may be combined.
  - Some volunteers have gotten their work done. Some have not. Some
    volunteers have disappeared. We are still looking for people willing
    to work on documents. If you have volunteered in the past, expect us
    to bug you. ;-) 

Framework status (Ross Callon)

  - This is a roadmap of the working group effort.
  - update coming
  - not much different. This is primarily just a re-issue to keep the draft
    from timing out.

Current Practices document (Merike Kaeo)

  - Documents the security practices currently used in SP networks.
  - document is almost done
  - deleted filtering section, since felt that this would be redundant with the
    existing filtering capabilities draft.
  - added text for DOS mitigation but this still needs work. Added appendix
    to detail some common packet mangling attacks.

Merike intends to submit a -02 version within the next month which will include DoS mitigation section with more detail. She will also solicit input from the mailing list.


Ross; What about large enterprises? This might for example include things like firewalls and perhaps intrusion detection and/or prevention. Merike: Interested. Chris Morrow: this is a large can of worms. Merike: If it is this large a can of worms, it might be worth putting this into a different document (allowing us to finish this document). This would imply a change in the title of this document to limit it to service providers. Merike volunteered to work on the large enterprise network security practices document.

Packet Filtering Capabilities (Chris Morrow)

Chris Morrow briefly discussed the packet filtering capabilities draft.

This document is cut'n'paste of multiple inputs (including RFC3871)

Draft -01 is out. The change is mainly structure regarding data plane versus mgt/control plane.

Filter traffic through the device, but also filter snmp, bgp, telnet to the device
-Need to filter non-transit traffic
-Trying to protect the lower speed customer traffic
-Map functions back to the current practices document
  - in some cases rate limiting is useful (eg, to reduce size of problems)
  - work at line rate

The capabilities in this document should map back to the current practices document (which implies that it might be useful to have a filtering section in the current practices document).

Added some layer2 functionality
-MAC address, ATM, SONET, etc

(I think that Chris said that he would be adding more text on this based on input)

Darrel Lewis: Does the mgt plane include control plane?

A: Yes, it's really a combination, includes BGP, control, login, etc.

Ross: To me the term "control plane" normally includes both routing and management (which I believe is the intent here, and thus the term "control plane" fits).

Darrel: Maybe we should use the X.805 definitions for consistency

Next steps
- Need to map doc sections to practice document.
- Validate current structure and subsections are valid

Barbara Fraser: Is there any new functionality in the document (ie, capabilities which are not currently widely deployed)?

A (Chris). Not really. Some deployed devices do all the functions, but there are some devices that don't do all of them.

Merike: Don't forget that the profiles documents will take all the
capabilities and map them to specific environments.

Infrastructure Protection BCP (Darrel Lewis, Chris Morrow, Paul Quinn)

Chris presented an idea to produce a document which will document some recommended "best practices". This could provide an introduction for newer, smaller providers or customers.  Will be a detailed guide of the capabilities.

Susan Hares: Is the capability document mainly a procurement document

Merike: This maps well to the other documents

Darrel: This should be good just like BCP38

Ross: There may be some confusion between this proposed new document and the existing document on current practices.

Paul Quinn: This would propose a bare minimum of practices as the survey is
really a list of things that providers do.

Discussion on whether this as a BCP will map to the other documents.

Pat: Let's wait for some text before we figure out what type of document
this is. Ross: It will be easier to know whether this document is best kept on
its own (and separate from the current practices and profile documents) after
we see the text. Thus it makes sense to see a draft of this document.

Pat: It may be useful to send a message to the list with a synopsis of the proposed document.

Randy Preshin: Make sure we're compliant with rfc2026

Chris: Structure of doc:edge remarking, edge access control, core hiding,
route filtering.  Not covered: Logging evaluation, net mgt, customer security, service

End of working group