[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Comments on: draft-ietf-opsec-infrastructure-security-01

To: darlewis@cisco.com, paulq@cisco.com, pds@ntt.net
Subject: Comments on: draft-ietf-opsec-infrastructure-security-01
From: Warren Kumari <warren@kumari.net>
Date: Wed, 11 Apr 2007 17:45:06 -0400
Cc: opsec@ops.ietf.org

Hi,

Thank you for writing this -- I feel that having this publishedwould go a long way towards helping people secure theirinfrastructure -- all to often operators are not really aware of theimprotance of this, or, if they are, are not sure where to begin.


I did have some comments on the draft, here are some of my thoughts:

Abstract:
RFCs 2267 and 3704 -- can this be changed to standard quoting syntax?

--------
1.  Introduction

"take many forms, including bandwidth saturation to crafted packets"-- including -> from


"non spoofed" -> "non-spoofed"

The introduction section is a little tricky to read -- the "Thetechniques outlined" sentence in particular is a run-on.


------
2.  Overview of Infrastructure Protection Techniques

I like this overview....

2.3.  Infrastructure Hiding

"If the destination of an attack is to an infrastructure address thatis unreachable, attacks become far more difficult. "

perhaps this could be changed to:

"Attacks to infrastructure addresses that are unreachable are muchmore dofficult"

or

"It is much more difficult to attack infrastructure addresses thatare unreachable" ?


----------------
4. Edge Rewrite/Remarking

To me this seems to be a bad approach -- unless a transit network isproviding some sort of prioritization on traffic I do not feel thatit should be touching DSCP bits. Apart from certain bits that arerequired to change (TTL, checksum) I like my packets to look the samewhen they pop out as they did when I put them in. If you are onlyrewriting packets that are destined to network infrastructure thisisn't as much of a concern for me, but if you have some way toidentify those packets, you can deal with them in other ways (as youalready outline). Yes, many networks already scribble over DSCP, butunless that is do provide differentiated service I feel that it isbad form.


-------
5.2.1.  IP Fragments

This scares me somewhat -- in some cases traffic *is* fragmented (eg,Multihop BGP sessions, some SNMP, etc) for example:


show system statistics | match fra
        228832 fragments received
        0 fragments dropped (dup or out of space)
        0 fragments dropped (queue overflow)
        211 fragments dropped after timeout
        0 fragments dropped due to over limit
        158065 output datagrams fragmented
        0 fragments created
  [SNIP]
        0 fragmentation prohibited
        8823235 fragmented packets received
        0 fragments dropped
        1 fragment reassembly queue flushes
        1365293 fragmented packets sent
        0 fragments dropped


blocking fragments would cause fun troubleshooting issues.

------------------
6.  Infrastructure Hiding

Unless infrastructure hiding is implemented VERY VERY carefully itcan lead to severe unhappiness -- numbering out of RFC1918 space canbreak traceroute in fun ways (peers won't accept your ICMP messages),path MTU discovery breaks, etc. In fact, I would suggest that it ismuch harder to correctly implement infrastructure hiding than it isto correctly block traffic at the border.


6.3.  IGP Configuration

Many (most?) providers using IS-IS still number their point-to-pointlinks, primarily for monitoring / troubleshooting.


6.5.  Further obfuscation

"Should they find access to the infrastructure equipment in someway." -- fragmented sentence.Possibly it is just me, but I feel that this is very much securitythrough obscurity and is more likely to give a false sense ofsecurity than actually prevent exploits -- I also do not know ofanyone who does this (although I suspect that wouldn't advertise ifif they did), so I do not think it sounds as a Best CURRENT Practice.


--------
7: IPv6

"Because IPv6 uses a longer address space the scaling, andperformance characteristics of ACLs maybe lower for IPv6 vs IPv4." --extra comma.

I read the draft a few times before noticing (under 5.2) "Manyvendors leverage this simplified view to allow for the policy to beimplemented in hardware, protecting the device's control plane.". Ifeel that receive / loopback ACLs are one of the MOST important toolsin protecting infrastructure -- could they be given a little morerecognition?



W

--

It is impossible to sharpen a pencil with a blunt axe. It is equallyvain

to try to do it with ten blunt axes instead
    --  E.W Dijkstra, 1930-2002

Follow-Ups:
- RE: Comments on: draft-ietf-opsec-infrastructure-security-01
  - From: "Darrel Lewis \(darlewis\)" <darlewis@cisco.com>

Prev by Date: draft-ietf-opsec-infrastructure-security-01
Next by Date: RE: Comments on: draft-ietf-opsec-infrastructure-security-01
Previous by thread: draft-ietf-opsec-infrastructure-security-01
Next by thread: RE: Comments on: draft-ietf-opsec-infrastructure-security-01
Index(es):
- Date
- Thread