Operational Security Capabilities for IP Network Infrastructure (opsec)

Last Modified: 2008-09-16

Additional information is available at tools.ietf.org/wg/opsec

Chair(s):

  • Joe Abley <jabley@ca.afilias.info>

  • Joel Jaeggli <joelja@bogus.com>

    Operations and Management Area Director(s):

  • Dan Romascanu <dromasca@avaya.com>
  • Ronald Bonica <rbonica@juniper.net>

    Operations and Management Area Advisor:

  • Ronald Bonica <rbonica@juniper.net>

    Mailing Lists:

    General Discussion: opsec@ietf.org
    To Subscribe: https://www.ietf.org/mailman/listinfo/opsec
    In Body: subscribe
    Archive:
      2008 and later: http://www.ietf.org/mail-archive/web/opsec/current/maillist.html
      2007 and prior: http://ops.ietf.org/lists/opsec/

    Description of Working Group:

    Goals:

    The OPSEC WG will document best current practices with regard to network
    security. In particular an effort will be made to clarify the rationale
    supporting current operational practice, address gaps in currently
    understood best practices for forwarding, control plane, and management
    plane security and make clear the liabilities inherent in security
    practices where they exist.

    Scope:

    The scope of the OPSEC WG is intended to include the protection and
    secure operation of the forwarding, control and management planes.

    Documentation of best common practices, revision of existing operational
    security practices documents and proposals for new approaches to
    operational challenges are in scope.

    Method:

    It is expected that the work product of the working group will fall into
    the category of best current practices documents. Taxonomy or problem
    statement documents may provide a basis for best current practices
    documents.

    Best Current Practices Document

    For each topic addressed, a document will be produced that attempts to
    capture current practices related to secure operation. This will be
    primarily based on operational experience. Each entry will list:

    * threats addressed,
    * current practices for addressing the threat,
    * protocols, tools and technologies extant at the time of writing that
    are used to address the threat,
    * the possibility that a solution does not exist within existing tools
    or technologies.

    Taxonomy and Problem Statement Documents

    A document which attempts to describe the scope of a particular
    operational security challenge or problem space without necessarily
    coming to a conclusion or proposing a solution. Such a document might be
    a precursor to a best common practices document.

    While the principal inputs of the Working Group are operational
    experience and needs, the output should provide guidance both to the
    operator community and to Working Groups that develop protocols or the
    community of protocol developers at large, as well as to the
    implementers of these protocols.

    Non-Goals:

    The Operations security working group is not the place to do new
    protocols.

    New protocol work should be addressed in a working group chartered in
    the appropriate area or as individual submissions. The OPSEC WG may take
    on documents related to the practices of using such work.

    Goals and Milestones:

    Done  Complete Charter
    Done  First draft of Framework Document as Internet Draft
    Done  First draft of Standards Survey Document as Internet Draft
    Done  First draft of Packet Filtering Capabilities
    Done  First draft of Event Logging Capabilities
    Done  First draft of Network Operator Current Security Practices
    Done  First draft of In-Band management capabilities
    Done  First draft of Out-of-Band management capabilities
    Done  First draft of Configuration and Management Interface Capabilities
    Feb 2005  First draft of Authentication, Authorization, and Accounting (AAA) Capabilities
    Feb 2005  First draft of Documentation and Assurance capabilities
    Done  First draft of Miscellaneous capabilities
    Mar 2005  First draft of Deliberations Summary document
    Mar 2005  Submit Framework to IESG
    Mar 2005  Submit Standards Survey to IESG
    Done  Submit Network Operator Current Security Practices to IESG
    May 2005  First draft of ISP Operational Security Capabilities Profile
    May 2005  First draft of Enterprise Operational Security Capabilities Profile
    Jun 2005  Submit Packet Filtering capabilities to IESG
    Jun 2005  Submit Event Logging Capabilities document to IESG
    Jul 2005  Submit In-Band management capabilities to IESG
    Jul 2005  Submit Out-of-Band management capabilities to IESG
    Aug 2005  Submit Configuration and Management Interface Capabilities to IESG
    Aug 2005  Submit Authentication, Authorization and Accounting (AAA) capabilities document to IESG
    Sep 2005  Submit Documentation and Assurance capabilities to IESG
    Sep 2005  Submit Miscellaneous capabilities document to IESG
    Dec 2005  Submit ISP Operational Security Capabilities Profile to IESG
    Dec 2005  Submit Large Enterprise Operational Security Capabilities Profile to IESG
    Dec 2005  Submit OPSEC Deliberation Summary document to IESG
    Nov 2008  Submit a draft to the IESG regarding filtering of ICMP messages in the backbone
    Mar 2009  Submit a draft to the IESG regarding backbone threats and mitigations
    Mar 2009  Submit a draft to the IESG regarding BGP Session Security

    Internet-Drafts:

    Security Best Practices Efforts and Documents (59461 bytes)
    Recommendations for filtering ICMP messages (76777 bytes)
    Issues with existing Cryptographic Protection Methods for Routing Protocols (39882 bytes)
    Remote Triggered Black Hole filtering with uRPF (22132 bytes)

    Request For Comments:

    Operational Security Current Practices in Internet Service Provider Environments (RFC 4778) (88344 bytes)

    IETF Secretariat - Please send questions, comments, and/or suggestions to ietf-web@ietf.org.
