Last Modified: 2005-01-24
|Done||First draft of Framework Document as Internet Draft|
|Done||First draft of Standards Survey Document as Internet Draft|
|Oct 04||First draft of Packet Filtering Capabilities|
|Oct 04||First draft of Event Logging Capabilities|
|Nov 04||First draft of Network Operator Current Security Practices|
|Jan 05||First draft of In-Band management capabilities|
|Jan 05||First draft of Out-of-Band management capabilities|
|Jan 05||First draft of Configuration and Management Interface Capabilities|
|Feb 05||First draft of Authentication, Authorization, and Accounting (AAA) Capabilities|
|Feb 05||First draft of Documentation and Assurance capabilities|
|Feb 05||First draft of Miscellaneous capabilities|
|Mar 05||First draft of Deliberations Summary document|
|Mar 05||Submit Framework to IESG|
|Mar 05||Submit Standards Survey to IESG|
|May 05||Submit Network Operator Current Security Practices to IESG|
|May 05||First draft of ISP Operational Security Capabilities Profile|
|May 05||First draft of Enterprise Operational Security Capabilities Profile|
|Jun 05||Submit Packet Filtering capabilities to IESG|
|Jun 05||Submit Event Logging Capabilities document to IESG|
|Jul 05||Submit In-Band management capabilities to IESG|
|Jul 05||Submit Out-of-Band management capabilities to IESG|
|Aug 05||Submit Configuration and Management Interface Capabilities to IESG|
|Aug 05||Submit Authentication, Authorization and Accounting (AAA) capabilities document to IESG|
|Sep 05||Submit Documentation and Assurance capabilities to IESG|
|Sep 05||Submit Miscellaneous capabilities document to IESG|
|Dec 05||Submit ISP Operational Security Capabilities Profile to IESG|
|Dec 05||Submit Large Enterprise Operational Security Capabilities Profile to IESG|
|Dec 05||Submit OPSEC Deliberation Summary document to IESG|
MINUTES OF OPSEC WORKING GROUP
IETF 62, Minneapolis
Wednesday March 9, 2005
Minutes by Ross Callon, with help from George Jones' Jabber minutes.
Pat Cain presented the agenda:
- Administrivia and Agenda Bashing (Pat, Ross)
- Brief Working Group Status (Pat, Ross)
- Survey of Service Provider Security Practices (Merike Kaeo)
- Filtering Capabilities for IP Network Infrastructure (Chris Morrow)
- TMOC Liaison (Joe Saloway, Chris Lonvick)
Brief Working Group Status (Pat)
- The currently available documents are: Framework <draft-ietf-opsec-framework-00>, Survey of other security efforts <draft-ietf-opsec-efforts-00.txt>, Survey of Current Practices <draft-ietf-opsec-current-practices-00>, and filtering capabilities <draft-morrow-filter-caps-00>.
- Framework document: Is stable; it outlines the working group plan, scope, etc.
- Individual capability documents: We have a draft of one of these (filtering), and have some authors signed up for a few more. However, we are still looking for input and/or authors for some of the capabilities documents.
- Profile documents are a future item (it makes sense to start them when the capabilities documents are nearly complete).
Survey of Operational Service Provider Practices (Merike Kaeo)
Merike gave an overview of the Survey of Current Service Provider Security Practices where she described the organization of the document and the sections requiring more input. She mentioned that the Filtering and Denial of Service Mitigation sections will be the hardest to complete since current practices vary quite a bit between service providers.
For the next version:
- will fill in filtering and DOS mitigation sections
- intends to add an appendix which enumerates known common attacks (e.g., TCP attacks)
- be more specific about core security versus customer side security. This is in particular relevant to filtering.
At this point Merike has talked to 6 large tier 1 ISPs, as well as other smaller ISPs. She encourages people to read the document, send comments, and in particular let her know if you have additional practices to tell her about. Merike and Ross pointed out that there are ways to contribute and remain anonymous if you want to do this: You can talk to Merike off line. Alternatively, if you want to contribute to the list anonymously, you can send comments to the chairs who can remove identification of where it came from and then forward to the list.
George asked about layer 2 equipment and specifically whether layer 2 filtering practices will be included (which is not explicitly discussed in the current document but is in scope). Merike replied that this will be specifically addressed since it is important at the customer edges for certain scenarios.
Packet Filtering Capabilities Document (Chris Morrow)
Chris Morrow apologized for the roughness of the draft and the lack of slides for this presentation. The goal for the filtering capabilities document, from his perspective, is to make it clear to vendors what service providers need. He has heard vendors say "you are the only person asking for this" when he didn't believe that this was true (and other service providers have reportedly heard the same). He would rather have a document that he can reference to aid discussion with vendors. He felt that George's document was a very good start, and his document (which was largely taken from George's RFC 3871) was a first rough start at fleshing out the filtering section of George's document. Chris welcomes comments.
Chris Lonvick mentioned that TMOC has a document on packet filtering for the prevention of unwanted traffic and wanted to know whether we have looked at this.
Pat noted that the document was put out a bit quickly.
The intent is to update the draft and then put it out as a working group document. Are there any objections? (no objections)
ATIS Liaison Pre-Letter Ballot Review, TMOC Issue 56 (Chris Lonvick)
ATIS/TMOC has appointed Chris Lonvick as official liaison and is asking for feedback.
Chris sent email to the Opsec list (March 8, the day before the working group meeting) with a pointer to a Liaison statement from ATIS asking for comments on a paper "Guidelines and Requirements for Network Security Management". We can send comments back to Chris and Joe. The pointer is also on the IETF liaison page.
One person (Richard Graveman) said "it needs a lot of work, many of the references are out of date". Chris agreed that the references are out of date.
Points of interest: Section 4 contains the best summary of what the document is about, and how it correlates to security in ISP networks. The document addresses Security Management Operational Support Systems. Its relationship with other documents is described. In section 5, the document goes through four major areas that need to be addressed with respect to security, and defines some security points. It does not reference how this document relates back to an old ITU M3016 recommendation describing threats, requirements, and services, but it does use the requirements and services of 3016. Section 5 also discusses some security requirements. Chris asks: Are these issues clear, and do they address the correct set of security requirements? Does it make it clear who should be paying attention to these security requirements? Section 6 discusses additional requirements. Please comment on whether these are clear and address real security requirements. Please send comments to Joe and Chris. Please also respond on whether this document should become an ANSI standard. The process that the document is currently being progressed through will end with an ANSI document. Also, if you feel that the document should continue to be progressed, please also comment on improvements that would be appropriate. Are there any questions on this? (No questions.)
Pat: We have completed our originally scheduled agenda. Are there other issues that people want to address? No.
Pat: Please comment. Please volunteer to be an author. Thanks.
The meeting was adjourned.