Last Modified: 2005-06-02
| Target | Milestone |
|---|---|
| Done | First draft of Framework Document as Internet Draft |
| Done | First draft of Standards Survey Document as Internet Draft |
| Done | First draft of Packet Filtering Capabilities |
| Oct 04 | First draft of Event Logging Capabilities |
| Done | First draft of Network Operator Current Security Practices |
| Jan 05 | First draft of In-Band management capabilities |
| Jan 05 | First draft of Out-of-Band management capabilities |
| Jan 05 | First draft of Configuration and Management Interface Capabilities |
| Feb 05 | First draft of Authentication, Authorization, and Accounting (AAA) Capabilities |
| Feb 05 | First draft of Documentation and Assurance capabilities |
| Feb 05 | First draft of Miscellaneous capabilities |
| Mar 05 | First draft of Deliberations Summary document |
| Mar 05 | Submit Framework to IESG |
| Mar 05 | Submit Standards Survey to IESG |
| May 05 | Submit Network Operator Current Security Practices to IESG |
| May 05 | First draft of ISP Operational Security Capabilities Profile |
| May 05 | First draft of Enterprise Operational Security Capabilities Profile |
| Jun 05 | Submit Packet Filtering capabilities to IESG |
| Jun 05 | Submit Event Logging Capabilities document to IESG |
| Jul 05 | Submit In-Band management capabilities to IESG |
| Jul 05 | Submit Out-of-Band management capabilities to IESG |
| Aug 05 | Submit Configuration and Management Interface Capabilities to IESG |
| Aug 05 | Submit Authentication, Authorization and Accounting (AAA) capabilities document to IESG |
| Sep 05 | Submit Documentation and Assurance capabilities to IESG |
| Sep 05 | Submit Miscellaneous capabilities document to IESG |
| Dec 05 | Submit ISP Operational Security Capabilities Profile to IESG |
| Dec 05 | Submit Large Enterprise Operational Security Capabilities Profile to IESG |
| Dec 05 | Submit OPSEC Deliberation Summary document to IESG |
Operational Security Capabilities for IP Network Infrastructure (opsec)
August 3rd, 2005 (at Paris IETF)
Chairs: Pat Cain
Administrivia / Agenda Bashing
Ross and Pat agreed to take minutes (with help from Matthew Zekauskas). (no jabber scribe)
Current document / working group status (Pat)
Framework status (Ross Callon)
- This is a roadmap of the working group effort.
- update coming
- not much different. This is primarily just a re-issue to keep the draft from timing out.
Current Practices document (Merike Kaeo)
- Documents the security practices currently used in SP networks.
- document is almost done
- Deleted the filtering section, since it was felt that this would be redundant with the existing filtering capabilities draft.
- Added text for DoS mitigation, but this still needs work. Added an appendix to detail some common packet mangling attacks.
Merike intends to submit a -02 version within the next month, which will include a DoS mitigation section with more detail. She will also solicit input from the mailing list.
Ross: What about large enterprises? This might, for example, include things like firewalls and perhaps intrusion detection and/or prevention.
Merike: Interested.
Chris Morrow: This is a large can of worms.
Merike: If it is this large a can of worms, it might be worth putting this into a different document (allowing us to finish this document). This would imply a change in the title of this document to limit it to service providers.
Merike volunteered to work on the large enterprise network security practices document.
Packet Filtering Capabilities (Chris Morrow)
Chris Morrow briefly discussed the packet filtering capabilities draft.
This document is a cut'n'paste of multiple inputs (including RFC 3871).
Draft -01 is out. The change is mainly structural, regarding data plane versus mgt/control plane.
Filter traffic through the device, but also filter SNMP, BGP, telnet to the device:
- Need to filter non-transit traffic
- Trying to protect the lower speed customer traffic
- Map functions back to the current practices document
- In some cases rate limiting is useful (e.g., to reduce size of problems)
- Work at line rate
The capabilities in this document should map back to the current practices document (which implies that it might be useful to have a filtering section in the current practices document).
Added some layer 2 functionality:
- MAC address, ATM, SONET, etc.
(I think that Chris said that he would be adding more text on this based on input)
Darrel Lewis: Does the mgt plane include control plane?
A: Yes, it's really a combination, includes BGP, control, login, etc.
Ross: To me the term "control plane" normally includes both routing and management (which I believe is the intent here, and thus the term "control plane" fits).
Darrel: Maybe we should use the X.805 definitions for consistency.
- Need to map doc sections to the practice document.
- Validate that the current structure and subsections are valid.
Barbara Fraser: Is there any new functionality in the document (i.e., capabilities which are not currently widely deployed)?
A (Chris): Not really. Some deployed devices do all the functions, but there are some devices that don't do all of them.
Merike: Don't forget that the profiles documents will take all the capabilities and map them to specific environments.
Infrastructure Protection BCP (Darrel Lewis, Chris Morrow, Paul Quinn)
Chris presented an idea to produce a document which will document some recommended "best practices". This could provide an introduction for newer, smaller providers or customers. Will be a detailed guide of the capabilities.
Susan Hares: Is the capability document mainly a procurement document?
Merike: This maps well to the other documents.
Darrel: This should be good just like BCP38.
Ross: There may be some confusion between this proposed new document and the existing document on current practices.
Paul Quinn: This would propose a bare minimum of practices as the survey is really a list of things that providers do.
Discussion on whether this as a BCP will map to the other documents.
Pat: Let's wait for some text before we figure out what type of document this is. Ross: It will be easier to know whether this document is best kept on its own (and separate from the current practices and profile documents) after we see the text. Thus it makes sense to see a draft of this document.
Pat: It may be useful to send a message to the list with a synopsis of the proposed document.
Randy Preshin: Make sure we're compliant with RFC 2026.
Chris: Structure of doc: edge remarking, edge access control, core hiding, route filtering. Not covered: logging evaluation, net mgt, customer security, service protection.
End of working group