2.4.9 Operational Security Capabilities for IP Network Infrastructure (opsec)

NOTE: This charter is a snapshot of the 65th IETF Meeting in Dallas, TX USA. It may now be out-of-date.

Last Modified: 2005-11-11


Ross Callon <rcallon@juniper.net>
Patrick Cain <pcain@coopercain.com>

Operations and Management Area Director(s):

Bert Wijnen <bwijnen@lucent.com>
David Kessens <david.kessens@nokia.com>

Operations and Management Area Advisor:

David Kessens <david.kessens@nokia.com>

Technical Advisor(s):

George Jones <gmj@pobox.com>

Mailing Lists:

General Discussion: opsec@ops.ietf.org
To Subscribe: opsec-request@ops.ietf.org
In Body: In Body: subscribe
Archive: http://ops.ietf.org/lists/opsec/

Description of Working Group:


The goal of the Operational Security Working Group is to codify
knowledge gained through operational experience about feature sets
that are needed to securely deploy and operate managed network
elements providing transit services at the data link and IP

It is anticipated that the codification of this knowledge will be
an aid to vendors in producing more securable network elements,
and an aid to operators in increasing security by deploying and
configuring more secure network elements.


The working group will list capabilities appropriate for
devices use in:

* Internet Service Provider (ISP) Networks
* Enterprise Networks

The following areas are excluded from the charter at this time:

* Wireless devices
* Small-Office-Home-Office (SOHO) devices
* Security devices (firewalls, Intrusion Detection Systems,
Authentication Servers)
* Hosts


Framework Document

A framework document will be produced describing the scope,
format, intended use and documents to be produced.

Current Practices Document

A single document will be produced that attempts to capture
current practices related to secure operation. This will be
primarily based on operational experience. Each entry will

* threats addressed,

* current practices for addressing the threat,

* protocols, tools and technologies extant at the time of writing
that are used to address the threat.

Individual Capability Documents

A series of documents will be produced covering various groupings
of security management capabilities needed to operate network elements
in a secure fashion. The capabilities will be described in terms that
allow implementations to change over time and will attempt to avoid
requiring any particular implementation.

The capabilities documents will cite the Current Practices document
where possible for justification.

Profile Documents

Profiles documents will be produced, which cite the capabilities
relevant to different operating environments.

Operator Outreach

Much of the operational security knowledge that needs to be
codified resides with operators. In order to access their
knowledge and reach the working group goal, informal BoFs will be
held at relevant operator fora.

RFC3871 will be used as a jumping off point.

Goals and Milestones:

Done  Complete Charter
Done  First draft of Framework Document as Internet Draft
Done  First draft of Standards Survey Document as Internet Draft
Done  First draft of Packet Filtering Capabilities
Oct 2004  First draft of Event Logging Capabilities
Done  First draft of Network Operator Current Security Practices
Done  First draft of In-Band management capabilities
Done  First draft of Out-of-Band management capabilities
Jan 2005  First draft of Configuration and Management Interface Capabilities
Feb 2005  First draft of Authentication, Authorization, and Accounting (AAA) Capabilities
Feb 2005  First draft of Documentation and Assurance capabilities
Done  First draft of Miscellaneous capabilities
Mar 2005  First draft of Deliberations Summary document
Mar 2005  Submit Framework to IESG
Mar 2005  Submit Standards Survey to IESG
May 2005  Submit Network Operator Current Security Practices to IESG
May 2005  First draft of ISP Operational Security Capabilities Profile
May 2005  First draft of Enterprise Operational Security Capabilities Profile
Jun 2005  Submit Packet Filtering capabilities to IESG
Jun 2005  Submit Event Logging Capabilities document to IESG
Jul 2005  Submit In-Band management capabilities to IESG
Jul 2005  Submit Out-of-Band management capabilities to IESG
Aug 2005  Submit Configuration and Management Interface Capabilities to IESG
Aug 2005  Submit Authentication, Authorization and Accounting (AAA) capabilities document to IESG
Sep 2005  Submit Documentation and Assurance capabilities to IESG
Sep 2005  Submit Miscellaneous capabilities document to IESG
Dec 2005  Submit ISP Operational Security Capabilities Profile to IESG
Dec 2005  Submit Large Enterprise Operational Security Capabilities Profile to IESG
Dec 2005  Submit OPSEC Deliberation Summary document to IESG


  • draft-ietf-opsec-framework-02.txt
  • draft-ietf-opsec-efforts-02.txt
  • draft-ietf-opsec-current-practices-02.txt
  • draft-ietf-opsec-filter-caps-00.txt
  • draft-ietf-opsec-misc-cap-00.txt
  • draft-ietf-opsec-nmasc-00.txt

    No Request For Comments

    Meeting Minutes


    Status & Housekeeping & Discussion