2.4.11 Operational Security Capabilities for IP Network Infrastructure (opsec)

NOTE: This charter is a snapshot of the 77th IETF Meeting in Anaheim, California USA. It may now be out-of-date.

Last Modified: 2009-04-20


Joel Jaeggli <joelja@bogus.com>
Joe Abley <jabley@ca.afilias.info>

Operations and Management Area Director(s):

Dan Romascanu <dromasca@avaya.com>
Ronald Bonica <rbonica@juniper.net>

Operations and Management Area Advisor:

Ronald Bonica <rbonica@juniper.net>

Mailing Lists:

General Discussion: opsec@ietf.org
To Subscribe: https://www.ietf.org/mailman/listinfo/opsec
In Body: In Body: subscribe
Archive: http://www.ietf.org/mail-archive/web/opsec/current/maillist.html

Description of Working Group:


The OPSEC WG will document best current practices with regard to network
security. In particular an effort will be made to clarify the rationale
supporting current operational practice, address gaps in currently
understood best practices for forwarding, control plane, and management
plane security and make clear the liabilities inherent in security
practices where they exist.


The scope of the OPSEC WG is intended to include the protection and
secure operation of the forwarding, control and management planes.

Documentation of best common practices, revision of existing operational
security practices documents and proposals for new approaches to
operational challenges are in scope.


It is expected that the work product of the working group will fall into
the category of best current practices documents. Taxonomy or problem
statement documents may provide a basis for best current practices

Best Current Practices Document

For each topic addressed, a document will be produced that attempts to
capture current practices related to secure operation. This will be
primarily based on operational experience. Each entry will list:

* threats addressed,
* current practices for addressing the threat,
* protocols, tools and technologies extant at the time of writing that
are used to address the threat,
* the possibility that a solution does not exist within existing tools
or technologies.

Taxonomy and Problem Statement Documents

A document which attempts to describe the scope of particular
operational security challenge or problem space without necessarily
coming to a conclusion or proposing a solution. Such a document might be
a precursor to a best common practices document.

While the principal input of the Working Group are operational
experience and needs, the output should be directed both to provide
guidance to the operators community as well as to Working Groups that
develop protocols or the community of protocol developers at large, as
well as to the implementers of these protocols.


The Operations security working group is not the place to do new

New protocol work should be addressed in a working group chartered in
the appropriate area or as individual submissions. The OPSEC WG may take
on documents related to the practices of using such work.

Goals and Milestones:

Done  Complete Charter
Done  First draft of Framework Document as Internet Draft
Done  First draft of Standards Survey Document as Internet Draft
Done  First draft of Packet Filtering Capabilities
Done  First draft of Event Logging Capabilities
Done  First draft of Network Operator Current Security Practices
Done  First draft of In-Band management capabilities
Done  First draft of Out-of-Band management capabilities
Done  First draft of Configuration and Management Interface Capabilities
Feb 2005  First draft of Authentication, Authorization, and Accounting (AAA) Capabilities
Feb 2005  First draft of Documentation and Assurance capabilities
Done  First draft of Miscellaneous capabilities
Mar 2005  First draft of Deliberations Summary document
Mar 2005  Submit Framework to IESG
Mar 2005  Submit Standards Survey to IESG
Done  Submit Network Operator Current Security Practices to IESG
May 2005  First draft of ISP Operational Security Capabilities Profile
May 2005  First draft of Enterprise Operational Security Capabilities Profile
Jun 2005  Submit Packet Filtering capabilities to IESG
Jun 2005  Submit Event Logging Capabilities document to IESG
Jul 2005  Submit In-Band management capabilities to IESG
Jul 2005  Submit Out-of-Band management capabilities to IESG
Aug 2005  Submit Configuration and Management Interface Capabilities to IESG
Aug 2005  Submit Authentication, Authorization and Accounting (AAA) capabilities document to IESG
Sep 2005  Submit Documentation and Assurance capabilities to IESG
Sep 2005  Submit Miscellaneous capabilities document to IESG
Dec 2005  Submit ISP Operational Security Capabilities Profile to IESG
Dec 2005  Submit Large Enterprise Operational Security Capabilities Profile to IESG
Dec 2005  Submit OPSEC Deliberation Summary document to IESG
Nov 2008  Submit a draft to the IESG regarding filtering of ICMP messages in the backbone
Mar 2009  Submit a draft to the IESG regarding backbone threats and mitigations
Mar 2009  Submit a draft to the IESG regarding BGP Session Security


  • draft-ietf-opsec-efforts-12.txt
  • draft-ietf-opsec-routing-protocols-crypto-issues-05.txt
  • draft-ietf-opsec-ip-security-03.txt
  • draft-ietf-opsec-igp-crypto-requirements-00.txt

    Request For Comments:

    RFC4778 I Operational Security Current Practices in Internet Service Provider Environments
    RFC5635 I Remote Triggered Black Hole Filtering with Unicast Reverse Path Forwarding (uRPF)

    Meeting Minutes


    OPSEC ietf77 WG chairs presentation
    Protecting The Router Control Plane