OPSEC Working Group                                          G. Jones
Internet-Draft                                  The MITRE Corporation
Intended status: Informational                        August 28, 2006
Expires: March 1, 2007


              Guide to Writing Security Capability Profiles
                    draft-jones-opsec-profile-guide-00

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.
   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on March 1, 2007.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This document provides guidelines for creating security capability
   profiles.  A profile is a list of features that are required to
   operate a device in a secure manner in a specific environment.

   It is anticipated that what is required in a profile will vary over
   time, across different classes of devices (e.g. a network edge
   device may need to filter customer traffic whereas core network
   devices may not), and in different organizations.  This document does
   not define a profile or specify requirements, but rather gives
   guidance for their creation.

Table of Contents

   1.  Introduction
   2.  Security Considerations
   3.  Non-Normative References
   Appendix A.  Acknowledgments
   Appendix B.  Sample Profile
     B.1.  Required Capabilities for Edge Routers
       B.1.1.  Packet Filtering Profile
       B.1.2.  Logging
     B.2.  Recommended Capabilities
       B.2.1.  Packet Filtering Profile
   Author's Address
   Intellectual Property and Copyright Statements

1.  Introduction

   [RFC3871] defined a list of operational security requirements for the
   infrastructure of large IP networks (composed of routers and
   switches) with a goal to provide network operators a clear, concise
   way of communicating their security requirements to equipment
   vendors.  Additionally, [I-D.ietf-opsec-current-practices] documented
   current network operator practices in protecting their networks.

   The IETF OPSEC working group refined the items identified in those
   two documents to produce a series of documents describing security
   capabilities needed to support those practices.

   These documents include

   o  traffic filtering [I-D.ietf-opsec-filter-caps],

   o  route filtering [I-D.zhao-opsec-routing-capabilities],

   o  logging [I-D.cain-logging-caps],

   o  miscellaneous capabilities [I-D.ietf-opsec-misc-cap],

   o  and operational security [I-D.lewis-infrastructure-security].

   One of the intended uses of these capability documents is the
   creation of profiles.  Profiles are lists of capabilities that apply
   to certain classes of equipment (network edge, network core,
   enterprise network, etc.).  A profile may also be used as a list of
   requirements for equipment selection and in defining operational
   policies and procedures.

   The determination of which capabilities are requirements is a local
   decision driven by policy and operational need.  In addition, the
   needed capabilities are likely to change over time as operational
   requirements and security threats change.

   It is likely that there are or will be other sources of capabilities
   that could be cited in developing a profile.  For example,
   [draft-security-efforts] could be used to identify industry-specific
   standards or regulations that a specific network would need to
   support.

2.  Security Considerations

   Security is the entire focus of this document.
   This document describes an activity to define a set of device
   capabilities to operate a network securely.  Since there is no
   universal definition of "securely", it is possible that novice
   profile crafters will inadvertently omit an operationally useful
   capability in their profile.  Profile writers are encouraged to share
   their output with the broader Internet community to learn from
   others' experiences.

   The use of other IETF RFCs that define secure operation, such as
   [I-D.lewis-infrastructure-security] and [RFC2827], by profile authors
   is heavily encouraged so as to not miss critical or useful
   capabilities.

3.  Non-Normative References

   [I-D.cain-logging-caps]
              Cain, P., "Logging Capabilities for IP Network
              Infrastructure", draft-cain-logging-caps-00 (work in
              progress), July 2006.

   [I-D.ietf-opsec-current-practices]
              Kaeo, M., "Operational Security Current Practices",
              draft-ietf-opsec-current-practices-06 (work in progress),
              July 2006.

   [I-D.ietf-opsec-filter-caps]
              Jones, G. and C. Morrow, "Filtering and Rate Limiting
              Capabilities for IP Network Infrastructure",
              draft-ietf-opsec-filter-caps-02 (work in progress),
              July 2006.

   [I-D.ietf-opsec-misc-cap]
              Callon, R. and G. Jones, "Miscellaneous Capabilities for
              IP Network Infrastructure", draft-ietf-opsec-misc-cap-00
              (work in progress), February 2006.

   [I-D.lewis-infrastructure-security]
              Lewis, D., "Service Provider Infrastructure Security",
              draft-lewis-infrastructure-security-00 (work in progress),
              June 2006.

   [I-D.zhao-opsec-routing-capabilities]
              Ye, Z., "Routing Control Plane Security Capabilities",
              draft-zhao-opsec-routing-capabilities-01 (work in
              progress), May 2006.

   [RFC2827]  Ferguson, P. and D. Senie, "Network Ingress Filtering:
              Defeating Denial of Service Attacks which employ IP Source
              Address Spoofing", BCP 38, RFC 2827, May 2000.
   [RFC3871]  Jones, G., "Operational Security Requirements for Large
              Internet Service Provider (ISP) IP Network
              Infrastructure", RFC 3871, September 2004.

Appendix A.  Acknowledgments

   The author gratefully acknowledges the contributions of:

   o  Pat Cain, who agitated for creation of this document and provided
      feedback on the pre-00 draft.

   o  The MITRE Corporation for supporting development of this document.
      NOTE: The author's affiliation with The MITRE Corporation is
      provided for identification purposes only, and is not intended to
      convey or imply MITRE's concurrence with, or support for, the
      positions, opinions or viewpoints expressed by the author.

Appendix B.  Sample Profile

   This section gives a sample of a profile:

B.1.  Required Capabilities for Edge Routers

   o  Name: Edge Router Profile

   o  Description: This profile defines the capabilities necessary for a
      network edge device

   o  Context: Large NSP/ISP network providing transit services.

   The following are requirements (MUST) for edge routers:

B.1.1.  Packet Filtering Profile

   o  Select by Protocol, [I-D.ietf-opsec-filter-caps] Section 3.5

   o  Select by Addresses, [I-D.ietf-opsec-filter-caps] Section 3.6

   o  Select by Protocol Header Fields, [I-D.ietf-opsec-filter-caps]
      Section 3.7

B.1.2.  Logging

   o  Logs Sent To Remote Servers, [I-D.cain-logging-caps] Section 2.2

   o  Ability to Select Reliable Delivery, [I-D.cain-logging-caps]
      Section 2.3

   o  Ability to Remotely Log Securely, [I-D.cain-logging-caps]
      Section 2.4

   o  Ability to Log Locally, [I-D.cain-logging-caps] Section 2.5

B.2.  Recommended Capabilities

   The following are desired capabilities (SHOULD) for edge routers:

B.2.1.  Packet Filtering Profile

   o  Minimal Performance Degradation, [I-D.ietf-opsec-filter-caps]
      Section 6

Author's Address

   George M. Jones
   The MITRE Corporation
   7515 Colshire Drive, M/S WEST
   McLean, Virginia 22102-7508
   U.S.A.

   Phone: +1 703 488 9740
   Email: gmjones@mitre.org

Full Copyright Statement

   Copyright (C) The Internet Society (2006).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.
   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Acknowledgment

   Funding for the RFC Editor function is provided by the IETF
   Administrative Support Activity (IASA).
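The draft says a profile can serve as a list of requirements for equipment selection, and Appendix B shows one written as bullets of the form "o <Capability>, [<reference>] Section <n>" under MUST and SHOULD headings. The following is an added example (not part of the draft or of the OPSEC working group's work) that turns the Appendix B "Edge Router Profile" into machine-checkable data: it parses entries in the draft's own bullet layout, tags each with its requirement level, and reports which MUST and SHOULD capabilities a vendor's declared feature list leaves unmet. The profile text is copied from Appendix B; the two device declarations are constructed sample data for hypothetical devices, and the `(reference, section)` matching convention is an assumption of this example.

```python
"""Machine-checkable form of the Appendix B "Edge Router Profile".

Added example, not part of the draft. Profile entries are parsed from the
draft's own "o <Capability>, [<reference>] Section <n>" bullet style and
tagged with the requirement level (MUST or SHOULD) of the section they
appear under. Device declarations are constructed sample data.
"""
import re
from dataclasses import dataclass

# One bullet: "o <name>, [<reference>] Section <section>"
ENTRY_RE = re.compile(
    r"^o\s+(?P<name>.+?),\s*\[(?P<ref>[^\]]+)\]\s*Section\s+(?P<section>[\d.]+)$"
)


@dataclass(frozen=True)
class Requirement:
    name: str      # capability as named in the profile
    ref: str       # capability document cited, e.g. I-D.ietf-opsec-filter-caps
    section: str   # section of that document that defines the capability
    level: str     # "MUST" or "SHOULD", from the enclosing profile section

    @property
    def key(self):
        """What a vendor declaration must match (assumed convention)."""
        return (self.ref, self.section)


def parse_entries(text, level):
    """Parse bullets in the draft's layout. A line that does not start a new
    bullet continues the previous one, as when 'Section 3.7' wraps."""
    bullets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("o "):
            bullets.append(line)
        elif bullets:
            bullets[-1] += " " + line
        else:
            raise ValueError(f"text before first bullet: {line!r}")
    reqs = []
    for b in bullets:
        m = ENTRY_RE.match(b)
        if not m:
            raise ValueError(f"unparseable profile entry: {b!r}")
        reqs.append(Requirement(m["name"], m["ref"], m["section"], level))
    return reqs


# Profile text copied from Appendix B, including its line wrapping.
EDGE_ROUTER_MUST = """
o Select by Protocol, [I-D.ietf-opsec-filter-caps] Section 3.5
o Select by Addresses, [I-D.ietf-opsec-filter-caps] Section 3.6
o Select by Protocol Header Fields, [I-D.ietf-opsec-filter-caps]
  Section 3.7
o Logs Sent To Remote Servers, [I-D.cain-logging-caps] Section 2.2
o Ability to Select Reliable Delivery, [I-D.cain-logging-caps]
  Section 2.3
o Ability to Remotely Log Securely, [I-D.cain-logging-caps] Section
  2.4
o Ability to Log Locally, [I-D.cain-logging-caps] Section 2.5
"""
EDGE_ROUTER_SHOULD = """
o Minimal Performance Degradation, [I-D.ietf-opsec-filter-caps]
  Section 6
"""


@dataclass
class Profile:
    name: str
    description: str
    context: str
    requirements: list


EDGE_ROUTER_PROFILE = Profile(
    name="Edge Router Profile",
    description="This profile defines the capabilities necessary for a network edge device",
    context="Large NSP/ISP network providing transit services.",
    requirements=parse_entries(EDGE_ROUTER_MUST, "MUST")
    + parse_entries(EDGE_ROUTER_SHOULD, "SHOULD"),
)


def evaluate(profile, declared):
    """declared: set of (ref, section) pairs the vendor claims to implement.
    A device is compliant when every MUST is met; unmet SHOULDs are listed
    separately so selection can weigh them."""
    missing = {"MUST": [], "SHOULD": []}
    for r in profile.requirements:
        if r.key not in declared:
            missing[r.level].append(r.name)
    return {"compliant": not missing["MUST"],
            "missing_must": missing["MUST"],
            "missing_should": missing["SHOULD"]}


# Constructed vendor declarations for two hypothetical devices.
DEVICE_A = {("I-D.ietf-opsec-filter-caps", s) for s in ("3.5", "3.6", "3.7", "6")} | {
    ("I-D.cain-logging-caps", s) for s in ("2.2", "2.3", "2.4", "2.5")}
# Filters and logs remotely, but cannot log securely or locally.
DEVICE_B = {("I-D.ietf-opsec-filter-caps", s) for s in ("3.5", "3.6", "3.7")} | {
    ("I-D.cain-logging-caps", s) for s in ("2.2", "2.3")}

if __name__ == "__main__":
    for label, dev in (("Device A", DEVICE_A), ("Device B", DEVICE_B)):
        print(label, evaluate(EDGE_ROUTER_PROFILE, dev))
```

Keying each requirement on the cited document and section, rather than on the capability's prose name, keeps the profile tied to the capability documents the draft builds on, so a vendor can answer against the same reference list the operator used to write the profile.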