draft-ietf-opsec-routing-capabilities-02.txt		draft-ietf-opsec-routing-capabilities-03.txt
	OPSEC Working Group Y. Zhao		OPSEC Working Group Y. Zhao
	Internet-Draft F. Miao		Internet-Draft F. Miao
	Intended status: Best Current Huawei Technologies		Intended status: Best Current Huawei Technologies
	Practice R. Callon		Practice R. Callon
	Expires: October 7, 2007 Juniper Networks		Expires: December 17, 2007 Juniper Networks
	April 5, 2007		June 15, 2007
	Routing Control Plane Security Capabilities		Routing Control Plane Security Capabilities
	draft-ietf-opsec-routing-capabilities-02.txt		draft-ietf-opsec-routing-capabilities-03.txt
	Status of this Memo		Status of this Memo
	By submitting this Internet-Draft, each author represents that any		By submitting this Internet-Draft, each author represents that any
	applicable patent or other IPR claims of which he or she is aware		applicable patent or other IPR claims of which he or she is aware
	have been or will be disclosed, and any of which he or she becomes		have been or will be disclosed, and any of which he or she becomes
	aware will be disclosed, in accordance with Section 6 of BCP 79.		aware will be disclosed, in accordance with Section 6 of BCP 79.
	Internet-Drafts are working documents of the Internet Engineering		Internet-Drafts are working documents of the Internet Engineering
	Task Force (IETF), its areas, and its working groups. Note that		Task Force (IETF), its areas, and its working groups. Note that
	skipping to change at page 1, line 36		skipping to change at page 1, line 36
	and may be updated, replaced, or obsoleted by other documents at any		and may be updated, replaced, or obsoleted by other documents at any
	time. It is inappropriate to use Internet-Drafts as reference		time. It is inappropriate to use Internet-Drafts as reference
	material or to cite them other than as "work in progress."		material or to cite them other than as "work in progress."
	The list of current Internet-Drafts can be accessed at		The list of current Internet-Drafts can be accessed at
	http://www.ietf.org/ietf/1id-abstracts.txt.		http://www.ietf.org/ietf/1id-abstracts.txt.
	The list of Internet-Draft Shadow Directories can be accessed at		The list of Internet-Draft Shadow Directories can be accessed at
	http://www.ietf.org/shadow.html.		http://www.ietf.org/shadow.html.
	This Internet-Draft will expire on October 7, 2007.		This Internet-Draft will expire on December 17, 2007.
	Copyright Notice		Copyright Notice
	Copyright (C) The IETF Trust (2007).		Copyright (C) The IETF Trust (2007).
	Abstract		Abstract
	The document lists the security capabilities needed for the routing		The document lists the security capabilities needed for the routing
	control plane of an IP infrastructure to support the practices		control plane of an IP infrastructure to support the practices
	defined in Operational Security Current Practices. In particular		defined in Operational Security Current Practices. In particular
	skipping to change at page 2, line 13		skipping to change at page 2, line 13
	control functions.		control functions.
	Table of Contents		Table of Contents
	1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3		1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
	1.1. Threat model . . . . . . . . . . . . . . . . . . . . . . . 3		1.1. Threat model . . . . . . . . . . . . . . . . . . . . . . . 3
	1.2. Format and Definition of Capabilities . . . . . . . . . . 3		1.2. Format and Definition of Capabilities . . . . . . . . . . 3
	1.3. Packet Filtering versus Route Filtering . . . . . . . . . 3		1.3. Packet Filtering versus Route Filtering . . . . . . . . . 3
	2. Route Filtering Capabilities . . . . . . . . . . . . . . . . . 4		2. Route Filtering Capabilities . . . . . . . . . . . . . . . . . 4
	2.1. General Route Filtering Capabilities . . . . . . . . . . . 4		2.1. General Route Filtering Capabilities . . . . . . . . . . . 4
	2.1.1. Ability to Filter Inbound or Outbound Routes . . . . . 4		2.1.1. Ability to Filter Inbound or Outbound Routes . . . . . 5
	2.1.2. Ability to Filter Routes by Prefix . . . . . . . . . . 5		2.1.2. Ability to Filter Routes by Prefix . . . . . . . . . . 6
	2.2. Route Filtering of Exterior Gateway Protocol . . . . . . . 6		2.2. Route Filtering of Exterior Gateway Protocol . . . . . . . 6
	2.2.1. Ability to Filter Routes by Route Attributes . . . . . 6		2.2.1. Ability to Filter Routes by Route Attributes . . . . . 6
	2.2.2. Ability to Filter Routing Update by TTL . . . . . . . 7		2.2.2. Ability to Filter Routing Update by TTL . . . . . . . 7
	2.2.3. Ability to Limit the Number of Routes from a Peer . . 8		2.2.3. Ability to Limit the Number of Routes from a Peer . . 8
	2.2.4. Ability to Limit the Length of Prefixes . . . . . . . 9		2.2.4. Ability to Limit the Length of Prefixes . . . . . . . 9
	2.2.5. Ability to Cooperate in Outbound Route Filtering . . . 9		2.2.5. Ability to Cooperate in Outbound Route Filtering . . . 9
	2.3. Route Filtering of Interior Gateway Protocols . . . . . . 10		2.3. Route Filtering of Interior Gateway Protocols . . . . . . 10
	2.3.1. Route Filtering Within an IGP Area . . . . . . . . . . 10		2.3.1. Route Filtering Within an IGP Area . . . . . . . . . . 10
	2.3.2. Route Filtering Between IGP Areas . . . . . . . . . . 10		2.3.2. Route Filtering Between IGP Areas . . . . . . . . . . 10
	2.4. Route Filtering during Redistribution . . . . . . . . . . 11		2.4. Route Filtering during Redistribution . . . . . . . . . . 11
	3. Route Authentication Capabilities . . . . . . . . . . . . . . 11		3. Route Authentication Capabilities . . . . . . . . . . . . . . 11
	3.1. Ability to configure an authentication mechanism . . . . . 11		3.1. Ability to configure an authentication mechanism . . . . . 11
	3.2. Ability to support authentication key chains . . . . . . . 12		3.2. Ability to support authentication key chains . . . . . . . 12
	4. Ability to Damp Route Flap . . . . . . . . . . . . . . . . . . 12		4. Ability to Damp Route Flap . . . . . . . . . . . . . . . . . . 13
	5. Resource Availability for Router Control Functions . . . . . . 13		5. Resource Availability for Router Control Functions . . . . . . 13
	5.1. Ensure Resources for Management Functions . . . . . . . . 13		5.1. Ensure Resources for Management Functions . . . . . . . . 13
	5.2. Ensure Resources for Routing Functions . . . . . . . . . . 14		5.2. Ensure Resources for Routing Functions . . . . . . . . . . 14
	5.3. Limit Resources used by IP Multicast . . . . . . . . . . . 15		5.3. Limit Resources used by IP Multicast . . . . . . . . . . . 16
	6. Security Considerations . . . . . . . . . . . . . . . . . . . 16		6. Security Considerations . . . . . . . . . . . . . . . . . . . 16
	7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16		7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17
	8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 16		8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 17
	9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 17		9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 17
	9.1. Normative References . . . . . . . . . . . . . . . . . . . 17		9.1. Normative References . . . . . . . . . . . . . . . . . . . 17
	9.2. Informative References . . . . . . . . . . . . . . . . . . 17		9.2. Informative References . . . . . . . . . . . . . . . . . . 17
	Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 18		Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 18
	Intellectual Property and Copyright Statements . . . . . . . . . . 20		Intellectual Property and Copyright Statements . . . . . . . . . . 20
	1. Introduction		1. Introduction
	This document is defined in the context of [I-D.ietf-opsec-framework]		This document is defined in the context of Operational Security
	and [RFC4778].		Current Practices in Internet Service Provider Environments,
			[RFC4778].
	This document lists the security capabilities needed for the routing		This document lists the security capabilities needed for the routing
	control plane of IP infrastructure to support the practices defined		control plane of IP infrastructure to support the practices defined
	in [I-D.ietf-opsec-framework]. In particular this includes		in [RFC4778]. In particular this includes capabilities for route
	capabilities for route filtering and for authentication of routing		filtering and for authentication of routing protocol packets.
	protocol packets.
	Note that this document lists capabilities that can reasonably be		Note that this document lists capabilities that can reasonably be
	expected to be currently deployed in the context of existing		expected to be currently deployed in the context of existing
	standards. Extensions to existing protocol standards and development		standards. Extensions to existing protocol standards and development
	of new protocol standards are outside of the scope of this effort.		of new protocol standards are outside of the scope of this effort.
	The preferred capabilities needed for securing the routing		The preferred capabilities needed for securing the routing
	infrastructure may evolve over time.		infrastructure may evolve over time.
	There will be other capabilities which are needed to fully secure a		There will be other capabilities which are needed to fully secure a
	router infrastructure. [RFC4778] defines the goals, motivation,		router infrastructure. [RFC4778] defines the goals, motivation,
	scope, definitions, intended audience, threat model, potential		scope, definitions, intended audience, threat model, potential
	attacks and give justifications for each of the practices.		attacks and give justifications for each of the practices.
	1.1. Threat model		1.1. Threat model
	The capabilities listed in this document are intended to aid in		The capabilities listed in this document are intended to aid in
	preventing or mitigating the threats outlined in		preventing or mitigating the threats outlined in [RFC4778].
	[I-D.ietf-opsec-framework].
	1.2. Format and Definition of Capabilities		1.2. Format and Definition of Capabilities
	Each individual capability will be defined using the four elements,		Each individual capability will be defined using the four elements,
	"Capability", "Supported Practices", "Current Implementations", and		"Capability", "Supported Practices", "Current Implementations", and
	"Considerations", as explained in section 1.7 of		"Considerations". The Capability section describes a feature to be
	[I-D.ietf-opsec-framework].		supported by the device. The Supported Practice section cites
			practices described in [RFC4778] that are supported by this
			capability. The Current Implementation section is intended to give
			examples of implementations of the capability, citing technology and
			standards current at the time of writing. It is expected that the
			choice of features to implement the capabilities will change over
			time. The Considerations section lists operational and resource
			constraints, limitations of current implementations, and trade-offs.
	1.3. Packet Filtering versus Route Filtering		1.3. Packet Filtering versus Route Filtering
	It is useful to make a distinction between Packet Filtering versus		It is useful to make a distinction between Packet Filtering versus
	Route Filtering.		Route Filtering.
	The term "packet filter" is used to refer to the filter that a router		The term "packet filter" is used to refer to the filter that a router
	applies to network layer packets passing through or destined to it.		applies to network layer packets passing through or destined to it.
	In general packet filters are based on contents of the network (IP)		In general packet filters are based on contents of the network (IP)
	and transport (TCP, UDP) layers, and are mostly stateless, in the		and transport (TCP, UDP) layers, and are mostly stateless, in the
	skipping to change at page 17, line 46		skipping to change at page 18, line 12
	[RFC2196] Fraser, B., "Site Security Handbook", RFC 2196,		[RFC2196] Fraser, B., "Site Security Handbook", RFC 2196,
	September 1997.		September 1997.
	[RFC3682] Gill, V., Heasley, J., and D. Meyer, "The Generalized TTL		[RFC3682] Gill, V., Heasley, J., and D. Meyer, "The Generalized TTL
	Security Mechanism (GTSM)", RFC 3682, February 2004.		Security Mechanism (GTSM)", RFC 3682, February 2004.
	[RFC4778] Kaeo, M., "Operational Security Current Practices in		[RFC4778] Kaeo, M., "Operational Security Current Practices in
	Internet Service Provider Environments", RFC 4778,		Internet Service Provider Environments", RFC 4778,
	January 2007.		January 2007.
	[I-D.ietf-opsec-framework]
	Jones, G., "Framework for Operational Security
	Capabilities for IP Network Infrastructure",
	draft-ietf-opsec-framework-05 (work in progress),
	April 2007.
	[I-D.ietf-opsec-filter-caps]		[I-D.ietf-opsec-filter-caps]
	Morrow, C., "Filtering and Rate Limiting Capabilities for		Morrow, C., "Filtering and Rate Limiting Capabilities for
	IP Network Infrastructure",		IP Network Infrastructure",
	draft-ietf-opsec-filter-caps-06 (work in progress),		draft-ietf-opsec-filter-caps-08 (work in progress),
	April 2007.		June 2007.
	[I-D.ietf-idr-route-filter]		[I-D.ietf-idr-route-filter]
	Chen, E. and Y. Rekhter, "Outbound Route Filtering		Chen, E. and Y. Rekhter, "Outbound Route Filtering
	Capability for BGP-4", draft-ietf-idr-route-filter-16		Capability for BGP-4", draft-ietf-idr-route-filter-16
	(work in progress), September 2006.		(work in progress), September 2006.
	[IANA] IANA, "INTERNET PROTOCOL V4 ADDRESS SPACE",		[IANA] IANA, "INTERNET PROTOCOL V4 ADDRESS SPACE",
	http://www.iana.org/assignments/ipv4-address-space , 2007.		http://www.iana.org/assignments/ipv4-address-space , 2007.
	[MAO] Mao, Z., Govindan, R., Varghese, G., and R. Katz, "Route		[MAO] Mao, Z., Govindan, R., Varghese, G., and R. Katz, "Route
End of changes. 13 change blocks.
	27 lines changed or deleted		27 lines changed or added
This html diff was produced by rfcdiff 1.33. The latest version is available from http://tools.ietf.org/tools/rfcdiff/