--- 1/draft-ietf-opsec-routing-capabilities-02.txt 2007-06-16 01:12:05.000000000 +0200 +++ 2/draft-ietf-opsec-routing-capabilities-03.txt 2007-06-16 01:12:05.000000000 +0200 @@ -1,20 +1,20 @@ OPSEC Working Group Y. Zhao Internet-Draft F. Miao Intended status: Best Current Huawei Technologies Practice R. Callon -Expires: October 7, 2007 Juniper Networks - April 5, 2007 +Expires: December 17, 2007 Juniper Networks + June 15, 2007 Routing Control Plane Security Capabilities - draft-ietf-opsec-routing-capabilities-02.txt + draft-ietf-opsec-routing-capabilities-03.txt Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that @@ -25,21 +25,21 @@ and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. - This Internet-Draft will expire on October 7, 2007. + This Internet-Draft will expire on December 17, 2007. Copyright Notice Copyright (C) The IETF Trust (2007). Abstract The document lists the security capabilities needed for the routing control plane of an IP infrastructure to support the practices defined in Operational Security Current Practices. In particular 
@@ -48,84 +48,90 @@ control functions. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Threat model . . . . . . . . . . . . . . . . . . . . . . . 3 1.2. Format and Definition of Capabilities . . . . . . . . . . 3 1.3. Packet Filtering versus Route Filtering . . . . . . . . . 3 2. Route Filtering Capabilities . . . . . . . . . . . . . . . . . 4 2.1. General Route Filtering Capabilities . . . . . . . . . . . 4 - 2.1.1. Ability to Filter Inbound or Outbound Routes . . . . . 4 - 2.1.2. Ability to Filter Routes by Prefix . . . . . . . . . . 5 + 2.1.1. Ability to Filter Inbound or Outbound Routes . . . . . 5 + 2.1.2. Ability to Filter Routes by Prefix . . . . . . . . . . 6 2.2. Route Filtering of Exterior Gateway Protocol . . . . . . . 6 2.2.1. Ability to Filter Routes by Route Attributes . . . . . 6 2.2.2. Ability to Filter Routing Update by TTL . . . . . . . 7 2.2.3. Ability to Limit the Number of Routes from a Peer . . 8 2.2.4. Ability to Limit the Length of Prefixes . . . . . . . 9 2.2.5. Ability to Cooperate in Outbound Route Filtering . . . 9 2.3. Route Filtering of Interior Gateway Protocols . . . . . . 10 2.3.1. Route Filtering Within an IGP Area . . . . . . . . . . 10 2.3.2. Route Filtering Between IGP Areas . . . . . . . . . . 10 2.4. Route Filtering during Redistribution . . . . . . . . . . 11 3. Route Authentication Capabilities . . . . . . . . . . . . . . 11 3.1. Ability to configure an authentication mechanism . . . . . 11 3.2. Ability to support authentication key chains . . . . . . . 12 - 4. Ability to Damp Route Flap . . . . . . . . . . . . . . . . . . 12 + 4. Ability to Damp Route Flap . . . . . . . . . . . . . . . . . . 13 5. Resource Availability for Router Control Functions . . . . . . 13 5.1. Ensure Resources for Management Functions . . . . . . . . 13 5.2. Ensure Resources for Routing Functions . . . . . . . . . . 14 - 5.3. Limit Resources used by IP Multicast . . . . . . . . . . . 15 + 5.3. 
Limit Resources used by IP Multicast . . . . . . . . . . . 16 6. Security Considerations . . . . . . . . . . . . . . . . . . . 16 - 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 - 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 16 + 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 + 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 17 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 17 9.1. Normative References . . . . . . . . . . . . . . . . . . . 17 9.2. Informative References . . . . . . . . . . . . . . . . . . 17 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 18 Intellectual Property and Copyright Statements . . . . . . . . . . 20 1. Introduction - This document is defined in the context of [I-D.ietf-opsec-framework] - and [RFC4778]. + This document is defined in the context of Operational Security + Current Practices in Internet Service Provider Environments, + [RFC4778]. This document lists the security capabilities needed for the routing control plane of IP infrastructure to support the practices defined - in [I-D.ietf-opsec-framework]. In particular this includes - capabilities for route filtering and for authentication of routing - protocol packets. + in [RFC4778]. In particular this includes capabilities for route + filtering and for authentication of routing protocol packets. Note that this document lists capabilities that can reasonably be expected to be currently deployed in the context of existing standards. Extensions to existing protocol standards and development of new protocol standards are outside of the scope of this effort. The preferred capabilities needed for securing the routing infrastructure may evolve over time. There will be other capabilities which are needed to fully secure a router infrastructure. 
[RFC4778] defines the goals, motivation, scope, definitions, intended audience, threat model, potential attacks and give justifications for each of the practices. 1.1. Threat model The capabilities listed in this document are intended to aid in - preventing or mitigating the threats outlined in - [I-D.ietf-opsec-framework]. + preventing or mitigating the threats outlined in [RFC4778]. 1.2. Format and Definition of Capabilities Each individual capability will be defined using the four elements, "Capability", "Supported Practices", "Current Implementations", and - "Considerations", as explained in section 1.7 of - [I-D.ietf-opsec-framework]. + "Considerations". The Capability section describes a feature to be + supported by the device. The Supported Practice section cites + practices described in [RFC4778] that are supported by this + capability. The Current Implementation section is intended to give + examples of implementations of the capability, citing technology and + standards current at the time of writing. It is expected that the + choice of features to implement the capabilities will change over + time. The Considerations section lists operational and resource + constraints, limitations of current implementations, and trade-offs. 1.3. Packet Filtering versus Route Filtering It is useful to make a distinction between Packet Filtering versus Route Filtering. The term "packet filter" is used to refer to the filter that a router applies to network layer packets passing through or destined to it. In general packet filters are based on contents of the network (IP) and transport (TCP, UDP) layers, and are mostly stateless, in the 
@@ -780,31 +786,25 @@ [RFC2196] Fraser, B., "Site Security Handbook", RFC 2196, September 1997. [RFC3682] Gill, V., Heasley, J., and D. Meyer, "The Generalized TTL Security Mechanism (GTSM)", RFC 3682, February 2004. [RFC4778] Kaeo, M., "Operational Security Current Practices in Internet Service Provider Environments", RFC 4778, January 2007. - [I-D.ietf-opsec-framework] - Jones, G., "Framework for Operational Security - Capabilities for IP Network Infrastructure", - draft-ietf-opsec-framework-05 (work in progress), - April 2007. - [I-D.ietf-opsec-filter-caps] Morrow, C., "Filtering and Rate Limiting Capabilities for IP Network Infrastructure", - draft-ietf-opsec-filter-caps-06 (work in progress), - April 2007. + draft-ietf-opsec-filter-caps-08 (work in progress), + June 2007. [I-D.ietf-idr-route-filter] Chen, E. and Y. Rekhter, "Outbound Route Filtering Capability for BGP-4", draft-ietf-idr-route-filter-16 (work in progress), September 2006. [IANA] IANA, "INTERNET PROTOCOL V4 ADDRESS SPACE", http://www.iana.org/assignments/ipv4-address-space , 2007. [MAO] Mao, Z., Govindan, R., Varghese, G., and R. Katz, "Route
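Review bot: In the `@@ -48,84 +48,90 @@` hunk, the new text of Section 1.2 names the four elements as "Capability", "Supported Practices", "Current Implementations" and "Considerations" but then refers to "The Supported Practice section" and "The Current Implementation section" in the singular; use one form consistently so the element names can be matched against the headings used in each capability. In the same hunk, the new opening sentence of Section 1 gives the RFC 4778 title inline without quotation marks ("...in the context of Operational Security Current Practices in Internet Service Provider Environments, [RFC4778]."), whereas the Abstract and the reference entry quote it; either quote the title or simply cite [RFC4778] as the following paragraph already does.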
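Review bot: In the `@@ -780,31 +786,25 @@` hunk the [I-D.ietf-opsec-framework] entry is removed from the Informative References, but the diff only shows its citations being replaced in Sections 1, 1.1 and 1.2; any citation of that anchor remaining in the unshown sections (2 through 6) would now be dangling, so the full -03 text should be searched for "opsec-framework" before this revision is submitted. Also in this hunk, [I-D.ietf-opsec-filter-caps] is advanced to draft -08 (June 2007) while [I-D.ietf-idr-route-filter] still cites draft -16 from September 2006; confirm that is still the current revision of that draft, since the other in-progress reference was refreshed.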