draft-ietf-opsec-filter-caps-05.txt  vs.  draft-ietf-opsec-filter-caps-06.txt
(rfcdiff output; lines common to both versions are shown once, lines that
differ are shown as a "-05:" / "-06:" pair)

None.                                          C. Morrow
Internet-Draft                                 UUNET Technologies
Intended status: Informational                 G. Jones
  -05: Expires: September 2, 2007
  -06: Expires: September 22, 2007
                                               V. Manral
                                               IP Infusion
  -05: March 1, 2007
  -06: March 21, 2007

Filtering and Rate Limiting Capabilities for IP Network Infrastructure
  -05: draft-ietf-opsec-filter-caps-05
  -06: draft-ietf-opsec-filter-caps-06

Status of this Memo

By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that

[skipping to change at page 1, line 37]

and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

  -05: This Internet-Draft will expire on September 2, 2007.
  -06: This Internet-Draft will expire on September 22, 2007.

Copyright Notice

Copyright (C) The IETF Trust (2007).

Abstract

[RFC4778] lists operator practices related to securing networks.
This document lists filtering and rate limiting capabilities needed
to support those practices. Capabilities are limited to filtering

[skipping to change at page 3, line 38]

   5.3. Filter Hits are Counted . . . . . . . . . . . . . . . . . 18
   5.4. Filter Counters are Accurate . . . . . . . . . . . . . . . 19
   6. Minimal Performance Degradation . . . . . . . . . . . . . . . 20
   7. Additional Operational Practices . . . . . . . . . . . . . . . 22
   7.1. Profile Current Traffic . . . . . . . . . . . . . . . . . 22
   7.2. Block Malicious Packets . . . . . . . . . . . . . . . . . 22
   7.3. Limit Sources of Management . . . . . . . . . . . . . . . 22
   7.4. Respond to Incidents Based on Accurate Data . . . . . . . 22
   7.5. Implement Filters Where Necessary . . . . . . . . . . . . 23
   8. Security Considerations . . . . . . . . . . . . . . . . . . . 24
  -05:
   9. Non-normative References . . . . . . . . . . . . . . . . . . . 25
   Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 26
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 27
   Intellectual Property and Copyright Statements . . . . . . . . . . 28
  -06:
   9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 25
   10. Non-normative References . . . . . . . . . . . . . . . . . . . 26
   Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 27
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 28
   Intellectual Property and Copyright Statements . . . . . . . . . . 29

1. Introduction

This document is defined in the context of [RFC4778]. [RFC4778]
defines the goals, motivation, scope, definitions, intended audience,
threat model, potential attacks and give justifications for each of
the practices. Many of the capabilities listed here refine or add to
capabilities listed in [RFC3871].

Also see [I-D.lewis-infrastructure-security] for a useful description

[skipping to change at page 7, line 22]

Capability.

The device provides a means to filter IP packets on any interface
implementing IP.

Supported Practices.

* Security Practices for Device Management ([RFC4778], Section 2.2.2)
  -05: * Security Practices for Data Path
         ([I-D.ietf-opsec-current-practices], Section 2.3.2)
  -06: * Security Practices for Data Path ([RFC4778], Section 2.3.2)
  -05: * Security Practices for Software Upgrades and Configuration
         Integrity/Validation ([I-D.ietf-opsec-current-practices],
         Section 2.5.2)
  -06: * Security Practices for Software Upgrades and Configuration
         Integrity/Validation ([RFC4778], Section 2.5.2)
* Data Plane Filtering ([RFC4778], Section 2.7.1)
* Management Plane Filtering ([RFC4778], Section 2.7.2)
* Profile Current Traffic (Section 7.1)
* Block Malicious Packets (Section 7.2)

Current Implementations.

[skipping to change at page 25, line 5]

policies.

8. Security Considerations

General

Security is the subject matter of this entire memo. The
capabilities listed cite practices in [RFC4778] that they are
intended to support. [RFC4778] defines the threat model,
practices and lists justifications for each practice.

  -05: 9. Non-normative References
  -06: 9. IANA Considerations

       This document has no actions for IANA.

       10. Non-normative References

[I-D.lewis-infrastructure-security]
Lewis, D., "Service Provider Infrastructure Security",
draft-lewis-infrastructure-security-00 (work in progress),
June 2006.

[I-D.savola-rtgwg-backbone-attacks]
Savola, P., "Backbone Infrastructure Attacks and
Protections", draft-savola-rtgwg-backbone-attacks-03 (work
in progress), January 2007.

End of changes: 8 change blocks; 13 lines changed or deleted, 16 lines changed or added.

This html diff was produced by rfcdiff 1.33. The latest version is available from http://tools.ietf.org/tools/rfcdiff/