draft-ietf-opsec-framework-01.txt   draft-ietf-opsec-framework-02.txt 
OPSEC Working Group G. Jones OPSEC Working Group G. Jones
Internet-Draft The MITRE Corporation Internet-Draft The MITRE Corporation
Expires: April 20, 2006 R. Callon Expires: September 2, 2006 R. Callon
Juniper Networks Juniper Networks
M. Kaeo M. Kaeo
Double Shot Security Double Shot Security
October 17, 2005 March 1, 2006
Framework for Operational Security Capabilities for IP Network Framework for Operational Security Capabilities for IP Network
Infrastructure Infrastructure
draft-ietf-opsec-framework-01 draft-ietf-opsec-framework-02
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 38 skipping to change at page 1, line 38
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on April 20, 2006. This Internet-Draft will expire on September 2, 2006.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2005). Copyright (C) The Internet Society (2006).
Abstract Abstract
This document outlines work to be done and documents to be produced This document outlines work to be done and documents to be produced
by the Operational Security Capabilities (OPSEC) Working Group. The by the Operational Security Capabilities (OPSEC) Working Group. The
goal of the working group is to codify knowledge gained through goal of the working group is to codify knowledge gained through
operational experience about feature sets that are needed to securely operational experience about feature sets that are needed to securely
deploy and operate managed network elements providing transit deploy and operate managed network elements providing transit
services at the data link and IP layers. The intent is to provide services at the data link and IP layers. The intent is to provide
clear, concise documentation of capabilities necessary for operating clear, concise documentation of capabilities necessary for operating
skipping to change at page 3, line 27 skipping to change at page 2, line 36
1.4.2. Eavesdropping/Sniffing . . . . . . . . . . . . . . . . 6 1.4.2. Eavesdropping/Sniffing . . . . . . . . . . . . . . . . 6
1.4.3. Off-line Cryptographic Attacks . . . . . . . . . . . . 7 1.4.3. Off-line Cryptographic Attacks . . . . . . . . . . . . 7
1.4.4. Active Attacks . . . . . . . . . . . . . . . . . . . . 7 1.4.4. Active Attacks . . . . . . . . . . . . . . . . . . . . 7
1.4.5. Replay Attacks . . . . . . . . . . . . . . . . . . . . 7 1.4.5. Replay Attacks . . . . . . . . . . . . . . . . . . . . 7
1.4.6. Message Insertion . . . . . . . . . . . . . . . . . . 7 1.4.6. Message Insertion . . . . . . . . . . . . . . . . . . 7
1.4.7. Message Modification . . . . . . . . . . . . . . . . . 8 1.4.7. Message Modification . . . . . . . . . . . . . . . . . 8
1.4.8. Message Deletion . . . . . . . . . . . . . . . . . . . 8 1.4.8. Message Deletion . . . . . . . . . . . . . . . . . . . 8
1.4.9. Man-In-The-Middle . . . . . . . . . . . . . . . . . . 8 1.4.9. Man-In-The-Middle . . . . . . . . . . . . . . . . . . 8
1.4.10. Invalid Message . . . . . . . . . . . . . . . . . . . 8 1.4.10. Invalid Message . . . . . . . . . . . . . . . . . . . 8
1.5. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . 9 1.5. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . 9
1.6. Intended Audience . . . . . . . . . . . . . . . . . . . . 9 1.6. Intended Audience . . . . . . . . . . . . . . . . . . . . 10
1.7. Format and Definition of Capabilities . . . . . . . . . . 10 1.7. Format and Definition of Capabilities . . . . . . . . . . 10
1.8. Applicability . . . . . . . . . . . . . . . . . . . . . . 11 1.8. Applicability . . . . . . . . . . . . . . . . . . . . . . 11
1.9. Intended Use . . . . . . . . . . . . . . . . . . . . . . . 11 1.9. Intended Use . . . . . . . . . . . . . . . . . . . . . . . 11
1.10. Definitions . . . . . . . . . . . . . . . . . . . . . . . 11 1.10. Definitions . . . . . . . . . . . . . . . . . . . . . . . 11
2. Documents . . . . . . . . . . . . . . . . . . . . . . . . . . 17 2. Documents . . . . . . . . . . . . . . . . . . . . . . . . . . 17
2.1. Framework Document . . . . . . . . . . . . . . . . . . . . 17 2.1. Framework Document . . . . . . . . . . . . . . . . . . . . 17
2.2. Operator Practices Survey . . . . . . . . . . . . . . . . 17 2.2. Operator Practices Survey . . . . . . . . . . . . . . . . 17
2.3. Standards Survey . . . . . . . . . . . . . . . . . . . . . 17 2.3. Standards Survey . . . . . . . . . . . . . . . . . . . . . 17
2.4. Capabilities Documents . . . . . . . . . . . . . . . . . . 17 2.4. Capabilities Documents . . . . . . . . . . . . . . . . . . 17
2.5. Profile Documents . . . . . . . . . . . . . . . . . . . . 18 2.5. Profile Documents . . . . . . . . . . . . . . . . . . . . 18
2.6. Deliberations Document . . . . . . . . . . . . . . . . . . 18
3. Security Considerations . . . . . . . . . . . . . . . . . . . 19 3. Security Considerations . . . . . . . . . . . . . . . . . . . 19
4. Normative References . . . . . . . . . . . . . . . . . . . . . 19 4. Normative References . . . . . . . . . . . . . . . . . . . . . 19
Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 20 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 20
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 21 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 21
Intellectual Property and Copyright Statements . . . . . . . . . . 22 Intellectual Property and Copyright Statements . . . . . . . . . . 22
1. Introduction 1. Introduction
1.1. Goals 1.1. Goals
skipping to change at page 8, line 16 skipping to change at page 8, line 16
vulnerabilities in protocol software. Routers and switches implement vulnerabilities in protocol software. Routers and switches implement
protocols which in some cases make use of software which is well protocols which in some cases make use of software which is well
known and widely deployed. Malicious attackers therefore may be known and widely deployed. Malicious attackers therefore may be
familiar with the protocol software and be able to exploit known familiar with the protocol software and be able to exploit known
vulnerabilities. vulnerabilities.
1.4.7. Message Modification 1.4.7. Message Modification
In a message modification attack, the attacker removes a message from In a message modification attack, the attacker removes a message from
the wire, modifies it, and then resends it. The contents of the the wire, modifies it, and then resends it. The contents of the
message may be modified and/or the intended recipient. [need example message may be modified and/or the intended recipient. For example,
specific to network operations where this would be harmful] a hacker might try to modify a DNS response, in order to redirect a
client to the wrong server. [need example specific to network
operations where this would be harmful]
1.4.8. Message Deletion 1.4.8. Message Deletion
In a message deletion attack, the attacker simply removes a message In a message deletion attack, the attacker simply removes a message
from the wire. [need example specific to network operations where from the wire. [need example specific to network operations where
this is harmful] this is harmful]
1.4.9. Man-In-The-Middle 1.4.9. Man-In-The-Middle
A Man-In-The-Middle attack combines the above techniques in a special A Man-In-The-Middle attack combines the above techniques in a special
skipping to change at page 8, line 41 skipping to change at page 8, line 43
attacks the identity of the communicating parties, rather than the attacks the identity of the communicating parties, rather than the
data stream itself. Consequently, many techniques which provide data stream itself. Consequently, many techniques which provide
integrity of the communications stream are insufficient to protect integrity of the communications stream are insufficient to protect
against man-in-the-middle attacks. against man-in-the-middle attacks.
Man-in-the-middle attacks are possible whenever peer entity Man-in-the-middle attacks are possible whenever peer entity
authentication is not used. For example, it is trivial to mount man- authentication is not used. For example, it is trivial to mount man-
in-the-middle attacks on local networks via ARP spoofing where the in-the-middle attacks on local networks via ARP spoofing where the
attacker forges an ARP with the victim's IP address and his own MAC attacker forges an ARP with the victim's IP address and his own MAC
address to gain access to a network. The attacker can then do address to gain access to a network. The attacker can then do
further damage by sending forged messages. Imagine if the victim^Os further damage by sending forged messages. Imagine if the victims IP
IP address was that of a TFTP server. The attacker could potentially address was that of a TFTP server. The attacker could potentially
download invalid system images or configuration files to a network download invalid system images or configuration files to a network
device and subsequently compromise that network device. device and subsequently compromise that network device.
1.4.10. Invalid Message 1.4.10. Invalid Message
An invalid message attack refers to situations which can be either An invalid message attack refers to situations which can be either
deliberately invoked or are due to some non-malicious software or deliberately invoked or are due to some non-malicious software or
configuration error. This attack can be realized if vendors do not configuration error. This attack can be realized if vendors do not
conform to standards and send inappropriate control packets which can conform to standards and send inappropriate control packets which can
cause routing loops or neighboring routers to go down. Also, a cause routing loops or neighboring routers to go down. Also, a
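Review bot: the editorial placeholder "[need example specific to network operations where this would be harmful]" in 1.4.7 is still present in -02 even though the DNS example was inserted in front of it; either drop the bracketed text or replace the DNS example with an operations-specific one (the TFTP image/configuration case already described in 1.4.9 would fit). The same placeholder remains unresolved in 1.4.8. In 1.4.9, -02 changes the garbled "victim^Os IP address" to "victims IP address", which drops the possessive; it should read "victim's IP address".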
skipping to change at page 10, line 21 skipping to change at page 10, line 26
Capability (what) Capability (what)
The capability describes a policy to be supported by the device. The capability describes a policy to be supported by the device.
Capabilities should not refer to specific technologies. It is Capabilities should not refer to specific technologies. It is
expected that desired capability will change little over time. expected that desired capability will change little over time.
Supported Practices (why) Supported Practices (why)
The Supported Practice section cites practices described in CITE- The Supported Practice section cites practices described in
OPERATOR-SURVEY-RFC that are supported by this capability. The [I-D.ietf-opsec-current-practices] that are supported by this
need to support the cited practices provides the justification for capability. The need to support the cited practices provides the
the feature. justification for the feature.
In a few cases, practices not listed in CITE-OPERATOR-SURVEY-RFC In a few cases, practices not listed in [I-D.ietf-opsec-current-
may be listed at the end of the capability document and cited as practices] may be listed at the end of the capability document and
justification for a capability. This may be necessary if a cited as justification for a capability. This may be necessary if
practice becomes common after CITE-OPERATOR-SURVEY-RFC is finished a practice becomes common after [I-D.ietf-opsec-current-practices]
or if there is widespread consensus that the practice would is finished or if there is widespread consensus that the practice
improve security but it is not, for whatever reason, in widespread would improve security but it is not, for whatever reason, in
deployment. widespread deployment.
Current Implementations (how) Current Implementations (how)
The Current Implementation section is intended to give examples of The Current Implementation section is intended to give examples of
implementations of the capability, citing technology and standards implementations of the capability, citing technology and standards
current at the time of writing. Examples of configuration and current at the time of writing. Examples of configuration and
usage may also be given. usage may also be given.
Considerations Considerations
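Review bot: replacing CITE-OPERATOR-SURVEY-RFC with [I-D.ietf-opsec-current-practices] is the right fix, but the second paragraph of "Supported Practices (why)" now says "after [I-D.ietf-opsec-current-practices] is finished", which will read oddly once that reference is renumbered to an RFC; consider "after the operator practices survey is published" so the sentence does not need another edit when the reference changes.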
skipping to change at page 17, line 23 skipping to change at page 17, line 23
2.1. Framework Document 2.1. Framework Document
Overview Overview
This document. This document.
2.2. Operator Practices Survey 2.2. Operator Practices Survey
Overview Overview
This document is intended to provide a survey of current operator This document provides a survey of current operator practices in
practices in the area of securing networks. It lists current the area of securing networks. It lists current practices that
practices that will be cited as justification for capabilities. will be cited as justification for capabilities. It defines a
It defines a general threat model and classes of attacks. general threat model and classes of attacks.
2.3. Standards Survey 2.3. Standards Survey
Overview Overview
This document provides an overview of other efforts in developing This document provides an overview of other efforts in developing
standards, guidelines, best practices, or other information standards, guidelines, best practices, or other information
intended to facilitate improvement in network security. Any intended to facilitate improvement in network security. Any
effort which is known, such as the ANSI T1.276, the NRIC V "Best effort which is known, such as the ANSI T1.276, the NRIC V "Best
Practices", ITU-T M.3016 and X.805, the T1S1 effort on securing Practices", ITU-T M.3016 and X.805, the T1S1 effort on securing
signalling will be included. The intent is to provide a clear signaling will be included. The intent is to provide a clear
understanding of which efforts are complementary and/or understanding of which efforts are complementary and/or
contradictory such that any efforts of future cross-certification contradictory such that any efforts of future cross-certification
of standards may be facilitated. of standards may be facilitated.
2.4. Capabilities Documents 2.4. Capabilities Documents
Overview Overview
Capability documents list capabilities needed to support security Capability documents list capabilities needed to support security
practices. Each capability document lists capabilities of one practices. Each capability document lists capabilities of one
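Review bot: in 2.3 the sentence "Any effort which is known, such as the ANSI T1.276, the NRIC V "Best Practices", ITU-T M.3016 and X.805, the T1S1 effort on securing signaling will be included" needs a comma after "signaling" and an "and" before the last list item to be readable; the -02 spelling change from "signalling" to "signaling" is fine.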
skipping to change at page 18, line 15 skipping to change at page 19, line 5
2.5. Profile Documents 2.5. Profile Documents
Overview Overview
Profile documents list capabilities appropriate to different Profile documents list capabilities appropriate to different
operating environments such as large Network Service Provider operating environments such as large Network Service Provider
(NSP) core or edge devices or enterprise networks. These profiles (NSP) core or edge devices or enterprise networks. These profiles
MAY provide a good starting point for organizations to generate MAY provide a good starting point for organizations to generate
their own list of requirements. their own list of requirements.
2.6. Deliberations Document
Overview
The deliberations document is intended to capture discussion, list
reasons for choices made, and give reasons for the inclusion and
exclusion of certain capabilities form the documents. This is
intended to provide insight to future work.
3. Security Considerations 3. Security Considerations
Security is the entire focus of this document. Security is the entire focus of this document.
4. Normative References 4. Normative References
[I-D.ietf-opsec-current-practices]
Kaeo, M., "Operational Security Current Practices",
draft-ietf-opsec-current-practices-02 (work in progress),
October 2005.
[RFC1208] Jacobsen, O. and D. Lynch, "Glossary of networking terms", [RFC1208] Jacobsen, O. and D. Lynch, "Glossary of networking terms",
RFC 1208, March 1991. RFC 1208, March 1991.
[RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and [RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and
E. Lear, "Address Allocation for Private Internets", E. Lear, "Address Allocation for Private Internets",
BCP 5, RFC 1918, February 1996. BCP 5, RFC 1918, February 1996.
[RFC2026] Bradner, S., "The Internet Standards Process -- Revision [RFC2026] Bradner, S., "The Internet Standards Process -- Revision
3", BCP 9, RFC 2026, October 1996. 3", BCP 9, RFC 2026, October 1996.
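Review bot: "exclusion of certain capabilities form the documents" in the new Section 2.6 is a typo for "from the documents". Separately, the new entry [I-D.ietf-opsec-current-practices] is placed under Normative References while marked "(work in progress)"; a normative reference to an Internet-Draft will hold this document in the RFC Editor queue until that draft is published, so either move it to an informative references section or confirm that the publication dependency is intended.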
skipping to change at page 22, line 41 skipping to change at page 22, line 41
This document and the information contained herein are provided on an This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement Copyright Statement
Copyright (C) The Internet Society (2005). This document is subject Copyright (C) The Internet Society (2006). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights. except as set forth therein, the authors retain all their rights.
Acknowledgment Acknowledgment
Funding for the RFC Editor function is currently provided by the Funding for the RFC Editor function is currently provided by the
Internet Society. Internet Society.
This html diff was produced by rfcdiff 1.29, available from http://www.levkowetz.com/ietf/tools/rfcdiff/