draft-ietf-opsec-framework-03.txt vs. draft-ietf-opsec-framework-04.txt
(Lines marked "-" appear only in -03, lines marked "+" only in -04; unmarked lines are common to both versions. "[...]" marks text omitted between change blocks.)

OPSEC Working Group                                            G. Jones
-Internet-Draft                                    The MITRE Corporation
+Internet-Draft
-Expires: September 2, 2006                                    R. Callon
+Intended status: Informational                                R. Callon
-                                                       Juniper Networks
+Expires: September 4, 2007                             Juniper Networks
                                                                 M. Kaeo
                                                    Double Shot Security
-                                                          March 1, 2006
+                                                          March 3, 2007

     Framework for Operational Security Capabilities for IP Network
                              Infrastructure
-                      draft-ietf-opsec-framework-03
+                      draft-ietf-opsec-framework-04

Status of this Memo
   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   [...]
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

-  This Internet-Draft will expire on September 2, 2006.
+  This Internet-Draft will expire on September 4, 2007.

Copyright Notice

-  Copyright (C) The Internet Society (2006).
+  Copyright (C) The IETF Trust (2007).
Abstract

   This document outlines work to be done and documents to be produced
   by the Operational Security Capabilities (OPSEC) Working Group.  The
   goal of the working group is to codify knowledge gained through
   operational experience about feature sets that are needed to securely
   deploy and operate managed network elements providing transit
   services at the data link and IP layers.  The intent is to provide
   clear, concise documentation of capabilities necessary for operating
   [...]
      1.4.7.  Message Modification
      1.4.8.  Message Deletion
      1.4.9.  Man-In-The-Middle
      1.4.10. Invalid Message
   1.5.  Scope
   1.6.  Intended Audience
   1.7.  Format and Definition of Capabilities
   1.8.  Applicability
   1.9.  Intended Use
   1.10. Definitions
   2.  Documents
   2.1.  Framework Document
   2.2.  Operator Practices Survey
   2.3.  Standards Survey
   2.4.  Capabilities Documents
   2.5.  Profile Documents
   3.  Security Considerations
-  4.  Non-Normative References
-  Appendix A.  Acknowledgments
-  Appendix B.  Sample Capability Description
-  B.1.  Filtering TO the Device
-  B.1.1.  Ability to Filter Traffic on All Interfaces TO the Device
+  4.  IANA Considerations
+  5.  Non-Normative References
+  Appendix A.  Sample Capability Description
+  A.1.  Filtering TO the Device
+  A.1.1.  Ability to Filter Traffic on All Interfaces TO the Device
   Authors' Addresses
   Intellectual Property and Copyright Statements
1.  Introduction

1.1.  Goals

   The goal of the Operational Security Working Group is to codify
   knowledge gained through operational experience about feature sets
   [...]
      Capabilities are described in terms of "The device is able to...".
      Capability descriptions do not use [RFC2119] keywords, e.g. they
      are not phrased as "The device MUST...".

      Capabilities should not refer to specific technologies.  It is
      expected that desired capability will change little over time.

   Supported Practices (why)

-     The Supported Practice section cites practices described in
-     [I-D.ietf-opsec-current-practices] that are supported by this
-     capability.  The need to support the cited practices provides the
-     justification for the feature.
+     The Supported Practice section cites practices described in
+     [RFC4778] that are supported by this capability.  The need to
+     support the cited practices provides the justification for the
+     feature.

-     In a few cases, practices not listed in
-     [I-D.ietf-opsec-current-practices] may be listed at the end of the
-     capability document and cited as justification for a capability.
-     This may be necessary if a practice becomes common after
-     [I-D.ietf-opsec-current-practices] is finished or if there is
-     widespread consensus that the practice would improve security but
-     it is not, for whatever reason, in widespread deployment.
+     In a few cases, practices not listed in [RFC4778] may be listed at
+     the end of the capability document and cited as justification for
+     a capability.  This may be necessary if a practice becomes common
+     after [RFC4778] is finished or if there is widespread consensus
+     that the practice would improve security but it is not, for
+     whatever reason, in widespread deployment.

   Current Implementations (how)

      The Current Implementation section is intended to give examples of
      implementations of the capability, citing technology and standards
      current at the time of writing.  Examples of configuration and
      usage may also be given.

   Considerations
   [...]
      Profile documents list capabilities appropriate to different
      operating environments such as large Network Service Provider
      (NSP) core or edge devices or enterprise networks.  These profiles
      MAY provide a good starting point for organizations to generate
      their own list of requirements.

3.  Security Considerations

   Security is the entire focus of this document.
-4.  Non-Normative References
+4.  IANA Considerations
+
+   This document has no actions for IANA.
+
+5.  Non-Normative References

-   [I-D.ietf-opsec-current-practices]
-              Kaeo, M., "Operational Security Current Practices",
-              draft-ietf-opsec-current-practices-04 (work in progress),
-              June 2006.

   [RFC1208]  Jacobsen, O. and D. Lynch, "Glossary of networking terms",
              RFC 1208, March 1991.

   [RFC1918]  Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and
              E. Lear, "Address Allocation for Private Internets",
              BCP 5, RFC 1918, February 1996.

   [RFC2026]  Bradner, S., "The Internet Standards Process -- Revision
              3", BCP 9, RFC 2026, October 1996.

   [...]
              Text on Security Considerations", BCP 72, RFC 3552,
              July 2003.

   [RFC3704]  Baker, F. and P. Savola, "Ingress Filtering for Multihomed
              Networks", BCP 84, RFC 3704, March 2004.

   [RFC3871]  Jones, G., "Operational Security Requirements for Large
              Internet Service Provider (ISP) IP Network
              Infrastructure", RFC 3871, September 2004.

+   [RFC4778]  Kaeo, M., "Operational Security Current Practices in
+              Internet Service Provider Environments", RFC 4778,
+              January 2007.

-Appendix A.  Acknowledgments
-
-   The authors gratefully acknowledge the contributions of:
-
-   o  The MITRE Corporation for supporting development of this document.
-
-   NOTE: The author's affiliation with The MITRE Corporation is
-   provided for identification purposes only, and is not intended to
-   convey or imply MITRE's concurrence with, or support for, the
-   positions, opinions or viewpoints expressed by the author.
-Appendix B.  Sample Capability Description
+Appendix A.  Sample Capability Description

   This appendix provides a sample capability description.  Note the
   lack of the use of "MUST", etc. in the description of the capability.
-  Also note that in the supported practices section it refers both to
-  the current practices document [I-D.ietf-opsec-current-practices] and
-  to sections of the same document (xxx.1, xxx.2) that describe
-  practices that were not covered in the current practices document.
+  Also note that in the supported practices section it refers both to
+  the current practices document [RFC4778] and to sections of the same
+  document (xxx.1, xxx.2) that describe practices that were not covered
+  in the current practices document.

-B.1.  Filtering TO the Device
+A.1.  Filtering TO the Device

-B.1.1.  Ability to Filter Traffic on All Interfaces TO the Device
+A.1.1.  Ability to Filter Traffic on All Interfaces TO the Device

   Capability.
      The device provides a means to filter IP packets on any interface
      implementing IP that are non-transit packets.

   Supported Practices.
      *  Profile Current Traffic (Section xxx.1)
      *  Block Malicious Packets (Section xxx.2)
-     *  Limit Sources of Management
-        ([I-D.ietf-opsec-current-practices], Section 2.8.2)
+     *  Limit Sources of Management ([RFC4778], Section 2.8.2)

   Current Implementations.
      Many devices currently implement access control lists or filters
      that allow filtering based on protocol and/or source/destination
      address and/or source/destination port and allow these filters to
      be applied to interfaces.

   Considerations.
      None.
Authors' Addresses

   George M. Jones
-  The MITRE Corporation
-  7515 Colshire Drive, M/S WEST
-  McLean, Virginia 22102-7508
-  U.S.A.

   Phone: +1 703 488 9740
-  Email: gmjones@mitre.org
+  Email: gmj3871@pobox.com

   Ross Callon
   Juniper Networks
   10 Technology Park Drive
   Westford, MA 01886
   U.S.A.

   Phone: +1 978 692 6724
   Email: rcallon@juniper.net

   Merike Kaeo
   Double Shot Security
   3518 Fremont Avenue North #363
   Seattle, WA 98103
   U.S.A.

   Phone: +1 310 866 0165
   Email: merike@doubleshotsecurity.com
-Intellectual Property Statement
+Full Copyright Statement
+
+   Copyright (C) The IETF Trust (2007).
+
+   This document is subject to the rights, licenses and restrictions
+   contained in BCP 78, and except as set forth therein, the authors
+   retain all their rights.
+
+   This document and the information contained herein are provided on an
+   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
+   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
+   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
+   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.
   [...]
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

-Disclaimer of Validity
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Copyright Statement
-
-   Copyright (C) The Internet Society (2006).  This document is subject
-   to the rights, licenses and restrictions contained in BCP 78, and
-   except as set forth therein, the authors retain all their rights.

Acknowledgment

-   Funding for the RFC Editor function is currently provided by the
-   Internet Society.
+   Funding for the RFC Editor function is provided by the IETF
+   Administrative Support Activity (IASA).
End of changes.  21 change blocks.  73 lines changed or deleted, 60 lines changed or added.
This html diff was produced by rfcdiff 1.33.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/