rfcdiff: draft-ietf-opsec-protect-control-plane-00.txt | draft-ietf-opsec-protect-control-plane-01.txt
(where the two versions differ, both readings are given below, marked -00 and -01)

OPSEC                                         D. Dugal
Internet-Draft                                Juniper Networks
Intended status: Informational                C. Pignataro
Expires: December 31, 2010 (-00)              R. Dunn
         January 8, 2011 (-01)                Cisco Systems
June 29, 2010 (-00) / July 7, 2010 (-01)

Protecting The Router Control Plane
draft-ietf-opsec-protect-control-plane-00 / draft-ietf-opsec-protect-control-plane-01

Abstract

This memo provides a method for protecting a router's control plane
from undesired or malicious traffic. In this approach, all
legitimate router control plane traffic is identified. Once
legitimate traffic has been identified, a filter is deployed in the
router's forwarding plane. That filter prevents traffic not
specifically identified as legitimate from reaching the router's
control plane, or rate limits it to an acceptable level.

skipping to change at page 1, line 38
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on December 31, 2010 (-00) / January 8, 2011 (-01).

Copyright Notice

Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents

skipping to change at page 2, line 14

to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.

Table of Contents

   1.  Introduction ................................................ 3
   2.  Applicability Statement ..................................... 4
   3.  Method ...................................................... 4
   3.1.  Legitimate Traffic ......................... 4 (-00) / 5 (-01)
   3.2.  Filter Design .............................. 5 (-00) / 6 (-01)
   3.3.  Design Trade-offs .......................... 6 (-00) / 7 (-01)
   4.  Security Considerations ..................................... 8
   5.  IANA Considerations ......................................... 9
   6.  Acknowledgements ............................................ 9
   7.  Informative References ...................................... 9
   Appendix A.  Cisco Configuration ................................ 10
   Appendix B.  Juniper Configuration .............................. 12
   Authors' Addresses ............................................. 16

1. Introduction

skipping to change at page 4, line 18

It is advisable to protect the router control plane by implementing
mechanisms to filter completely or rate limit traffic not required at
the control plane level (i.e., unwanted traffic). Router Control
Plane Protection is the concept of filtering or rate limiting
unwanted traffic which would be diverted out of the forwarding plane
up to the router control plane. The closer to the forwarding plane
and line-rate hardware the filters and rate-limiters are, the more
effective the protection is and the more resistant the system is to
DoS attacks. This memo demonstrates how to deploy an example policy
filter that satisfies a set of example traffic matching, filtering
and rate limiting criteria.

2. Applicability Statement

The method described in Section 3 and depicted in Figure 1
illustrates how to protect the router control plane from unwanted
traffic. Recognizing that deployment scenarios will vary, the exact
implementation is not generally applicable in all situations. The
categorization of legitimate router control plane traffic is
critically important in a successful implementation.

The examples given in this memo are simplified and minimalistic,
designed to illustrate the concept of protecting the router's control
plane. From them, operators can extrapolate specifics based on their
unique configuration and environment.

(paragraph added in -01:)
Additionally, there may be other vendor or implementation specific
protection mechanisms that are on-by-default or always-on. Those
approaches may apply in conjunction with or in addition to the method
described in Section 3 and illustrated in Appendices A and B. Those
implementations should be considered as part of an overall traffic
management plan but are outside the scope of this document.

This method is applicable for IPv4 as well as IPv6 address families.

3. Method

In this memo, the authors demonstrate how a filter protecting the
router control plane can be deployed. In Section 3.1, a sample
router is introduced and all traffic that its control plane must
process is identified. In Section 3.2, filter design concepts are
discussed. Cisco (Cisco IOS software) and Juniper (JUNOS)
implementations are provided in Appendices A and B, respectively.

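The approach the memo describes (identify legitimate control plane traffic, police it, drop everything else), as an added example that is not part of the draft or of either vendor's configuration: a Python model of the classify-then-police filter. The allow-list (one BGP peer, OSPF, SSH from a management prefix), every address, and the policer rates are assumptions constructed for this example.

```python
from collections import Counter
ROUTER = "192.0.2.1"        # assumed address of the sample router
BGP_PEER = "198.51.100.2"   # assumed configured BGP neighbour
MGMT_PREFIX = "203.0.113."  # assumed management subnet (SSH source)

def classify(pkt):
    """Name the class of a packet dict; anything unmatched is 'undesirable'."""
    proto, src, dst, dport = pkt["proto"], pkt["src"], pkt["dst"], pkt.get("dport", 0)
    if proto == "tcp" and dport == 179 and src == BGP_PEER and dst == ROUTER:
        return "bgp"        # only the configured peer, not any TCP/179 source
    if proto == "ospf" and dst in ("224.0.0.5", "224.0.0.6", ROUTER):
        return "ospf"
    if proto == "tcp" and dport == 22 and src.startswith(MGMT_PREFIX):
        return "mgmt"
    return "undesirable"

class TokenBucket:
    """Single-rate policer: rate in bytes per ms, burst = bucket depth in bytes."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, burst, 0
    def conform(self, size, now_ms):
        self.tokens = min(self.burst, self.tokens + (now_ms - self.last) * self.rate)
        self.last = now_ms
        if self.tokens < size:
            return False        # exceed-action: drop, tokens untouched
        self.tokens -= size
        return True             # conform-action: pass to the control plane

def police(packets, policy):
    """Apply policy to (time_ms, packet) pairs -> Counter of (class, action); a class whose policer is None is dropped outright."""
    counts = Counter()
    for now, pkt in packets:
        cls = classify(pkt)
        bucket = policy.get(cls)
        ok = bucket is not None and bucket.conform(pkt["size"], now)
        counts[(cls, "transmit" if ok else "drop")] += 1
    return counts

def demo():
    """Constructed mix: a BGP burst over its policer, management SSH, OSPF hellos, and flows no class identifies as legitimate."""
    policy = {"bgp": TokenBucket(64, 8000), "ospf": TokenBucket(32, 4000),
              "mgmt": TokenBucket(16, 2000), "undesirable": None}
    pk = lambda proto, src, dst, dport, size: dict(proto=proto, src=src, dst=dst, dport=dport, size=size)
    traffic = [(t, pk("tcp", BGP_PEER, ROUTER, 179, 1500)) for t in range(40)]
    traffic += [(100, pk("tcp", "203.0.113.9", ROUTER, 22, 100)),    # SSH from management
                (101, pk("tcp", "198.18.0.5", ROUTER, 22, 100)),     # SSH from elsewhere
                (102, pk("tcp", "198.18.0.8", ROUTER, 179, 60))]     # TCP/179 from a non-peer
    traffic += [(110 + i, pk("udp", "198.18.0.7", ROUTER, 161, 1000)) for i in range(50)]
    traffic += [(200 + i, pk("ospf", "198.51.100.3", "224.0.0.5", 0, 80)) for i in range(5)]
    return police(traffic, policy)
```

Running demo() shows the two effects the memo describes: legitimate BGP beyond the configured rate is held to the policer (6 of 40 packets pass), while traffic no class identifies, including TCP/179 from a non-peer, never reaches the control plane.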
skipping to change at page 9, line 30 (-00) / page 9, line 39 (-01)

6. Acknowledgements

The authors would like to thank Ron Bonica for providing initial and
ongoing review, suggestions, and valuable input. Pekka Savola,
Warren Kumari, and Xu Chen provided very thorough and useful feedback
that improved the document. Many thanks to John Kristoff,
Christopher Morrow, and Donald Smith for a fruitful discussion around
the operational and manageability aspects of router control plane
protection techniques. The authors would also like to thank Joel
Jaeggli, Richard Graveman, Danny McPherson, Gregg Schudel, Eddie
Parra, and Manav Bhatia (added in -01) for providing thorough review,
useful suggestions, and valuable input.

7. Informative References

End of changes. 8 change blocks.
11 lines changed or deleted, 18 lines changed or added.

This html diff was produced by rfcdiff 1.38. The latest version is available from http://tools.ietf.org/tools/rfcdiff/