draft-ietf-opsec-routing-capabilities-02.txt vs. draft-ietf-opsec-routing-capabilities-03.txt
(rfcdiff side-by-side output: text common to both versions is shown once;
where the versions differ, both readings are given, labelled -02 and -03)

OPSEC Working Group                                              Y. Zhao
Internet-Draft                                                   F. Miao
Intended status: Best Current Practice               Huawei Technologies
                                                               R. Callon
Expires: October 7, 2007 (-02) / December 17, 2007 (-03) Juniper Networks
                                    April 5, 2007 (-02) / June 15, 2007 (-03)

               Routing Control Plane Security Capabilities
          draft-ietf-opsec-routing-capabilities-02.txt (-02)
          draft-ietf-opsec-routing-capabilities-03.txt (-03)
Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that

   [skipping to change at page 1, line 36]

   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on October 7, 2007 (-02) /
   December 17, 2007 (-03).

Copyright Notice

   Copyright (C) The IETF Trust (2007).

Abstract

   The document lists the security capabilities needed for the routing
   control plane of an IP infrastructure to support the practices
   defined in Operational Security Current Practices.  In particular

   [skipping to change at page 2, line 13]

   control functions.
Table of Contents (page numbers given as -02 / -03 where they differ)

   1.  Introduction                                                   3
     1.1.  Threat model                                               3
     1.2.  Format and Definition of Capabilities                      3
     1.3.  Packet Filtering versus Route Filtering                    3
   2.  Route Filtering Capabilities                                   4
     2.1.  General Route Filtering Capabilities                       4
       2.1.1.  Ability to Filter Inbound or Outbound Routes       4 / 5
       2.1.2.  Ability to Filter Routes by Prefix                 5 / 6
     2.2.  Route Filtering of Exterior Gateway Protocol               6
       2.2.1.  Ability to Filter Routes by Route Attributes           6
       2.2.2.  Ability to Filter Routing Update by TTL                7
       2.2.3.  Ability to Limit the Number of Routes from a Peer      8
       2.2.4.  Ability to Limit the Length of Prefixes                9
       2.2.5.  Ability to Cooperate in Outbound Route Filtering       9
     2.3.  Route Filtering of Interior Gateway Protocols             10
       2.3.1.  Route Filtering Within an IGP Area                    10
       2.3.2.  Route Filtering Between IGP Areas                     10
     2.4.  Route Filtering during Redistribution                     11
   3.  Route Authentication Capabilities                             11
     3.1.  Ability to configure an authentication mechanism          11
     3.2.  Ability to support authentication key chains              12
   4.  Ability to Damp Route Flap                                12 / 13
   5.  Resource Availability for Router Control Functions            13
     5.1.  Ensure Resources for Management Functions                 13
     5.2.  Ensure Resources for Routing Functions                    14
     5.3.  Limit Resources used by IP Multicast                  15 / 16
   6.  Security Considerations                                       16
   7.  IANA Considerations                                       16 / 17
   8.  Acknowledgements                                          16 / 17
   9.  References                                                    17
     9.1.  Normative References                                      17
     9.2.  Informative References                                    17
   Authors' Addresses                                                18
   Intellectual Property and Copyright Statements                    20
1.  Introduction

   -02:
   This document is defined in the context of [I-D.ietf-opsec-framework]
   and [RFC4778].

   -03:
   This document is defined in the context of Operational Security
   Current Practices in Internet Service Provider Environments,
   [RFC4778].

   This document lists the security capabilities needed for the routing
   control plane of IP infrastructure to support the practices defined
   in [I-D.ietf-opsec-framework] (-02) / [RFC4778] (-03).  In particular
   this includes capabilities for route filtering and for authentication
   of routing protocol packets.

   Note that this document lists capabilities that can reasonably be
   expected to be currently deployed in the context of existing
   standards.  Extensions to existing protocol standards and development
   of new protocol standards are outside of the scope of this effort.
   The preferred capabilities needed for securing the routing
   infrastructure may evolve over time.

   There will be other capabilities which are needed to fully secure a
   router infrastructure.  [RFC4778] defines the goals, motivation,
   scope, definitions, intended audience, threat model, potential
   attacks and gives justifications for each of the practices.

1.1.  Threat model

   The capabilities listed in this document are intended to aid in
   preventing or mitigating the threats outlined in
   [I-D.ietf-opsec-framework] (-02) / [RFC4778] (-03).

1.2.  Format and Definition of Capabilities

   -02:
   Each individual capability will be defined using the four elements,
   "Capability", "Supported Practices", "Current Implementations", and
   "Considerations", as explained in section 1.7 of
   [I-D.ietf-opsec-framework].

   -03:
   Each individual capability will be defined using the four elements,
   "Capability", "Supported Practices", "Current Implementations", and
   "Considerations".  The Capability section describes a feature to be
   supported by the device.  The Supported Practice section cites
   practices described in [RFC4778] that are supported by this
   capability.  The Current Implementation section is intended to give
   examples of implementations of the capability, citing technology and
   standards current at the time of writing.  It is expected that the
   choice of features to implement the capabilities will change over
   time.  The Considerations section lists operational and resource
   constraints, limitations of current implementations, and trade-offs.
1.3.  Packet Filtering versus Route Filtering

   It is useful to make a distinction between Packet Filtering and
   Route Filtering.

   The term "packet filter" is used to refer to the filter that a router
   applies to network layer packets passing through or destined to it.
   In general packet filters are based on contents of the network (IP)
   and transport (TCP, UDP) layers, and are mostly stateless, in the

   [skipping to change at page 17, line 46 (-02) / page 18, line 12 (-03)]
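The distinction drawn in Section 1.3 can be made concrete with the following added example. It is illustrative code written for this page, not code from the draft or its authors, and it assumes a first-match rule model, documentation addresses chosen here, and prefix-list style ge/le length bounds; none of these are specified by the draft. A packet filter is evaluated, statelessly, against the IP and transport headers of every packet passing through or destined to the router, whereas a route filter is evaluated against the prefixes carried in routing-protocol updates to decide whether a route is accepted at all.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed illustration of Section 1.3.  Rule syntax, addresses and
# policies are assumptions made for this example, not taken from the draft.


@dataclass(frozen=True)
class Packet:
    src: str                      # source IP address
    dst: str                      # destination IP address
    proto: str                    # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None   # transport destination port, if any


@dataclass(frozen=True)
class PacketRule:
    action: str                   # "permit" or "deny"
    src: str = "0.0.0.0/0"        # source prefix to match
    dst: str = "0.0.0.0/0"        # destination prefix to match
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any port

    def matches(self, pkt: Packet) -> bool:
        # Only header fields are consulted; no connection state is kept.
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def packet_filter(rules: List[PacketRule], pkt: Packet, default: str = "deny") -> str:
    """First-match stateless packet filter; unmatched packets get `default`."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


@dataclass(frozen=True)
class RouteUpdate:
    prefix: str     # prefix carried in the routing update, e.g. "203.0.113.0/24"
    next_hop: str


@dataclass(frozen=True)
class PrefixRule:
    action: str                 # "permit" or "deny"
    prefix: str                 # covering prefix
    ge: Optional[int] = None    # minimum accepted prefix length (assumed semantics)
    le: Optional[int] = None    # maximum accepted prefix length

    def matches(self, upd: RouteUpdate) -> bool:
        net = ipaddress.ip_network(upd.prefix)
        base = ipaddress.ip_network(self.prefix)
        if net.version != base.version or not net.subnet_of(base):
            return False
        # No ge/le: exact-length match.  Only ge: up to a host route.
        # Only le: from the covering prefix's own length up to le.
        lo = self.ge if self.ge is not None else base.prefixlen
        if self.le is not None:
            hi = self.le
        elif self.ge is not None:
            hi = net.max_prefixlen
        else:
            hi = base.prefixlen
        return lo <= net.prefixlen <= hi


def route_filter(rules: List[PrefixRule], upd: RouteUpdate, default: str = "deny") -> str:
    """First-match route filter applied to a received routing update."""
    for rule in rules:
        if rule.matches(upd):
            return rule.action
    return default


# Constructed sample policies using documentation address blocks.
ROUTER_ADDR = "198.51.100.1/32"
PACKET_RULES = [
    # Routing-protocol sessions (TCP/179) to the router itself are accepted
    # only from the known peer block; all other such packets are dropped.
    PacketRule("permit", src="192.0.2.0/24", dst=ROUTER_ADDR, proto="tcp", dport=179),
    PacketRule("deny", dst=ROUTER_ADDR, proto="tcp", dport=179),
    PacketRule("permit"),   # remaining (transit) traffic is forwarded
]
ROUTE_RULES = [
    PrefixRule("deny", "0.0.0.0/0", ge=25),    # reject anything longer than a /24
    PrefixRule("permit", "203.0.113.0/24"),    # the one prefix this peer may advertise
]


def classify_packet(pkt: Packet) -> str:
    return packet_filter(PACKET_RULES, pkt)


def classify_route(upd: RouteUpdate) -> str:
    return route_filter(ROUTE_RULES, upd)


if __name__ == "__main__":
    print(classify_packet(Packet("192.0.2.7", "198.51.100.1", "tcp", 179)))    # permit
    print(classify_packet(Packet("203.0.113.9", "198.51.100.1", "tcp", 179)))  # deny
    print(classify_route(RouteUpdate("203.0.113.0/24", "192.0.2.7")))          # permit
    print(classify_route(RouteUpdate("203.0.113.128/25", "192.0.2.7")))        # deny
```

The two filters answer different questions: the packet filter decides whether a given datagram is forwarded or delivered to the router, and cannot express "do not install this prefix"; the route filter decides which advertised prefixes enter the routing table, and has no effect on packets already in flight. Both are needed, which is why the draft treats them separately.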
   [RFC2196]  Fraser, B., "Site Security Handbook", RFC 2196,
              September 1997.

   [RFC3682]  Gill, V., Heasley, J., and D. Meyer, "The Generalized TTL
              Security Mechanism (GTSM)", RFC 3682, February 2004.

   [RFC4778]  Kaeo, M., "Operational Security Current Practices in
              Internet Service Provider Environments", RFC 4778,
              January 2007.

   -02 only (removed in -03):
   [I-D.ietf-opsec-framework]
              Jones, G., "Framework for Operational Security
              Capabilities for IP Network Infrastructure",
              draft-ietf-opsec-framework-05 (work in progress),
              April 2007.

   [I-D.ietf-opsec-filter-caps]
              Morrow, C., "Filtering and Rate Limiting Capabilities for
              IP Network Infrastructure",
              draft-ietf-opsec-filter-caps-06 (work in progress),
              April 2007 (-02) /
              draft-ietf-opsec-filter-caps-08 (work in progress),
              June 2007 (-03).

   [I-D.ietf-idr-route-filter]
              Chen, E. and Y. Rekhter, "Outbound Route Filtering
              Capability for BGP-4", draft-ietf-idr-route-filter-16
              (work in progress), September 2006.

   [IANA]     IANA, "INTERNET PROTOCOL V4 ADDRESS SPACE",
              http://www.iana.org/assignments/ipv4-address-space, 2007.

   [MAO]      Mao, Z., Govindan, R., Varghese, G., and R. Katz, "Route

End of changes.  13 change blocks.
27 lines changed or deleted, 27 lines changed or added.

This html diff was produced by rfcdiff 1.33.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/