draft-lewis-infrastructure-security-00.txt

Provided by: CiscoSys8
Learn more at: http://www.ietf.org

Transcript and Presenter's Notes


1
draft-lewis-infrastructure-security-00.txt
  • Infrastructure Protection BCP
  • Darrel Lewis, James Gill, Paul Quinn, Peter Schoenmaker

2
Introduction
  • Infrastructure protection best practices
  • List of what is being done today
  • Expected beneficiaries are both operators and end
    customers
  • Draft is mostly focused on traffic to the network
    rather than transit traffic
  • Complements BCP 38/84

3
Edge Infrastructure ACLs
  • Key for protecting the SP network from external
    attack traffic targeting the core infrastructure
  • First line of defense commonly deployed and
    very effective in practice
  • Draft describes ACL composition and provides a
    guide to implementation

4
Edge Remarking
  • Ensures QoS policy supports security posture
  • Advises edge remarking for ingress traffic
  • Example: IP precedence 6/7 should never be seen on transit
    traffic
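
The edge-remarking rule on this slide, as an added example that is not taken from the draft or the slides: a Python sketch that resets IP precedence 6/7 on an IPv4 packet arriving on an untrusted edge interface and repairs the header checksum. The function names, the choice to remark to precedence 0, and the sample packets (documentation addresses) are assumptions made for illustration.

```python
import struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a header whose
    checksum field is already correct."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def remark_ingress(packet: bytes, reserved=(6, 7), new_prec=0):
    """Return (packet, remarked). Precedence values in `reserved` are
    rewritten to `new_prec` (assumed policy: best effort); the low five
    ToS bits are preserved and the header checksum is recomputed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    if packet[1] >> 5 not in reserved:      # precedence = top 3 bits of ToS
        return packet, False
    hdr = bytearray(packet[:ihl])
    hdr[1] = (new_prec << 5) | (hdr[1] & 0x1F)
    hdr[10:12] = b"\x00\x00"                # zero checksum before recomputing
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:], True

def build_sample(tos: int) -> bytes:
    """Constructed sample: 192.0.2.1 -> 198.51.100.1, protocol 17,
    eight zero bytes standing in for the payload."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, tos, 28, 0, 0, 64, 17, 0,
                                bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + b"\x00" * 8

if __name__ == "__main__":
    for tos in (0xC0, 0xE4, 0xB8, 0x00):    # prec 6, prec 7, prec 5, prec 0
        out, changed = remark_ingress(build_sample(tos))
        print(f"ToS in=0x{tos:02x} out=0x{out[1]:02x} remarked={changed}")
```
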

5
Device Protection
  • Allows for aggregate security policy
    implementation for control and management traffic
    sent to a device
  • Used in addition to service specific security
    tools like VTY ACLs
  • Draft describes policy composition and provides a
    guide to implementation

6
Infrastructure Hiding
  • Advanced technique for protecting core resources
    by denying reachability
  • You can't attack what you can't target
  • Draft covers multiple mechanisms
      • Use less IP
      • MPLS techniques
      • IGP configuration techniques
      • Route advertisement filtering and control

7
IPv6
  • This section discusses the applicability of the
    other sections to IPv6 Networks
  • Network infrastructure is enabled with this today
  • No new techniques

8
Multicast needs love too
  • Often overlooked
  • Multicast requires different techniques from
    unicast
  • Covers techniques such as
      • Filtering protocol/data
      • Rate limiting

9
Next Steps
  • Incorporate feedback from list on next revision
    (01)
  • Accept Draft as working group document?