Transcript PPT Version

draft-lewis-infrastructure-security-00.txt
Infrastructure Protection BCP
Darrel Lewis, James Gill, Paul Quinn, Peter
Schoenmaker
Introduction
• Infrastructure protection best practices
– List of what is being done today
• Expected beneficiaries are both operators
and end customers
• Draft is mostly focused on traffic to the
network rather than transit traffic
• Complements BCP 38/84
Edge Infrastructure ACLs
• Key for protecting the SP network from
external attack traffic targeting the core
infrastructure
• First line of defense – commonly deployed
and very effective in practice
• Draft describes ACL composition and
provides a guide to implementation
Edge Remarking
• Ensures QoS policy supports security
posture
• Advise edge remarking for ingress traffic
– Ex. Prec 6/7 should never be seen on transit
traffic
Device Protection
• Allows for aggregate security policy
implementation for control and
management traffic sent to a device
• Used in addition to service specific
security tools like VTY ACLs
• Draft describes policy composition and
provides a guide to implementation
Infrastructure Hiding
• Advanced technique for protecting core
resources by denying reachability
– You can’t attack what you can’t target
• Draft covers multiple mechanisms
– Use less IP
– MPLS techniques
– IGP configuration techniques
– Route advertisement filtering and control
IP V6
• This section discusses the applicability of
the other sections to IPv6 Networks
• Network infrastructure is enabled with this
today
• No new techniques
Multicast needs love too
• Often overlooked
• Multicast requires different techniques
from unicast
• Covers techniques such as:
– filtering protocol/data
– Rate limiting
Next Steps
• Incorporate feedback from list on next
revision (01)
• Accept Draft as working group document?