draft-lewis-infrastructure-security-00.txt

1. draft-lewis-infrastructure-security-00.txt Infrastructure Protection BCP Darrel Lewis, James Gill, Paul Quinn, Peter Schoenmaker

2. Introduction • Infrastructure protection best practices • List of what is being done today • Expected beneficiaries are both operators and end customers • Draft is mostly focused on traffic to the network rather than transit traffic • Complements BCP 38/84

3. Edge Infrastructure ACLs • Key for protecting the SP network from external attack traffic targeting the core infrastructure • First line of defense – commonly deployed and very effective in practice • Draft describes ACL composition and provides a guide to implementation

4. Edge Remarking • Ensures QoS policy supports security posture • Advise edge remarking for ingress traffic • Ex. Prec 6/7 should never be seen on transit traffic

5. Device Protection • Allows for aggregate security policy implementation for control and management traffic sent to a device • Used in addition to service specific security tools like VTY ACLs • Draft describes policy composition and provides a guide to implementation

6. Infrastructure Hiding • Advanced technique for protecting core resources by denying reachability • You can’t attack what you can’t target • Draft covers multiple mechanisms • Use less IP • MPLS techniques • IGP configuration techniques • Route advertisement filtering and control

7. IP V6 • This section discusses the applicability of the other sections to IPv6 Networks • Network infrastructure is enabled with this today • No new techniques

8. Multicast needs love too • Often overlooked • Multicast requires different techniques from unicast • Covers techniques such as: • filtering protocol/data • Rate limiting

9. Next Steps • Incorporate feedback from list on next revision (01) • Accept Draft as working group document?