The IESG has approved the following document:

- 'Protecting The Router Control Plane'
  (draft-ietf-opsec-protect-control-plane-06.txt) as an Informational RFC

This document is the product of the Operational Security Capabilities for IP
Network Infrastructure Working Group.

The IESG contact persons are Ron Bonica and Dan Romascanu.

A URL of this Internet Draft is:
http://datatracker.ietf.org/doc/draft-ietf-opsec-protect-control-plane/

Technical Summary

   This memo provides a method for protecting a router's control plane from
   undesired or malicious traffic. In this approach, all legitimate router
   control plane traffic is identified, and a filter is then deployed in the
   router's forwarding plane. This filter prevents traffic not specifically
   identified as legitimate from reaching the router's control plane, or rate
   limits it to an acceptable level.

Working Group Summary

   The document was accepted as a working group item on the mailing list on
   4/30/2010. Working Group last call was performed for two weeks, ending on
   9/15/2010, with no objections.

Document Quality

   This document covers well-understood and widely deployed methods for
   protecting the control plane of network devices from attack. It contains
   example configuration snippets for two vendors' implementations. It is part
   of a set of work undertaken by the WG to provide guidelines to operators on
   how to secure their infrastructure from attack.

Personnel

   Warren Kumari is the document shepherd.

RFC Editor Note

   OLD TEXT:

   This memo provides a method for protecting a router's control plane from
   undesired or malicious traffic. In this approach, all legitimate router
   control plane traffic is identified. Once legitimate traffic has been
   identified, a filter is deployed in the router's forwarding plane. That
   filter prevents traffic not specifically identified as legitimate from
   reaching the router's control plane, or rate limits such traffic to an
   acceptable level.

   NEW TEXT:

   This memo provides a method for protecting a router's control plane from
   undesired or malicious traffic. In this approach, all legitimate router
   control plane traffic is identified. Once legitimate traffic has been
   identified, a filter is deployed in the router's forwarding plane. That
   filter prevents traffic not specifically identified as legitimate from
   reaching the router's control plane, or rate limits such traffic to an
   acceptable level. Note that the filters described in this memo are applied
   only to traffic that is destined for the router, and not to all traffic
   that is passing through the router.

   OLD TEXT:

   It is advisable to protect the router control plane by implementing
   mechanisms to filter completely or rate limit traffic not required at the
   control plane level (i.e., unwanted traffic). Router Control Plane
   Protection is the concept of filtering or rate limiting unwanted traffic
   which would be diverted from the forwarding plane up to the router control
   plane. The closer to the forwarding plane and line-rate hardware the
   filters and rate-limiters are, the more effective the protection is and
   the more resistant the system is to DoS attacks. This memo demonstrates
   one example of how to deploy a policy filter that satisfies a set of
   sample traffic matching, filtering and rate limiting criteria.

   NEW TEXT:

   It is advisable to protect the router control plane by implementing
   mechanisms to filter completely or rate limit traffic not required at the
   control plane level (i.e., unwanted traffic). Router Control Plane
   Protection is the concept of filtering or rate limiting unwanted traffic
   which would be diverted from the forwarding plane up to the router control
   plane. The closer to the forwarding plane and line-rate hardware the
   filters and rate-limiters are, the more effective the protection is and
   the more resistant the system is to DoS attacks.

   This memo demonstrates one example of how to deploy a policy filter that
   satisfies a set of sample traffic matching, filtering and rate limiting
   criteria. Note that the filters described in this memo are applied only to
   traffic that is destined for the router, and not to all traffic that is
   passing through the router.

   OLD TEXT:

   For network deployments where the protocols used do not rely on IP options

   NEW TEXT:

   For network deployments where the protocols do not use IP options

_______________________________________________
IETF-Announce mailing list
IETF-Announce@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-announce
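The approach in the Technical Summary, as an added example that is not from the draft or either vendor's configuration: a small Python model of a control-plane filter that inspects only router-destined packets, permits the classes identified as legitimate (some under a token-bucket rate limit), and drops everything else by default. The router addresses, BGP peers, management prefix, class list and policer rates are constructed assumptions.

```python
from dataclasses import dataclass, field
# Constructed policy values (not from the draft): router addresses, BGP peers, mgmt prefix.
ROUTER_ADDRS = {"192.0.2.1", "198.51.100.1"}
BGP_PEERS = {"192.0.2.2", "192.0.2.3"}
MGMT_PREFIX = "203.0.113."

@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp", "icmp", "ospf"
    dport: int = 0
    ip_options: bool = False

@dataclass
class TokenBucket:        # policer: `rate` pkt/s sustained, `burst` pkts at once
    rate: float
    burst: float
    last: float = 0.0
    tokens: float = field(init=False)
    def __post_init__(self):
        self.tokens = self.burst
    def allow(self, now):
        # Refill proportionally to elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True

def build_policy():
    """Legitimate classes in match order: (name, predicate, policer or None)."""
    return [
        ("bgp", lambda p: p.proto == "tcp" and p.dport == 179 and p.src in BGP_PEERS, None),
        ("ospf", lambda p: p.proto == "ospf", None),
        ("ssh", lambda p: p.proto == "tcp" and p.dport == 22 and p.src.startswith(MGMT_PREFIX), TokenBucket(100, 20)),
        ("icmp", lambda p: p.proto == "icmp", TokenBucket(50, 3)),
    ]

def filter_packet(pkt, now, policy):
    """Verdict for one packet: 'transit', 'permit', 'rate-limited' or 'drop'."""
    if pkt.dst not in ROUTER_ADDRS:
        return "transit"          # only router-destined traffic is inspected
    if pkt.ip_options:
        return "drop"             # assumed: this deployment needs no IP options
    for _, match, policer in policy:
        if match(pkt):
            return "permit" if policer is None or policer.allow(now) else "rate-limited"
    return "drop"                 # default deny: not identified as legitimate
```

Each call to `build_policy()` creates fresh policer state, so one policy object should be reused across the packets of a single simulated interface.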