datatracker.ietf.org
Sign in
Version 5.6.2.p2, 2014-07-24
Report a bug

Protecting the Router Control Plane
draft-ietf-opsec-protect-control-plane-06

Approval Announcement

Draft of message to be sent after approval:

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Cc: Internet Architecture Board <iab@iab.org>,
    RFC Editor <rfc-editor@rfc-editor.org>,
    opsec mailing list <opsec@ietf.org>,
    opsec chair <opsec-chairs@tools.ietf.org>
Subject: Document Action: 'Protecting The Router Control Plane' to Informational RFC (draft-ietf-opsec-protect-control-plane-06.txt)

The IESG has approved the following document:
- 'Protecting The Router Control Plane'
  (draft-ietf-opsec-protect-control-plane-06.txt) as an Informational RFC

This document is the product of the Operational Security Capabilities for
IP Network Infrastructure Working Group.

The IESG contact persons are Ron Bonica and Dan Romascanu.

A URL of this Internet Draft is:
http://datatracker.ietf.org/doc/draft-ietf-opsec-protect-control-plane/


Technical Summary

This memo provides a method for protecting a router's control plane from
undesired or malicious traffic.  In this approach, all legitimate router
control plane traffic is identified and then a filter is deployed in the
router's forwarding plane. This filter prevents traffic not specifically
identified as legitimate from reaching the router's control plane or rate
limiting it to an acceptable level.

Working Group Summary
The document was accepted as a working group item on the mailing list on
4/30/2010. Working Group last call was performed for two weeks, ending on
9/15/2010, with no objections.

Document Quality
This document covers well understood and widely deployed methods for
protecting the control plane of network devices from attack. It contains
example configuration snippets for two vendors implementations.
It is part of a set of work undertaken by the WG to provide guidelines to
operators on how to secure their infrastructure from attack.

Personnel

Warren Kumari is document shepherd.

RFC Editor Note

OLD TEXT:
   This memo provides a method for protecting a router's control plane
   from undesired or malicious traffic.  In this approach, all
   legitimate router control plane traffic is identified.  Once
   legitimate traffic has been identified, a filter is deployed in the
   router's forwarding plane.  That filter prevents traffic not
   specifically identified as legitimate from reaching the router's
   control plane, or rate limits such traffic to an acceptable level.


NEW TEXT:

   This memo provides a method for protecting a router's control plane
   from undesired or malicious traffic.  In this approach, all
   legitimate router control plane traffic is identified.  Once
   legitimate traffic has been identified, a filter is deployed in the
   router's forwarding plane.  That filter prevents traffic not
   specifically identified as legitimate from reaching the router's
   control plane, or rate limits such traffic to an acceptable level.

   Note that the filters described in this memo are applied only to traffic that is
   destined for the router, and not to all traffic that is passing through the router.

OLD TEXT>

It is advisable to protect the router control plane by implementing
   mechanisms to filter completely or rate limit traffic not required at
   the control plane level (i.e., unwanted traffic).  Router Control
   Plane Protection is the concept of filtering or rate limiting
   unwanted traffic which would be diverted from the forwarding plane up
   to the router control plane.  The closer to the forwarding plane and
   line-rate hardware the filters and rate-limiters are, the more
   effective the protection is and the more resistant the system is to
   DoS attacks.  This memo demonstrates one example of how to deploy a
   policy filter that satisfies a set of sample traffic matching,
   filtering and rate limiting criteria.


New Text>
It is advisable to protect the router control plane by implementing
   mechanisms to filter completely or rate limit traffic not required at
   the control plane level (i.e., unwanted traffic).  Router Control
   Plane Protection is the concept of filtering or rate limiting
   unwanted traffic which would be diverted from the forwarding plane up
   to the router control plane.  The closer to the forwarding plane and
   line-rate hardware the filters and rate-limiters are, the more
   effective the protection is and the more resistant the system is to
   DoS attacks.  This memo demonstrates one example of how to deploy a
   policy filter that satisfies a set of sample traffic matching,
   filtering and rate limiting criteria.

  Note that the filters described in this memo are applied only to traffic that is
   destined for the router, and not to all traffic that is passing through the router.

Old Text>

For network deployments where the protocols  used do not rely on IP options

New Text> 

For network deployments where the protocols do not use  IP options