
Operational Security Capabilities for IP Network Infrastructure (opsec)

Group
Name: Operational Security Capabilities for IP Network Infrastructure
Acronym: opsec
Area: Operations and Management Area (ops)
State: Active
Charter: charter-ietf-opsec-04 (Approved)

Personnel
Chairs: Warren Kumari <warren@kumari.net>,
        Gunter Van de Velde <gvandeve@cisco.com>,
        KK Chittimaneni <kk@google.com>
Area Director: Joel Jaeggli <joelja@bogus.com>

Mailing List
Address: opsec@ietf.org
To Subscribe: https://www.ietf.org/mailman/listinfo/opsec
Archive: http://www.ietf.org/mail-archive/web/opsec/

Jabber Chat
Room Address: xmpp:opsec@jabber.ietf.org
Logs: http://jabber.ietf.org/logs/opsec/

Charter for Working Group


Goals:

The OPSEC WG will document best current practices with regard to network
security. In particular, an effort will be made to clarify the rationale
supporting current operational practice, address gaps in currently
understood best practices for forwarding, control plane, and management
plane security, and make clear the liabilities inherent in security
practices where they exist.

Scope:

The scope of the OPSEC WG is intended to include the protection and
secure operation of the forwarding, control and management planes.

Documentation of best common practices, revision of existing operational
security practices documents and proposals for new approaches to
operational challenges are in scope.

Method:

It is expected that the work product of the working group will fall into
the category of best current practices documents. Taxonomy or problem
statement documents may provide a basis for best current practices
documents.

Best Current Practices Document

For each topic addressed, a document will be produced that attempts to
capture current practices related to secure operation. This will be
primarily based on operational experience. Each entry will list:

* threats addressed,
* current practices for addressing the threat,
* protocols, tools and technologies extant at the time of writing that
  are used to address the threat,
* the possibility that a solution does not exist within existing tools
  or technologies.

Taxonomy and Problem Statement Documents

A document which attempts to describe the scope of a particular
operational security challenge or problem space without necessarily
coming to a conclusion or proposing a solution. Such a document might be
a precursor to a best common practices document.

While the principal inputs of the Working Group are operational
experience and needs, the output should be directed to provide guidance
both to the operator community and to Working Groups that develop
protocols, the community of protocol developers at large, and the
implementers of these protocols.

Non-Goals:

The Operations security working group is not the place to do new
protocols.

New protocol work should be addressed in a working group chartered in
the appropriate area or as individual submissions. The OPSEC WG may take
on documents related to the practices of using such work.

Milestones

Done      Complete Charter
Done      First draft of Framework Document as Internet Draft
Done      First draft of Standards Survey Document as Internet Draft
Done      First draft of Packet Filtering Capabilities
Done      First draft of Event Logging Capabilities
Done      First draft of Network Operator Current Security Practices
Done      First draft of In-Band management capabilities
Done      First draft of Out-of-Band management capabilities
Done      First draft of Configuration and Management Interface Capabilities
Done      Submit Network Operator Current Security Practices to IESG
Dec 2012  WG Adoption of 'BGP operations and security' document
Dec 2012  WG Adoption of 'Network Reconnaissance in IPv6 Networks' document
Dec 2012  WG Adoption of 'DHCPv6-Shield: Protecting Against Rogue DHCPv6 Servers' document
Dec 2012  WG Adoption of 'Virtual Private Network (VPN) traffic leakages in dual-stack hosts/networks' document
Jan 2013  WG Last Call for 'Operational Security Considerations for IPv6 Networks' document
Jan 2013  WG Last Call for 'Recommendations for filtering ICMP messages' document
Jan 2013  WG Last Call for 'Recommendations on filtering of IPv4 packets containing IPv4 options' document
Jan 2013  WG Last Call for 'Security Implications of IPv6 on IPv4 networks' document
Mar 2013  WG Last Call for 'Using Only Link-Local Addressing Inside an IPv6 Network' document
Mar 2013  Submit 'Recommendations for filtering ICMP messages' document to IESG
Mar 2013  Submit 'Recommendations on filtering of IPv4 packets containing IPv4 options' document to IESG
Mar 2013  Submit 'Operational Security Considerations for IPv6 Networks' document to IESG
Mar 2013  Submit 'Recommendations for filtering ICMP messages' document to IESG
May 2013  Submit 'Using Only Link-Local Addressing Inside an IPv6 Network' document to IESG
Jul 2013  WG Last Call for 'BGP operations and security' document
Jul 2013  WG Last Call for 'Network Reconnaissance in IPv6 Networks' document
Jul 2013  WG Last Call for 'DHCPv6-Shield: Protecting Against Rogue DHCPv6 Servers' document
Jul 2013  WG Last Call for 'Virtual Private Network (VPN) traffic leakages in dual-stack hosts/networks' document
Sep 2013  Submit 'Network Reconnaissance in IPv6 Networks' document to IESG
Sep 2013  Submit 'DHCPv6-Shield: Protecting Against Rogue DHCPv6 Servers' document to IESG
Sep 2013  Submit 'BGP operations and security' document to IESG