Operational Security Capabilities for IP Network Infrastructure (opsec)
-----------------------------------------------------------------------

 Charter
 Last Modified: 2010-08-23

 Current Status: Active Working Group

 Chair(s):
     Joe Abley  <jabley@hopcount.ca>
     Warren Kumari  <wkumari@google.com>

 Operations and Management Area Director(s):
     Dan Romascanu  <dromasca@avaya.com>
     Ronald Bonica  <rbonica@juniper.net>

 Operations and Management Area Advisor:
     Ronald Bonica  <rbonica@juniper.net>

 Mailing Lists: 
     General Discussion: opsec@ietf.org
     To Subscribe:       https://www.ietf.org/mailman/listinfo/opsec
         In Body:        subscribe
     Archive:           http://www.ietf.org/mail-archive/web/opsec/current/maillist.html

Description of Working Group:

Goals:

The OPSEC WG will document best current practices with regard to network
security. In particular an effort will be made to clarify the rationale
supporting current operational practice, address gaps in currently
understood best practices for forwarding, control plane, and management
plane security and make clear the liabilities inherent in security
practices where they exist.

Scope:

The scope of the OPSEC WG is intended to include the protection and
secure operation of the forwarding, control and management planes.

Documentation of best common practices, revision of existing operational
security practices documents and proposals for new approaches to
operational challenges are in scope.

Method:

It is expected that the work product of the working group will fall into
the category of best current practices documents. Taxonomy or problem
statement documents may provide a basis for best current practices
documents.

Best Current Practices Document

For each topic addressed, a document will be produced that attempts to
capture current practices related to secure operation. This will be
primarily based on operational experience. Each entry will list:

* threats addressed,
* current practices for addressing the threat,
* protocols, tools and technologies extant at the time of writing that
are used to address the threat,
* the possibility that a solution does not exist within existing tools
or technologies.

Taxonomy and Problem Statement Documents

A document which attempts to describe the scope of a particular
operational security challenge or problem space without necessarily
coming to a conclusion or proposing a solution. Such a document might be
a precursor to a best common practices document.

While the principal inputs of the Working Group are operational
experience and needs, the output should be directed to provide guidance
both to the operator community and to Working Groups that develop
protocols or the community of protocol developers at large, as well as
to the implementers of these protocols.

Non-Goals:

The Operations security working group is not the place to do new
protocols.

New protocol work should be addressed in a working group chartered in
the appropriate area or as individual submissions. The OPSEC WG may take
on documents related to the practices of using such work.

 Goals and Milestones:

   Done         Complete Charter 

   Done         First draft of Framework Document as Internet Draft 

   Done         First draft of Standards Survey Document as Internet Draft 

   Done         First draft of Packet Filtering Capabilities 

   Done         First draft of Event Logging Capabilities 

   Done         First draft of Network Operator Current Security Practices 

   Done         First draft of In-Band management capabilities 

   Done         First draft of Out-of-Band management capabilities 

   Done         First draft of Configuration and Management Interface 
                Capabilities 

   Feb 2005     First draft of Authentication, Authorization, and Accounting
                (AAA) Capabilities

   Feb 2005     First draft of Documentation and Assurance capabilities

   Done         First draft of Miscellaneous capabilities

   Mar 2005     First draft of Deliberations Summary document

   Mar 2005     Submit Framework to IESG

   Mar 2005     Submit Standards Survey to IESG

   Done         Submit Network Operator Current Security Practices to IESG

   May 2005     First draft of ISP Operational Security Capabilities Profile

   May 2005     First draft of Enterprise Operational Security Capabilities
                Profile

   Jun 2005     Submit Packet Filtering capabilities to IESG

   Jun 2005     Submit Event Logging Capabilities document to IESG

   Jul 2005     Submit In-Band management capabilities to IESG

   Jul 2005     Submit Out-of-Band management capabilities to IESG

   Aug 2005     Submit Configuration and Management Interface Capabilities to
                IESG

   Aug 2005     Submit Authentication, Authorization and Accounting (AAA)
                capabilities document to IESG

   Sep 2005     Submit Documentation and Assurance capabilities to IESG

   Sep 2005     Submit Miscellaneous capabilities document to IESG

   Dec 2005     Submit ISP Operational Security Capabilities Profile to IESG

   Dec 2005     Submit Large Enterprise Operational Security Capabilities
                Profile to IESG

   Dec 2005     Submit OPSEC Deliberation Summary document to IESG

   Nov 2008     Submit a draft to the IESG regarding filtering of ICMP messages
                in the backbone

   Mar 2009     Submit a draft to the IESG regarding backbone threats and
                mitigations

   Mar 2009     Submit a draft to the IESG regarding BGP Session Security


 Internet-Drafts:

Posted Revised         I-D Title   <Filename>
------ ------- --------------------------------------------
Jan 2005 May 2010   <draft-ietf-opsec-efforts-12.txt>
                Security Best Practices Efforts and Documents 

Oct 2008 Aug 2010   <draft-ietf-opsec-routing-protocols-crypto-issues-07.txt>
                Issues with existing Cryptographic Protection Methods for 
                Routing Protocols 

Jan 2009 Apr 2010   <draft-ietf-opsec-ip-security-03.txt>
                Security Assessment of the Internet Protocol version 4 

Jan 2010 Jan 2010   <draft-ietf-opsec-igp-crypto-requirements-00.txt>
                Cryptographic Authentication Algorithm Implementation Best 
                Practices for Routing Protocols 

Jul 2010 Aug 2010   <draft-ietf-opsec-protect-control-plane-03.txt>
                Protecting The Router Control Plane 

 Request For Comments:

  RFC   Stat Published     Title
------- -- ----------- ------------------------------------
RFC4778 I    Jan 2007    Operational Security Current Practices in Internet 
                       Service Provider Environments 

RFC5635 I    Aug 2009    Remote Triggered Black Hole Filtering with Unicast 
                       Reverse Path Forwarding (uRPF)