Operational Security Requirements for Large Internet Service Provider (ISP) IP Network Infrastructure (RFC3871)

IP.com Disclosure Number: IPCOM000031090D
Original Publication Date: 2004-Sep-01
Included in the Prior Art Database: 2019-Feb-11

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

G. Jones: AUTHOR

Related Documents

10.17487/RFC3871: DOI

Abstract

This document defines a list of operational security requirements for the infrastructure of large Internet Service Provider (ISP) IP networks (routers and switches). A framework is defined for specifying "profiles", which are collections of requirements applicable to certain network topology contexts (all, core-only, edge-only...). The goal is to provide network operators a clear, concise way of communicating their security requirements to vendors. This memo provides information for the Internet community.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 3% of the total text.

Network Working Group                                      G. Jones, Ed.
Request for Comments: 3871                         The MITRE Corporation
Category: Informational                                   September 2004

Operational Security Requirements for Large Internet Service Provider (ISP) IP Network Infrastructure

Status of this Memo

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2004).

Abstract

This document defines a list of operational security requirements for the infrastructure of large Internet Service Provider (ISP) IP networks (routers and switches). A framework is defined for specifying "profiles", which are collections of requirements applicable to certain network topology contexts (all, core-only, edge-only...). The goal is to provide network operators a clear, concise way of communicating their security requirements to vendors.

Table of Contents

1. Introduction
   1.1. Goals
   1.2. Motivation
   1.3. Scope
   1.4. Definition of a Secure Network
   1.5. Intended Audience
   1.6. Format
   1.7. Intended Use
   1.8. Definitions
2. Functional Requirements
   2.1. Device Management Requirements
      2.1.1. Support Secure Channels For Management
   2.2. In-Band Management Requirements
      2.2.1. Use Cryptographic Algorithms Subject To Open Review
      2.2.2. Use Strong Cryptography
      2.2.3. Use Protocols Subject To Open Review For Management
      2.2.4. Allow Selection of Cryptographic Parameters
      2.2.5. Management Functions Should Have Increased Priority
   2.3. Out-of-Band (OoB) Management Requirements
      2.3.1. Support a 'Console' Interface
      2.3.2. 'Console' Communication Profile Must Support Reset
      2.3.3. 'Console' Requires Minimal Functionality of Attached Devices
      2.3.4. 'Console' Supports Fall-back Authentication
      2.3.5. Support Separate Management Plane IP Interfaces
      2.3.6. No Forwarding Between Management Plane And Other Interfaces
   2.4. Configuration and Management Interface Requirements
      2.4.1. 'CLI' Provides Access to All Configuration and Management Fun...