[BCOP] BCOP on CPE Security requirements - decision points

Lucimara Desiderá lucimara at cert.br
Fri Sep 21 00:00:55 BRT 2018


Hello

As I said in a previous message, there are a few crucial points we need
to decide in order to go for the final version of the BCOP on "Minimum
security requirements for CPEs acquisition".

During the meeting at LACNIC29 we had some discussion on those
topics, but during the last period of comments, other people questioned
those points. So I think it is best to bring the discussion to the list
and try to reach consensus.

The two main issues are whether to choose MUST or SHOULD on requirements
regarding:


1) encryption for management interface from the WAN (MR-03 and FR-02)
----------------------------------------------------------------------

* Requiring MUST means:

- in case of remote shell connection, no Telnet, only SSH
- in case of other tools for remote management, it will have to
  support and be configured for an encrypted channel (e.g. TR-069 must use
  TLS/HTTPS)

* Leaving as SHOULD

 - will keep the door open to sniff the credentials and any other
   management traffic. That will probably result in the compromise of
   the management password and consequently all the devices that use
   the same password.


So:

- Does anybody DISAGREE on MUST?

- Does anybody AGREE on MUST?

===========================================================================

2) Anti-spoofing filtering (FR-15 and IF-08)
----------------------------------------------

- RFC 6092 (REC-5) states MUST for anti-spoofing filtering
- the "IPv4 and IPv6 eRouter Specification" from CableLabs
  recommends that implementation as "critical".

- But RFC 7084 downgraded that requirement:
  S-2:  The IPv6 CE router SHOULD support ingress filtering in
         accordance with BCP 38 [RFC2827].  Note that this requirement
         was downgraded from a MUST from RFC 6204 due to the difficulty
         of implementation in the CE router and the feature's redundancy
         with upstream router ingress filtering.

* Requiring MUST
 - unfortunately many (if not most) upstreams do not run ingress
   filtering
 - the closer to the origin, the better to kill spoofed traffic
 - it is possibly less complex to implement the filters in single-homed
   devices
 - less spoofed traffic means fewer DDoS attacks, and so less headache

* Leaving as SHOULD
 - will keep the door open to abuse for DDoS attacks
 - possibly the device will be cheaper upfront but probably will cost
   more later with secondary costs (unwanted DDoS traffic)


So:

- Does anybody DISAGREE on MUST?

- Does anybody AGREE on MUST?



Best regards,
Lucimara
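
Added example, not part of the original message: a sketch of the BCP 38 forwarding decision a single-homed CPE would make for packets arriving on its LAN side, as discussed under item 2. The prefixes, function names and sample addresses are constructed for illustration (documentation ranges), and the check is assumed to run before any NAT.

```python
import ipaddress

# Constructed sample values from documentation ranges; not from the original message.
LAN_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "2001:db8:1234::/56")]

def may_forward_to_wan(src, prefixes=LAN_PREFIXES):
    """Decide whether a packet received on the LAN side may be forwarded upstream."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source: fail closed
    # Sources that are never valid on a routed packet, whatever the prefix list says.
    if addr.is_unspecified or addr.is_loopback or addr.is_multicast or addr.is_link_local:
        return False
    # Single-homed CPE: the only legitimate sources are the prefixes assigned to the LAN.
    return any(addr.version == net.version and addr in net for net in prefixes)

def filter_batch(sources, prefixes=LAN_PREFIXES):
    """Split a list of source addresses into (forwarded, dropped)."""
    forwarded, dropped = [], []
    for s in sources:
        (forwarded if may_forward_to_wan(s, prefixes) else dropped).append(s)
    return forwarded, dropped

# Constructed LAN-side sources: two legitimate hosts and four that must not leave.
SAMPLE = ["192.0.2.10", "198.51.100.7", "2001:db8:1234:1::5",
          "2001:db8:ffff::1", "fe80::1", "0.0.0.0"]

if __name__ == "__main__":
    ok, bad = filter_batch(SAMPLE)
    print("forwarded:", ok)
    print("dropped:  ", bad)
```

With an empty prefix list (for example before the WAN side has been assigned a prefix) the function drops everything, which is the fail-closed behaviour a MUST-level requirement would imply.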

