[BCOP] BCOP on CPE Security requirements - decision points

JORDI PALET MARTINEZ jordi.palet at consulintel.es
Fri Sep 21 03:29:13 BRT 2018


On 1), I think it is not a global situation in the market that the level of encryption that we request is supported, so having a MUST, even if ideal, will exclude many products that are already being used.

On 2), even if an RFC asks for a SHOULD, it doesn't mean we can't ask for MUST. We may have the same situation as in my comment on 1), but I don't think it is the case in general in products in the market (today).

Regards,
Jordi
 
 

-----Original Message-----
From: BCOP <bcop-bounces at lacnog.org> on behalf of Lucimara Desiderá <lucimara at cert.br>
Reply-To: This list is to discuss BCOPs in LACNOG <bcop at lacnog.org>
Date: Friday, 21 September 2018, 5:01
To: BCOPs in LACNOG <bcop at lacnog.org>
Subject: [BCOP] BCOP on CPE Security requirements - decision points

    Hello
    
    As I said in a previous message, there are a few crucial points we need
    to decide in order to go for the final version of the BCOP on "Minimum
    security requirements for CPEs acquisition".
    
    During the meeting at LACNIC29 we had some discussion on those
    topics, but during the last period of comments, other people questioned
    those points. So I think the best is to bring the discussion to the list
    and try to reach consensus.
    
    The two main issues are whether to choose MUST or SHOULD on requirements
    regarding:
    
    
    1) encryption for management interface from the WAN (MR-03 and FR-02)
    ----------------------------------------------------------------------
    
    * Requiring MUST means:
    
    - in case of remote shell connection, no Telnet, only SSH
    - in case of other tools for remote management, it will have to
      support and be configured for an encrypted channel (e.g. TR-069 must use
      TLS/HTTPS)
    
    * Leaving as SHOULD
    
     - will keep the door open to sniff the credentials and any other
       management traffic. That will probably result in the compromise of
       the management password and consequently all the devices that use
       the same password.
    
    
    So:
    
    - Does anybody DISAGREE on MUST?
    
    - Does anybody AGREE on MUST?
    
    ===========================================================================
    
    2) Anti-spoofing filtering (FR-15 and IF-08)
    ----------------------------------------------
    
    - RFC 6092 (REC-5) states MUST for anti spoofing filtering
    - the "IPv4 and IPv6 eRouter Specification" from CableLabs
      recommends that implementation as "critical".
    
    - But RFC 7084 made a downgrade of that requirement
      S-2:  The IPv6 CE router SHOULD support ingress filtering in
             accordance with BCP 38 [RFC2827].  Note that this requirement
             was downgraded from a MUST from RFC 6204 due to the difficulty
             of implementation in the CE router and the feature's redundancy
             with upstream router ingress filtering.
    
    * Requiring MUST
     - unfortunately many (if not most) upstreams do not run ingress
       filtering
     - the closer to the origin, the better to kill spoofed traffic
     - it is possibly less complex to implement the filters in single homed
       devices
     - less spoofed traffic means fewer DDoS attacks, and so less headache
    
    * Leaving as SHOULD
     - will keep the door open to abuse for DDoS attacks
     - possibly the device will be cheaper upfront but probably will cost
       more later with secondary costs (unwanted DDoS traffic)
    
    
    So:
    
    - Does anybody DISAGREE on MUST?
    
    - Does anybody AGREE on MUST?
    
    
    
    Best regards,
    Lucimara



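Added example, not part of either message and not taken from the BCOP draft: a sketch of the anti-spoofing check from point 2 on a single-homed CPE, where the permitted sources are simply the prefixes the device itself serves on the LAN. The prefixes, packet list and function names are constructed for illustration, and the WAN-side mirror check goes slightly beyond the outbound case the thread discusses.

```python
import ipaddress
from collections import Counter

# Constructed configuration for a single-homed CPE (documentation prefixes).
LAN_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),        # IPv4 LAN subnet (assumed)
    ipaddress.ip_network("2001:db8:1200::/56"),  # IPv6 delegated prefix (assumed)
]

def _inside(src, prefixes):
    """True/False if src is inside a served prefix, None if it is not an address."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return None
    return any(addr.version == n.version and addr in n for n in prefixes)

def verdict(direction, src, prefixes=LAN_PREFIXES):
    """Forwarding decision based only on the source address and direction."""
    inside = _inside(src, prefixes)
    if inside is None:
        return "drop"                      # malformed source address
    if direction == "lan-to-wan":          # BCP 38 style ingress filter
        return "forward" if inside else "drop"
    if direction == "wan-to-lan":          # mirror check: outside claiming inside
        return "drop" if inside else "forward"
    raise ValueError(f"unknown direction: {direction}")

# Constructed packets: (direction, source address).
SAMPLE = [
    ("lan-to-wan", "192.0.2.25"),           # legitimate IPv4 host
    ("lan-to-wan", "2001:db8:1200:1::10"),  # legitimate IPv6 host in the /56
    ("lan-to-wan", "198.51.100.7"),         # spoofed IPv4 source
    ("lan-to-wan", "2001:db8:ffff::1"),     # spoofed IPv6 source
    ("lan-to-wan", "fe80::1"),              # link-local, never valid off-link
    ("wan-to-lan", "203.0.113.9"),          # ordinary inbound traffic
    ("wan-to-lan", "192.0.2.25"),           # outside packet with inside source
]

def summarize(packets=SAMPLE):
    """Count verdicts per direction; drop counters are what an operator would watch."""
    return Counter((d, verdict(d, s)) for d, s in packets)

if __name__ == "__main__":
    for d, s in SAMPLE:
        print(f"{d:11} {s:22} {verdict(d, s)}")
```

Because the allowed set is derived from the device's own LAN configuration, the filter needs no routing table lookup, which is the single-homed simplification mentioned in the original message.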