[BCOP] [EXTERNAL] BCOP on CPE Security requirements - decision points
Livingood, Jason
Jason_Livingood at comcast.com
Fri Sep 21 15:42:26 BRT 2018
Some feedback attached in redline (Word) since I do not have edit rights in Google Docs. Many of my edits are grammatical. Is this useful to the group? If so I can continue onto the rest of the document (and it is okay if it is not!).
Jason
On 9/20/18, 11:01 PM, "BCOP on behalf of Lucimara Desiderá" <bcop-bounces at lacnog.org on behalf of lucimara at cert.br> wrote:
Hello
As I said in a previous message, there are a few crucial points we need
to decide in order to go for the final version of the BCOP on "Minimum
security requirements for CPEs acquisition".
During the meeting at the LACNIC29 we had some discussion on those
topics, but during the last period of comments, other people questioned
those points. So I think it is best to bring the discussion to the list
and try to reach consensus.
The two main issues are whether to choose MUST or SHOULD on requirements
regarding:
1) encryption for management interface from the WAN (MR-03 and FR-02)
----------------------------------------------------------------------
* Requiring MUST means:
- in case of remote shell connection, no Telnet, only SSH
- in case of other tools for remote management, it will have to
support and be configured for an encrypted channel (e.g. TR-069 must use
TLS/HTTPS)
* Leaving as SHOULD
- will keep the door open to sniff the credentials and any other
management traffic. That will probably result in the compromise of
the management password and consequently all the devices that use
the same password.
So:
- Does anybody DISAGREE on MUST?
- Does anybody AGREE on MUST?
===========================================================================
2) Anti-spoofing filtering (FR-15 and IF-08)
----------------------------------------------
- RFC 6092 (REC-5) states MUST for anti-spoofing filtering
- the "IPv4 and IPv6 eRouter Specification" from CableLabs
recommends that implementation as "critical".
- But RFC 7084 made a downgrade of that requirement
S-2: The IPv6 CE router SHOULD support ingress filtering in
accordance with BCP 38 [RFC2827]. Note that this requirement
was downgraded from a MUST from RFC 6204 due to the difficulty
of implementation in the CE router and the feature's redundancy
with upstream router ingress filtering.
* Requiring MUST
- unfortunately many (if not most) upstreams do not run ingress
filtering
- the closer to the origin, the better to kill spoofed traffic
- it is possibly less complex to implement the filters in single-homed
devices
- less spoofed traffic means less DDoS attacks, and so less headache
* Leaving as SHOULD
- will keep the door open to abuse for DDoS attacks
- possibly the device will be cheaper upfront but probably will cost
more later with secondary costs (unwanted DDoS traffic)
So:
- Does anybody DISAGREE on MUST?
- Does anybody AGREE on MUST?
Best regards,
Lucimara
_______________________________________________
BCOP mailing list
BCOP at lacnog.org
https://mail.lacnic.net/mailman/listinfo/bcop
-------------- next part --------------
A non-text attachment was scrubbed...
Name: BCOP-Minimum_Security_Requirements_CPEs_draft-03 - JL edits.docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 41633 bytes
Desc: BCOP-Minimum_Security_Requirements_CPEs_draft-03 - JL edits.docx
URL: <https://mail.lacnic.net/pipermail/bcop/attachments/20180921/afdbdae9/attachment-0001.docx>