[BCOP] [EXTERNAL] BCOP on CPE Security requirements - decision points

Lucimara Desiderá lucimara at cert.br
Fri Sep 21 16:56:33 BRT 2018


Hi Jason

On 09/21/18 15:42, Livingood, Jason wrote:
> Some feedback attached in redline (Word) since I do not have edit rights in Google Docs.

Strange... I gave you "comment" rights on Google Docs. I authorized your
corporate email. Maybe you are authenticating with a different
credential on GD. If you want me to change that, let me know your
preferred email.


> Many of my edits are grammatical. Is this useful to the group? If so I
> can continue on to the rest of the document (and it is okay if it is not!).

Sure! As you are a native English speaker, those grammatical edits are
very welcome.

Additionally, from the technical perspective, one of the things where I
think you could help us a lot, given your experience in the cable
industry, would be looking at the requirements to see if they are
also applicable to your industry/organization. I'm worried about
possible incompatibilities.


> 
> Jason

Best,
Lucimara
> 
> On 9/20/18, 11:01 PM, "BCOP on behalf of Lucimara Desiderá" <bcop-bounces at lacnog.org on behalf of lucimara at cert.br> wrote:
> 
>     Hello
>     
>     As I said in a previous message, there are a few crucial points we need
>     to decide in order to go for the final version of the BCOP on "Minimum
>     security requirements for CPEs acquisition".
>     
>     During the meeting at LACNIC29 we had some discussion on those
>     topics, but during the last period of comments, other people questioned
>     those points. So I think the best is to bring the discussion to the list
>     and try to reach consensus.
>     
>     The two main issues are whether to choose MUST or SHOULD for requirements
>     regarding:
>     
>     
>     1) encryption for the management interface from the WAN (MR-03 and FR-02)
>     --------------------------------------------------------------------------
>     
>     * Requiring MUST means:
>     
>     - in case of remote shell connection, no Telnet, only SSH
>     - in case of other tools for remote management, they will have to
>       support and be configured for an encrypted channel (e.g. TR-069 must
>       use TLS/HTTPS)
>     
>     * Leaving as SHOULD
>     
>      - will keep the door open to sniff the credentials and any other
>        management traffic. That will probably result in the compromise of
>        the management password and consequently of all the devices that use
>        the same password.
>     
>     
>     So:
>     
>     - Does anybody DISAGREE on MUST?
>     
>     - Does anybody AGREE on MUST?
>     
>     ===========================================================================
>     
>     2) Anti-spoofing filtering (FR-15 and IF-08)
>     ----------------------------------------------
>     
>     - RFC 6092 (REC-5) states MUST for anti-spoofing filtering
>     - the "IPv4 and IPv6 eRouter Specification" from CableLabs
>       recommends that implementation as "critical".
>     
>     - But RFC 7084 downgraded that requirement:
>       S-2:  The IPv6 CE router SHOULD support ingress filtering in
>              accordance with BCP 38 [RFC2827].  Note that this requirement
>              was downgraded from a MUST from RFC 6204 due to the difficulty
>              of implementation in the CE router and the feature's redundancy
>              with upstream router ingress filtering.
>     
>     * Requiring MUST
>      - unfortunately many (if not most) upstreams do not run ingress
>        filtering
>      - the closer to the origin, the better to kill spoofed traffic
>      - it is possibly less complex to implement the filters in single-homed
>        devices
>      - less spoofed traffic means fewer DDoS attacks, and so less headache
>     
>     * Leaving as SHOULD
>      - will keep the door open to abuse for DDoS attacks
>      - possibly the device will be cheaper upfront but will probably cost
>        more later with secondary costs (unwanted DDoS traffic)
>     
>     
>     So:
>     
>     - Does anybody DISAGREE on MUST?
>     
>     - Does anybody AGREE on MUST?
>     
>     
>     
>     Best regards,
>     Lucimara
>     _______________________________________________
>     BCOP mailing list
>     BCOP at lacnog.org
>     https://mail.lacnic.net/mailman/listinfo/bcop
>     
> 
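Added example, not part of this thread or of the BCOP draft: a small Python model of the RFC 7084 S-2 / BCP 38 ingress filter discussed in the second decision point, for a single-homed CPE. The LAN prefixes, WAN address and sample packets are constructed for illustration. The policy it implements is the one the thread argues for: traffic arriving from the LAN may only carry a source address inside the CPE's own prefixes (otherwise it is spoofed and should be dropped before it reaches the upstream), and traffic arriving from the WAN must never claim one of those addresses.

```python
"""Model of BCP 38 ingress filtering on a single-homed CPE (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    """A forwarded packet as seen by the CPE: arrival interface and addresses."""
    iface: str  # "lan" or "wan"
    src: str
    dst: str


class SourceFilter:
    """Source-address filter for a CPE that owns a fixed, known set of prefixes.

    Being single-homed is what makes this simple: every legitimate packet
    leaving the LAN must come from one of the delegated prefixes, and no
    packet arriving from the WAN can legitimately carry one of them.
    """

    def __init__(self, lan_prefixes, wan_addresses):
        self.lan = [ip_network(p) for p in lan_prefixes]
        self.wan = {ip_address(a) for a in wan_addresses}

    def owns(self, addr):
        """True if addr is the CPE's WAN address or lies in a delegated LAN prefix."""
        # Version mismatches are handled by ipaddress: an IPv4 address is
        # never 'in' an IPv6 network and never equal to an IPv6 address.
        return addr in self.wan or any(addr in net for net in self.lan)

    def decide(self, pkt):
        """Return "accept" or "drop" for a packet the CPE is asked to forward."""
        src = ip_address(pkt.src)
        # Loopback or multicast sources are never valid on forwarded traffic.
        if src.is_loopback or src.is_multicast:
            return "drop"
        if pkt.iface == "lan":
            # BCP 38 egress direction: only our own sources may go upstream.
            return "accept" if self.owns(src) else "drop"
        if pkt.iface == "wan":
            # Mirror check: nothing from outside may impersonate an inside host.
            return "drop" if self.owns(src) else "accept"
        return "drop"  # unknown interface: fail closed


# Constructed topology (documentation prefixes, not real deployments).
CPE = SourceFilter(
    lan_prefixes=["192.168.1.0/24", "2001:db8:1::/64"],
    wan_addresses=["192.0.2.1", "2001:db8:ffff::2"],
)

# Constructed sample packets: legitimate traffic plus the spoofing cases
# the filter is meant to stop.
SAMPLES = [
    Packet("lan", "192.168.1.10", "198.51.100.5"),       # real LAN host
    Packet("lan", "10.99.0.1", "198.51.100.5"),          # spoofed v4 source
    Packet("lan", "2001:db8:1::10", "2001:db8:aaaa::1"), # real LAN host (v6)
    Packet("lan", "2001:db8:dead::1", "2001:db8:aaaa::1"),  # spoofed v6 source
    Packet("wan", "203.0.113.7", "192.0.2.1"),           # normal inbound
    Packet("wan", "192.168.1.10", "192.0.2.1"),          # claims a LAN address
    Packet("wan", "192.0.2.1", "192.0.2.1"),             # claims our own WAN address
    Packet("wan", "127.0.0.1", "192.0.2.1"),             # loopback from outside
]


def run_samples(flt=CPE, packets=SAMPLES):
    """Apply the filter to every sample; return (decisions, accepted, dropped)."""
    decisions = [flt.decide(p) for p in packets]
    return decisions, decisions.count("accept"), decisions.count("drop")


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLES, run_samples()[0]):
        print(f"{pkt.iface:3} {pkt.src:>18} -> {pkt.dst:<18} {verdict}")
```

The WAN-side check is the part that RFC 7084 calls redundant with upstream filtering; the LAN-side check is the one the thread's "closer to the origin" argument is about, and it is cheap precisely because a single-homed CPE knows exactly which prefixes it was delegated.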

