[BCOP] BCOP on CPE Security requirements - decision points
John Brown
john at citylinkfiber.com
Fri Sep 21 10:20:23 BRT 2018
> 1) encryption for management interface from the WAN (MR-03 and FR-02)
> ----------------------------------------------------------------------
>
> * Requiring MUST means:
>
> - in case of remote shell connection, no Telnet, only SSH
> - in case of other tools for remote management, it will have to
> support an be configured for encrypted channel (e.g. TR-069 must use
> TLS/HTTPS)
I agree that a MUST is required here. SSH is available on my iPhone, Android,
tablet, windows, MAC, and lots of other devices. So this isn't a problem.
Telnet should be killed. The box shouldn't even answer to port 23!
SSH should also have the ability to have its port number changed away from
port 22. It should support having the port number set to any valid 16bit number
Having operators use TLS/HTTPS for TR-069 isn't that hard of a problem.
In the end it will reduce their overall operational costs.
All configuration connections MUST use a secure / encrypted channel!
This is even more important for CPE devices that have VoIP / SIP ATA features.
You don't want SIP credentials stolen and then used for Toll Fraud!
> ===========================================================================
>
> 2) Anti-spoofing filtering (FR-15 and IF-08)
> ----------------------------------------------
>
> - RFC 6092 (REC-5) states MUST for anti spoofing filtering
> - the "IPv4 and IPv6 eRouter Specification" from CableLabs
> recommends that implementation as "critical".
I agree that this should be a MUST! Edge devices MUST NOT have the ability
to generate a source address that is not directly connected to the device.
To trust that the upstream will handle this has proven a failure
I support MUST
More information about the BCOP
mailing list