We (UUNET) have an internal document that we've been using for a few years as the basis for tests of security features of equipment to be connected to our backbone. We're interested in making it public so that it can be improved and so that others can use it.

You can view the current draft at:

http://www.port111.com/docs/draft-jones-netsec-reqs-00.html (HTML)

or

http://www.port111.com/docs/draft-jones-netsec-reqs-00.txt (text)

The overall goal is an improvement in the security features of devices implementing IP. The means that this document tries to provide is a clear definition of security requirements that consumers/operators of networking gear can point to (in RFPs) to say "see, we want security and this is what it means".

The current list of requirements is skewed to the needs of large networks (consider the source), but it does provide a means of defining "profiles" for specifying subsets of requirements for different classes of devices (core, edge, ... toasters). Most of the requirements specify features that are generally implemented today (logging, AAA), though some of the requirements specify highly desirable features that are not implemented in current products (stealthing, monitoring, sampling, etc.).

What we're requesting here is feedback from network operators and vendors on how to make this document useful in achieving actual improvements in security. Specifically, we're requesting feedback/discussion on:

* The requirements listed
* Important requirements that are missing
* Document structure
* How to make it useful

The next step will likely be submission of an Internet draft - c.a. July 2. Input prior to that date stands a much better chance of being included :-)

Feel free to reply to me <george@uu.net> or reply to the list.

Thanks,
---George Jones