Re: Scaled Back Cybersecuruty
In article <103014.152131.21746@avi.netaxs.com> Pete wrote: : I'm trying to envision an RFP that awards business to one or : a few network operators, but requires that they interoperate : effectively with other operators who don't win any of the : business. I've only got a state-level purchasing : perspective, but I don't see it happening at any level. Let me be more clear :) If the next FTS or if all large Federal IP purchases mandated one of: - Routers must be configured by end of 2003 so that all packets to the control plane must be logically separated from user packets (or demonstrate the ability to take 200mb of attack traffic to the router CPU without having an effect) OR - All single-homed customers must be source-address filtered at ingress or egress. (Becoming multi-homed at ingress as a requirement over time) OR ... You get the idea. Something that IS possible, that matters MOST at the large end of the scale. And if we go a long way towards solving one beasty per year we'll at least be making MORE progress than we've been making to date, which is roughly zero. : Pete. Thanks, Avi
In article <103014.152131.21746@avi.netaxs.com> Pete wrote:
: I'm trying to envision an RFP that awards business to one or : a few network operators, but requires that they interoperate : effectively with other operators who don't win any of the : business. I've only got a state-level purchasing : perspective, but I don't see it happening at any level.
Let me be more clear :)
If the next FTS or if all large Federal IP purchases mandated one of:
- Routers must be configured by end of 2003 so that all packets to the control plane must be logically separated from user packets (or demonstrate the ability to take 200mb of attack traffic to the router CPU without having an effect)
OR
- All single-homed customers must be source-address filtered at ingress or egress. (Becoming multi-homed at ingress as a requirement over time)
OR
...
You get the idea. Something that IS possible, that matters MOST at the large end of the scale. And if we go a long way towards solving one beasty per year we'll at least be making MORE progress than we've been making to date, which is roughly zero.
The problem with these mandates by the Federal gov't is that they most often are not enforced once they're directed. There was a mandate that all operating systems installed on gov't networks meet a certain security minimum. I forget the name of the program now but Windows didn't and couldn't so it was wavered onto the program. I also seem to remember a drive to have all software development follow the Capability Maturity Model (at least in the Air Force) and a mandate that all software development should be done at CMM level 3 that lost steam as well. It's not a bad idea if you could get the gov't to truly enforce it. Thanks, Dave Olverson
Avi Freedman <freedman@freedman.net> writes:
- Routers must be configured by end of 2003 so that all packets to the control plane must be logically separated from user packets (or demonstrate the ability to take 200mb of attack traffic to the router CPU without having an effect)
This at least, we're working on actively. http://www.ietf.org/internet-drafts/draft-gill-btsh-01.txt Also, there will be a talk about this, as well as hardware features we'd like to see on RPs specifically addressing the router cpu attack. /vijay
participants (3)
-
Avi Freedman -
David Scott Olverson -
Vijay Gill