The Awards: Best network service provider security architecture
Owen DeLong
owen at delong.com
Tue Jan 21 21:19:47 UTC 2003
I absolutely agree with Item 3. Sure, IP itself doesn't protect against
those things, but if a BN doesn't provide service without delay,
misdelivery,
or nondelivery of otherwise adequately protected information (valid
packets),
then the BN isn't very useful.
If I met all the other criteria here, but blackholed half the traffic, my
BN wouldn't be very good.
Owen
--On Tuesday, January 21, 2003 15:07 -0500 Sean Donelan <sean at donelan.com>
wrote:
>
> I've been looking at a lot of different technical security architectures
> for network providers. Obviously many providers keep their security
> secret, so they may or may not have a decent security architecture.
> Nevertheless there is still a lot of good information available from
> government agency networks, academics and vendors.
>
> The best network service provider security architecture document
>
> First Place: Information Assurance Technical Framework
> Second Place: The ESNET unclassified Security Plan
> Third Place: University of Washington Network Security Credo
>
>> From the IATF document http://www.iatf.net/
>
> 5.1 Availability of Backbone Network
>
> I would disagree about item #3, IP is a datagram service, and does not
> protect against delay or packet drops (see item #1). Otherwise this is a
> decent list of functional security requirements for most Internet
> backbone providers. Its short, but covers the big items.
>
> 1. BNs must provide an agreed level of responsiveness, continuity of
> service and resistance to accidental or intentional corruption of the
> communications service. (The agreement is between the owners of the
> network and the users of the network.)
>
> 2. BNs are not required to provide security services of user data
> (such as confidentiality and integrity)that is the user's
> responsibility.
>
> 3. BNs must protect against the delay, misdelivery, or nondelivery of
> otherwise adequately protected information.
>
> 4. BNs, as a part of the end-to-end information transfer system, must
> provide the service transparently to the user.
>
> 5. As part of the transparency requirement, the BN must operate
> seamlessly with other backbones and local networks.
>
>
More information about the NANOG
mailing list