The Awards: Best network service provider security architecture

Owen DeLong owen at delong.com
Tue Jan 21 21:19:47 UTC 2003


I absolutely agree with Item 3.  Sure, IP itself doesn't protect against
those things, but if a BN doesn't provide service without delay, misdelivery,
or nondelivery of otherwise adequately protected information (valid packets),
then the BN isn't very useful.

If I met all the other criteria here, but blackholed half the traffic, my
BN wouldn't be very good.

Owen


--On Tuesday, January 21, 2003 15:07 -0500 Sean Donelan <sean at donelan.com> wrote:

>
> I've been looking at a lot of different technical security architectures
> for network providers.  Obviously many providers keep their security
> secret, so they may or may not have a decent security architecture.
> Nevertheless there is still a lot of good information available from
> government agency networks, academics and vendors.
>
> The best network service provider security architecture document
>
> First Place: Information Assurance Technical Framework
> Second Place: The ESNET unclassified Security Plan
> Third Place: University of Washington Network Security Credo
>
> From the IATF document http://www.iatf.net/
>
> 5.1 Availability of Backbone Network
>
> I would disagree about item #3: IP is a datagram service, and does not
> protect against delay or packet drops (see item #1).  Otherwise this is a
> decent list of functional security requirements for most Internet
> backbone providers.  It's short, but covers the big items.
>
> 1. BNs must provide an agreed level of responsiveness, continuity of
>     service and resistance to accidental or intentional corruption of the
>     communications service.  (The agreement is between the owners of the
>     network and the users of the network.)
>
> 2. BNs are not required to provide security services of user data
>    (such as confidentiality and integrity); that is the user's
>    responsibility.
>
> 3. BNs must protect against the delay, misdelivery, or nondelivery of
>    otherwise adequately protected information.
>
> 4. BNs, as a part of the end-to-end information transfer system, must
>    provide the service transparently to the user.
>
> 5. As part of the transparency requirement, the BN must operate
>    seamlessly with other backbones and local networks.
>
>
