The Awards: Best network service provider security architecture

Tue Jan 21 21:54:54 UTC 2003

If you have done a good job negotiating Item 1, item 3 is redundant.  On
the other hand if you have choosen a crappy backbone in Item 1, using
VPN/SSL/whatever to secure your packets won't help delay or nondelivery
of packets.

On Tue, 21 Jan 2003, Owen DeLong wrote:

> I absolutely agree with Item 3.  Sure, IP itself doesn't protect against
> those things, but if a BN doesn't provide service without delay,
> misdelivery,
> or nondelivery of otherwise adequately protected information (valid
> packets),
> then the BN isn't very useful.
>
> If I met all the other criteria here, but blackholed half the traffic, my
> BN wouldn't be very good.
>
> Owen
>
>
> --On Tuesday, January 21, 2003 15:07 -0500 Sean Donelan <sean at donelan.com>
> wrote:
>
> >
> > I've been looking at a lot of different technical security architectures
> > for network providers.  Obviously many providers keep their security
> > secret, so they may or may not have a decent security architecture.
> > Nevertheless there is still a lot of good information available from
> > government agency networks, academics and vendors.
> >
> > The best network service provider security architecture document
> >
> > First Place: Information Assurance Technical Framework
> > Second Place: The ESNET unclassified Security Plan
> > Third Place: University of Washington Network Security Credo
> >
> >> From the IATF document http://www.iatf.net/
> >
> > 5.1 Availability of Backbone Network
> >
> > I would disagree about item #3, IP is a datagram service, and does not
> > protect against delay or packet drops (see item #1).  Otherwise this is a
> > decent list of functional security requirements for most Internet
> > backbone providers.  Its short, but covers the big items.
> >
> > 1. BNs must provide an agreed level of responsiveness, continuity of
> >     service and resistance to accidental or intentional corruption of the
> >     communications service.  (The agreement is between the owners of the
> >     network and the users of the network.)
> >
> > 2. BNs are not required to provide security services of user data
> >    (such as confidentiality and integrity)that is the user's
> >    responsibility.
> >
> > 3. BNs must protect against the delay, misdelivery, or nondelivery of
> >    otherwise adequately protected information.
> >
> > 4. BNs, as a part of the end-to-end information transfer system, must
> >    provide the service transparently to the user.
> >
> > 5. As part of the transparency requirement, the BN must operate
> >    seamlessly with other backbones and local networks.
> >
> >
>
>
>