Scaled Back Cybersecuruty

: I'm trying to envision an RFP that awards business to one or
: a few network operators, but requires that they interoperate
: effectively with other operators who don't win any of the
: business. I've only got a state-level purchasing
: perspective, but I don't see it happening at any level.

Let me be more clear :slight_smile:

If the next FTS or if all large Federal IP purchases mandated
one of:

- Routers must be configured by end of 2003 so that all packets
  to the control plane must be logically separated from user
  packets (or demonstrate the ability to take 200mb of attack
  traffic to the router CPU without having an effect)

OR

- All single-homed customers must be source-address filtered at
  ingress or egress. (Becoming multi-homed at ingress as a
  requirement over time)

OR

...

You get the idea. Something that IS possible, that matters MOST
at the large end of the scale. And if we go a long way towards
solving one beasty per year we'll at least be making MORE progress
than we've been making to date, which is roughly zero.

: Pete.

Thanks,

Avi

: I'm trying to envision an RFP that awards business to one or
: a few network operators, but requires that they interoperate
: effectively with other operators who don't win any of the
: business. I've only got a state-level purchasing
: perspective, but I don't see it happening at any level.

Let me be more clear :slight_smile:

If the next FTS or if all large Federal IP purchases mandated
one of:

- Routers must be configured by end of 2003 so that all packets
  to the control plane must be logically separated from user
  packets (or demonstrate the ability to take 200mb of attack
  traffic to the router CPU without having an effect)

OR

- All single-homed customers must be source-address filtered at
  ingress or egress. (Becoming multi-homed at ingress as a
  requirement over time)

OR

...

You get the idea. Something that IS possible, that matters MOST
at the large end of the scale. And if we go a long way towards
solving one beasty per year we'll at least be making MORE progress
than we've been making to date, which is roughly zero.

The problem with these mandates by the Federal gov't is that they most
often are not enforced once they're directed. There was a mandate that
all operating systems installed on gov't networks meet a certain security
minimum. I forget the name of the program now but Windows didn't and
couldn't so it was wavered onto the program. I also seem to remember a
drive to have all software development follow the Capability Maturity
Model (at least in the Air Force) and a mandate that all software
development should be done at CMM level 3 that lost steam as well.
It's not a bad idea if you could get the gov't to truly enforce it.

Thanks,

Dave Olverson

Avi Freedman <freedman@freedman.net> writes:

- Routers must be configured by end of 2003 so that all packets
  to the control plane must be logically separated from user
  packets (or demonstrate the ability to take 200mb of attack
  traffic to the router CPU without having an effect)

This at least, we're working on actively.

http://www.ietf.org/internet-drafts/draft-gill-btsh-01.txt

Also, there will be a talk about this, as well as hardware features
we'd like to see on RPs specifically addressing the router cpu
attack.

/vijay