Operational Security Capabilities for IP Network Infrastructure (opsec)
-----------------------------------------------------------------------

 Charter
 Last Modified: 2007-01-22

 Current Status: Active Working Group

 Chair(s):
     Ross Callon  <rcallon@juniper.net>
     Patrick Cain  <pcain@coopercain.com>

 Operations and Management Area Director(s):
     Dan Romascanu  <dromasca@avaya.com>
     Ronald Bonica  <rbonica@juniper.net>

 Operations and Management Area Advisor:
     TBD  <noreply@ietf.org>

 Technical Advisor(s):
     George Jones  <gmj@pobox.com>

 Mailing Lists: 
     General Discussion: opsec@ops.ietf.org
     To Subscribe:      opsec-request@ops.ietf.org
         In Body:       subscribe
     Archive:           http://ops.ietf.org/lists/opsec/

Description of Working Group:

Goals

The goal of the Operational Security Working Group is to codify
knowledge gained through operational experience about feature sets
that are needed to securely deploy and operate managed network
elements providing transit services at the data link and IP
layers.

It is anticipated that the codification of this knowledge will be
an aid to vendors in producing more securable network elements,
and an aid to operators in increasing security by deploying and
configuring more secure network elements.

Scope

The working group will list capabilities appropriate for
devices used in:

* Internet Service Provider (ISP) Networks
* Enterprise Networks

The following areas are excluded from the charter at this time:

* Wireless devices
* Small-Office-Home-Office (SOHO) devices
* Security devices (firewalls, Intrusion Detection Systems,
Authentication Servers)
* Hosts

Methods

Framework Document

A framework document will be produced describing the scope,
format, intended use and documents to be produced.

Current Practices Document

A single document will be produced that attempts to capture
current practices related to secure operation. This will be
primarily based on operational experience. Each entry will
list:

* threats addressed,

* current practices for addressing the threat,

* protocols, tools and technologies extant at the time of writing
that are used to address the threat.

Individual Capability Documents

A series of documents will be produced covering various groupings
of security management capabilities needed to operate network elements
in a secure fashion. The capabilities will be described in terms that
allow implementations to change over time and will attempt to avoid
requiring any particular implementation.

The capabilities documents will cite the Current Practices document
where possible for justification.

Profile Documents

Profile documents will be produced, which cite the capabilities
relevant to different operating environments.

Operator Outreach

Much of the operational security knowledge that needs to be
codified resides with operators. In order to access their
knowledge and reach the working group goal, informal BoFs will be
held at relevant operator fora.

RFC3871 will be used as a jumping-off point.

 Goals and Milestones:

   Done         Complete Charter 

   Done         First draft of Framework Document as Internet Draft 

   Done         First draft of Standards Survey Document as Internet Draft 

   Done         First draft of Packet Filtering Capabilities 

   Done         First draft of Event Logging Capabilities 

   Done         First draft of Network Operator Current Security Practices 

   Done         First draft of In-Band management capabilities 

   Done         First draft of Out-of-Band management capabilities 

   Done         First draft of Configuration and Management Interface 
                Capabilities 

   Feb 2005     First draft of Authentication, Authorization, and Accounting
                (AAA) Capabilities

   Feb 2005     First draft of Documentation and Assurance capabilities

   Done         First draft of Miscellaneous capabilities

   Mar 2005     First draft of Deliberations Summary document

   Mar 2005     Submit Framework to IESG

   Mar 2005     Submit Standards Survey to IESG

   Done         Submit Network Operator Current Security Practices to IESG

   May 2005     First draft of ISP Operational Security Capabilities Profile

   May 2005     First draft of Enterprise Operational Security Capabilities
                Profile

   Jun 2005     Submit Packet Filtering capabilities to IESG

   Jun 2005     Submit Event Logging Capabilities document to IESG

   Jul 2005     Submit In-Band management capabilities to IESG

   Jul 2005     Submit Out-of-Band management capabilities to IESG

   Aug 2005     Submit Configuration and Management Interface Capabilities to
                IESG

   Aug 2005     Submit Authentication, Authorization and Accounting (AAA)
                capabilities document to IESG

   Sep 2005     Submit Documentation and Assurance capabilities to IESG

   Sep 2005     Submit Miscellaneous capabilities document to IESG

   Dec 2005     Submit ISP Operational Security Capabilities Profile to IESG

   Dec 2005     Submit Large Enterprise Operational Security Capabilities
                Profile to IESG

   Dec 2005     Submit OPSEC Deliberation Summary document to IESG


 Internet-Drafts:

Posted Revised         I-D Title   <Filename>
------ ------- --------------------------------------------
Jan 2005 Apr 2007   <draft-ietf-opsec-framework-05.txt>
                Framework for Operational Security Capabilities for IP Network 
                Infrastructure 

Jan 2005 Dec 2006   <draft-ietf-opsec-efforts-05.txt>
                Security Best Practices Efforts and Documents 

Oct 2005 Apr 2007   <draft-ietf-opsec-filter-caps-06.txt>
                Filtering and Rate Limiting Capabilities for IP Network 
                Infrastructure 

Sep 2006 Apr 2007   <draft-ietf-opsec-infrastructure-security-01.txt>
                Service Provider Infrastructure Security 

Oct 2006 Feb 2007   <draft-ietf-opsec-routing-capabilities-01.txt>
                Routing Control Plane Security Capabilities 

Oct 2006 Mar 2007   <draft-ietf-opsec-logging-caps-02.txt>
                Logging Capabilities for IP Network Infrastructure 

 Request For Comments:

  RFC   Stat Published     Title
------- -- ----------- ------------------------------------
RFC4778 I    Jan 2007    Operational Security Current Practices in Internet 
                       Service Provider Environments