RFC 3871 Operational Security Requirements September 2004
Warnings.
None.
2.2. In Band Management Requirements
This section lists security requirements that support secure in band
management. In band management has the advantage of lower cost (no
extra interfaces or lines), but has significant security
disadvantages:
o Saturation of customer lines or interfaces can make the device
unmanageable unless out of band management resources have been
reserved.
o Since public interfaces/channels are used, it is possible for
attackers to directly address and reach the device and to attempt
management functions.
o In band management traffic on public interfaces may be
intercepted; however, this would typically require a significant
compromise in the routing system.
o Public interfaces used for in band management may become
unavailable due to bugs (e.g., buffer overflows being exploited)
while out of band interfaces (such as a serial console device)
remain available.
There are many situations where in band management makes sense, is
used, and/or is the only option. The following requirements are
meant to provide means of securing in band management traffic.
2.2.1. Use Cryptographic Algorithms Subject To Open Review
Requirement.
If cryptography is used to provide secure management functions,
then there MUST be an option to use algorithms that are subject to
"open review" as defined in Section 1.8 to provide these
functions. These SHOULD be used by default. The device MAY
optionally support algorithms that are not open to review.
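An added example, not part of RFC 3871: one way an operator could audit a device's management functions against the three levels of this requirement (MUST offer an open-review option, SHOULD default to it, MAY also offer others). The REVIEWED allowlist, the function names and the "vendor-*" algorithm names are assumptions constructed for illustration; the RFC names no algorithms in this section.

```python
# Added example: audit management-plane crypto against RFC 3871 section 2.2.1.
# REVIEWED is an operator-maintained allowlist (assumption, not from the RFC).
REVIEWED = {"aes128-ctr", "aes256-ctr", "hmac-sha2-256", "hmac-sha2-512"}

# Constructed sample inventory: for each management function, the algorithms
# the device offers in preference order (first entry is the default).
SAMPLE_DEVICE = {
    "ssh-cipher": ["aes256-ctr", "aes128-ctr", "vendor-cipher-x"],
    "ssh-mac": ["vendor-mac-y", "hmac-sha2-256"],
    "snmp-priv": ["vendor-cipher-x"],
    "syslog": [],  # no cryptography in use, so the requirement does not apply
}


def audit(device, reviewed=REVIEWED):
    """Return {function: (verdict, detail)} for one device inventory."""
    findings = {}
    for function, offered in device.items():
        # Normalise names so "AES256-CTR " and "aes256-ctr" compare equal.
        names = [a.strip().lower() for a in offered if a.strip()]
        if not names:
            findings[function] = ("N/A", "no cryptography configured")
            continue
        open_algs = [a for a in names if a in reviewed]
        closed = [a for a in names if a not in reviewed]
        if not open_algs:
            # MUST: an open-review option has to exist.
            detail = "no open-review option; offers only " + ", ".join(closed)
            findings[function] = ("FAIL-MUST", detail)
        elif names[0] not in reviewed:
            # SHOULD: the open-review algorithm ought to be the default.
            detail = f"default {names[0]} is not open-review; {open_algs[0]} is available"
            findings[function] = ("WARN-SHOULD", detail)
        elif closed:
            # MAY: unreviewed algorithms are tolerated as non-default extras.
            detail = "open-review default; also offers " + ", ".join(closed)
            findings[function] = ("PASS", detail)
        else:
            findings[function] = ("PASS", "open-review algorithms only")
    return findings


if __name__ == "__main__":
    for function, (verdict, detail) in audit(SAMPLE_DEVICE).items():
        print(f"{function:12} {verdict:12} {detail}")
```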
Justification.
Cryptographic algorithms that have not been subjected to
widespread, extended public/peer review are more likely to have
undiscovered weaknesses or flaws than open standards and publicly
reviewed algorithms. Network operators may have need or desire to
Jones Informational [Page 12]