RFC 3871 Operational Security Requirements September 2004
2.2.5. Management Functions Should Have Increased Priority
Requirement.
Management functions SHOULD be processed at higher priority than
non-management traffic. This SHOULD include ingress, egress,
internal transmission, and processing. This SHOULD include at
least protocols used for configuration, monitoring, configuration
backup, logging, time synchronization, authentication, and
routing.
Justification.
Certain attacks (and normal operation) can cause resource
saturation such as link congestion, memory exhaustion or CPU
overload. In these cases it is important that management
functions be prioritized to ensure that operators have the tools
needed to recover from the attack.
Examples.
Imagine a service provider with 1,000,000 DSL subscribers, most of
whom have no firewall protection. Imagine that a large portion of
these subscribers' machines were infected with a new worm that
enabled them to be used in coordinated fashion as part of a large
denial of service attack that involved flooding. It is entirely
possible that without prioritization such an attack would cause
link congestion resulting in routing adjacencies being lost. A
DoS attack against hosts has just become a DoS attack against the
network.
Warnings.
Prioritization is not a panacea. Routing update packets may not
make it across a saturated link. This requirement simply says
that the device should prioritize management functions within its
scope of control (e.g., ingress, egress, internal transit,
processing). To the extent that this is done across an entire
network, the overall effect will be to ensure that the network
remains manageable.
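The effect described in the example above can be reproduced with a small simulation of one device's egress queue. This is an added illustration, not part of RFC 3871: the queue model, link rate, buffer size, flood rate, keepalive interval and hold time are all constructed assumptions. It compares a single FIFO tail-drop queue with strict priority for management traffic under the same flood.

```python
from collections import deque

MGMT, DATA = "mgmt", "data"

def simulate(prioritize, ticks=200, link_rate=10, buffer_size=50,
             flood_rate=40, keepalive_every=10, hold_time=30):
    """Return (keepalives_sent, keepalives_delivered, adjacency_lost).

    All parameters are constructed values for illustration only.
    """
    queues = {MGMT: deque(), DATA: deque()}
    sent = delivered = last_seen = 0
    adjacency_lost = False
    for t in range(1, ticks + 1):
        # Arrivals: a flood burst, with one routing keepalive mid-burst.
        arrivals = [DATA] * flood_rate
        if t % keepalive_every == 0:
            arrivals.insert(flood_rate // 2, MGMT)
            sent += 1
        for kind in arrivals:
            cls = kind if prioritize else DATA  # FIFO: one shared queue
            depth = len(queues[MGMT]) + len(queues[DATA])
            if depth < buffer_size:
                queues[cls].append(kind)
            elif prioritize and kind == MGMT and queues[DATA]:
                queues[DATA].pop()              # evict newest data packet
                queues[MGMT].append(kind)
            # otherwise the packet is tail-dropped
        # Service: management queue first (it stays empty in FIFO mode).
        for _ in range(link_rate):
            q = queues[MGMT] or queues[DATA]
            if not q:
                break
            if q.popleft() == MGMT:
                delivered += 1
                last_seen = t
        # The neighbor declares the adjacency down after hold_time silent ticks.
        if t - last_seen > hold_time:
            adjacency_lost = True
    return sent, delivered, adjacency_lost

if __name__ == "__main__":
    for mode in (False, True):
        print("priority" if mode else "fifo", simulate(mode))
```

The model covers only the device's own egress queue, which is the scope of control the Warnings paragraph refers to; it says nothing about what happens on the saturated link beyond it.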
2.3. Out of Band (OoB) Management Requirements
See Section 2.2 for a discussion of the advantages and disadvantages
of In band vs. Out of Band management.
Jones Informational [Page 16]