RFC 3871 Operational Security Requirements September 2004
closed" is the correct stance. The implications of "fail closed"
(e.g., not being able to manage a device) should be fully
considered.
If the fall back mechanism is disabled, it is important that the
failure of the IP-based authentication mechanism be reliably
detected and the fall back mechanism automatically enabled;
otherwise the operator may be left with no means to authenticate.
2.3.5. Support Separate Management Plane IP Interfaces
Requirement.
The device MAY provide designated network interface(s) that are
used for management plane traffic.
Justification.
A separate management plane interface allows management traffic to
be segregated from other traffic (data/forwarding plane, control
plane). This reduces the risk that unauthorized individuals will
be able to observe management traffic and/or compromise the
device.
This requirement applies in situations where a separate OoB
management network exists.
Examples.
An Ethernet port dedicated to management and isolated from customer
traffic satisfies this requirement.
Warnings.
The use of this type of interface depends on proper functioning of
both the operating system and the IP stack, as well as good, known
configuration at least on the portions of the device dedicated to
management.
2.3.6. No Forwarding Between Management Plane And Other Interfaces
Requirement.
If the device implements separate network interface(s) for the
management plane per Section 2.3.5, then the device MUST NOT
forward traffic between the management plane and non-management
plane interfaces.
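The requirement of Section 2.3.6 expressed as a check an operator could run against a Linux-based device. This Python audit is an added example, not part of RFC 3871; it assumes the device filters transit traffic with nftables, that the JSON shape used below matches the `nft -j list ruleset` output (an assumption of this example), and that the designated management port of Section 2.3.5 is named mgmt0. It flags any forward-chain accept rule that could carry traffic into or out of a management interface, and any forward chain that does not default to drop.

```python
# Assumption: the device is Linux-based, its nftables ruleset is read via
# `nft -j list ruleset`, and "mgmt0" is the Section 2.3.5 management port.
MGMT_IFS = {"mgmt0"}

def _m(key, name):
    """An nft JSON match expression: meta <key> == <name> (iifname/oifname)."""
    return {"match": {"op": "==", "left": {"meta": {"key": key}}, "right": name}}

# Constructed sample ruleset (not captured from a real device): one compliant accept, two violations.
SAMPLE = {"nftables": [
    {"chain": {"family": "inet", "table": "filter", "name": "forward", "type": "filter",
               "hook": "forward", "prio": 0, "policy": "drop"}},
    {"rule": {"family": "inet", "table": "filter", "chain": "forward", "handle": 3,
              "expr": [_m("iifname", "data0"), _m("oifname", "data1"), {"accept": None}]}},
    {"rule": {"family": "inet", "table": "filter", "chain": "forward", "handle": 4,
              "expr": [_m("iifname", "data0"), _m("oifname", "mgmt0"), {"accept": None}]}},
    {"rule": {"family": "inet", "table": "filter", "chain": "forward", "handle": 5,
              "expr": [_m("iifname", "data1"), {"accept": None}]}},
]}

def _ifaces(rule):
    """(iifname, oifname) a rule constrains; None where it matches any interface."""
    found = {}
    for m in (e.get("match", {}) for e in rule["expr"]):
        if m.get("op") == "==" and "meta" in m.get("left", {}):
            found[m["left"]["meta"]["key"]] = m.get("right")
    return found.get("iifname"), found.get("oifname")

def audit_forwarding(ruleset, mgmt_ifs=MGMT_IFS):
    """Return findings (empty == compliant with 2.3.6): every forward-hook chain must
    default to drop, and every accept rule in it must pin both interfaces, neither mgmt."""
    findings, fwd_chains = [], set()
    for obj in ruleset["nftables"]:
        chain = obj.get("chain")
        if chain and chain.get("hook") == "forward":
            fwd_chains.add((chain["table"], chain["name"]))
            if chain.get("policy") != "drop":
                findings.append(f"chain {chain['name']}: default policy is not drop")
    for obj in ruleset["nftables"]:
        rule = obj.get("rule")
        if not rule or (rule["table"], rule["chain"]) not in fwd_chains \
                or not any("accept" in e for e in rule["expr"]):
            continue  # only accept verdicts in a forward chain can open a mgmt path
        iif, oif = _ifaces(rule)
        if iif is None or oif is None:
            findings.append(f"rule {rule['handle']}: accept does not pin both iifname and oifname")
        elif iif in mgmt_ifs or oif in mgmt_ifs:
            findings.append(f"rule {rule['handle']}: accept forwards {iif} -> {oif} across the management plane")
    return findings
```

Running audit_forwarding(SAMPLE) reports rule 4 (data0 -> mgmt0) and rule 5 (no oifname, so it could reach mgmt0); rule 3 passes because it is pinned to two data-plane interfaces.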
Jones Informational [Page 21]