23 October 2003, Fremont, CA (Lightwave) -- Members of the Optical Internetworking Forum (OIF) have approved an agreement defining security methods for management interfaces to Network Elements (NEs). The Implementation Agreement (IA) presents a model for securing Operations, Administration, Maintenance, and Provisioning (OAM&P) protocols at different layers; describes security systems that are well suited to protecting these interfaces at each of those protocol layers; and specifies how to apply these security systems appropriately.
"The current state of world affairs obliges us to consider security as an essential element when building networks," explains Joe Berthold, CIENA Corp., president of the OIF. "This IA extends the OIF's previous security work on signaling and goes a long way towards ensuring that 'back doors' to network elements are inaccessible to hackers."
The new agreement from the OIF focuses on protocol security between Management Systems and NEs. The IA does not differentiate strongly among the security attributes associated with human users, processes, applications, and systems. In many cases no human user is directly involved in an operation, and many NEs and OAM&P systems do not distinguish between different user-IDs or applications. As a result, authenticating the human user is not enough on its own: OAM&P interfaces also need protocol-level security, especially when they run over TCP/IP stacks.
This is the second IA approved by the OIF members that focuses on security for optical networks. The OIF has also addressed security in its UNI and NNI specifications, which describe how NEs use various control protocols for signaling, routing, and discovery. NEs, however, typically have at least one, and in some cases many, OAM&P interfaces used for network management, billing and accounting, configuration, maintenance, and other administrative activities. NEs are an attractive target for attackers who want to disrupt telecommunications facilities or gain free access to them. Careful access controls and password management are no longer a sufficient defense on their own. Networks using the TCP/IP protocol suite are exposed to forged source addresses, packet sniffers that capture passwords sent in the clear, re-routing of traffic to enable eavesdropping or tampering, active hijacking of established TCP connections, and a variety of denial-of-service attacks. This IA defines security objectives for OAM&P access to NEs and specifies how to use different security systems, depending on the OAM&P protocol and the security requirements, to achieve those objectives.
The complete IA can be found at http://www.oiforum.com/public/impagreements.html#UNI.