[OPSEC] ACLs on SP edge nodes

Ron Bonica <rbonica@juniper.net> Wed, 27 May 2020 21:20 UTC

From: Ron Bonica <rbonica@juniper.net>
To: OPSEC <opsec@ietf.org>, John Scudder <jgs@juniper.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/6eN-iU3BK9VzsYzKpzMKJjwrlo4>

Folks,

Does anybody know of a document that provides general recommendations for ACLs to be implemented on service provider edge nodes?


Ron


