[OPSEC] [Technical Errata Reported] RFC6192 (4705)
RFC Errata System <rfc-editor@rfc-editor.org> Tue, 07 June 2016 08:56 UTC
To: dave@juniper.net, cpignata@cisco.com, rodunn@cisco.com, bclaise@cisco.com, joelja@bogus.com, gunter@vandevelde.cc, evyncke@cisco.com
From: RFC Errata System <rfc-editor@rfc-editor.org>
Message-Id: <20160607085612.502DFB80F07@rfc-editor.org>
Date: Tue, 07 Jun 2016 01:56:12 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/QkKvxLNebYup-N4GAjpMrWQtQWM>
Cc: trond.endrestol@ximalas.info, opsec@ietf.org, rfc-editor@rfc-editor.org
Subject: [OPSEC] [Technical Errata Reported] RFC6192 (4705)

The following errata report has been submitted for RFC6192,
"Protecting the Router Control Plane".

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata_search.php?rfc=6192&eid=4705

--------------------------------------
Type: Technical
Reported by: Trond Endrestøl <trond.endrestol@ximalas.info>

Section: A.1

Original Text
-------------
   ipv6 access-list EBGPv6
    permit tcp host 2001:DB8:100::25 eq bgp any
    permit tcp host 2001:DB8:100::25 any eq bgp
    permit tcp host 2001:DB8:100::27 eq bgp any
    permit tcp host 2001:DB8:100::27 any eq bgp
    permit tcp host 2001:DB8:100::29 eq bgp any
    permit tcp host 2001:DB8:100::29 any eq bgp
    permit tcp host 2001:DB8:100::31 eq bgp any
    permit tcp host 2001:DB8:100::31 any eq bgp
   ip access-list extended DNS
    permit udp 198.51.100.0 0.0.0.252 eq domain any
   ipv6 access-list DNSv6
    permit udp 2001:DB8:100:1::/64 eq domain any
    permit tcp 2001:DB8:100:1::/64 eq domain any
   ip access-list extended NTP

Corrected Text
--------------
   ipv6 access-list EBGPv6
    permit tcp host 2001:DB8:100::25 eq bgp any
    permit tcp host 2001:DB8:100::25 any eq bgp
    permit tcp host 2001:DB8:100::27 eq bgp any
    permit tcp host 2001:DB8:100::27 any eq bgp
    permit tcp host 2001:DB8:100::29 eq bgp any
    permit tcp host 2001:DB8:100::29 any eq bgp
    permit tcp host 2001:DB8:100::31 eq bgp any
    permit tcp host 2001:DB8:100::31 any eq bgp
   ip access-list extended DNS
    permit udp 198.51.100.0 0.0.0.252 eq domain any
    permit tcp 198.51.100.0 0.0.0.252 eq domain any
   ipv6 access-list DNSv6
    permit udp 2001:DB8:100:1::/64 eq domain any
    permit tcp 2001:DB8:100:1::/64 eq domain any
   ip access-list extended NTP

Notes
-----
DNS is transported sometimes over UDP and sometimes over TCP.
The Cisco example fails to demonstrate this behaviour in the case of IPv4.
The Cisco example clearly shows this behaviour in the case of IPv6.

The Juniper example in Section A.2 should be amended in the same fashion,
however I'm unfamiliar with the proper JunOS syntax.

Instructions:
-------------
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party (IESG)
can log in to change the status and edit the report, if necessary.

--------------------------------------
RFC6192 (draft-ietf-opsec-protect-control-plane-06)
--------------------------------------
Title               : Protecting the Router Control Plane
Publication Date    : March 2011
Author(s)           : D. Dugal, C. Pignataro, R. Dunn
Category            : INFORMATIONAL
Source              : Operational Security Capabilities for IP Network Infrastructure
Area                : Operations and Management
Stream              : IETF
Verifying Party     : IESG
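
Added example (not part of the erratum or of RFC 6192): a small Python check that parses the two DNS ACLs quoted in the report and flags any "eq domain" permit that exists for only one of UDP and TCP. The function names and the approach of matching on identical rule text after the protocol keyword are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample input: the two DNS ACLs from the erratum's "Original Text".
ORIGINAL = """\
ip access-list extended DNS
 permit udp 198.51.100.0 0.0.0.252 eq domain any
ipv6 access-list DNSv6
 permit udp 2001:DB8:100:1::/64 eq domain any
 permit tcp 2001:DB8:100:1::/64 eq domain any
"""

# The same ACLs with the line the "Corrected Text" adds.
CORRECTED = ORIGINAL.replace(
    " permit udp 198.51.100.0 0.0.0.252 eq domain any\n",
    " permit udp 198.51.100.0 0.0.0.252 eq domain any\n"
    " permit tcp 198.51.100.0 0.0.0.252 eq domain any\n",
)

ACL_HEADER = re.compile(r"^(?:ip access-list extended|ipv6 access-list)\s+(\S+)$")
# Only permit entries that match on the DNS port keyword are of interest.
DNS_PERMIT = re.compile(r"^permit\s+(tcp|udp)\s+(.*\beq domain\b.*)$")


def parse_dns_rules(config):
    """Return {acl_name: {rule_text_after_protocol: {protocols}}}."""
    acls = defaultdict(lambda: defaultdict(set))
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        header = ACL_HEADER.match(line)
        if header:
            current = header.group(1)
            continue
        rule = DNS_PERMIT.match(line)
        if rule and current:
            proto, rest = rule.groups()
            acls[current][rest].add(proto)
    return acls


def missing_dns_transports(config):
    """List (acl, missing_protocol, rule_text) where only one transport is permitted."""
    findings = []
    for name, rules in parse_dns_rules(config).items():
        for rest, protos in rules.items():
            for proto in sorted({"tcp", "udp"} - protos):
                findings.append((name, proto, rest))
    return findings
```

Calling missing_dns_transports(ORIGINAL) reports the IPv4 "DNS" list as lacking its TCP entry; the corrected configuration produces no findings.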