Re: [OPSEC] [Technical Errata Reported] RFC6192 (3906)
"Carlos Pignataro (cpignata)" <cpignata@cisco.com> Mon, 03 March 2014 17:03 UTC
Return-Path: <cpignata@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1147A1A027E for <opsec@ietfa.amsl.com>; Mon, 3 Mar 2014 09:03:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.048
X-Spam-Level:
X-Spam-Status: No, score=-15.048 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 91klbz8GQ7G8 for <opsec@ietfa.amsl.com>; Mon, 3 Mar 2014 09:03:09 -0800 (PST)
Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) by ietfa.amsl.com (Postfix) with ESMTP id BCBB71A0259 for <opsec@ietf.org>; Mon, 3 Mar 2014 09:03:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4618; q=dns/txt; s=iport; t=1393866186; x=1395075786; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=MXjQRSBtKe1CLmnclrY7lKKp/lcpm8oEgapzELBzqYk=; b=iuBHln3drmBSQAwRPSMxu7D1CySK1M5KOWNIQysKTNHF+85kaNYAnkXU XRozGBxojdKxY91yYDySftS1+bCR/KfQ0DU834y9wUYRNYZiBH/gt4iRE 5ZT8wxnyvveZoHtzJwHubjU6M919DBkiutg9FRxh4szdsgdvXzaG2vn/D Q=;
X-Files: signature.asc : 203
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AhcFAKC0FFOtJV2a/2dsb2JhbABAGoMGO1fAUIEiFnSCJQEBAQMBeQULAgEIRjIlAgQOBQ6HYwgNNst0F45ZB4MkgRQEkEiBNIZAkiuDLXmBMQ
X-IronPort-AV: E=Sophos; i="4.97,578,1389744000"; d="asc'?scan'208"; a="307788684"
Received: from rcdn-core-3.cisco.com ([173.37.93.154]) by rcdn-iport-4.cisco.com with ESMTP; 03 Mar 2014 17:02:57 +0000
Received: from xhc-aln-x06.cisco.com (xhc-aln-x06.cisco.com [173.36.12.80]) by rcdn-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id s23H2vre004817 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 3 Mar 2014 17:02:57 GMT
Received: from xmb-aln-x02.cisco.com ([169.254.5.205]) by xhc-aln-x06.cisco.com ([173.36.12.80]) with mapi id 14.03.0123.003; Mon, 3 Mar 2014 11:02:56 -0600
From: "Carlos Pignataro (cpignata)" <cpignata@cisco.com>
To: RFC Errata System <rfc-editor@rfc-editor.org>
Thread-Topic: [Technical Errata Reported] RFC6192 (3906)
Thread-Index: AQHPNguA5hXB8Sz+yEO4I42pLv+4o5rP/VeA
Date: Mon, 03 Mar 2014 17:02:56 +0000
Message-ID: <478FE875-1AAB-4A40-9635-F70D38E7E0B4@cisco.com>
References: <20140302113520.EBEC87FC39B@rfc-editor.org>
In-Reply-To: <20140302113520.EBEC87FC39B@rfc-editor.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.21.80.107]
Content-Type: multipart/signed; boundary="Apple-Mail=_BCC645E8-7505-4B98-8EEC-6F093E1A90FC"; protocol="application/pgp-signature"; micalg="pgp-sha1"
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/Ql4sijJ07osyx_B3EFK6fL_aUR0
Cc: "opsec@ietf.org" <opsec@ietf.org>, "Rodney Dunn (rodunn)" <rodunn@cisco.com>, "nick@foobar.org" <nick@foobar.org>
Subject: Re: [OPSEC] [Technical Errata Reported] RFC6192 (3906)
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Mar 2014 17:03:12 -0000
Hi, Thank you for the report, Nick! You are correct in the four corrections you reported, and the errata can be marked as Verified. Thanks, -- Carlos. On Mar 2, 2014, at 11:35 AM, RFC Errata System <rfc-editor@rfc-editor.org> wrote: > The following errata report has been submitted for RFC6192, > "Protecting the Router Control Plane". > > -------------------------------------- > You may review the report below and at: > http://www.rfc-editor.org/errata_search.php?rfc=6192&eid=3906 > > -------------------------------------- > Type: Technical > Reported by: Nick Hilliard <nick@foobar.org> > > Section: A.1 > > Original Text > ------------- > [...] > > ip access-list extended DNS > > permit udp 198.51.100.0 0.0.0.252 eq domain any > > ipv6 access-list DNSv6 > > permit udp 2001:DB8:100:1::/64 eq domain any > > permit tcp 2001:DB8:100:1::/64 eq domain any > > ip access-list extended NTP > > permit udp 198.51.100.4 255.255.255.252 any eq ntp > > ipv6 access-list NTPv6 > > permit udp 2001:DB8:100:2::/64 any eq ntp > > ip access-list extended SSH > > permit tcp 198.51.100.128 0.0.0.128 any eq 22 > > ipv6 access-list SSHv6 > > permit tcp 2001:DB8:100:3::/64 any eq 22 > > ip access-list extended SNMP > > permit udp 198.51.100.128 0.0.0.128 any eq snmp > > [...] > > > > Corrected Text > -------------- > [...] > > ip access-list extended DNS > > permit udp 198.51.100.0 0.0.0.3 eq domain any > > ipv6 access-list DNSv6 > > permit udp 2001:DB8:100:1::/64 eq domain any > > permit tcp 2001:DB8:100:1::/64 eq domain any > > ip access-list extended NTP > > permit udp 198.51.100.4 0.0.0.3 any eq ntp > > ipv6 access-list NTPv6 > > permit udp 2001:DB8:100:2::/64 any eq ntp > > ip access-list extended SSH > > permit tcp 198.51.100.128 0.0.0.127 any eq 22 > > ipv6 access-list SSHv6 > > permit tcp 2001:DB8:100:3::/64 any eq 22 > > ip access-list extended SNMP > > permit udp 198.51.100.128 0.0.0.127 any eq snmp > > [...] > > Notes > ----- > The bitfield masks in the Cisco Configuration example in section A.1 look incorrect. The authors may have intended the following meanings: > > > > ip access-list extended DNS > > all hosts between 198.51.100.0 and 198.51.100.3 instead of all addresses in the range 198.51.100.0/24 which are evenly divisible by 4 > > > > ip access-list extended NTP > > all hosts between 198.51.100.4 and 198.51.100.7 instead of all addresses in the range 0.0.0.0/0 which are evenly divisible by 4 > > > > ip access-list extended SSH > > all hosts between 198.51.100.128 and 198.51.100.255 instead of 198.51.100.128/32 > > > > ip access-list extended SNMP > > all hosts between 198.51.100.128 and 198.51.100.255 instead of 198.51.100.128/32 > > Instructions: > ------------- > This errata is currently posted as "Reported". If necessary, please > use "Reply All" to discuss whether it should be verified or > rejected. When a decision is reached, the verifying party (IESG) > can log in to change the status and edit the report, if necessary. > > -------------------------------------- > RFC6192 (draft-ietf-opsec-protect-control-plane-06) > -------------------------------------- > Title : Protecting the Router Control Plane > Publication Date : March 2011 > Author(s) : D. Dugal, C. Pignataro, R. Dunn > Category : INFORMATIONAL > Source : Operational Security Capabilities for IP Network Infrastructure > Area : Operations and Management > Stream : IETF > Verifying Party : IESG
- [OPSEC] [Technical Errata Reported] RFC6192 (3906) RFC Errata System
- Re: [OPSEC] [Technical Errata Reported] RFC6192 (… Carlos Pignataro (cpignata)
- [OPSEC] [Errata Verified] RFC6192 (3906) RFC Errata System