[OPSEC] [Errata Verified] RFC6192 (4705)
RFC Errata System <rfc-editor@rfc-editor.org> Mon, 19 December 2016 10:46 UTC
Return-Path: <wwwrun@rfc-editor.org>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30FBC129880; Mon, 19 Dec 2016 02:46:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.302
X-Spam-Level:
X-Spam-Status: No, score=-7.302 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-3.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H6yGXBXP5YtF; Mon, 19 Dec 2016 02:46:27 -0800 (PST)
Received: from rfc-editor.org (rfc-editor.org [4.31.198.49]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 86EF61296F5; Mon, 19 Dec 2016 02:43:31 -0800 (PST)
Received: by rfc-editor.org (Postfix, from userid 30) id 7764DB8002E; Mon, 19 Dec 2016 02:43:31 -0800 (PST)
To: trond.endrestol@ximalas.info, dave@juniper.net, cpignata@cisco.com, rodunn@cisco.com
X-PHP-Originating-Script: 30:errata_mail_lib.php
From: RFC Errata System <rfc-editor@rfc-editor.org>
Message-Id: <20161219104331.7764DB8002E@rfc-editor.org>
Date: Mon, 19 Dec 2016 02:43:31 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/SuA9dAVKx3l08g7yedNQSExYBhE>
Cc: opsec@ietf.org, iesg@ietf.org, rfc-editor@rfc-editor.org
Subject: [OPSEC] [Errata Verified] RFC6192 (4705)
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Dec 2016 10:46:29 -0000
The following errata report has been verified for RFC6192, "Protecting the Router Control Plane". -------------------------------------- You may review the report below and at: http://www.rfc-editor.org/errata_search.php?rfc=6192&eid=4705 -------------------------------------- Status: Verified Type: Technical Reported by: Trond Endrestøl <trond.endrestol@ximalas.info> Date Reported: 2016-06-07 Verified by: Benoit Claise (IESG) Section: A.1 Original Text ------------- ipv6 access-list EBGPv6 permit tcp host 2001:DB8:100::25 eq bgp any permit tcp host 2001:DB8:100::25 any eq bgp permit tcp host 2001:DB8:100::27 eq bgp any permit tcp host 2001:DB8:100::27 any eq bgp permit tcp host 2001:DB8:100::29 eq bgp any permit tcp host 2001:DB8:100::29 any eq bgp permit tcp host 2001:DB8:100::31 eq bgp any permit tcp host 2001:DB8:100::31 any eq bgp ip access-list extended DNS permit udp 198.51.100.0 0.0.0.252 eq domain any ipv6 access-list DNSv6 permit udp 2001:DB8:100:1::/64 eq domain any permit tcp 2001:DB8:100:1::/64 eq domain any ip access-list extended NTP Corrected Text -------------- ipv6 access-list EBGPv6 permit tcp host 2001:DB8:100::25 eq bgp any permit tcp host 2001:DB8:100::25 any eq bgp permit tcp host 2001:DB8:100::27 eq bgp any permit tcp host 2001:DB8:100::27 any eq bgp permit tcp host 2001:DB8:100::29 eq bgp any permit tcp host 2001:DB8:100::29 any eq bgp permit tcp host 2001:DB8:100::31 eq bgp any permit tcp host 2001:DB8:100::31 any eq bgp ip access-list extended DNS permit udp 198.51.100.0 0.0.0.252 eq domain any permit tcp 198.51.100.0 0.0.0.252 eq domain any ipv6 access-list DNSv6 permit udp 2001:DB8:100:1::/64 eq domain any permit tcp 2001:DB8:100:1::/64 eq domain any ip access-list extended NTP Notes ----- DNS is transported sometimes over UDP and sometimes over TCP. The Cisco example fails to demonstrate this behaviour in the case of IPv4. The Cisco example clearly shows this behaviour in the case of IPv6. The Juniper example in Section A.2 should be amended in the same fashion, however I'm unfamiliar with the proper JunOS syntax. -------------------------------------- RFC6192 (draft-ietf-opsec-protect-control-plane-06) -------------------------------------- Title : Protecting the Router Control Plane Publication Date : March 2011 Author(s) : D. Dugal, C. Pignataro, R. Dunn Category : INFORMATIONAL Source : Operational Security Capabilities for IP Network Infrastructure Area : Operations and Management Stream : IETF Verifying Party : IESG
- [OPSEC] [Errata Verified] RFC6192 (4705) RFC Errata System