Re: [OPSEC] ACLs on SP edge nodes

tom petch <ietfa@btconnect.com> Fri, 12 June 2020 10:00 UTC

From: tom petch <ietfa@btconnect.com>
To: John Scudder <jgs=40juniper.net@dmarc.ietf.org>, Melchior Aelmans <melchior@aelmans.eu>
CC: Ron Bonica <rbonica=40juniper.net@dmarc.ietf.org>, OPSEC <opsec@ietf.org>
Date: Fri, 12 Jun 2020 10:00:18 +0000
Message-ID: <DB7PR07MB5340D81F292025FD811190DFA2810@DB7PR07MB5340.eurprd07.prod.outlook.com>
References: <DM6PR05MB63482CC7CA9B536EF87FE830AEB10@DM6PR05MB6348.namprd05.prod.outlook.com>, <CALxNLBidp7kqankaNx89fmC1Ky9D=vB-QZ3rNxH-iFXipn6jUA@mail.gmail.com>, <48B555CD-9375-4BD1-B7BB-C8AB4C6A8859@juniper.net>
In-Reply-To: <48B555CD-9375-4BD1-B7BB-C8AB4C6A8859@juniper.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/qse6Vz9L1TZZBT8ltFMIOLciMlw>
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>

From: OPSEC <opsec-bounces@ietf.org> on behalf of John Scudder <jgs=40juniper.net@dmarc.ietf.org>
Sent: 11 June 2020 16:51

I think it was a question from me to Ron that kicked off his question to Opsec. For my question, no, it doesn’t help — what I was looking for was a citable RFC that said the equivalent of “thou shalt filter thy infrastructure addresses”. Because everyone knows you should do this, but apparently nobody has bothered to say so in a standard; this creates awkwardness when writing Security Considerations sections.

I see Ron said “document” and your reply does indeed fill the bill. To fix my problem I’d really need an IETF (or equivalent body, I suppose) standard or BCP, though, IMO.

<tp>

John

The references I use are BCP84 and BCP38; the former seems to come close.

Tom Petch

Thanks,

—John

On Jun 11, 2020, at 11:16 AM, Melchior Aelmans <melchior@aelmans.eu> wrote:

Hi Ron!

Does this help? https://www.juniper.net/documentation/en_US/day-one-books/DO_BGP_SecureRouting2.0.pdf

Cheers,
Melchior

On Wed, May 27, 2020 at 11:21 PM Ron Bonica <rbonica=40juniper.net@dmarc.ietf.org> wrote:
Folks,

Does anybody know of a document that provides general recommendations for ACL’s to be implemented on service provider edge nodes?


Ron




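As an added illustration, not part of the thread and not written by any of its participants, the following Python model shows the decision logic of the two edge-node filters the thread refers to: BCP 38 (RFC 2827) source-address validation on customer-facing ports, and an infrastructure ACL that stops outside traffic from reaching the provider's own router addresses while still admitting the control-plane sessions the edge expects. The interface names, prefixes and peer address are constructed assumptions; a real deployment expresses the same policy as a vendor firewall filter or ACL, and the model exists only to make the rules explicit and testable.

```python
"""Model of an SP edge node's ingress policy (added example, constructed data).

Two filters are evaluated in order on every packet:
  1. bcp38_filter       - on customer ports, drop sources the customer does not own
  2. infrastructure_acl - on external ports, protect the SP's own addresses
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# --- Constructed addressing (assumptions, not taken from the thread) -------
# Loopbacks and internal link nets of the SP core. The external peering link
# (203.0.113.0/24 side) is deliberately NOT listed here, so peers can reach us.
INFRA_PREFIXES = [ip_network("192.0.2.0/24")]
# Prefixes each customer port is allowed to source (single-homed BCP 38 case).
CUSTOMER_PREFIXES = {"ge-0/0/1": [ip_network("198.51.100.0/24")]}
# eBGP neighbours that may open TCP/179 to our infrastructure addresses.
BGP_PEERS = {ip_address("203.0.113.1")}
BGP_PORT = 179


@dataclass
class Packet:
    ingress: str      # interface the packet arrived on
    src: str          # source address (converted to IPv4Address below)
    dst: str          # destination address
    proto: str        # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0

    def __post_init__(self):
        self.src = ip_address(self.src)
        self.dst = ip_address(self.dst)


def in_any(addr, prefixes):
    """True if addr falls inside any of the given networks."""
    return any(addr in p for p in prefixes)


def bcp38_filter(pkt):
    """BCP 38: a customer port may only source its own assigned prefixes."""
    allowed = CUSTOMER_PREFIXES.get(pkt.ingress)
    if allowed is None:
        return "permit"                      # not a customer port; not our job
    return "permit" if in_any(pkt.src, allowed) else "drop:bcp38-spoofed-source"


def infrastructure_acl(pkt):
    """Infrastructure ACL, applied on external (peer/transit) ports only.

    Drops packets that claim one of our infrastructure addresses as source,
    and packets aimed at our infrastructure, except eBGP from known peers.
    Transit traffic that merely passes through is untouched.
    """
    if pkt.ingress in CUSTOMER_PREFIXES:
        return "permit"                      # customer ports are handled above
    if in_any(pkt.src, INFRA_PREFIXES):
        return "drop:infra-acl-spoofed-source"
    if not in_any(pkt.dst, INFRA_PREFIXES):
        return "permit"                      # transit, not aimed at us
    if (pkt.proto == "tcp" and pkt.src in BGP_PEERS
            and BGP_PORT in (pkt.sport, pkt.dport)):
        return "permit"                      # expected control-plane session
    return "drop:infra-acl"


def evaluate(pkt):
    """Run both filters in order; the first non-permit verdict wins."""
    for f in (bcp38_filter, infrastructure_acl):
        verdict = f(pkt)
        if verdict != "permit":
            return verdict
    return "permit"


if __name__ == "__main__":
    samples = [
        Packet("ge-0/0/1", "198.51.100.7", "8.8.8.8", "udp", dport=53),
        Packet("ge-0/0/1", "10.0.0.1", "8.8.8.8", "udp", dport=53),
        Packet("xe-0/0/0", "203.0.113.1", "192.0.2.1", "tcp", sport=40000, dport=179),
        Packet("xe-0/0/0", "203.0.113.9", "192.0.2.1", "udp", dport=161),
        Packet("xe-0/0/0", "192.0.2.5", "198.51.100.7", "icmp"),
    ]
    for p in samples:
        print(f"{p.ingress} {p.src} -> {p.dst} {p.proto}/{p.dport}: {evaluate(p)}")
```

The model implements the simple single-homed BCP 38 rule, a fixed source list per customer port. BCP 84 (RFC 3704) is the companion for multihomed customers, where a strict per-interface list can wrongly drop legitimate traffic and a looser reverse-path check is the usual compromise; that is the case a real edge policy has to decide explicitly rather than inherit from this model.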