Re: [OPSEC] ACLs on SP edge nodes

John Scudder <jgs@juniper.net> Thu, 11 June 2020 15:51 UTC

From: John Scudder <jgs@juniper.net>
To: Melchior Aelmans <melchior@aelmans.eu>
CC: Ron Bonica <rbonica=40juniper.net@dmarc.ietf.org>, OPSEC <opsec@ietf.org>
Thread-Topic: [OPSEC] ACLs on SP edge nodes
Thread-Index: AdY0a/IpEOuk8tAlQFSwSjeTaHjy6wLl1eQAAAE4ARc=
Date: Thu, 11 Jun 2020 15:51:26 +0000
Message-ID: <48B555CD-9375-4BD1-B7BB-C8AB4C6A8859@juniper.net>
References: <DM6PR05MB63482CC7CA9B536EF87FE830AEB10@DM6PR05MB6348.namprd05.prod.outlook.com>, <CALxNLBidp7kqankaNx89fmC1Ky9D=vB-QZ3rNxH-iFXipn6jUA@mail.gmail.com>
In-Reply-To: <CALxNLBidp7kqankaNx89fmC1Ky9D=vB-QZ3rNxH-iFXipn6jUA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/_kD2nxigliKOl87RMGNbSIqYmJo>

I think it was a question from me to Ron that kicked off his question to Opsec. For my question, no, it doesn’t help — what I was looking for was a citable RFC that said the equivalent of “thou shalt filter thy infrastructure addresses”. Because everyone knows you should do this, but apparently nobody has bothered to say so in a standard; this creates awkwardness when writing Security Considerations sections.

I see Ron said “document” and your reply does indeed fill the bill. To fix my problem I’d really need an IETF (or equivalent body, I suppose) standard or BCP, though, IMO.

Thanks,

—John
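The practice John is looking for a citation for, "filter thy infrastructure addresses", is an infrastructure ACL (iACL) applied inbound on the provider's external-facing edge interfaces. As an added illustration that is not part of the thread and not taken from any vendor document or the Day One book linked below, here is a small Python model of the rule order such a filter typically follows: transit traffic is untouched, packets from outside claiming an infrastructure source are dropped, eBGP from a configured peer to the matching local peering address is permitted, and everything else aimed at infrastructure space is dropped. The prefixes, peer addresses and sample packets are constructed for the example.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample addressing (documentation ranges); not from the thread.
# Loopbacks, link addresses and peering addresses of the provider live here.
INFRA_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8:ffff::/48"),
]

# Constructed eBGP peers: remote peer address -> our local peering address.
EBGP_PEERS = {
    ipaddress.ip_address("198.51.100.2"): ipaddress.ip_address("192.0.2.1"),
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp", "icmp", "icmpv6"
    dport: Optional[int] = None


def is_infrastructure(addr: str) -> bool:
    """True if addr falls inside one of the provider's infrastructure prefixes."""
    a = ipaddress.ip_address(addr)
    # Mixed IPv4/IPv6 comparisons simply return False in the ipaddress module.
    return any(a in net for net in INFRA_PREFIXES)


def evaluate(pkt: Packet) -> Tuple[str, str]:
    """Decide an iACL verdict for a packet arriving on an external-facing interface.

    Returns (action, reason); rules are checked in order, first match wins.
    """
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)

    # Rule 1: traffic merely transiting the network is not the iACL's concern.
    if not is_infrastructure(pkt.dst):
        return ("permit", "transit")

    # Rule 2: nobody outside should source packets from our infrastructure space.
    if is_infrastructure(pkt.src):
        return ("deny", "infra-source-from-outside")

    # Rule 3: eBGP (TCP/179) from a known peer, but only to its own local address.
    if pkt.proto == "tcp" and pkt.dport == 179 and EBGP_PEERS.get(src) == dst:
        return ("permit", "ebgp-peer")

    # Rule 4: anything else addressed to infrastructure is dropped (and counted).
    return ("deny", "infra-dest")


def summarize(packets) -> dict:
    """Count permit/deny verdicts over a batch of packets."""
    return dict(Counter(evaluate(p)[0] for p in packets))


# Constructed sample packets seen inbound on an external interface.
SAMPLE_PACKETS = [
    Packet("203.0.113.5", "192.0.2.1", "tcp", 179),        # BGP from a non-peer
    Packet("198.51.100.2", "192.0.2.1", "tcp", 179),       # BGP from the real peer
    Packet("198.51.100.2", "192.0.2.9", "tcp", 179),       # real peer, wrong local address
    Packet("203.0.113.5", "192.0.2.1", "tcp", 22),         # SSH to a loopback from outside
    Packet("192.0.2.7", "192.0.2.1", "icmp"),              # spoofed infrastructure source
    Packet("203.0.113.5", "198.51.100.50", "udp", 53),     # customer transit traffic
    Packet("2001:db8:1::5", "2001:db8:ffff::1", "tcp", 22),  # IPv6 SSH to infrastructure
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        action, reason = evaluate(p)
        print(f"{action:6} {reason:26} {p.src} -> {p.dst} {p.proto}/{p.dport}")
    print(summarize(SAMPLE_PACKETS))
```

A production iACL carries more exceptions than this model (ICMP needed for PMTUD and traceroute, IGP or MPLS signalling on links that face another provider, management from a jump network), and the counters on the final deny are the useful operational signal: a sustained hit rate there from a single source is worth alerting on.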

On Jun 11, 2020, at 11:16 AM, Melchior Aelmans <melchior@aelmans.eu> wrote:

Hi Ron!

Does this help? https://www.juniper.net/documentation/en_US/day-one-books/DO_BGP_SecureRouting2.0.pdf

Cheers,
Melchior

On Wed, May 27, 2020 at 11:21 PM Ron Bonica <rbonica=40juniper.net@dmarc.ietf.org> wrote:
Folks,

Does anybody know of a document that provides general recommendations for ACLs to be implemented on service provider edge nodes?


Ron
