Re: [OPSEC] [Errata Verified] RFC6192 (4851)
Dave Dugal <dave@juniper.net> Fri, 31 March 2017 16:59 UTC
Return-Path: <dave@juniper.net>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 05999129574; Fri, 31 Mar 2017 09:59:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.921
X-Spam-Level:
X-Spam-Status: No, score=-1.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=junipernetworks.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pb6efGnE82qE; Fri, 31 Mar 2017 09:58:59 -0700 (PDT)
Received: from NAM03-BY2-obe.outbound.protection.outlook.com (mail-by2nam03on0091.outbound.protection.outlook.com [104.47.42.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 424D6129512; Fri, 31 Mar 2017 09:58:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=junipernetworks.onmicrosoft.com; s=selector1-juniper-net; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=/O1gx66LB0yI/w1tSRi0p53Ksnijr56OS9iLiIH+kLI=; b=hK2ZJZZvD2sh40dQJHOSDryGCD3Fu3GwfZGQSvUYJr7K2Ib0+yyekJpjD0Fr4apKcKp9MBwESUAbOQG0QpiXDboLft9W2ZRsJOyg65ShDRsnmYRfvokh19sE0FryaG/BcYP+UnDSyHCav77K10dA20cWuGqm+ApO+ZsSl6YYm+s=
Authentication-Results: juniper.net; dkim=none (message not signed) header.d=none;juniper.net; dmarc=none action=none header.from=juniper.net;
Received: from [172.29.38.168] (66.129.241.12) by BLUPR0501MB1073.namprd05.prod.outlook.com (10.160.34.142) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1019.8; Fri, 31 Mar 2017 16:58:57 +0000
References: <20170329182147.BF8F8B80D6F@rfc-editor.org> <68EFACB32CF4464298EA2779B058889D53BB78AD@PDDCWMBXEX503.ctl.intranet>
CC: "Smith, Donald" <Donald.Smith@CenturyLink.com>, "cpignata@cisco.com" <cpignata@cisco.com>, "rodunn@cisco.com" <rodunn@cisco.com>, "opsec@ietf.org" <opsec@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>
To: RFC Errata System <rfc-editor@rfc-editor.org>, "hugocanalli@gmail.com" <hugocanalli@gmail.com>
From: Dave Dugal <dave@juniper.net>
Openpgp: url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x879F65CDAB6E02A5
Organization: Juniper Networks, Inc.
Message-ID: <e5c1e1c6-c714-52e6-0939-976f4e95c50c@juniper.net>
Date: Fri, 31 Mar 2017 12:58:53 -0400
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <68EFACB32CF4464298EA2779B058889D53BB78AD@PDDCWMBXEX503.ctl.intranet>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [66.129.241.12]
X-ClientProxiedBy: BN6PR03CA0023.namprd03.prod.outlook.com (10.168.230.161) To BLUPR0501MB1073.namprd05.prod.outlook.com (10.160.34.142)
X-MS-Office365-Filtering-Correlation-Id: b3dcd289-cb55-42d4-1ae5-08d47857390d
X-MS-Office365-Filtering-HT: Tenant
X-Microsoft-Antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(48565401081)(201703131423075)(201703031133081); SRVR:BLUPR0501MB1073;
X-Microsoft-Exchange-Diagnostics: 1; BLUPR0501MB1073; 3:3DSSK5BKV0QsQvQ5006branWdRxvQLlrKu+SrGxIfD9xF2WZ0tFboOy/XIgL0ZXFjWnFZ/vLG97nbgnUNBvUyr98z2jVLcm6aWLdycYhRxhb+CnFJMza+skfDxUxzM+3vtd/ho2Jr2yeaRwOCHzgF94UsXMyasrl2wrqHo4p85hCsTmKOYO4C5CWHAO1Z7XhhHE06I819A/YBTbMdusJ/TTJzr2Z0C8aI2PNRcCmKEb5fxh/yFqeJ5LGKDQeC3yzD9EA3xmzPB6K/yp8FRuBqN+OwKSq8Lu3DukQgUmNPYtvO58QNIOohJXqypqOGMkxM5ZR/jFn8ziIG1Y5Q+MWrY3NWor8EwHT0F58Sd40K/s=; 25:hHcuG036wHsbc9pB1rnWvVke6b3U/5ZvwC+jQXtN4hD1Yu2d/4qVEGHIZ3sXLJcf1Od1qDmRHeU8MeUD+Mdnv7LFdeF07+kYDft9FIQdTplCpaYOOg5LM3m7aY8QrOaMxqSc/9ZUdZV8/mrD/gowld0AYRQgi0AgdJlT57mjoVXkq1iqYm9MR/zrq3238TbHmY0wpy2RT9bCJNMGlqbXA4aU0DL/mjt9lk3dJ2Kv/pdsnnXyF2eT8CNlYGnzI/6s2GiAFL4A4Wt+O/ew22VpP+elWrVOODcB9oZGGSDdaavrQSfXTHIIqUUyA/hO8QxcjqJh/8IL2cPbpl5tWCQ5J0L5uLKTWBWQNKRiJZKhtpd7EsXasctfG0hB5xfk/mR9rZ+M8+ztH4BEHcas3VpgdvQF9ceqeZigOKLG7Lqg8j3paB69/9prjnSZv3YXTMkWMRdyVxb1kdm/DVbtAwG+aQ==
X-Microsoft-Exchange-Diagnostics: 1; BLUPR0501MB1073; 31:XJQH/8c6/xcCzsccXMymU93UUe7NS1h6Dt77vE6n9L321NCkROMOcHSz8DIwlLiXqa1kwJaJ/7W2XXI94vi2NE53BAsSVDc/pV6YFdrMd43sR4N3Xl7uc38XVX1xall62mCkiZOLN9SltyHZqUp8dBRCHU4C4H6beHfqhJINPMO2+Q2GeAUFWmXgqivH4f8plys92Nt1Ooq6n0XejuAJpOCOAuuWPXFO9Cq4OydJVG4=; 20:yGLyKG9gNeVwAaF/2EY7XhgmOi5/nCY7U3fi6KiVoLOrzG+6WICEodBT0m8nxlPgIlWE45MLeJ2YyX9kB/qaVUmqmILg5+NZZODybiadMh93GILP79ksh54TYwOj8ziPWEWMc4aj3glsEROuvz1a3kZ8xuB+IZL6Sg63CG64mrd3QhWPTQrL+0KltnsparrhPBYs+B4hhnfTr+7GSMhWF0KMQi2VNKqsE4j/d8KUl2MEdGh2ZKMyRxQ/ZDtWtJgDq/l7X/hauQzyHyUIx5XTcjWKTwvFTrW4jXtNnd7tVVhSUwANTw16zg/zV2sAxCpx+FapXEy0hkShhjRnY5+vCL0uajQ3s18OLgkN4jQMrH9+5kRWHfZf39Eqy4Mj0eFlmKOtaj9+WW0S0hY3B2N2Ep0MMZXXWa/zRTTydzPa9RnNVeXjIiXLMPDISppsYXCjPrcaaC4XRXED+0/k5ib8K5+Rpjd3i+Q5a6Mh1sMUJjOYwwg4RfzVuJGlRc0zBIIMPiSfTCRfyohmfYiNRxwL0Ma/na19SZ/+0F/2v4UrE/j7KjzPdOIgVLjEwgKShmZvrWkpMSJ1S1CmZOG7CoAuWS64LhRxHu6AeAEpXXuYy38=
X-Microsoft-Antispam-PRVS: <BLUPR0501MB10733AD62EAAC9BA3CB0D393C2370@BLUPR0501MB1073.namprd05.prod.outlook.com>
X-Exchange-Antispam-Report-Test: UriScan:(192374486261705)(138986009662008)(95692535739014);
X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(6040450)(601004)(2401047)(8121501046)(5005006)(93006095)(93001095)(3002001)(10201501046)(6055026)(6041248)(201703131423075)(201703011903075)(201702281528075)(201703061421075)(20161123560025)(20161123555025)(20161123564025)(20161123562025)(6072148); SRVR:BLUPR0501MB1073; BCL:0; PCL:0; RULEID:; SRVR:BLUPR0501MB1073;
X-Microsoft-Exchange-Diagnostics: 1; BLUPR0501MB1073; 4:sidZ47RTXIeUsEaDn5vDh5HTjph0iqgy6fDnPtQ/mVCrJn9DgPkAS/dk3pUfUWocoNWZnbDMLj5cakG/MK6OJvfaMhq3k6WdE9rMAfvMe2BNkZkoKaRWwFogv3AoGXTyqRnUZo+zQJVXFaTOpYIOB8extHsSA5hJrk4AinQqQ3bpTey8GwiCJcRSQFBGCqjlJf2iJRDFR5657bnsCQ8bxaKoFL4FLyOlwzHGXiOlTe/7QNpvjw8vSQVdzU18XyYvgUh950DFyLIdbGlL3qOoQ3eQKYhcPnz4vXbGwmIbsFF8jdxEQurSWXJcWQOw8DdBuG6rm7r42dH2BtHuGKu/JR9+Rgo4Hi4otAxF3QcodWb7EmkrPEFPT4/CkCYtxwl0pKDmztJh1zmr2a62Gk/B0iFfAgtXEcIpcf6pTK9l+nf4N7O+CB/7Yl029YmRX11snQZsXlfuGUWkXOLBOEGYm7VwJWaLeKtaCi46wKbkllHRMxFI3M1kRe8xRz1vk8Ju3qR7VrnBA6y5TowM59chzK5c+OLUF6y2tE51dHdU4ivT7xISy9v9M0fxDtcmZvLQcvQzMkLJ17YVDjLJhUfyCo9juDt26gHi7IPz7TeFUBBvs9Y2T2HINNK8c/nkWyxBH0gOzrHtwVbte86FDrdzPX0bZKYju1fTdvsEHBb3EkcvU1NQwKDkIPuFYf4h1yGphxua9KXZm+1poZuf/DPfFBmo6T/5447SR+ufyZJN1bnPn40Vz4Yfa6PsVOHxRyu5EWVXKJbqb5KwuFTeUNx8yBY3THBtmHyuKIvBXLfdrpcMN/AWvj/Fb9Ek00KmY1JzZIacoZDS/lP5P9q3Zy8bhzR+zoBFdqvzAHb0gvRVD4giRGfoH9VdOtP/jhl4g6pI
X-Forefront-PRVS: 02638D901B
X-Forefront-Antispam-Report: SFV:NSPM; SFS:(10019020)(4630300001)(6009001)(6049001)(39840400002)(39860400002)(39450400003)(39850400002)(39400400002)(39410400002)(377424004)(377454003)(24454002)(189998001)(7110500001)(31686004)(81166006)(4001350100001)(50466002)(2906002)(65826007)(42186005)(53936002)(966004)(66066001)(65806001)(65956001)(36756003)(2420400007)(15188155005)(6666003)(2950100002)(2501003)(5890100001)(8676002)(64126003)(229853002)(83506001)(53546009)(230700001)(3260700006)(25786009)(305945005)(5660300001)(77096006)(6486002)(31696002)(86362001)(4326008)(6306002)(3846002)(6116002)(38730400002)(6246003)(54906002)(54356999)(50986999)(33646002)(47776003)(16799955002)(76176999)(23676002); DIR:OUT; SFP:1102; SCL:1; SRVR:BLUPR0501MB1073; H:[172.29.38.168]; FPR:; SPF:None; MLV:sfv; LANG:en;
X-Microsoft-Exchange-Diagnostics: 1;BLUPR0501MB1073;23:oE9QUTezD69THKNZphR4x3DOye8RGb0TKwwadPFBHpUkSyQ/qBec990OAL4GcizlkAVJur3l0/bVIwuYJ3AMG9bD1fZeTh3BxU9CBWkElblEfqyblFNufXly67wYIsJD7vbF6Jl/ZifY6r4qh/DysF9+DEzxyw/+ZrpvxTf4xyy8w+6IUCaraTrvm1hkjKQRaDf29NP5car7zTe/SjKT3VssN+HpJJERYF+5wKT9Y6IzwoL1JW2YAiSwVuXDKkOYYvqn0Ig0EyCZExsszebv9e4kcrSoN+o0tLX+Mk4rkvW7cF1e6O6/o8JBNBxZsuH0HWW7E7w4PhlNuqIGhB1pHSnG/6PbFLPnlShO1g5Q1NuWw573cUpB3Db8LBPxXyl6eyfKVvgUbmjy2XADWI1jxE0ZTvJqhApZZyWg50mzt1ppZMpjslZNdzNUZmJPM+sFwVLOJifNiUtSZl+ID5+I3PZwTiKTJUPAQzWtr9cieb9Ru2uVmrgitYq/vZCWNQ7QNsCmZ45lR6GTbuEe/y7T0kWbVHrU8ZxSAKZ1TeJ5/qsouW/0xJEIkXb+tPM01E0JOUox1GuQXCzTk3r3rOmfX4Z9vxmQhYtWnLJB5jCspxU3oQZywACkTz5xhy8syFjOPg309jiYQqxlN508Z0Q8AHJQhCuUj/y66ZtUnOqpYOY1A0vbWVwh7SnWZPi3DnDce6mh70QHlEXJfka5lOldkJJVnT/hZQNVnac4+sK40CFUh8DXKzIAQYD1zPNf7zC0BadpwSal0mz0hMqtnZ8132yzoIhtHDsiBWPIwZ/23v4J8h6TBQqAnzLdTjJn9rTJe+iV3OVf7KIOE4+HLkFyo7IIvEwMY+vzK7n5HgbzXRsB9TLiYrCEtvUq0yldhaPBWvwjx0T37t8TmvSJ0YQlIqSFe3ueKgP8O68vSoez8hAFLOEvHLsDQizt2muClJDDsM2gE7UvlV6rss+mi2a5RF2HNiTfS/y8Hrx5uZtazZc0FILuj5BwsEuVLXdsSR2ppS4ty1cKY1LOa/ZQIMxvlx0zvxVfrbNhYyVXuuM4IO5LVzlRsAO7bisk2xFQTcZk4GGnzWeoCKRUyF7/wdvKh2qYBKjA154/Tc2QfYBQNNMqfkX0g1PcwFy5UlR+5hp/Emg+ddC8C324rpfYtXBpmj8ZQrGJM9RR6WW2vNdni5gcoJ4STm5iBBO16Sd3Nm7Luseg7a7AyFri+8JOy2XgDDKii7+gM77fbmD/8LHqmr0cDeUjzU8UmDdJxFYVmeE+3bibzx1wAFyE0XOhoVUwddpV0ZWUSMhAgc8wiHJBZMEQF/EEnSvnfQyM2h55IN3QLzl9ryYa0/OHgZZPRgxXbdq4NDKJhtsqGaOs4ALX8lksOcEfinCBZHyOjjJItpIbVVaVm1tfyCGxwKncTWIsAZ2YgTUfjsmlJIFO/JIQNl1Xb4ZLolO8D71hzk/5PeyoXmCnbUOIeWEZDelyz3lTaKuqDiGC6T/hPqkooVMFHHo=
X-Microsoft-Exchange-Diagnostics: 1; BLUPR0501MB1073; 6:ARSyk8larbngngqpAif46JvEPZ/TcxS0aapHB5af2AZuMwnptkm7ilTYOWQNjq8ixAZBQ1d90ONrtlwzqurnX09rjLdJdVIzebRNVtYXtAtnETW9dyLnTAYY5wT5DeOXvaqH9HcuTS7F9Eux71B9YpCofjpuwluKZORhQvWv2ubpK3V120T7XnZpT3fYqwhmGGDSL/8DObDBdahen5FomIF3zgSIqlse4AandJ92q2HG6GPQOt06GA1OA2fVXI7n71VbMVN9Dw9uOOMMSNcPunKFP9XsBCh/td/CofY55KX+Iu94Ncbc3laCnqOGH8UDe6lyXOAuOwyI1xHzKQCBVnNgaQYbpxM3EIoNyqpTePPv8X2mt/X4u4uQVwt3whM3zPXicSS+O53k80yDt8WYmO9HC9bc2u3bHpqSz9JDN7g=; 5:fazjCJOyIHwpbS6Wb9acIYu8+wOaaGdxXH4k4m/E/7GSrE2AWF7awbDqCL0H6x0WsRTPKkQqdlQrPq8A9oCFX39b7M11OCPxN3G2VrXk5EiPM8BbYOESD8l0TTunIP0fs7qf4l9S5o6yhQxk02Mmug==; 24:Fe4p/bqqhwqiP77H5fKVgLvY0RwTG+txbSQIKZvuxauD36IkPE+sbSUaG7WF57sC7VBp5WSrEK+8wzXrqFiSAtdwL30C1TBCpjMIQAMhlew=
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-Microsoft-Exchange-Diagnostics: 1; BLUPR0501MB1073; 7:bK5b9MEMy/yvQ26TPVpdLhYrSNH8CUkGn1yz8fLCvj9TSTrWuE+GuTWZ75HRkBDLXc+zXajY7rp9EiLEaYb1xgH4ew6yQXjM+n5rQ0PlvCvoRkBBr6UyL0iKIjpgULq7uAV8kLEZGncVHXgH8zDS763YC9KOSTgHdVkBlK3CW59gcmMe//gBLsBFlH1YQf/rq9sZxUjiN2RWzxeRug5xJDCxFvlDLJJpC4m5ml5uxj2Demx9m/R4cudZdyA0S1njdl+lPKabbYlaJEG47lgSzHyix46DKTqQOo2NlTp0fRVXXN3r6qHbwoDwlzIINgWcmnCYNSzGPN/aBw7lgx59LA==
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 31 Mar 2017 16:58:57.5105 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BLUPR0501MB1073
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/vmMx7Gz7z0YenPK-pPIe8VF9y04>
Subject: Re: [OPSEC] [Errata Verified] RFC6192 (4851)
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Mar 2017 16:59:02 -0000
I agree with Don's concern. The original intent was to keep all TCP segments away from port 179 unless the source address is that of a known BGP peer (3.1. Legitimate Traffic). The examples listed in the appendices were meant to provide generalized "do no harm" starting points. Additional customization and finer granularity is completely acceptable as an exercise left to the implementer, as long as the Design Trade-Offs (3.3) are well understood. I'm also unsure how s/port/source-port/ in this 'accept' clause on an input filter helps to defend against a source port 179 SSH intrusion. The intent of using 'port' was to accept EBGP replies whether the local router initiated the session (src:179, dst:ephemeral) or the peer initiated the session (src:ephemeral, dst:179). --- Dave Dugal Juniper Networks PGP Key: 0x879F65CDAB6E02A5 On 3/29/2017 4:37 PM, Smith, Donald wrote: > I think the established will block fins, and resets unless they happen > to have the ACK bit set too. > > It will block syn only packets too but since this is for ebgp-reply that > should be ok. > > > if (initial_ttl!=255) then (rfc5082_compliant==0) > Donald.Smith@centurylink.com <mailto:Donald.Smith@centurylink.com> > > ------------------------------------------------------------------------ > > *From:* OPSEC [opsec-bounces@ietf.org] on behalf of RFC Errata System > [rfc-editor@rfc-editor.org] > *Sent:* Wednesday, March 29, 2017 12:21 PM > *To:* hugocanalli@gmail.com; dave@juniper.net; cpignata@cisco.com; > rodunn@cisco.com > *Cc:* opsec@ietf.org; iesg@ietf.org; rfc-editor@rfc-editor.org > *Subject:* [OPSEC] [Errata Verified] RFC6192 (4851) > > The following errata report has been verified for RFC6192, > "Protecting the Router Control Plane". > > -------------------------------------- > You may review the report below and at: > http://www.rfc-editor.org/errata_search.php?rfc=6192&eid=4851 > > -------------------------------------- > Status: Verified > Type: Technical > > Reported by: Hugo Leonardo Canalli <hugocanalli@gmail.com> > Date Reported: 2016-11-01 > Verified by: joel jaeggli (IESG) > > Section: A.2 > > Original Text > ------------- > term ebgp-reply { > from { > source-prefix-list { > EBGP-NEIGHBORS; > } > protocol tcp; > port bgp; > } > then accept; > } > > Corrected Text > -------------- > term ebgp-reply { > from { > source-prefix-list { > EBGP-NEIGHBORS; > } > protocol tcp; > tcp-established; > source-port bgp; > } > then accept; > } > > > > Notes > ----- > There is a security question in that firewall relating to bgp reply. > Any neighbor that fakes a tcp source port to 179 can access any router > port, for example, ssh. > Need to add the line tcp-established. Would also be better to add > source-port bgp since bgp protocol uses the 179 port to destination. Add > the fix to all bgps, including ipv6. > > -------------------------------------- > RFC6192 (draft-ietf-opsec-protect-control-plane-06) > -------------------------------------- > Title : Protecting the Router Control Plane > Publication Date : March 2011 > Author(s) : D. Dugal, C. Pignataro, R. Dunn > Category : INFORMATIONAL > Source : Operational Security Capabilities for IP Network > Infrastructure > Area : Operations and Management > Stream : IETF > Verifying Party : IESG > > _______________________________________________ > OPSEC mailing list > OPSEC@ietf.org > https://www.ietf.org/mailman/listinfo/opsec > > > This communication is the property of CenturyLink and may contain > confidential or privileged information. Unauthorized use of this > communication is strictly prohibited and may be unlawful. If you have > received this communication in error, please immediately notify the > sender by reply e-mail and destroy all copies of the communication and > any attachments. >
- [OPSEC] [Errata Verified] RFC6192 (4851) RFC Errata System
- Re: [OPSEC] [Errata Verified] RFC6192 (4851) Smith, Donald
- Re: [OPSEC] [Errata Verified] RFC6192 (4851) Dave Dugal