Re: [secdir] secdir review of draft-ietf-opsec-protect-control-plane-04

"Glen Zorn" <gwz@net-zen.net> Wed, 15 December 2010 05:40 UTC

Return-Path: <gwz@net-zen.net>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 30A533A6DB0 for <secdir@core3.amsl.com>; Tue, 14 Dec 2010 21:40:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.408
X-Spam-Level:
X-Spam-Status: No, score=-102.408 tagged_above=-999 required=5 tests=[AWL=0.191, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9ThEaJvVeDed for <secdir@core3.amsl.com>; Tue, 14 Dec 2010 21:40:41 -0800 (PST)
Received: from smtpauth17.prod.mesa1.secureserver.net (smtpauth17.prod.mesa1.secureserver.net [64.202.165.29]) by core3.amsl.com (Postfix) with SMTP id C5A4D3A6E33 for <secdir@ietf.org>; Tue, 14 Dec 2010 21:40:41 -0800 (PST)
Received: (qmail 22088 invoked from network); 15 Dec 2010 05:26:55 -0000
Received: from unknown (124.120.200.9) by smtpauth17.prod.mesa1.secureserver.net (64.202.165.29) with ESMTP; 15 Dec 2010 05:26:54 -0000
From: "Glen Zorn" <gwz@net-zen.net>
To: "'Carlos Pignataro \(cpignata\)'" <cpignata@cisco.com>, "'Joe Abley'" <jabley@hopcount.ca>
References: <001201cb9b59$acd02d70$06708850$@net> <DCC6725D-0C45-47BD-AC49-A38A256A75A8@hopcount.ca> <9B0EE2FE-9DCB-4F52-8515-F30050DF46F8@cisco.com>
In-Reply-To: <9B0EE2FE-9DCB-4F52-8515-F30050DF46F8@cisco.com>
Date: Wed, 15 Dec 2010 12:42:13 +0700
Organization: Network Zen
Message-ID: <001201cb9c1a$d52beea0$7f83cbe0$@net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcubrgP3DUhH6C2aTHao33g2eHp+ewAbFIwg
Content-Language: en-us
Cc: draft-ietf-opsec-protect-control-plane@tools.ietf.org, opsec-chairs@tools.ietf.org, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-opsec-protect-control-plane-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Dec 2010 05:40:43 -0000

Carlos Pignataro (cpignata) [mailto://cpignata@cisco.com] writes:

...

> >> Section 3.1 says:
> >>
> >>  o  Permit RADIUS authentication and accounting replies from RADIUS
> >>     servers 198.51.100.9, 198.51.100.10, 2001:DB8:100::9, and 2001:
> >>     DB8:100::10 that are listening on UDP ports 1645 and 1646.  Note
> >>     that this doesn't account for a server using Internet Assigned
> >>     Numbers Authority (IANA) ports 1812 and 1813 for RADIUS.
> >>
> >> So, in other words, RADIUS traffic on the ports (officially assigned
> for
> >> more than ten years now) will be blocked.  This seems like a very
> poor
> >> example.
> 
> Please note that this was intentional, as a doc produced in Opsec we
> intended to make it as close to the operational reality we know as
> possible. And our perspective was that we see more 1645/1646.

There are lots of non-standard hacks in the wild; I don't think that it's
the job of the IETF to document them.

...