Re: [secdir] secdir review of draft-ietf-opsec-protect-control-plane-04

"Carlos Pignataro (cpignata)" <cpignata@cisco.com> Tue, 14 December 2010 20:49 UTC

Date: Tue, 14 Dec 2010 14:51:13 -0600
Message-ID: <960EC8F9A775AB40BF58D8953342D86303756C03@XMB-RCD-206.cisco.com>
In-Reply-To: <1958D397-8B8F-4046-A976-46AEC67EA214@hopcount.ca>
References: <001201cb9b59$acd02d70$06708850$@net> <DCC6725D-0C45-47BD-AC49-A38A256A75A8@hopcount.ca> <9B0EE2FE-9DCB-4F52-8515-F30050DF46F8@cisco.com> <1958D397-8B8F-4046-A976-46AEC67EA214@hopcount.ca>
From: "Carlos Pignataro (cpignata)" <cpignata@cisco.com>
To: Joe Abley <jabley@hopcount.ca>
Cc: draft-ietf-opsec-protect-control-plane@tools.ietf.org, secdir@ietf.org, opsec-chairs@tools.ietf.org, iesg@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-opsec-protect-control-plane-04

Joe,

Not the most authoritative source, granted, but I believe at the time we
discussed this we checked Wikipedia (and not C J as precedence), at
<http://en.wikipedia.org/wiki/RADIUS#UDP_port_numbers>, that says "The
tradition of using 1645 and 1646 for backwards compatibility continues
to this day", and with full context:

"However, prior to IANA allocation of ports 1812 and 1813, ports 1645
and 1646 (authentication and accounting, respectively) were used
unofficially and became the default ports assigned by many RADIUS
Client/Server implementations of the time. The tradition of using 1645
and 1646 for backwards compatibility continues to this day. For this
reason many RADIUS Server implementations monitor both sets of UDP ports
for RADIUS requests."

That said, I think that you can make a strong case for using the
"proper" ones. We will make this change.

Thanks, Joe and Glen.

-- Carlos.

-----Original Message-----
From: Joe Abley [mailto:jabley@hopcount.ca] 
Sent: Tuesday, December 14, 2010 11:55 AM
To: Carlos Pignataro (cpignata)
Cc: Glen Zorn; iesg@ietf.org; secdir@ietf.org;
draft-ietf-opsec-protect-control-plane@tools.ietf.org;
opsec-chairs@tools.ietf.org
Subject: Re: secdir review of draft-ietf-opsec-protect-control-plane-04


On 2010-12-14, at 11:43, Carlos Pignataro (cpignata) wrote:

> Please note that this was intentional, as a doc produced in Opsec we
> intended to make it as close to the operational reality we know as
> possible. And our perspective was that we see more 1645/1646.

I understand that's your perspective, which is entirely understandable
given what cisco devices do by default, but I don't think it's
necessarily the case that 1645/1646 are universally prevalent (at least,
claims that it is, ought to be balanced with some balanced, real-world
observation). I take your point that juniper devices accommodate the
pre-standard ports as well as the IANA-assigned ones. There are more
vendors in the world than just C and J, however.

I think pointing out that 1645/1646 are also used is perfectly valid,
for the reasons of operational reality that you mention, but that the
examples should use 1812/1813.


Joe
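The operational point under discussion is that a control-plane filter written for one port pair only will drop RADIUS replies from a server still configured for the other pair. The following is an added example, not part of this thread or of the draft: it models a stateless first-match filter of the kind the draft describes and evaluates constructed RADIUS reply packets against it. Replies are matched on the server's source address and source port, since the router is the RADIUS client; the rule and packet structure, the helper names, the server addresses (RFC 5737 documentation space) and the sample packets are all assumptions made for the example.

```python
"""Control-plane filter model for RADIUS replies (added example).

Shows that a filter permitting only the IANA-assigned source ports
1812/1813 silently discards replies from a server that still answers
on the pre-assignment ports 1645/1646, and that permitting both pairs
fixes that without admitting traffic from unlisted sources.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Port pairs, authentication then accounting.
RADIUS_IANA = (1812, 1813)    # IANA-assigned ports
RADIUS_LEGACY = (1645, 1646)  # pre-assignment ports still in use in some deployments


@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    src: str             # source prefix matched, e.g. "198.51.100.9/32"
    sports: frozenset    # UDP source ports matched; empty set = any port
    proto: str = "udp"


@dataclass(frozen=True)
class Packet:
    src: str             # source address (the RADIUS server)
    sport: int           # server's source port
    dport: int           # router's ephemeral port
    proto: str = "udp"


def evaluate(rules, pkt):
    """First matching rule wins; an unmatched packet hits the implicit deny."""
    for r in rules:
        if r.proto != pkt.proto:
            continue
        if ip_address(pkt.src) not in ip_network(r.src):
            continue
        if r.sports and pkt.sport not in r.sports:
            continue
        return r.action
    return "deny"


def radius_rules(servers, include_legacy):
    """Permit RADIUS replies from the listed servers, matched on source port:
    1812/1813 always, plus 1645/1646 when include_legacy is set."""
    ports = set(RADIUS_IANA)
    if include_legacy:
        ports |= set(RADIUS_LEGACY)
    return [Rule("permit", f"{s}/32", frozenset(ports)) for s in servers]


def dropped_replies(rules, replies):
    """Return the replies the filter would discard, in input order."""
    return [p for p in replies if evaluate(rules, p) == "deny"]


# Constructed sample (assumption): server 198.51.100.9 answers on the IANA
# ports, server 198.51.100.10 is still configured for 1645/1646, and
# 203.0.113.7 is not a configured server at all.
SERVERS = ["198.51.100.9", "198.51.100.10"]
SAMPLE_REPLIES = [
    Packet("198.51.100.9", 1812, 49152),
    Packet("198.51.100.9", 1813, 49153),
    Packet("198.51.100.10", 1645, 49154),
    Packet("198.51.100.10", 1646, 49155),
    Packet("203.0.113.7", 1812, 49156),  # unlisted source: must stay denied
]

if __name__ == "__main__":
    strict = radius_rules(SERVERS, include_legacy=False)
    both = radius_rules(SERVERS, include_legacy=True)
    print("dropped with IANA ports only:", dropped_replies(strict, SAMPLE_REPLIES))
    print("dropped with both port pairs:", dropped_replies(both, SAMPLE_REPLIES))
```

With the strict rule set the two replies from the legacy-port server are dropped along with the unlisted source; with both pairs permitted only the unlisted source is dropped, which is the behaviour a filter example in the draft should produce whichever pair it uses for illustration.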