Re: [secdir] secdir review of draft-ietf-opsec-protect-control-plane-04

"Carlos Pignataro (cpignata)" <cpignata@cisco.com> Tue, 14 December 2010 16:48 UTC

From: "Carlos Pignataro (cpignata)" <cpignata@cisco.com>
In-Reply-To: <DCC6725D-0C45-47BD-AC49-A38A256A75A8@hopcount.ca>
Date: Tue, 14 Dec 2010 11:43:09 -0500
To: Joe Abley <jabley@hopcount.ca>
Cc: draft-ietf-opsec-protect-control-plane@tools.ietf.org, secdir@ietf.org, opsec-chairs@tools.ietf.org, iesg@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-opsec-protect-control-plane-04

Glen,

Thanks much for your review. 
Please see inline. 

Thumb typed by Carlos Pignataro.

On Dec 14, 2010, at 8:26 AM, "Joe Abley" <jabley@hopcount.ca> wrote:

> 
> On 2010-12-14, at 01:39, Glen Zorn wrote:
> 
>> I have reviewed this document as part of the security directorate's ongoing
>> effort to review all IETF documents being processed by the IESG.  These
>> comments were written primarily for the benefit of the security area
>> directors.  Document editors and WG chairs should treat these comments just
>> like any other last call comments.
>> 
>> Section 3.1 says:
>> 
>>  o  Permit RADIUS authentication and accounting replies from RADIUS
>>     servers 198.51.100.9, 198.51.100.10, 2001:DB8:100::9, and 2001:
>>     DB8:100::10 that are listening on UDP ports 1645 and 1646.  Note
>>     that this doesn't account for a server using Internet Assigned
>>     Numbers Authority (IANA) ports 1812 and 1813 for RADIUS.
>> 
>> So, in other words, RADIUS traffic on the ports (officially assigned for
>> more than ten years now) will be blocked.  This seems like a very poor
>> example.

Please note that this was intentional: as a doc produced in Opsec, we intended to make it as close to the operational reality we know as possible. And our perspective was that we see more 1645/1646.

We can change it, sure. But just for the record this was discussed and intentionally decided.

If our argument was "let's write what we see is in use", what's the operational argument for 1812/1813, or is it that you think IANA's assigned ports are in use more ubiquitously?

> 
> This is a cisco-ism -- cisco devices use 1645/1646 by default and have to be configured explicitly to use 1812/1813.

For the record, it's not only Cisco that defaults to the "traditional" ports. Juniper listens on both, others also.

> I think this should be changed, as you intimate.

Ok. 

Thanks,

Carlos. 

> Good catch.
> 
> 
> Joe
>
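The point Glen raises is easy to see with a small model of the filter. The following is an added example, not text or code from the draft or from anyone in this thread: it models the Section 3.1 rule as a minimal control-plane ACL evaluator (the `Rule`, `Packet`, `evaluate` and `radius_rules` names are this example's own assumptions) and runs constructed RADIUS replies through the 1645/1646-only rule set and through one that also permits the IANA-assigned 1812/1813. A reply from a listed server on UDP source port 1812 falls through to the implicit deny under the draft's rule as written.

```python
"""Minimal model of a control-plane filter for RADIUS replies.

Constructed example; the server addresses are the documentation
prefixes used in the draft's Section 3.1, the rest is assumed here.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List

# Servers named in the draft's example (RFC 5737 / RFC 3849 documentation space).
RADIUS_SERVERS = [
    ipaddress.ip_address("198.51.100.9"),
    ipaddress.ip_address("198.51.100.10"),
    ipaddress.ip_address("2001:DB8:100::9"),
    ipaddress.ip_address("2001:DB8:100::10"),
]

LEGACY_PORTS = frozenset({1645, 1646})   # pre-IANA "traditional" RADIUS ports
IANA_PORTS = frozenset({1812, 1813})     # IANA-assigned authentication/accounting


@dataclass(frozen=True)
class Packet:
    """A packet arriving at the router's control plane (constructed)."""
    src: str
    sport: int
    proto: str = "udp"


@dataclass(frozen=True)
class Rule:
    """One ACL entry: action applies when proto, source address and
    source port all match. Replies carry the server's listening port
    as their *source* port, which is what the draft's rule keys on."""
    action: str          # "permit" or "deny"
    proto: str
    sources: tuple       # ipaddress objects
    sports: FrozenSet[int]

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto or pkt.sport not in self.sports:
            return False
        return ipaddress.ip_address(pkt.src) in self.sources


def radius_rules(ports: FrozenSet[int]) -> List[Rule]:
    """Build the 'permit RADIUS replies from known servers' entry for a
    given set of server listening ports (assumed helper)."""
    return [Rule("permit", "udp", tuple(RADIUS_SERVERS), ports)]


def evaluate(rules: Iterable[Rule], pkt: Packet) -> str:
    """First-match evaluation with the implicit deny a control-plane
    filter ends with: anything not explicitly permitted is dropped."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed replies: legacy-port server, IANA-port server (v4 and v6),
# an unknown host spoofing the port, and a TCP packet to the same port.
SAMPLE_REPLIES = [
    Packet("198.51.100.9", 1645),
    Packet("198.51.100.9", 1812),
    Packet("2001:db8:100::10", 1813),
    Packet("203.0.113.7", 1812),
    Packet("198.51.100.10", 1812, proto="tcp"),
]


def classify(ports: FrozenSet[int], packets: Iterable[Packet]) -> dict:
    """Map each (src, sport, proto) to the filter's verdict."""
    rules = radius_rules(ports)
    return {(p.src, p.sport, p.proto): evaluate(rules, p) for p in packets}


if __name__ == "__main__":
    for label, ports in (("draft as written", LEGACY_PORTS),
                         ("legacy + IANA", LEGACY_PORTS | IANA_PORTS)):
        print(label)
        for key, verdict in classify(ports, SAMPLE_REPLIES).items():
            print("  ", key, "->", verdict)
```

The permit entry matches on the server address and the reply's source port, so a server configured per IANA on 1812/1813 is not matched at all and the implicit deny at the end of the filter drops its replies. Widening the port set to cover both pairs keeps the address restriction intact: the unknown host on 1812 and the TCP packet are still denied.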