Re: [secdir] secdir review of draft-ietf-opsec-protect-control-plane-04
"Carlos Pignataro (cpignata)" <cpignata@cisco.com> Tue, 14 December 2010 21:51 UTC
Date: Tue, 14 Dec 2010 15:53:27 -0600
Message-ID: <960EC8F9A775AB40BF58D8953342D86303756C62@XMB-RCD-206.cisco.com>
In-Reply-To: <13205C286662DE4387D9AF3AC30EF456B02F2A46AC@EMBX01-WF.jnpr.net>
References: <001201cb9b59$acd02d70$06708850$@net> <4D07926A.9030007@ieca.com> <13205C286662DE4387D9AF3AC30EF456B02F2A46AC@EMBX01-WF.jnpr.net>
From: "Carlos Pignataro (cpignata)" <cpignata@cisco.com>
To: Ronald Bonica <rbonica@juniper.net>, Sean Turner <turners@ieca.com>, Glen Zorn <gwz@net-zen.net>, draft-ietf-opsec-protect-control-plane@tools.ietf.org
Cc: opsec-chairs@tools.ietf.org, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-opsec-protect-control-plane-04
Ron, (Glen, Joe,)

Please find attached ABDiffs (RFC-Ed style Diffs) for this change.

Please note that because of the actual change in the example filter in the Appendices, the diffs are longer than they should be (it treats big chunks of configs as single paragraphs). But my `rfcdiff` marks the line of change with a beginning "|" at least.

If you'd rather, we can ship a new revision (it's cheap with the IDST).

Thanks!

-- Carlos.

-----Original Message-----
From: Ronald Bonica [mailto:rbonica@juniper.net]
Sent: Tuesday, December 14, 2010 11:04 AM
To: Sean Turner; Glen Zorn; draft-ietf-opsec-protect-control-plane@tools.ietf.org
Cc: opsec-chairs@tools.ietf.org; iesg@ietf.org; secdir@ietf.org
Subject: RE: secdir review of draft-ietf-opsec-protect-control-plane-04

Authors,

I think that we can correct this problem with an RFC editor's note before the telechat on Thursday. Could one of you please provide the updated text?

Ron

> -----Original Message-----
> From: iesg-bounces@ietf.org [mailto:iesg-bounces@ietf.org] On Behalf Of Sean Turner
> Sent: Tuesday, December 14, 2010 10:51 AM
> To: Glen Zorn; draft-ietf-opsec-protect-control-plane@tools.ietf.org
> Cc: opsec-chairs@tools.ietf.org; iesg@ietf.org; secdir@ietf.org
> Subject: Re: secdir review of draft-ietf-opsec-protect-control-plane-04
>
> I'm hoping that this was a typo. I pulled out all the registered RADIUS ports from http://www.iana.org/assignments/port-numbers and 1645/1646:
>
> sightline         1645/tcp   SightLine
> sightline         1645/udp   SightLine
> #                            admin <iana&sightlinesystems.com>
> sa-msg-port       1646/tcp   sa-msg-port
> sa-msg-port       1646/udp   sa-msg-port
> #                            Eric Whitehill <Eric.Whitehill&itt.com>
>
> radius            1812/tcp   RADIUS
> radius            1812/udp   RADIUS
> #                            [RFC2865]
> radius-acct       1813/tcp   RADIUS Accounting
> radius-acct       1813/udp   RADIUS Accounting
> #                            [RFC2866]
> radsec            2083/tcp   Secure Radius Service
> radsec            2083/udp   Secure Radius Service
> #                            Mike McCauley <mikem&open.com.au> May 2005
> radius-dynauth    3799/tcp   RADIUS Dynamic Authorization
> radius-dynauth    3799/udp   RADIUS Dynamic Authorization
> #                            RFC 3576 - July 2003
>
> Should 1812 & 1813 be listed or also 2083 & 3799?
>
> spt
>
> On 12/14/10 1:39 AM, Glen Zorn wrote:
>> I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.
>>
>> Section 3.1 says:
>>
>> o Permit RADIUS authentication and accounting replies from RADIUS servers 198.51.100.9, 198.51.100.10, 2001:DB8:100::9, and 2001:DB8:100::10 that are listening on UDP ports 1645 and 1646. Note that this doesn't account for a server using Internet Assigned Numbers Authority (IANA) ports 1812 and 1813 for RADIUS.
>>
>> So, in other words, RADIUS traffic on the ports (officially assigned for more than ten years now) will be blocked. This seems like a very poor example.
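The point of the thread, that a control-plane filter permitting RADIUS replies only from source ports 1645 and 1646 silently drops replies from a server using the IANA-assigned 1812 and 1813, can be checked mechanically. The following is an added example written for this page, not code from the draft (whose appendices show vendor configurations) or from any of the participants. It models the Section 3.1 rule as a hypothetical permit rule with the server addresses quoted above, evaluates sample reply packets against it with an implicit deny at the end, and audits the rule's port set against the registered RADIUS ports listed in Sean's message. The rule and packet classes, the `filter_decision` and `audit_radius_rule` helpers, and the sample packets are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# RADIUS server addresses quoted from Section 3.1 of the draft (documentation
# prefixes, not real servers).
RADIUS_SERVERS = (
    "198.51.100.9",
    "198.51.100.10",
    "2001:DB8:100::9",
    "2001:DB8:100::10",
)

# Source ports a RADIUS server's replies come from. 1645/1646 are the legacy
# ports the draft's example used; 1812/1813 are the IANA assignments
# (RFC 2865 / RFC 2866) per the registry excerpt in the thread.
LEGACY_RADIUS_PORTS = frozenset({1645, 1646})
IANA_RADIUS_PORTS = frozenset({1812, 1813})


@dataclass(frozen=True)
class PermitRule:
    """Hypothetical control-plane permit rule: protocol, source prefixes, source ports."""
    proto: str
    sources: tuple          # tuple of ip_network objects
    src_ports: frozenset    # allowed UDP/TCP source ports


@dataclass(frozen=True)
class Packet:
    """Constructed inbound packet headed for the router's control plane."""
    proto: str
    src: str
    src_port: int


def build_radius_reply_rule(ports):
    """Build the 'permit RADIUS replies from our servers' rule for a given port set."""
    return PermitRule(
        proto="udp",
        sources=tuple(ip_network(addr) for addr in RADIUS_SERVERS),
        src_ports=frozenset(ports),
    )


def matches(rule, pkt):
    """True if the packet's protocol, source address and source port all match the rule."""
    if rule.proto != pkt.proto or pkt.src_port not in rule.src_ports:
        return False
    addr = ip_address(pkt.src)
    return any(addr in net for net in rule.sources)


def filter_decision(rules, pkt):
    """First-match evaluation with an implicit deny when no rule matches."""
    for rule in rules:
        if matches(rule, pkt):
            return "permit"
    return "deny"


def audit_radius_rule(rule):
    """Return the registered/legacy RADIUS reply ports the rule would drop, sorted."""
    expected = IANA_RADIUS_PORTS | LEGACY_RADIUS_PORTS
    return sorted(expected - rule.src_ports)


if __name__ == "__main__":
    as_published = [build_radius_reply_rule(LEGACY_RADIUS_PORTS)]
    corrected = [build_radius_reply_rule(LEGACY_RADIUS_PORTS | IANA_RADIUS_PORTS)]
    # Constructed sample: a reply from a listed server using the IANA port.
    reply = Packet("udp", "198.51.100.9", 1812)
    print("as published:", filter_decision(as_published, reply))   # deny
    print("corrected:   ", filter_decision(corrected, reply))      # permit
    print("ports dropped by published rule:", audit_radius_rule(as_published[0]))
```

The port set is a parameter, so the same audit answers Sean's follow-up question about 2083 and 3799: add them to the expected set only if the filter is meant to admit those services from the same servers. Note that a packet from an unlisted source address is denied regardless of port, which is the source-restriction the draft's rule is meant to enforce.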