Re: [secdir] secdir review of draft-ietf-opsec-protect-control-plane-04

"Carlos Pignataro (cpignata)" <cpignata@cisco.com> Tue, 14 December 2010 21:51 UTC

Date: Tue, 14 Dec 2010 15:53:27 -0600
From: "Carlos Pignataro (cpignata)" <cpignata@cisco.com>
To: Ronald Bonica <rbonica@juniper.net>, Sean Turner <turners@ieca.com>, Glen Zorn <gwz@net-zen.net>, draft-ietf-opsec-protect-control-plane@tools.ietf.org
Cc: opsec-chairs@tools.ietf.org, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-opsec-protect-control-plane-04

Ron, (Glen, Joe,)

Please find attached ABDiffs (RFC-Ed style Diffs) for this change.
Please note that because of the actual change in the example filter in
the Appendices, the diffs are longer than they should be (it treats big
chunks of configs as a single para). But my `rfcdiff` marks the line of
change with a beginning "|" at least.

If you'd rather, we can ship a new revision (it's cheap with the IDST).

Thanks!

-- Carlos.

-----Original Message-----
From: Ronald Bonica [mailto:rbonica@juniper.net] 
Sent: Tuesday, December 14, 2010 11:04 AM
To: Sean Turner; Glen Zorn;
draft-ietf-opsec-protect-control-plane@tools.ietf.org
Cc: opsec-chairs@tools.ietf.org; iesg@ietf.org; secdir@ietf.org
Subject: RE: secdir review of draft-ietf-opsec-protect-control-plane-04

Authors,

I think that we can correct this problem with an RFC Editor's note before
the telechat on Thursday. Could one of you please provide the updated
text?

                                    Ron


> -----Original Message-----
> From: iesg-bounces@ietf.org [mailto:iesg-bounces@ietf.org] On Behalf Of
> Sean Turner
> Sent: Tuesday, December 14, 2010 10:51 AM
> To: Glen Zorn; draft-ietf-opsec-protect-control-plane@tools.ietf.org
> Cc: opsec-chairs@tools.ietf.org; iesg@ietf.org; secdir@ietf.org
> Subject: Re: secdir review of draft-ietf-opsec-protect-control-plane-04
> 
> I'm hoping that this was a typo.  I pulled out all the registered RADIUS
> ports from http://www.iana.org/assignments/port-numbers and 1645/1646:
> 
> sightline       1645/tcp  SightLine
> sightline       1645/udp  SightLine
> #                         admin <iana&sightlinesystems.com>
> sa-msg-port     1646/tcp  sa-msg-port
> sa-msg-port     1646/udp  sa-msg-port
> #                         Eric Whitehill <Eric.Whitehill&itt.com>
> 
> 
> radius          1812/tcp    RADIUS
> radius          1812/udp    RADIUS
> #                           [RFC2865]
> radius-acct     1813/tcp    RADIUS Accounting
> radius-acct     1813/udp    RADIUS Accounting
> #                           [RFC2866]
> radsec          2083/tcp   Secure Radius Service
> radsec          2083/udp   Secure Radius Service
> #                          Mike McCauley <mikem&open.com.au> May 2005
> radius-dynauth  3799/tcp   RADIUS Dynamic Authorization
> radius-dynauth  3799/udp   RADIUS Dynamic Authorization
> #                          RFC 3576 - July 2003
> 
> Should 1812 & 1813 be listed or also 2083 & 3799?
> 
> spt
> 
> On 12/14/10 1:39 AM, Glen Zorn wrote:
> > I have reviewed this document as part of the security directorate's
> > ongoing effort to review all IETF documents being processed by the IESG.
> > These comments were written primarily for the benefit of the security area
> > directors.  Document editors and WG chairs should treat these comments just
> > like any other last call comments.
> >
> > Section 3.1 says:
> >
> >     o  Permit RADIUS authentication and accounting replies from RADIUS
> >        servers 198.51.100.9, 198.51.100.10, 2001:DB8:100::9, and 2001:
> >        DB8:100::10 that are listening on UDP ports 1645 and 1646.  Note
> >        that this doesn't account for a server using Internet Assigned
> >        Numbers Authority (IANA) ports 1812 and 1813 for RADIUS.
> >
> > So, in other words, RADIUS traffic on the ports (officially assigned for
> > more than ten years now) will be blocked.  This seems like a very poor
> > example.
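The filter rule under discussion, modelled as an added example (not code from the draft or from anyone in this thread): a default-deny control-plane filter that permits RADIUS replies only from the Section 3.1 servers, first with the legacy ports the draft listed and then with the IANA-assigned ports added. The sample replies are constructed; the rule and packet representation are assumptions of this example.

```python
# Added example: a minimal model of the control-plane filter rule discussed
# above, showing why a rule that only permits RADIUS replies on UDP 1645/1646
# silently drops replies from a server using the IANA-assigned ports 1812/1813.
import ipaddress
from dataclasses import dataclass

# RADIUS servers named in Section 3.1 of the draft (documentation addresses).
RADIUS_SERVERS = tuple(ipaddress.ip_address(a) for a in (
    "198.51.100.9", "198.51.100.10", "2001:DB8:100::9", "2001:DB8:100::10"))


@dataclass(frozen=True)
class Rule:
    """One permit entry: UDP traffic from any of `sources` with a listed source port."""
    sources: tuple
    src_ports: frozenset


# The draft's original example: legacy ports only.
LEGACY_RULES = [Rule(RADIUS_SERVERS, frozenset({1645, 1646}))]
# Corrected example: the IANA-assigned authentication/accounting ports are added.
FIXED_RULES = [Rule(RADIUS_SERVERS, frozenset({1645, 1646, 1812, 1813}))]


def permitted(rules, src_ip, src_port, proto="udp"):
    """True if a packet destined to the control plane matches a permit rule.
    Anything not explicitly permitted is dropped (default deny)."""
    if proto != "udp":
        return False
    ip = ipaddress.ip_address(src_ip)
    return any(ip in r.sources and src_port in r.src_ports for r in rules)


# Constructed sample replies (not captured traffic).
SAMPLE_REPLIES = [
    ("198.51.100.9", 1645),      # legacy-port authentication reply
    ("2001:db8:100::10", 1812),  # IANA-port authentication reply (the case raised)
    ("198.51.100.9", 1813),      # IANA-port accounting reply
    ("203.0.113.7", 1812),       # not a configured server: must stay dropped
]


def evaluate(rules):
    """Map each sample reply to whether the given rule set lets it through."""
    return {(ip, port): permitted(rules, ip, port) for ip, port in SAMPLE_REPLIES}


if __name__ == "__main__":
    for name, rules in (("legacy", LEGACY_RULES), ("fixed", FIXED_RULES)):
        print(name, evaluate(rules))
```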