Re: [secdir] secdir review of draft-ietf-opsec-protect-control-plane-04

Joe Abley <jabley@hopcount.ca> Tue, 14 December 2010 13:24 UTC

Return-Path: <jabley@hopcount.ca>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 14AA23A6FA3; Tue, 14 Dec 2010 05:24:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.582
X-Spam-Level:
X-Spam-Status: No, score=-102.582 tagged_above=-999 required=5 tests=[AWL=0.017, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A5EBeEmPKVLd; Tue, 14 Dec 2010 05:24:07 -0800 (PST)
Received: from monster.hopcount.ca (monster.hopcount.ca [216.235.14.38]) by core3.amsl.com (Postfix) with ESMTP id 502563A6FA1; Tue, 14 Dec 2010 05:24:07 -0800 (PST)
Received: from [199.212.90.26] (helo=dh26.r1.owls.hopcount.ca) by monster.hopcount.ca with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.71 (FreeBSD)) (envelope-from <jabley@hopcount.ca>) id 1PSUwk-000Eag-CC; Tue, 14 Dec 2010 13:29:38 +0000
Mime-Version: 1.0 (Apple Message framework v1082)
Content-Type: text/plain; charset=us-ascii
From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <001201cb9b59$acd02d70$06708850$@net>
Date: Tue, 14 Dec 2010 08:25:42 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <DCC6725D-0C45-47BD-AC49-A38A256A75A8@hopcount.ca>
References: <001201cb9b59$acd02d70$06708850$@net>
To: Glen Zorn <gwz@net-zen.net>
X-Mailer: Apple Mail (2.1082)
X-SA-Exim-Connect-IP: 199.212.90.26
X-SA-Exim-Mail-From: jabley@hopcount.ca
X-SA-Exim-Scanned: No (on monster.hopcount.ca); SAEximRunCond expanded to false
X-Mailman-Approved-At: Wed, 15 Dec 2010 00:36:03 -0800
Cc: draft-ietf-opsec-protect-control-plane@tools.ietf.org, opsec-chairs@tools.ietf.org, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-opsec-protect-control-plane-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Dec 2010 13:24:08 -0000

On 2010-12-14, at 01:39, Glen Zorn wrote:

> I have reviewed this document as part of the security directorate's ongoing
> effort to review all IETF documents being processed by the IESG.  These
> comments were written primarily for the benefit of the security area
> directors.  Document editors and WG chairs should treat these comments just
> like any other last call comments.
> 
> Section 3.1 says:
> 
>   o  Permit RADIUS authentication and accounting replies from RADIUS
>      servers 198.51.100.9, 198.51.100.10, 2001:DB8:100::9, and 2001:
>      DB8:100::10 that are listening on UDP ports 1645 and 1646.  Note
>      that this doesn't account for a server using Internet Assigned
>      Numbers Authority (IANA) ports 1812 and 1813 for RADIUS.
> 
> So, in other words, RADIUS traffic on the ports (officially assigned for
> more than ten years now) will be blocked.  This seems like a very poor
> example.

This is a cisco-ism -- cisco devices use 1645/1646 by default and have to be configured explicitly to use 1812/1813. I think this should be changed, as you intimate. Good catch.


Joe