Re: [secdir] secdir review of draft-ietf-opsec-protect-control-plane-04

Rodney Dunn <rodunn@cisco.com> Tue, 14 December 2010 14:15 UTC

Return-Path: <rodunn@cisco.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EB33E3A6E9E; Tue, 14 Dec 2010 06:15:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fXZEwUdhzuRK; Tue, 14 Dec 2010 06:15:03 -0800 (PST)
Received: from av-tac-rtp.cisco.com (hen.cisco.com [64.102.19.198]) by core3.amsl.com (Postfix) with ESMTP id DB68B3A6E94; Tue, 14 Dec 2010 06:15:02 -0800 (PST)
X-TACSUNS: Virus Scanned
Received: from rooster.cisco.com (localhost.cisco.com [127.0.0.1]) by av-tac-rtp.cisco.com (8.13.8+Sun/8.13.8) with ESMTP id oBEEGemQ026826; Tue, 14 Dec 2010 09:16:40 -0500 (EST)
Received: from dhcp-64-102-157-231.cisco.com (dhcp-64-102-157-231.cisco.com [64.102.157.231]) by rooster.cisco.com (8.13.8+Sun/8.13.8) with ESMTP id oBEEGdRt024112; Tue, 14 Dec 2010 09:16:39 -0500 (EST)
Message-ID: <4D077C47.4010506@cisco.com>
Date: Tue, 14 Dec 2010 06:16:39 -0800
From: Rodney Dunn <rodunn@cisco.com>
Organization: Cisco Systems Inc.
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2.13) Gecko/20101207 Thunderbird/3.1.7
MIME-Version: 1.0
To: Joe Abley <jabley@hopcount.ca>
References: <001201cb9b59$acd02d70$06708850$@net> <DCC6725D-0C45-47BD-AC49-A38A256A75A8@hopcount.ca>
In-Reply-To: <DCC6725D-0C45-47BD-AC49-A38A256A75A8@hopcount.ca>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Wed, 15 Dec 2010 00:36:03 -0800
Cc: draft-ietf-opsec-protect-control-plane@tools.ietf.org, secdir@ietf.org, opsec-chairs@tools.ietf.org, iesg@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-opsec-protect-control-plane-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: rodunn@cisco.com
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Dec 2010 14:15:04 -0000

Thanks Joe/Glen,

I made the updates to change them to 1812/1813 with a not to the 
reference to the 1645/1646 ports.

"Permit RADIUS authentication and accounting replies from RADIUS servers 
198.51.100.9, 198.51.100.10, 2001:DB8:100::9, and 2001:DB8:100::10 that 
are listening on UDP ports 1812 and 1813. Note that this doesn't account 
for a server using the commonly deployed pre-standard UDP ports of 1812 
and 1813."

Also updated the relevant configurations.

Rodney





On 12/14/10 5:25 AM, Joe Abley wrote:
>
> On 2010-12-14, at 01:39, Glen Zorn wrote:
>
>> I have reviewed this document as part of the security directorate's ongoing
>> effort to review all IETF documents being processed by the IESG.  These
>> comments were written primarily for the benefit of the security area
>> directors.  Document editors and WG chairs should treat these comments just
>> like any other last call comments.
>>
>> Section 3.1 says:
>>
>>    o  Permit RADIUS authentication and accounting replies from RADIUS
>>       servers 198.51.100.9, 198.51.100.10, 2001:DB8:100::9, and 2001:
>>       DB8:100::10 that are listening on UDP ports 1645 and 1646.  Note
>>       that this doesn't account for a server using Internet Assigned
>>       Numbers Authority (IANA) ports 1812 and 1813 for RADIUS.
>>
>> So, in other words, RADIUS traffic on the ports (officially assigned for
>> more than ten years now) will be blocked.  This seems like a very poor
>> example.
>
> This is a cisco-ism -- cisco devices use 1645/1646 by default and have to be configured explicitly to use 1812/1813. I think this should be changed, as you intimate. Good catch.
>
>
> Joe