Re: [secdir] secdir review of draft-ietf-opsec-protect-control-plane-04
Rodney Dunn <rodunn@cisco.com> Tue, 14 December 2010 14:15 UTC
Return-Path: <rodunn@cisco.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EB33E3A6E9E; Tue, 14 Dec 2010 06:15:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fXZEwUdhzuRK; Tue, 14 Dec 2010 06:15:03 -0800 (PST)
Received: from av-tac-rtp.cisco.com (hen.cisco.com [64.102.19.198]) by core3.amsl.com (Postfix) with ESMTP id DB68B3A6E94; Tue, 14 Dec 2010 06:15:02 -0800 (PST)
X-TACSUNS: Virus Scanned
Received: from rooster.cisco.com (localhost.cisco.com [127.0.0.1]) by av-tac-rtp.cisco.com (8.13.8+Sun/8.13.8) with ESMTP id oBEEGemQ026826; Tue, 14 Dec 2010 09:16:40 -0500 (EST)
Received: from dhcp-64-102-157-231.cisco.com (dhcp-64-102-157-231.cisco.com [64.102.157.231]) by rooster.cisco.com (8.13.8+Sun/8.13.8) with ESMTP id oBEEGdRt024112; Tue, 14 Dec 2010 09:16:39 -0500 (EST)
Message-ID: <4D077C47.4010506@cisco.com>
Date: Tue, 14 Dec 2010 06:16:39 -0800
From: Rodney Dunn <rodunn@cisco.com>
Organization: Cisco Systems Inc.
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2.13) Gecko/20101207 Thunderbird/3.1.7
MIME-Version: 1.0
To: Joe Abley <jabley@hopcount.ca>
References: <001201cb9b59$acd02d70$06708850$@net> <DCC6725D-0C45-47BD-AC49-A38A256A75A8@hopcount.ca>
In-Reply-To: <DCC6725D-0C45-47BD-AC49-A38A256A75A8@hopcount.ca>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Wed, 15 Dec 2010 00:36:03 -0800
Cc: draft-ietf-opsec-protect-control-plane@tools.ietf.org, secdir@ietf.org, opsec-chairs@tools.ietf.org, iesg@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-opsec-protect-control-plane-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: rodunn@cisco.com
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Dec 2010 14:15:04 -0000
Thanks Joe/Glen, I made the updates to change them to 1812/1813 with a not to the reference to the 1645/1646 ports. "Permit RADIUS authentication and accounting replies from RADIUS servers 198.51.100.9, 198.51.100.10, 2001:DB8:100::9, and 2001:DB8:100::10 that are listening on UDP ports 1812 and 1813. Note that this doesn't account for a server using the commonly deployed pre-standard UDP ports of 1812 and 1813." Also updated the relevant configurations. Rodney On 12/14/10 5:25 AM, Joe Abley wrote: > > On 2010-12-14, at 01:39, Glen Zorn wrote: > >> I have reviewed this document as part of the security directorate's ongoing >> effort to review all IETF documents being processed by the IESG. These >> comments were written primarily for the benefit of the security area >> directors. Document editors and WG chairs should treat these comments just >> like any other last call comments. >> >> Section 3.1 says: >> >> o Permit RADIUS authentication and accounting replies from RADIUS >> servers 198.51.100.9, 198.51.100.10, 2001:DB8:100::9, and 2001: >> DB8:100::10 that are listening on UDP ports 1645 and 1646. Note >> that this doesn't account for a server using Internet Assigned >> Numbers Authority (IANA) ports 1812 and 1813 for RADIUS. >> >> So, in other words, RADIUS traffic on the ports (officially assigned for >> more than ten years now) will be blocked. This seems like a very poor >> example. > > This is a cisco-ism -- cisco devices use 1645/1646 by default and have to be configured explicitly to use 1812/1813. I think this should be changed, as you intimate. Good catch. > > > Joe
- [secdir] secdir review of draft-ietf-opsec-protec… Glen Zorn
- Re: [secdir] secdir review of draft-ietf-opsec-pr… Sean Turner
- Re: [secdir] secdir review of draft-ietf-opsec-pr… Sean Turner
- Re: [secdir] secdir review of draft-ietf-opsec-pr… Carlos Pignataro (cpignata)
- Re: [secdir] secdir review of draft-ietf-opsec-pr… Carlos Pignataro (cpignata)
- Re: [secdir] secdir review of draft-ietf-opsec-pr… Carlos Pignataro (cpignata)
- Re: [secdir] secdir review of draft-ietf-opsec-pr… Glen Zorn
- Re: [secdir] secdir review of draft-ietf-opsec-pr… Glen Zorn
- Re: [secdir] secdir review of draft-ietf-opsec-pr… Glen Zorn
- Re: [secdir] secdir review of draft-ietf-opsec-pr… Glen Zorn
- Re: [secdir] secdir review of draft-ietf-opsec-pr… Joe Abley
- Re: [secdir] secdir review of draft-ietf-opsec-pr… Rodney Dunn
- Re: [secdir] secdir review of draft-ietf-opsec-pr… Joe Abley
- Re: [secdir] secdir review of draft-ietf-opsec-pr… Rodney Dunn
- Re: [secdir] secdir review of draft-ietf-opsec-pr… Ronald Bonica
- Re: [secdir] secdir review of draft-ietf-opsec-pr… Joe Abley
- Re: [secdir] secdir review of draft-ietf-opsec-pr… Carlos Pignataro (cpignata)