Re: [secdir] secdir review of draft-ietf-opsec-protect-control-plane-04

[Rodney Dunn <rodunn@cisco.com>]

Thanks Joe/Glen,

I made the updates to change them to 1812/1813 with a not to the 
reference to the 1645/1646 ports.

"Permit RADIUS authentication and accounting replies from RADIUS servers 
198.51.100.9, 198.51.100.10, 2001:DB8:100::9, and 2001:DB8:100::10 that 
are listening on UDP ports 1812 and 1813. Note that this doesn't account 
for a server using the commonly deployed pre-standard UDP ports of 1812 
and 1813."

Also updated the relevant configurations.

Rodney





On 12/14/10 5:25 AM, Joe Abley wrote:
>
> On 2010-12-14, at 01:39, Glen Zorn wrote:
>
>> I have reviewed this document as part of the security directorate's ongoing
>> effort to review all IETF documents being processed by the IESG.  These
>> comments were written primarily for the benefit of the security area
>> directors.  Document editors and WG chairs should treat these comments just
>> like any other last call comments.
>>
>> Section 3.1 says:
>>
>>    o  Permit RADIUS authentication and accounting replies from RADIUS
>>       servers 198.51.100.9, 198.51.100.10, 2001:DB8:100::9, and 2001:
>>       DB8:100::10 that are listening on UDP ports 1645 and 1646.  Note
>>       that this doesn't account for a server using Internet Assigned
>>       Numbers Authority (IANA) ports 1812 and 1813 for RADIUS.
>>
>> So, in other words, RADIUS traffic on the ports (officially assigned for
>> more than ten years now) will be blocked.  This seems like a very poor
>> example.
>
> This is a cisco-ism -- cisco devices use 1645/1646 by default and have to be configured explicitly to use 1812/1813. I think this should be changed, as you intimate. Good catch.
>
>
> Joe