[secdir] secdir review of draft-ietf-opsec-protect-control-plane-04

"Glen Zorn" <gwz@net-zen.net> Tue, 14 December 2010 06:38 UTC

From: Glen Zorn <gwz@net-zen.net>
To: iesg@ietf.org, secdir@ietf.org, draft-ietf-opsec-protect-control-plane@tools.ietf.org, opsec-chairs@tools.ietf.org
Date: Tue, 14 Dec 2010 13:39:31 +0700
Organization: Network Zen
Subject: [secdir] secdir review of draft-ietf-opsec-protect-control-plane-04

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area
directors.  Document editors and WG chairs should treat these comments just
like any other last call comments.

Section 3.1 says:

   o  Permit RADIUS authentication and accounting replies from RADIUS
      servers,, 2001:DB8:100::9, and 2001:DB8:100::10 that are
      listening on UDP ports 1645 and 1646.  Note that this doesn't
      account for a server using Internet Assigned Numbers Authority
      (IANA) ports 1812 and 1813 for RADIUS.

So, in other words, RADIUS traffic on the ports (officially assigned for
more than ten years now) will be blocked.  This seems like a very poor
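Added editor's example (not part of the review or of the draft under review): a toy control-plane filter evaluator that models the Section 3.1 RADIUS rule quoted above and makes the port gap concrete. The two server addresses are the ones quoted from the draft; the rule structure, the `Packet`/`Rule` types, the default-deny fall-through and the "fixed" policy that also permits the IANA ports are assumptions made for illustration, not the draft's own text.

```python
"""Toy control-plane filter evaluator (added example, not from the draft or the review).

Models the Section 3.1 RADIUS rule: permit UDP replies from the listed RADIUS
servers when the reply's source port is one of the server's listening ports.
A RADIUS reply is sourced from the server's listening port, so the check is
on the packet's *source* port.  Anything not matched by a rule falls through
to the policy's default action (deny, as is usual for control-plane policy).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    proto: str           # "udp", "tcp", ...
    src: object          # ip_network the packet source must fall inside
    src_ports: frozenset  # allowed source ports; empty set means any port


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when the packet satisfies every field of the rule."""
    if rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src_ip) not in rule.src:
        return False
    if rule.src_ports and pkt.src_port not in rule.src_ports:
        return False
    return True


def evaluate(policy, pkt: Packet, default: str = "deny") -> str:
    """First-match evaluation; unmatched traffic gets the default action."""
    for rule in policy:
        if matches(rule, pkt):
            return rule.action
    return default


# Server addresses quoted in the draft's Section 3.1 bullet.
RADIUS_SERVERS = ["2001:DB8:100::9", "2001:DB8:100::10"]
LEGACY_PORTS = frozenset({1645, 1646})   # ports named by the draft's rule
IANA_PORTS = frozenset({1812, 1813})     # IANA-assigned RADIUS ports


def radius_reply_rules(ports: frozenset) -> list:
    """One permit rule per server, restricted to the given listening ports."""
    return [Rule("permit", "udp", ip_network(s + "/128"), ports)
            for s in RADIUS_SERVERS]


# Policy as the draft states it, and an assumed corrected policy that
# also admits replies from servers listening on the IANA ports.
DRAFT_POLICY = radius_reply_rules(LEGACY_PORTS)
FIXED_POLICY = radius_reply_rules(LEGACY_PORTS | IANA_PORTS)


def compare(pkt: Packet) -> dict:
    """Show how the same reply fares under each policy."""
    return {"draft": evaluate(DRAFT_POLICY, pkt),
            "fixed": evaluate(FIXED_POLICY, pkt)}


if __name__ == "__main__":
    # Constructed sample: an Access-Accept from a listed server on IANA port 1812.
    reply = Packet("udp", "2001:DB8:100::9", 1812)
    print(compare(reply))   # draft policy drops it, fixed policy permits it
```

Run as a script it prints the verdict for a single constructed reply; `compare()` is the function to call from a harness. The point the review makes shows up directly: a listed server that follows the IANA assignment is silently denied by the draft's rule, while an unlisted source is denied under both policies, so widening the port set does not loosen the source restriction.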