Re: [secdir] secdir review of draft-ietf-opsec-protect-control-plane-04

"Glen Zorn" <gwz@net-zen.net> Wed, 15 December 2010 05:27 UTC

From: Glen Zorn <gwz@net-zen.net>
To: 'Sean Turner' <turners@ieca.com>, draft-ietf-opsec-protect-control-plane@tools.ietf.org
References: <001201cb9b59$acd02d70$06708850$@net> <4D07926A.9030007@ieca.com>
In-Reply-To: <4D07926A.9030007@ieca.com>
Date: Wed, 15 Dec 2010 12:28:30 +0700
Organization: Network Zen
Message-ID: <001001cb9c18$ea998970$bfcc9c50$@net>
Cc: opsec-chairs@tools.ietf.org, iesg@ietf.org, secdir@ietf.org

Sean Turner [mailto:turners@ieca.com] writes:

> I'm hoping that this was a typo.  I pulled out all the registered RADIUS
> ports from http://www.iana.org/assignments/port-numbers and 1645/1646:
> 
> sightline       1645/tcp  SightLine
> sightline       1645/udp  SightLine
> #                         admin <iana&sightlinesystems.com>
> sa-msg-port     1646/tcp  sa-msg-port
> sa-msg-port     1646/udp  sa-msg-port
> #                         Eric Whitehill <Eric.Whitehill&itt.com>
> 
> 
> radius          1812/tcp    RADIUS
> radius          1812/udp    RADIUS
> #                           [RFC2865]
> radius-acct     1813/tcp    RADIUS Accounting
> radius-acct     1813/udp    RADIUS Accounting
> #                           [RFC2866]
> radsec          2083/tcp   Secure Radius Service
> radsec          2083/udp   Secure Radius Service
> #                          Mike McCauley <mikem&open.com.au> May 2005
> radius-dynauth  3799/tcp   RADIUS Dynamic Authorization
> radius-dynauth  3799/udp   RADIUS Dynamic Authorization
> #                          RFC 3576 - July 2003
> 
> Should 1812 & 1813 be listed or also 2083 & 3799?

radsec isn't RADIUS; RFC 3576 isn't a core part of RADIUS, either.  I think
that 1812 & 1813 are fine in the context of this example.

> 
> spt
> 
> On 12/14/10 1:39 AM, Glen Zorn wrote:
> > I have reviewed this document as part of the security directorate's ongoing
> > effort to review all IETF documents being processed by the IESG.  These
> > comments were written primarily for the benefit of the security area
> > directors.  Document editors and WG chairs should treat these comments just
> > like any other last call comments.
> >
> > Section 3.1 says:
> >
> >     o  Permit RADIUS authentication and accounting replies from RADIUS
> >        servers 198.51.100.9, 198.51.100.10, 2001:DB8:100::9, and 2001:
> >        DB8:100::10 that are listening on UDP ports 1645 and 1646.  Note
> >        that this doesn't account for a server using Internet Assigned
> >        Numbers Authority (IANA) ports 1812 and 1813 for RADIUS.
> >
> > So, in other words, RADIUS traffic on the ports (officially assigned for
> > more than ten years now) will be blocked.  This seems like a very poor
> > example.
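A small model of the Section 3.1 filter rule discussed in this thread, added here as an illustration and not part of the draft or of either message: it evaluates constructed RADIUS reply packets against the example's server list and source ports, showing that replies from a server using the IANA-assigned ports 1812/1813 fall to the implicit deny under the 1645/1646 rule and pass once those ports are included. The packet tuples and the `reply_permitted` function are assumptions made for this example.

```python
import ipaddress

# RADIUS servers named in the draft's Section 3.1 example.
RADIUS_SERVERS = [ipaddress.ip_address(a) for a in (
    "198.51.100.9", "198.51.100.10", "2001:DB8:100::9", "2001:DB8:100::10")]

# Source ports the example permits (legacy) versus the IANA-assigned ones.
LEGACY_PORTS = {1645, 1646}
IANA_PORTS = {1812, 1813}


def reply_permitted(src_ip, proto, src_port, permitted_ports):
    """Return True if a RADIUS reply would pass the control-plane filter.

    Models the rule: permit UDP from a listed RADIUS server whose source
    port is in permitted_ports; everything else hits the implicit deny.
    """
    if proto != "udp":
        return False
    try:
        src = ipaddress.ip_address(src_ip)
    except ValueError:  # malformed address never matches a permit entry
        return False
    return src in RADIUS_SERVERS and src_port in permitted_ports


# Constructed sample replies: (src_ip, proto, src_port, description).
SAMPLE_REPLIES = [
    ("198.51.100.9", "udp", 1645, "auth reply, legacy port"),
    ("2001:DB8:100::10", "udp", 1646, "acct reply, legacy port"),
    ("198.51.100.10", "udp", 1812, "auth reply, IANA port"),
    ("2001:DB8:100::9", "udp", 1813, "acct reply, IANA port"),
    ("203.0.113.7", "udp", 1812, "auth reply from unlisted host"),
    ("198.51.100.9", "tcp", 1812, "TCP, not matched by the UDP rule"),
]


def evaluate(permitted_ports):
    """Map each sample reply's description to the filter verdict."""
    return {desc: reply_permitted(ip, proto, port, permitted_ports)
            for ip, proto, port, desc in SAMPLE_REPLIES}


if __name__ == "__main__":
    for label, ports in (("draft example (1645/1646)", LEGACY_PORTS),
                         ("with IANA ports added", LEGACY_PORTS | IANA_PORTS)):
        print(label)
        for desc, ok in evaluate(ports).items():
            print(f"  {'permit' if ok else 'deny  '}  {desc}")
```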