Re: [secdir] secdir review of draft-ietf-opsec-protect-control-plane-04
Sean Turner <turners@ieca.com> Tue, 14 December 2010 16:18 UTC
Note that the example filters in the Appendices will also need to be fixed.

spt

On 12/14/10 11:04 AM, Ronald Bonica wrote:
> Authors,
>
> I think that we can correct this problem with an RFC editor's note
> before the telechat on Thursday. Could one of you please provide the
> updated text?
>
> Ron
>
>
>> -----Original Message-----
>> From: iesg-bounces@ietf.org [mailto:iesg-bounces@ietf.org] On Behalf Of
>> Sean Turner
>> Sent: Tuesday, December 14, 2010 10:51 AM
>> To: Glen Zorn; draft-ietf-opsec-protect-control-plane@tools.ietf.org
>> Cc: opsec-chairs@tools.ietf.org; iesg@ietf.org; secdir@ietf.org
>> Subject: Re: secdir review of draft-ietf-opsec-protect-control-plane-04
>>
>> I'm hoping that this was a typo. I pulled out all the registered RADIUS
>> ports from http://www.iana.org/assignments/port-numbers and 1645/1646:
>>
>> sightline       1645/tcp   SightLine
>> sightline       1645/udp   SightLine
>> #                          admin<iana&sightlinesystems.com>
>> sa-msg-port     1646/tcp   sa-msg-port
>> sa-msg-port     1646/udp   sa-msg-port
>> #                          Eric Whitehill<Eric.Whitehill&itt.com>
>>
>>
>> radius          1812/tcp   RADIUS
>> radius          1812/udp   RADIUS
>> #                          [RFC2865]
>> radius-acct     1813/tcp   RADIUS Accounting
>> radius-acct     1813/udp   RADIUS Accounting
>> #                          [RFC2866]
>> radsec          2083/tcp   Secure Radius Service
>> radsec          2083/udp   Secure Radius Service
>> #                          Mike McCauley<mikem&open.com.au> May 2005
>> radius-dynauth  3799/tcp   RADIUS Dynamic Authorization
>> radius-dynauth  3799/udp   RADIUS Dynamic Authorization
>> #                          RFC 3576 - July 2003
>>
>> Should 1812 & 1813 be listed or also 2083 & 3799?
>>
>> spt
>>
>> On 12/14/10 1:39 AM, Glen Zorn wrote:
>>> I have reviewed this document as part of the security directorate's
>>> ongoing effort to review all IETF documents being processed by the
>>> IESG. These comments were written primarily for the benefit of the
>>> security area directors. Document editors and WG chairs should treat
>>> these comments just like any other last call comments.
>>>
>>> Section 3.1 says:
>>>
>>>    o  Permit RADIUS authentication and accounting replies from RADIUS
>>>       servers 198.51.100.9, 198.51.100.10, 2001:DB8:100::9, and
>>>       2001:DB8:100::10 that are listening on UDP ports 1645 and 1646.
>>>       Note that this doesn't account for a server using Internet
>>>       Assigned Numbers Authority (IANA) ports 1812 and 1813 for RADIUS.
>>>
>>> So, in other words, RADIUS traffic on the ports (officially assigned
>>> for more than ten years now) will be blocked. This seems like a very
>>> poor example.