From nobody Tue Apr 1 01:48:57 2014 Return-Path: X-Original-To: opsec@ietfa.amsl.com Delivered-To: opsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 04E361A6FFB for ; Tue, 1 Apr 2014 01:48:56 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, UNPARSEABLE_RELAY=0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r0j2wTGgB0Pu for ; Tue, 1 Apr 2014 01:48:53 -0700 (PDT) Received: from mail1.bemta3.messagelabs.com (mail1.bemta3.messagelabs.com [195.245.230.177]) by ietfa.amsl.com (Postfix) with ESMTP id 29F361A0812 for ; Tue, 1 Apr 2014 01:48:53 -0700 (PDT) Received: from [85.158.137.67:34733] by server-17.bemta-3.messagelabs.com id CF/9E-22741-17D7A335; Tue, 01 Apr 2014 08:48:49 +0000 X-Env-Sender: robert.sleigh@ee.co.uk X-Msg-Ref: server-5.tower-139.messagelabs.com!1396342128!28677251!1 X-Originating-IP: [193.36.79.210] X-StarScan-Received: X-StarScan-Version: 6.11.1; banners=-,-,- X-VirusChecked: Checked Received: (qmail 25602 invoked from network); 1 Apr 2014 08:48:48 -0000 Received: from unknown (HELO aphex) (193.36.79.210) by server-5.tower-139.messagelabs.com with SMTP; 1 Apr 2014 08:48:48 -0000 Received: from UK30S005EXS02.EEAD.EEINT.CO.UK (Not Verified[10.246.208.14]) by aphex with MailMarshal (v6, 8, 2, 9371) id ; Tue, 01 Apr 2014 09:51:31 +0100 Received: from UK31S005EXS06.EEAD.EEINT.CO.UK ([fe80::d851:f0e3:bba5:c1a0]) by UK30S005EXS02.EEAD.EEINT.CO.UK ([2002:62c:2a4f::62c:2a4f]) with mapi id 14.02.0318.004; Tue, 1 Apr 2014 09:48:47 +0100 From: "Sleigh, Robert" To: Marco Ermini , "opsec@ietf.org" Thread-Topic: [OPSEC] comments for firewall draft Thread-Index: AQHPTIlSGEUkBVtZGkyikdOJaeSur5r7WW0AgAAMAQCAAQ9cMA== Date: Tue, 1 Apr 2014 08:48:47 +0000 Message-ID: <679694A32AB94046931C676BEF4BA8B80C8F9093@UK31S005EXS06.EEAD.EEINT.CO.UK> References: <53399D5A.8050802@viagenie.ca> <38465846B6383D4A8688C0A13971900C46A146D7@GE2EML2K1003.corp.resmed.org> In-Reply-To: <38465846B6383D4A8688C0A13971900C46A146D7@GE2EML2K1003.corp.resmed.org> Accept-Language: en-GB, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.246.208.5] Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/yq6DbPmJjA9b4g5WV8ol98dl42E Subject: Re: [OPSEC] comments for firewall draft X-BeenThere: opsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: opsec wg mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 01 Apr 2014 08:48:56 -0000 Hi Marco -1 for me, no place for NAT in an IPv6 FW doc Regards =A0 Bob 07958 318592 =A0 Life's for sharing... and what I like to share the most is a smile -----Original Message----- From: OPSEC [mailto:opsec-bounces@ietf.org] On Behalf Of Marco Ermini Sent: 31 March 2014 18:36 To: opsec@ietf.org Subject: Re: [OPSEC] comments for firewall draft -----Original Message----- From: OPSEC [mailto:opsec-bounces@ietf.org] On Behalf Of Simon Perreault Sent: Monday, March 31, 2014 6:53 PM To: opsec@ietf.org Subject: Re: [OPSEC] comments for firewall draft > Do you have specific things in mind that the draft should say on this t= opic? > > IMHO, the fact that NAT is common in firewall equipment is irrelevant. > Many other functions are common: IPSEC gateway, SSL VPN, IDS, etc. etc.= > etc. A draft covering everything would be a huge effort with low chance= =20of success. > > I would prefer this draft to remain focused on the core firewall functi= on. Well, then the argument is: is NAT a central function in a firewall, espe= cially in an IPv6 one? I do believe NAT is a bit different than the others you mentioned, becaus= e in the great majority of circumstances you would really use a firewall = to perform NAT. In all of the other cases you mentioned (VPN, NIDS, etc.) they may be ena= bled with a license in environments where no better solution is desired, = required or could be afforded; but they are really not central to a firew= all, and are better performed with a dedicated system. Mileage may vary with different firewall brands; e.g. with Juniper, SSL V= PN is better provided by a dedicated security gateway appliance, while in= =20Cisco or Palo Alto there is more convergence and this function is enab= led by license. Anyway, all of them (thinking especially about NIDS/NIPS)= =20are better provided by dedicated appliances and are not really so cent= ral for a firewall. Worth to be noted, in the original RFP document I redacted, there were al= so all of these functions, but they were removed as it would have been to= o many things to discuss at once. However, I do think that NAT may have s= ome special merit. Therefore it would be good to collect votes on that. S= o far I got 3+ and 1- if I am not wrong. Marco Ermini=20 Senior IT Security and Compliance Analyst ResMed Germany Inc Fraunhofer S= tr. 16 - 82152 - Martinsried - Germany ResMed.com=20 =20----------------------------------------------------------------------= Warning: Copyright ResMed. Where the contents of this email and/or atta= chment includes materials prepared by ResMed, the use of those materials = is subject exclusively to the conditions of engagement between ResMed and= =20the intended recipient. This communication is confidential and may co= ntain legally privileged information. By the use of email over the Inter= net or other communication systems, ResMed is not waiving either confiden= tiality of, or legal privilege in, the content of the email and of any at= tachments. If the recipient of this message is not the intended addresse= e, please call ResMed immediately on 1 (800) 424-0737 USA. =20----------------------------------------------------------------------= _______________________________________________ OPSEC mailing list OPSEC@ietf.org https://www.ietf.org/mailman/listinfo/opsec NOTICE AND DISCLAIMER This e-mail (including any attachments) is intended for the above-named p= erson(s). If you are not the intended recipient, notify the sender immed= iately, delete this email from your system and do not disclose or use for= =20any purpose. =20 =20 We may monitor all incoming and outgoing emails in line with current legi= slation. We have taken steps to ensure that this email and attachments ar= e free from any virus, but it remains your responsibility to ensure that = viruses do not adversely affect you.=20 EE Limited Registered in England and Wales Company Registered Number: 02382161 Registered Office Address: Trident Place, Mosquito Way, Hatfield, Hertfor= dshire, AL10 9BW From nobody Tue Apr 1 02:20:53 2014 Return-Path: X-Original-To: opsec@ietfa.amsl.com Delivered-To: opsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7566A1A7016 for ; Tue, 1 Apr 2014 02:20:51 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, UNPARSEABLE_RELAY=0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6CGzdKvdf8wk for ; Tue, 1 Apr 2014 02:20:49 -0700 (PDT) Received: from mail1.bemta3.messagelabs.com (mail1.bemta3.messagelabs.com [195.245.230.176]) by ietfa.amsl.com (Postfix) with ESMTP id 698431A098C for ; Tue, 1 Apr 2014 02:20:48 -0700 (PDT) Received: from [85.158.137.35:56830] by server-16.bemta-3.messagelabs.com id C9/52-13481-CE48A335; Tue, 01 Apr 2014 09:20:44 +0000 X-Env-Sender: robert.sleigh@ee.co.uk X-Msg-Ref: server-5.tower-134.messagelabs.com!1396344032!26304504!1 X-Originating-IP: [193.36.79.210] X-StarScan-Received: X-StarScan-Version: 6.11.1; banners=-,-,- X-VirusChecked: Checked Received: (qmail 3663 invoked from network); 1 Apr 2014 09:20:34 -0000 Received: from unknown (HELO aphex) (193.36.79.210) by server-5.tower-134.messagelabs.com with SMTP; 1 Apr 2014 09:20:34 -0000 Received: from UK31S005EXS02.EEAD.EEINT.CO.UK (Not Verified[10.246.208.27]) by aphex with MailMarshal (v6, 8, 2, 9371) id ; Tue, 01 Apr 2014 10:23:15 +0100 Received: from UK31S005EXS06.EEAD.EEINT.CO.UK ([fe80::d851:f0e3:bba5:c1a0]) by UK31S005EXS02.EEAD.EEINT.CO.UK ([fe80::5093:62a6:6ee3:7198%11]) with mapi id 14.02.0318.004; Tue, 1 Apr 2014 10:20:31 +0100 From: "Sleigh, Robert" To: "Sleigh, Robert" , Marco Ermini , "opsec@ietf.org" Thread-Topic: [OPSEC] comments for firewall draft Thread-Index: AQHPTIlSGEUkBVtZGkyikdOJaeSur5r7WW0AgAAMAQCAAQ9cMIAAAlmQ Date: Tue, 1 Apr 2014 09:20:32 +0000 Message-ID: <679694A32AB94046931C676BEF4BA8B80C8F913E@UK31S005EXS06.EEAD.EEINT.CO.UK> References: <53399D5A.8050802@viagenie.ca> <38465846B6383D4A8688C0A13971900C46A146D7@GE2EML2K1003.corp.resmed.org> <679694A32AB94046931C676BEF4BA8B80C8F9093@UK31S005EXS06.EEAD.EEINT.CO.UK> In-Reply-To: <679694A32AB94046931C676BEF4BA8B80C8F9093@UK31S005EXS06.EEAD.EEINT.CO.UK> Accept-Language: en-GB, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.246.208.5] Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/5Y7UJXmtj_UBeysXGKqhh2fnbVg Subject: Re: [OPSEC] comments for firewall draft X-BeenThere: opsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: opsec wg mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 01 Apr 2014 09:20:51 -0000 Hi Marco A little more clarity after a little more reflection... -1 no place for NAT66 or NAT46 +1 for optional/transitional NAT64 in an IPv6 FW doc, on the assumption that the intent to create an "IPv6 F= W doc" sets it apart from just a "FW doc" where I might expect to see the= =20full range of IPv4 & IPv6 techniques included... Regards =A0 Bob 07958 318592 =A0 Life's for sharing... and what I like to share the most is a smile -----Original Message----- From: OPSEC [mailto:opsec-bounces@ietf.org] On Behalf Of Sleigh, Robert Sent: 01 April 2014 09:49 To: Marco Ermini; opsec@ietf.org Subject: Re: [OPSEC] comments for firewall draft Hi Marco -1 for me, no place for NAT in an IPv6 FW doc Regards =A0 Bob 07958 318592 =A0 Life's for sharing... and what I like to share the most is a smile -----Original Message----- From: OPSEC [mailto:opsec-bounces@ietf.org] On Behalf Of Marco Ermini Sent: 31 March 2014 18:36 To: opsec@ietf.org Subject: Re: [OPSEC] comments for firewall draft -----Original Message----- From: OPSEC [mailto:opsec-bounces@ietf.org] On Behalf Of Simon Perreault Sent: Monday, March 31, 2014 6:53 PM To: opsec@ietf.org Subject: Re: [OPSEC] comments for firewall draft > Do you have specific things in mind that the draft should say on this t= opic? > > IMHO, the fact that NAT is common in firewall equipment is irrelevant. > Many other functions are common: IPSEC gateway, SSL VPN, IDS, etc. etc.= > etc. A draft covering everything would be a huge effort with low chance= =20of success. > > I would prefer this draft to remain focused on the core firewall functi= on. Well, then the argument is: is NAT a central function in a firewall, espe= cially in an IPv6 one? I do believe NAT is a bit different than the others you mentioned, becaus= e in the great majority of circumstances you would really use a firewall = to perform NAT. In all of the other cases you mentioned (VPN, NIDS, etc.) they may be ena= bled with a license in environments where no better solution is desired, = required or could be afforded; but they are really not central to a firew= all, and are better performed with a dedicated system. Mileage may vary with different firewall brands; e.g. with Juniper, SSL V= PN is better provided by a dedicated security gateway appliance, while in= =20Cisco or Palo Alto there is more convergence and this function is enab= led by license. Anyway, all of them (thinking especially about NIDS/NIPS)= =20are better provided by dedicated appliances and are not really so cent= ral for a firewall. Worth to be noted, in the original RFP document I redacted, there were al= so all of these functions, but they were removed as it would have been to= o many things to discuss at once. However, I do think that NAT may have s= ome special merit. Therefore it would be good to collect votes on that. S= o far I got 3+ and 1- if I am not wrong. Marco Ermini=20 Senior IT Security and Compliance Analyst ResMed Germany Inc Fraunhofer S= tr. 16 - 82152 - Martinsried - Germany ResMed.com=20 =20----------------------------------------------------------------------= Warning: Copyright ResMed. Where the contents of this email and/or atta= chment includes materials prepared by ResMed, the use of those materials = is subject exclusively to the conditions of engagement between ResMed and= =20the intended recipient. This communication is confidential and may co= ntain legally privileged information. By the use of email over the Inter= net or other communication systems, ResMed is not waiving either confiden= tiality of, or legal privilege in, the content of the email and of any at= tachments. If the recipient of this message is not the intended addresse= e, please call ResMed immediately on 1 (800) 424-0737 USA. =20----------------------------------------------------------------------= _______________________________________________ OPSEC mailing list OPSEC@ietf.org https://www.ietf.org/mailman/listinfo/opsec NOTICE AND DISCLAIMER This e-mail (including any attachments) is intended for the above-named p= erson(s). If you are not the intended recipient, notify the sender immed= iately, delete this email from your system and do not disclose or use for= =20any purpose. =20 =20 We may monitor all incoming and outgoing emails in line with current legi= slation. We have taken steps to ensure that this email and attachments ar= e free from any virus, but it remains your responsibility to ensure that = viruses do not adversely affect you.=20 EE Limited Registered in England and Wales Company Registered Number: 02382161 Registered Office Address: Trident Place, Mosquito Way, Hatfield, Hertfor= dshire, AL10 9BW _______________________________________________ OPSEC mailing list OPSEC@ietf.org https://www.ietf.org/mailman/listinfo/opsec NOTICE AND DISCLAIMER This e-mail (including any attachments) is intended for the above-named p= erson(s). If you are not the intended recipient, notify the sender immed= iately, delete this email from your system and do not disclose or use for= =20any purpose. =20 =20 We may monitor all incoming and outgoing emails in line with current legi= slation. We have taken steps to ensure that this email and attachments ar= e free from any virus, but it remains your responsibility to ensure that = viruses do not adversely affect you.=20 EE Limited Registered in England and Wales Company Registered Number: 02382161 Registered Office Address: Trident Place, Mosquito Way, Hatfield, Hertfor= dshire, AL10 9BW From nobody Tue Apr 1 02:23:52 2014 Return-Path: X-Original-To: opsec@ietfa.amsl.com Delivered-To: opsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A13211A802C for ; Tue, 1 Apr 2014 02:23:44 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.899 X-Spam-Level: X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, UNPARSEABLE_RELAY=0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vYIO9_2nkE_S for ; Tue, 1 Apr 2014 02:23:41 -0700 (PDT) Received: from mail1.bemta8.messagelabs.com (mail1.bemta8.messagelabs.com [216.82.243.201]) by ietfa.amsl.com (Postfix) with ESMTP id 533121A8032 for ; Tue, 1 Apr 2014 02:23:41 -0700 (PDT) Received: from [216.82.242.131:38977] by server-9.bemta-8.messagelabs.com id 87/87-11188-9958A335; Tue, 01 Apr 2014 09:23:37 +0000 X-Env-Sender: Marco.Ermini@ResMed.com X-Msg-Ref: server-7.tower-76.messagelabs.com!1396344216!34732075!1 X-Originating-IP: [195.234.33.10] X-StarScan-Received: X-StarScan-Version: 6.11.1; banners=resmed.com,-,- X-VirusChecked: Checked Received: (qmail 22218 invoked from network); 1 Apr 2014 09:23:37 -0000 Received: from unknown (HELO mail.resmed.de) (195.234.33.10) by server-7.tower-76.messagelabs.com with SMTP; 1 Apr 2014 09:23:37 -0000 Received: from GE2EML2K1002.corp.resmed.org ([172.17.6.117]) by mail.resmed.de with Microsoft SMTPSVC(6.0.3790.4675); Tue, 1 Apr 2014 11:23:36 +0200 Received: from GE2EML2K1003.corp.resmed.org ([fe80::8547:a85:1c2d:a4bd]) by GE2EML2K1002.corp.resmed.org ([fe80::f03c:7713:9fd9:8984%17]) with mapi id 14.01.0355.002; Tue, 1 Apr 2014 11:23:35 +0200 From: Marco Ermini To: "opsec@ietf.org" Thread-Topic: [OPSEC] comments for firewall draft Thread-Index: AQHPTIlWpyXEukspEkWNz7BwNWd4kZr7SKkAgAAqYWCAAODAgIAACN4AgAAhuSA= Date: Tue, 1 Apr 2014 09:23:35 +0000 Message-ID: <38465846B6383D4A8688C0A13971900C46A17E3F@GE2EML2K1003.corp.resmed.org> References: <53399D5A.8050802@viagenie.ca> <38465846B6383D4A8688C0A13971900C46A146D7@GE2EML2K1003.corp.resmed.org> <679694A32AB94046931C676BEF4BA8B80C8F9093@UK31S005EXS06.EEAD.EEINT.CO.UK> <679694A32AB94046931C676BEF4BA8B80C8F913E@UK31S005EXS06.EEAD.EEINT.CO.UK> In-Reply-To: <679694A32AB94046931C676BEF4BA8B80C8F913E@UK31S005EXS06.EEAD.EEINT.CO.UK> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [172.17.48.87] Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginalArrivalTime: 01 Apr 2014 09:23:36.0654 (UTC) FILETIME=[0F6C26E0:01CF4D8C] Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/9iDtySa7pos2ukMw2ky4r-zmF_Q Subject: Re: [OPSEC] comments for firewall draft X-BeenThere: opsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: opsec wg mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 01 Apr 2014 09:23:44 -0000 Fine for me. Fernando already commented on this, and he said he is engaged in adding so= me words in the draft describing why NAT (or other functions for what that= matters) are not included. Does anyone else think we should add "optional/transitional NAT64" to the = draft? Marco Ermini Senior IT Security and Compliance Analyst =20 ResMed Germany Inc=A0Fraunhofer Str. 16 - 82152 - Martinsried - Germany ResMed.com -----Original Message----- From: Sleigh, Robert [mailto:robert.sleigh@ee.co.uk]=20 Sent: Tuesday, April 01, 2014 11:21 AM To: Sleigh, Robert; Marco Ermini; opsec@ietf.org Subject: RE: [OPSEC] comments for firewall draft Hi Marco A little more clarity after a little more reflection... -1 no place for NAT66 or NAT46 +1 for optional/transitional NAT64 in an IPv6 FW doc, on the assumption that the intent to create an "IPv6 FW= doc" sets it apart from just a "FW doc" where I might expect to see the f= ull range of IPv4 & IPv6 techniques included... Regards =A0 Bob 07958 318592 =A0 Life's for sharing... and=20what I like to share the most is a smile -----Original Message----- From: OPSEC [mailto:opsec-bounces@ietf.org] On Behalf Of Sleigh, Robert Sent: 01 April 2014 09:49 To: Marco Ermini; opsec@ietf.org Subject: Re: [OPSEC] comments for firewall draft Hi Marco -1 for me, no place for NAT in an IPv6 FW doc Regards =A0 Bob 07958 318592 =A0 Life's for sharing... and what I like to share the most is a smile -----Original Message----- From: OPSEC [mailto:opsec-bounces@ietf.org] On Behalf Of Marco Ermini Sent: 31 March 2014 18:36 To: opsec@ietf.org Subject: Re: [OPSEC] comments for firewall draft -----Original Message----- From: OPSEC [mailto:opsec-bounces@ietf.org] On Behalf Of Simon Perreault Sent: Monday, March 31, 2014 6:53 PM To: opsec@ietf.org Subject: Re: [OPSEC] comments for firewall draft > Do you have specific things in mind that the draft should say on this to= pic? > > IMHO, the fact that NAT is common in firewall equipment is irrelevant. > Many other functions are common: IPSEC gateway, SSL VPN, IDS, etc. etc. > etc. A draft covering everything would be a huge effort with low chance = of success. > > I would prefer this draft to remain focused on the core firewall functio= n. Well, then the argument is: is NAT a central function in a firewall, espec= ially in an IPv6 one? I do believe NAT is a bit different than the others you mentioned, because= in the great majority of circumstances you would really use a firewall to= perform NAT. In all of the other cases you mentioned (VPN, NIDS, etc.) they may be enab= led with a license in environments where no better solution is desired, re= quired or could be afforded; but they are really not central to a firewall= , and are better performed with a dedicated system. Mileage may vary with different firewall brands; e.g. with Juniper, SSL VP= N is better provided by a dedicated security gateway appliance, while in C= isco or Palo Alto there is more convergence and this function is enabled b= y license. Anyway, all of them (thinking especially about NIDS/NIPS) are b= etter provided by=20dedicated appliances and are not really so central for= a firewall. Worth to be noted, in the original RFP document I redacted, there were als= o all of these functions, but they were removed as it would have been too = many things to discuss at once. However, I do think that NAT may have some= special merit. Therefore it would be good to collect votes on that. So fa= r I got 3+ and 1- if I am not wrong. Marco Ermini=20 Senior IT Security and Compliance Analyst ResMed Germany Inc Fraunhofer St= r. 16 - 82152 - Martinsried - Germany ResMed.com=20 ---------------------------------------------------------------------- Warning: Copyright ResMed. Where the contents of this email and/or attac= hment includes materials prepared by ResMed, the use of those materials is= subject exclusively to the conditions of engagement between ResMed and th= e intended recipient. This communication is confidential and may contain = legally privileged information. By the use of email over the Internet or = other communication systems, ResMed is not waiving either confidentiality = of, or legal privilege in, the content of the email and of any attachments= . If the recipient of this message is not the intended addressee, please = call ResMed immediately on 1 (800) 424-0737 USA. ---------------------------------------------------------------------- _______________________________________________ OPSEC mailing list OPSEC@ietf.org https://www.ietf.org/mailman/listinfo/opsec NOTICE AND DISCLAIMER This e-mail (including any attachments) is intended for the above-named pe= rson(s). If you are not the intended recipient, notify the sender immedia= tely, delete this email from your system and do not disclose or use for an= y purpose. =20 =20 We may monitor all incoming and outgoing emails in line with current legis= lation. We have taken steps to ensure that this email and attachments are = free from any virus, but it remains your responsibility to ensure that vir= uses do not adversely affect you.=20 EE Limited Registered in England and Wales Company Registered Number: 02382161 Registered Office Address: Trident Place, Mosquito Way, Hatfield, Hertford= shire, AL10 9BW _______________________________________________ OPSEC mailing list OPSEC@ietf.org https://www.ietf.org/mailman/listinfo/opsec NOTICE AND DISCLAIMER This e-mail (including any attachments) is intended for the above-named pe= rson(s). If you are not the intended recipient, notify the sender immedia= tely, delete this email from your system and do not disclose or use for an= y purpose. =20 =20 We may monitor all incoming and outgoing emails in line with current legis= lation. We have taken steps to ensure that this email and attachments are = free from any virus, but it remains your responsibility to ensure that vir= uses do not adversely affect you.=20 EE Limited Registered in England and Wales Company Registered Number: 02382161 Registered Office Address: Trident Place, Mosquito Way, Hatfield, Hertford= shire, AL10 9BW ---------------------------------------------------------------------- Warning: Copyright ResMed. Where the contents of this email and/or attac= hment includes materials prepared by ResMed, the use of those materials is subject exclusively to the conditions of engagement between R= esMed and the intended recipient. This communication is confidential and = may contain legally privileged information. By the use of email over the = Internet or other communication systems, ResMed is not waiving either conf= identiality of, or legal privilege in, the content of the email and of any= attachments. If the recipient of this message is not the intended addres= see, please call ResMed immediately on 1 (800) 424-0737 USA. ---------------------------------------------------------------------- From nobody Tue Apr 8 02:18:27 2014 Return-Path: X-Original-To: opsec@ietfa.amsl.com Delivered-To: opsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 344001A01CE for ; Tue, 8 Apr 2014 02:18:24 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -9.51 X-Spam-Level: X-Spam-Status: No, score=-9.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pHCwbsOoFBCA for ; Tue, 8 Apr 2014 02:18:19 -0700 (PDT) Received: from alln-iport-4.cisco.com (alln-iport-4.cisco.com [173.37.142.91]) by ietfa.amsl.com (Postfix) with ESMTP id 853471A01BB for ; Tue, 8 Apr 2014 02:18:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=6996; q=dns/txt; s=iport; t=1396948694; x=1398158294; h=from:to:cc:subject:date:message-id:mime-version; bh=aFjNKZrg8YLlYcX9hDnNZu7dzzJJMu1VWmHC1h8OT6Y=; b=U5Bl5M4CPpj7l5Vhv/AYqQPDhn9zuzcQ5J+Tb9glF4sQUviIytPGZ9Af WzXB3zadQIoK3cyJeOJbG20OwWnM6dTqHwB4a+zjyVKHn66CXiGP1l7IY OAd1g1LMUvpxPpY8Dtto4GBjFsJqYMrv3ucJpK/fZ+HwnhArGPm7JRc1f s=; X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: AiYFAGC+Q1OtJV2a/2dsb2JhbABZgkJEO1fEI4EeFnSCJwEEHRBMEgEqViYBBA4Nh3ENyiMTBI45LQSDK4EUBKscgzCCKw X-IronPort-AV: E=Sophos; i="4.97,816,1389744000"; d="scan'208,217"; a="33905333" Received: from rcdn-core-3.cisco.com ([173.37.93.154]) by alln-iport-4.cisco.com with ESMTP; 08 Apr 2014 09:18:13 +0000 Received: from xhc-rcd-x01.cisco.com (xhc-rcd-x01.cisco.com [173.37.183.75]) by rcdn-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id s389IDHV012201 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 8 Apr 2014 09:18:13 GMT Received: from xmb-aln-x12.cisco.com ([169.254.7.118]) by xhc-rcd-x01.cisco.com ([173.37.183.75]) with mapi id 14.03.0123.003; Tue, 8 Apr 2014 04:18:13 -0500 From: "Gunter Van de Velde (gvandeve)" To: opsec wg mailing list Thread-Topic: Start of 2nd WGLC for draft-ietf-opsec-bgp-security Thread-Index: Ac9TCpCty6WW3UV9Rc+t1rBkEBAqQQ== Date: Tue, 8 Apr 2014 09:18:13 +0000 Message-ID: <67832B1175062E48926BF3CB27C49B241138EAF1@xmb-aln-x12.cisco.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.61.84.61] Content-Type: multipart/alternative; boundary="_000_67832B1175062E48926BF3CB27C49B241138EAF1xmbalnx12ciscoc_" MIME-Version: 1.0 Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/DPNDRJ8wfCh5npz41xF1JNVsdEA Cc: "draft-ietf-opsec-bgp-security@tools.ietf.org" Subject: [OPSEC] Start of 2nd WGLC for draft-ietf-opsec-bgp-security X-BeenThere: opsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: opsec wg mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 08 Apr 2014 09:18:24 -0000 --_000_67832B1175062E48926BF3CB27C49B241138EAF1xmbalnx12ciscoc_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Dear OpSec WG, This starts a 2nd Working Group Last Call for draft-ietf-opsec-bgp-security= . Due to the time taken to integrate all comments from the first WGLC this 2n= d WGLC is initiated. All three authors have replied, stating that they do not know of any IPR as= sociated with this draft. The draft is available here: https://datatracker.ietf.org/doc/draft-ietf-op= sec-bgp-security/ Please review this draft to see if you think it is ready for publication an= d comments to the list, clearly stating your view. This WGLC ends 22-April-2014. Thanks, G/ --_000_67832B1175062E48926BF3CB27C49B241138EAF1xmbalnx12ciscoc_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

Dear O= pSec WG,

This s= tarts a 2^nd Working Group Last Call for draft-ietf-opsec-bgp-sec= urity.

Due to= the time taken to integrate all comments from the first WGLC this 2^nd= WGLC is initiated.

&= nbsp;

All th= ree authors have replied, stating that they do not know of any IPR associat= ed with this draft.

The dr= aft is available here: https://datatracker.ietf.org/doc/draft-ietf-opsec-bgp-security/=

Please= review this draft to see if you think it is ready for publication and comm= ents to the list, clearly stating your view.<= /o:p>

This W= GLC ends 22-April-2014.

Thanks= ,

--_000_67832B1175062E48926BF3CB27C49B241138EAF1xmbalnx12ciscoc_-- From nobody Tue Apr 8 03:08:55 2014 Return-Path: X-Original-To: opsec@ietfa.amsl.com Delivered-To: opsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 20F061A01FF for ; Tue, 8 Apr 2014 03:08:54 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.902 X-Spam-Level: X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0jsYVIOGuMWV for ; Tue, 8 Apr 2014 03:08:48 -0700 (PDT) Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:8240:6:a::1]) by ietfa.amsl.com (Postfix) with ESMTP id 99BC01A02A5 for ; Tue, 8 Apr 2014 03:08:17 -0700 (PDT) Received: from [186.137.77.143] (helo=[192.168.3.106]) by web01.jbserver.net with esmtpsa (TLSv1:DHE-RSA-AES128-SHA:128) (Exim 4.82) (envelope-from ) id 1WXSwo-0007Aw-Kb; Tue, 08 Apr 2014 12:08:06 +0200 Message-ID: <5343CA7C.6030109@si6networks.com> Date: Tue, 08 Apr 2014 07:07:56 -0300 From: Fernando Gont User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: "Smith, Donald" , Marco Ermini , "opsec@ietf.org" References: <38465846B6383D4A8688C0A13971900C469B76AA@GE2EML2K1003.corp.resmed.org> <68EFACB32CF4464298EA2779B058889D123C146D@PDDCWMBXEX503.ctl.intranet> In-Reply-To: <68EFACB32CF4464298EA2779B058889D123C146D@PDDCWMBXEX503.ctl.intranet> X-Enigmail-Version: 1.5.2 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/Rg32xIgZzzyLRtiDQvaaXJM0KYY Subject: Re: [OPSEC] I-D Action: draft-gont-opsec-ipv6-firewall-reqs-00.txt X-BeenThere: opsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: opsec wg mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 08 Apr 2014 10:08:54 -0000 On 02/18/2014 08:39 PM, Smith, Donald wrote: > Just a nit initially. > "This document > specifies a set of requirements for IPv6 firewalls, marked as > "mandatory", "recommended", or "optional"." > > > That isn't the language we use. FWIW, the plan is to change the requirements language to: ---- cut here ---- In this document, the words that are used to define the significance of each particular requirement are capitalized. These words are: o "MUST" This word, or the words "REQUIRED" and "SHALL" mean that the item is an absolute requirement of the specification. o "SHOULD" This word or the adjective "RECOMMENDED" means that there may exist valid reasons in particular circumstances to ignore this item, but the full implications should be understood and the case carefully weighed before choosing a different course. o "MAY" This word or the adjective "OPTIONAL" means that this item is truly optional. One vendor may choose to include the item because a particular marketplace requires it or because it enhances the product, for example; another vendor may omit the same item. A firewall implementation is a module that supports at least one of the feature types defined in this document. Firewall implementations may support multiple feature types, but conformance is considered individually for each type. A firewall implementation is not compliant with a specific feature type if it fails to satisfy one or more of the MUST requirements of such specific feature type. An implementation that satisfies all the MUST and all the SHOULD requirements of a specific feature is said to be "unconditionally compliant" with such feature type; one that satisfies all the MUST requirements but not all the SHOULD requirements is said to be "conditionally compliant" with such feature type. ---- cut here ---- So you may decide to implement one set of feature, but not another. e.g. "This device is fully-compliant wit the general security requirements in [fw-reqs], conditionally-compliant to the reporting requirements in [fw-reqs]", etc. (FWIW, this was partly borrowed from the firewalls performance benchmarking rfc, and part from some other rfc) Thanks! Cheers, -- Fernando Gont SI6 Networks e-mail: fgont@si6networks.com PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 From nobody Wed Apr 9 14:05:49 2014 Return-Path: X-Original-To: opsec@ietfa.amsl.com Delivered-To: opsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 40D581A024D for ; Wed, 9 Apr 2014 14:05:38 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 2.664 X-Spam-Level: ** X-Spam-Status: No, score=2.664 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HELO_EQ_MODEMCABLE=0.768, HOST_EQ_MODEMCABLE=1.368, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h_R8NHVRF7mD for ; Wed, 9 Apr 2014 14:05:30 -0700 (PDT) Received: from cdpipgw02.twcable.com (cdpipgw02.twcable.com [165.237.59.23]) by ietfa.amsl.com (Postfix) with ESMTP id 90DA11A0232 for ; Wed, 9 Apr 2014 14:05:30 -0700 (PDT) X-SENDER-IP: 10.136.163.10 X-SENDER-REPUTATION: None X-IronPort-AV: E=Sophos;i="4.97,828,1389762000"; d="scan'208,217";a="255326567" Received: from unknown (HELO PRVPEXHUB01.corp.twcable.com) ([10.136.163.10]) by cdpipgw02.twcable.com with ESMTP/TLS/RC4-MD5; 09 Apr 2014 17:03:22 -0400 Received: from PRVPEXVS15.corp.twcable.com ([10.136.163.78]) by PRVPEXHUB01.corp.twcable.com ([10.136.163.10]) with mapi; Wed, 9 Apr 2014 17:05:29 -0400 From: "George, Wes" To: "Gunter Van de Velde (gvandeve)" , opsec wg mailing list Date: Wed, 9 Apr 2014 17:05:27 -0400 Thread-Topic: [OPSEC] Start of 2nd WGLC for draft-ietf-opsec-bgp-security Thread-Index: Ac9UN2+/T1QHbw+ATLC7yGU3XgLHJQ== Message-ID: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: user-agent: Microsoft-MacOutlook/14.3.9.131030 acceptlanguage: en-US Content-Type: multipart/alternative; boundary="_000_CF6B0FC1179B5wesleygeorgetwcablecom_" MIME-Version: 1.0 Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/EHAHFniBgk2lodUlLGq6keOQFUc Cc: "draft-ietf-opsec-bgp-security@tools.ietf.org" Subject: Re: [OPSEC] Start of 2nd WGLC for draft-ietf-opsec-bgp-security X-BeenThere: opsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: opsec wg mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Apr 2014 21:05:38 -0000 --_000_CF6B0FC1179B5wesleygeorgetwcablecom_ Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 SeKAmXZlIHJldmlld2VkIHByZXZpb3VzIHZlcnNpb25zIG9mIHRoaXMgZHJhZnQsIGJ1dCBtYWRl IGEgbmV3IHBhc3MgdGhyb3VnaCBpdC4NCkkgdGhpbmsgaXTigJlzIG1vc3RseSByZWFkeSB0byBw dWJsaXNoLCB0aG91Z2ggc29saWNpdGluZyByZXZpZXdzIGZyb20gbm9uLUlFVEYgb3BlcmF0b3Ig bGlzdHMgbWlnaHQgYmUgYSBnb29kIHRoaW5nIHRvIGRvIGJlZm9yZSB3ZSBnbyB0byBJRVRGIExD Lg0KDQpUaGUgYWJzdHJhY3QgbmVlZHMgdG8gcmVtb3ZlIHRoZSByZWZlcmVuY2UgdG8gTUQ1IHNp bmNlIGl0IGlzIGRlcHJlY2F0ZWQuIFNpbWlsYXJseSwgc2VjdGlvbiA0LjEgbmVlZHMgdG8gZXhw bGljaXRseSBub3RlIHRoYXQgTUQ1IGhhcyBiZWVuIGRlcHJlY2F0ZWQgYnkgQU8sIG5vdCBzaW1w bHkgcmVjb21tZW5kIHRoYXQgQU8gYmUgdXNlZCB3aGVuIGF2YWlsYWJsZS4gSeKAmWxsIGNvbmNl ZGUgdGhhdCBNRDUgaXMgYmV0dGVyIHRoYW4gbm90aGluZywgYnV0IGl04oCZcyBub3Qgc29tZXRo aW5nIHdlIHdhbnQgdG8gcmVjb21tZW5kIGluIGEgbmV3IEJDUCB3aXRob3V0IGJlaW5nIGNsZWFy IHdoeSBpdCBzaG91bGRu4oCZdCBiZSB1c2VkIGFueW1vcmUuDQoNClRoZXJlIGFyZSBwbGFjZXMg d2hlcmUgd29yZHMgbGlrZSDigJxyZWNvbW1lbmRlZCIgYXJlIHVzZWQgaW4gd2F5cyB0aGF0IGxv b2sgdG8gYmUgMjExOSB1c2FnZSwgYnV0IGFyZSBub3QgY2FwaXRhbGl6ZWQuIFRoaXMgbmVlZHMg dG8gYmUgY29uc2lzdGVudCB0aHJvdWdob3V0IHRoZSBkb2N1bWVudCwgc28gdGhhdCB0aGV5IGFy ZSB1c2VkIHdoZW5ldmVyIGEgcmVjb21tZW5kYXRpb24gaXMgYmVpbmcgbWFkZSBhcyBzb21ldGhp bmcgdGhhdCB5b3UgU0hPVUxEL01VU1QgZG8gaW4gb3JkZXIgdG8gYmUgaW4gY29tcGxpYW5jZSB3 aXRoIHRoaXMgQmVzdCBDb21tb24gUHJhY3RpY2UuDQoNClNlY3Rpb24gMy0gbWF5IHdhbnQgdG8g bWVudGlvbiByYXRlLWxpbWl0aW5nIGFjY2VwdGVkIHRyYWZmaWMgaW4gYWRkaXRpb24gdG8gc3Ry aWN0IGZpbHRlcmluZyBvZiB1bmFjY2VwdGFibGUgdHJhZmZpYw0KDQo0LjEg4oCTIHJlZmVyZW5j ZSB0byBCQ1AzOCBpbiB0aGUg4oCcYmxvY2sgc3Bvb2ZlZCBwYWNrZXRz4oCdIHNlY3Rpb24gYXQg dGhlIGVuZD8NCg0KNS4xLjIuMyDigJMgcmVmZXJlbmNlIHRvIElSUnRvb2xzZXQ/DQoNCjUuMi4x IChvciBwb3NzaWJseSBzZWN0aW9uIDgpIC0gRmlsdGVyaW5nIHBlZXIgQVNlcyBpbmJvdW5kIGZy b20gY3VzdG9tZXJzPyAoaW4gdGhpcyBjYXNlIOKAnHBlZXLigJ0gbWVhbmluZyBhIG5vbi10cmFu c2l0IGludGVyY29ubmVjdCwgbm90IGp1c3Qgc29tZW9uZSB5b3UgYXJlIGNvbm5lY3RlZCB0byB2 aWEgQkdQKSBJLmUuIElmIEkga25vdyB0aGF0IEkgc2hvdWxkIG9ubHkgcmVjZWl2ZSByb3V0ZXMg d2l0aCA3MDEgaW4gdGhlIHBhdGggZnJvbSA3MDEgYmVjYXVzZSBJIGRvIG5vdCB1c2UgYW55IG90 aGVyIEFTTiBhcyB0cmFuc2l0IHRvIHJlYWNoIDcwMSwgSSBzaG91bGQgZmlsdGVyIHJvdXRlcyBp bmJvdW5kIGZyb20gb3RoZXIgc291cmNlcyB0byBlbnN1cmUgdGhhdCB0aGV5IGRvbuKAmXQgYW5u b3VuY2Ugcm91dGVzIHdpdGggdGhhdCBwYXRoLiBUaGlzIGlzIHNvbWV3aGVyZSBiZXR3ZWVuIHRo ZSBzdHJpY3QgSVJSIGJhc2VkIGZpbHRlcnMgYW5kIHRoZSBsb29zZSBmaWx0ZXJzLCBhbmQgZGVw ZW5kcyBvbiB0aGUgdG9wb2xvZ3kgb2YgdGhlIG5ldHdvcmsgYW5kIG15IGJ1c2luZXNzIHJlbGF0 aW9uc2hpcHMsIGJ1dCBJIHRoaW5rIGl04oCZcyBhIHVzZWZ1bCBwb2ludCB0byBtYWtlIHRvIGFk ZCBzb21lIGFkZGl0aW9uYWwgc2FmZXR5IGZpbHRlcmluZyB0byBwcmV2ZW50IOKAnG15IGlkaW90 IGN1c3RvbWVyIGlzIHRyeWluZyB0byByZS1hbm5vdW5jZSB0aGUgaW50ZXJuZXQgdG8gbWXigJ0g YWxvbmcgd2l0aCBtYXgtcHJlZml4LCB3aGljaCB5b3UgYWxyZWFkeSBjb3Zlci4NCg0KU2VjdGlv biAxMeKAmXMgZnV0dXJlIHdvcmsgZWl0aGVyIG5lZWRzIHRvIGJlIGNvbXBsZXRlZCBpbiB0aGlz IGRvY3VtZW50IG9yIGV4cGxpY2l0bHkgaWRlbnRpZmllZCBhcyB3b3JrIGZvciBhIGZ1dHVyZSBk b2N1bWVudC4gVGhlIFdHIG5lZWRzIHRvIGRpc2N1c3Mgd2hhdCBpcyBhcHByb3ByaWF0ZSB0byBh ZGQgdG8gdGhpcyBkb2MgdnMgbGVhdmUgZm9yIGZ1dHVyZSB3b3JrIGJlZm9yZSB0aGlzIHByb2Nl ZWRzLg0KDQpTZWN0aW9uIDEyIG5lZWRzIGV4cGxpY2l0IG5vdGVzIHRvIHRoZSBSRkMgZWRpdG9y IHRvIHJlbW92ZSB0aGUgc2VjdGlvbiBwcmlvciB0byBwdWJsaWNhdGlvbi4NCg0KVGhpcyBtYXkg YmUgc29tZXRoaW5nIHRoYXQgdGhlIFJGQyBlZGl0b3Igd2lsbCBmaXgsIGJ1dCBpdCB3b3VsZCBi ZSBwcmVmZXJhYmxlIHRvIHVzZSB0aGUgYWN0dWFsIGRyYWZ0IG5hbWUgb3IgUkZDIG51bWJlciBh cyB0aGUgcmVmZXJlbmNlIHRhZyBpbnN0ZWFkIG9mIG51bWVyaWMgdGFncywgc28gdGhhdCB0aGUg cmVhZGVyIGtub3dzIHdoYXQgeW91IGFyZSByZWZlcmVuY2luZyB3aXRob3V0IGhhdmluZyB0byBq dW1wIHRvIGZvb3Rub3RlcyBlYWNoIHRpbWUuDQoNCg0KVGhhbmtzLA0KDQpXZXMgR2VvcmdlDQoN Cg0KRnJvbTogIkd1bnRlciBWYW4gZGUgVmVsZGUgKGd2YW5kZXZlKSIgPGd2YW5kZXZlQGNpc2Nv LmNvbTxtYWlsdG86Z3ZhbmRldmVAY2lzY28uY29tPj4NCkRhdGU6IFR1ZXNkYXksIEFwcmlsIDgs IDIwMTQgYXQgNToxOCBBTQ0KVG86IG9wc2VjIHdnIG1haWxpbmcgbGlzdCA8b3BzZWNAaWV0Zi5v cmc8bWFpbHRvOm9wc2VjQGlldGYub3JnPj4NCkNjOiAiZHJhZnQtaWV0Zi1vcHNlYy1iZ3Atc2Vj dXJpdHlAdG9vbHMuaWV0Zi5vcmc8bWFpbHRvOmRyYWZ0LWlldGYtb3BzZWMtYmdwLXNlY3VyaXR5 QHRvb2xzLmlldGYub3JnPiIgPGRyYWZ0LWlldGYtb3BzZWMtYmdwLXNlY3VyaXR5QHRvb2xzLmll dGYub3JnPG1haWx0bzpkcmFmdC1pZXRmLW9wc2VjLWJncC1zZWN1cml0eUB0b29scy5pZXRmLm9y Zz4+DQpTdWJqZWN0OiBbT1BTRUNdIFN0YXJ0IG9mIDJuZCBXR0xDIGZvciBkcmFmdC1pZXRmLW9w c2VjLWJncC1zZWN1cml0eQ0KDQoNCkRlYXIgT3BTZWMgV0csDQoNCg0KDQpUaGlzIHN0YXJ0cyBh IDJuZCBXb3JraW5nIEdyb3VwIExhc3QgQ2FsbCBmb3IgZHJhZnQtaWV0Zi1vcHNlYy1iZ3Atc2Vj dXJpdHkuDQoNCkR1ZSB0byB0aGUgdGltZSB0YWtlbiB0byBpbnRlZ3JhdGUgYWxsIGNvbW1lbnRz IGZyb20gdGhlIGZpcnN0IFdHTEMgdGhpcyAybmQgV0dMQyBpcyBpbml0aWF0ZWQuDQoNCg0KDQpB bGwgdGhyZWUgYXV0aG9ycyBoYXZlIHJlcGxpZWQsIHN0YXRpbmcgdGhhdCB0aGV5IGRvIG5vdCBr bm93IG9mIGFueSBJUFIgYXNzb2NpYXRlZCB3aXRoIHRoaXMgZHJhZnQuDQoNCg0KVGhlIGRyYWZ0 IGlzIGF2YWlsYWJsZSBoZXJlOiBodHRwczovL2RhdGF0cmFja2VyLmlldGYub3JnL2RvYy9kcmFm dC1pZXRmLW9wc2VjLWJncC1zZWN1cml0eS88aHR0cHM6Ly9kYXRhdHJhY2tlci5pZXRmLm9yZy9k b2MvZHJhZnQtaWV0Zi1vcHNlYy1sbGEtb25seS8+DQoNCg0KUGxlYXNlIHJldmlldyB0aGlzIGRy YWZ0IHRvIHNlZSBpZiB5b3UgdGhpbmsgaXQgaXMgcmVhZHkgZm9yIHB1YmxpY2F0aW9uIGFuZCBj b21tZW50cyB0byB0aGUgbGlzdCwgY2xlYXJseSBzdGF0aW5nIHlvdXIgdmlldy4NCg0KDQoNClRo aXMgV0dMQyBlbmRzIDIyLUFwcmlsLTIwMTQuDQoNCg0KDQpUaGFua3MsDQoNCkcvDQoNCg0KX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX18NClRoaXMgRS1tYWlsIGFuZCBhbnkgb2YgaXRz IGF0dGFjaG1lbnRzIG1heSBjb250YWluIFRpbWUgV2FybmVyIENhYmxlIHByb3ByaWV0YXJ5IGlu Zm9ybWF0aW9uLCB3aGljaCBpcyBwcml2aWxlZ2VkLCBjb25maWRlbnRpYWwsIG9yIHN1YmplY3Qg dG8gY29weXJpZ2h0IGJlbG9uZ2luZyB0byBUaW1lIFdhcm5lciBDYWJsZS4gVGhpcyBFLW1haWwg aXMgaW50ZW5kZWQgc29sZWx5IGZvciB0aGUgdXNlIG9mIHRoZSBpbmRpdmlkdWFsIG9yIGVudGl0 eSB0byB3aGljaCBpdCBpcyBhZGRyZXNzZWQuIElmIHlvdSBhcmUgbm90IHRoZSBpbnRlbmRlZCBy ZWNpcGllbnQgb2YgdGhpcyBFLW1haWwsIHlvdSBhcmUgaGVyZWJ5IG5vdGlmaWVkIHRoYXQgYW55 IGRpc3NlbWluYXRpb24sIGRpc3RyaWJ1dGlvbiwgY29weWluZywgb3IgYWN0aW9uIHRha2VuIGlu IHJlbGF0aW9uIHRvIHRoZSBjb250ZW50cyBvZiBhbmQgYXR0YWNobWVudHMgdG8gdGhpcyBFLW1h aWwgaXMgc3RyaWN0bHkgcHJvaGliaXRlZCBhbmQgbWF5IGJlIHVubGF3ZnVsLiBJZiB5b3UgaGF2 ZSByZWNlaXZlZCB0aGlzIEUtbWFpbCBpbiBlcnJvciwgcGxlYXNlIG5vdGlmeSB0aGUgc2VuZGVy IGltbWVkaWF0ZWx5IGFuZCBwZXJtYW5lbnRseSBkZWxldGUgdGhlIG9yaWdpbmFsIGFuZCBhbnkg Y29weSBvZiB0aGlzIEUtbWFpbCBhbmQgYW55IHByaW50b3V0Lg0K --_000_CF6B0FC1179B5wesleygeorgetwcablecom_ Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: base64 PGh0bWw+DQo8aGVhZD4NCjxtZXRhIGh0dHAtZXF1aXY9IkNvbnRlbnQtVHlwZSIgY29udGVudD0i dGV4dC9odG1sOyBjaGFyc2V0PXV0Zi04Ij4NCjwvaGVhZD4NCjxib2R5IHN0eWxlPSJ3b3JkLXdy YXA6IGJyZWFrLXdvcmQ7IC13ZWJraXQtbmJzcC1tb2RlOiBzcGFjZTsgLXdlYmtpdC1saW5lLWJy ZWFrOiBhZnRlci13aGl0ZS1zcGFjZTsgY29sb3I6IHJnYigwLCAwLCAwKTsgZm9udC1zaXplOiAx NHB4OyBmb250LWZhbWlseTogQ2FsaWJyaSwgc2Fucy1zZXJpZjsiPg0KPGRpdj4NCjxkaXY+DQo8 ZGl2PknigJl2ZSByZXZpZXdlZCBwcmV2aW91cyB2ZXJzaW9ucyBvZiB0aGlzIGRyYWZ0LCBidXQg bWFkZSBhIG5ldyBwYXNzIHRocm91Z2ggaXQuPC9kaXY+DQo8ZGl2PkkgdGhpbmsgaXTigJlzIG1v c3RseSByZWFkeSB0byBwdWJsaXNoLCB0aG91Z2ggc29saWNpdGluZyByZXZpZXdzIGZyb20gbm9u LUlFVEYgb3BlcmF0b3IgbGlzdHMgbWlnaHQgYmUgYSBnb29kIHRoaW5nIHRvIGRvIGJlZm9yZSB3 ZSBnbyB0byBJRVRGIExDLjwvZGl2Pg0KPGRpdj48YnI+DQo8L2Rpdj4NCjxkaXY+VGhlIGFic3Ry YWN0IG5lZWRzIHRvIHJlbW92ZSB0aGUgcmVmZXJlbmNlIHRvIE1ENSBzaW5jZSBpdCBpcyBkZXBy ZWNhdGVkLiBTaW1pbGFybHksIHNlY3Rpb24gNC4xIG5lZWRzIHRvIGV4cGxpY2l0bHkgbm90ZSB0 aGF0IE1ENSBoYXMgYmVlbiBkZXByZWNhdGVkIGJ5IEFPLCBub3Qgc2ltcGx5IHJlY29tbWVuZCB0 aGF0IEFPIGJlIHVzZWQgd2hlbiBhdmFpbGFibGUuIEnigJlsbCBjb25jZWRlIHRoYXQgTUQ1IGlz IGJldHRlciB0aGFuIG5vdGhpbmcsDQogYnV0IGl04oCZcyBub3Qgc29tZXRoaW5nIHdlIHdhbnQg dG8gcmVjb21tZW5kIGluIGEgbmV3IEJDUCB3aXRob3V0IGJlaW5nIGNsZWFyIHdoeSBpdCBzaG91 bGRu4oCZdCBiZSB1c2VkIGFueW1vcmUuJm5ic3A7PC9kaXY+DQo8ZGl2Pjxicj4NCjwvZGl2Pg0K PGRpdj5UaGVyZSBhcmUgcGxhY2VzIHdoZXJlIHdvcmRzIGxpa2Ug4oCccmVjb21tZW5kZWQmcXVv dDsgYXJlIHVzZWQgaW4gd2F5cyB0aGF0IGxvb2sgdG8gYmUgMjExOSB1c2FnZSwgYnV0IGFyZSBu b3QgY2FwaXRhbGl6ZWQuIFRoaXMgbmVlZHMgdG8gYmUgY29uc2lzdGVudCB0aHJvdWdob3V0IHRo ZSBkb2N1bWVudCwgc28gdGhhdCB0aGV5IGFyZSB1c2VkIHdoZW5ldmVyIGEgcmVjb21tZW5kYXRp b24gaXMgYmVpbmcgbWFkZSBhcyBzb21ldGhpbmcgdGhhdCB5b3UNCiBTSE9VTEQvTVVTVCBkbyBp biBvcmRlciB0byBiZSBpbiBjb21wbGlhbmNlIHdpdGggdGhpcyBCZXN0IENvbW1vbiBQcmFjdGlj ZS48L2Rpdj4NCjxkaXY+PGJyPg0KPC9kaXY+DQo8ZGl2PlNlY3Rpb24gMy0gbWF5IHdhbnQgdG8g bWVudGlvbiByYXRlLWxpbWl0aW5nIGFjY2VwdGVkIHRyYWZmaWMgaW4gYWRkaXRpb24gdG8gc3Ry aWN0IGZpbHRlcmluZyBvZiB1bmFjY2VwdGFibGUgdHJhZmZpYzwvZGl2Pg0KPGRpdj48YnI+DQo8 L2Rpdj4NCjxkaXY+NC4xIOKAkyByZWZlcmVuY2UgdG8gQkNQMzggaW4gdGhlIOKAnGJsb2NrIHNw b29mZWQgcGFja2V0c+KAnSBzZWN0aW9uIGF0IHRoZSBlbmQ/PC9kaXY+DQo8ZGl2Pjxicj4NCjwv ZGl2Pg0KPGRpdj41LjEuMi4zIOKAkyByZWZlcmVuY2UgdG8gSVJSdG9vbHNldD88L2Rpdj4NCjxk aXY+PGJyPg0KPC9kaXY+DQo8ZGl2PjUuMi4xIChvciBwb3NzaWJseSBzZWN0aW9uIDgpIC0gRmls dGVyaW5nIHBlZXIgQVNlcyBpbmJvdW5kIGZyb20gY3VzdG9tZXJzPyAoaW4gdGhpcyBjYXNlIOKA nHBlZXLigJ0gbWVhbmluZyBhIG5vbi10cmFuc2l0IGludGVyY29ubmVjdCwgbm90IGp1c3Qgc29t ZW9uZSB5b3UgYXJlIGNvbm5lY3RlZCB0byB2aWEgQkdQKSBJLmUuIElmIEkga25vdyB0aGF0IEkg c2hvdWxkIG9ubHkgcmVjZWl2ZSByb3V0ZXMgd2l0aCA3MDEgaW4gdGhlIHBhdGggZnJvbQ0KIDcw MSBiZWNhdXNlIEkgZG8gbm90IHVzZSBhbnkgb3RoZXIgQVNOIGFzIHRyYW5zaXQgdG8gcmVhY2gg NzAxLCBJIHNob3VsZCBmaWx0ZXIgcm91dGVzIGluYm91bmQgZnJvbSBvdGhlciBzb3VyY2VzIHRv IGVuc3VyZSB0aGF0IHRoZXkgZG9u4oCZdCBhbm5vdW5jZSByb3V0ZXMgd2l0aCB0aGF0IHBhdGgu IFRoaXMgaXMgc29tZXdoZXJlIGJldHdlZW4gdGhlIHN0cmljdCBJUlIgYmFzZWQgZmlsdGVycyBh bmQgdGhlIGxvb3NlIGZpbHRlcnMsIGFuZCBkZXBlbmRzDQogb24gdGhlIHRvcG9sb2d5IG9mIHRo ZSBuZXR3b3JrIGFuZCBteSBidXNpbmVzcyByZWxhdGlvbnNoaXBzLCBidXQgSSB0aGluayBpdOKA mXMgYSB1c2VmdWwgcG9pbnQgdG8gbWFrZSB0byBhZGQgc29tZSBhZGRpdGlvbmFsIHNhZmV0eSBm aWx0ZXJpbmcgdG8gcHJldmVudCDigJxteSBpZGlvdCBjdXN0b21lciBpcyB0cnlpbmcgdG8gcmUt YW5ub3VuY2UgdGhlIGludGVybmV0IHRvIG1l4oCdIGFsb25nIHdpdGggbWF4LXByZWZpeCwgd2hp Y2ggeW91IGFscmVhZHkNCiBjb3Zlci48L2Rpdj4NCjxkaXY+PGJyPg0KPC9kaXY+DQo8ZGl2PlNl Y3Rpb24gMTHigJlzIGZ1dHVyZSB3b3JrIGVpdGhlciBuZWVkcyB0byBiZSBjb21wbGV0ZWQgaW4g dGhpcyBkb2N1bWVudCBvciBleHBsaWNpdGx5IGlkZW50aWZpZWQgYXMgd29yayBmb3IgYSBmdXR1 cmUgZG9jdW1lbnQuIFRoZSBXRyBuZWVkcyB0byBkaXNjdXNzIHdoYXQgaXMgYXBwcm9wcmlhdGUg dG8gYWRkIHRvIHRoaXMgZG9jIHZzIGxlYXZlIGZvciBmdXR1cmUgd29yayBiZWZvcmUgdGhpcyBw cm9jZWVkcy48L2Rpdj4NCjxkaXY+PGJyPg0KPC9kaXY+DQo8ZGl2PlNlY3Rpb24gMTIgbmVlZHMg ZXhwbGljaXQgbm90ZXMgdG8gdGhlIFJGQyBlZGl0b3IgdG8gcmVtb3ZlIHRoZSBzZWN0aW9uIHBy aW9yIHRvIHB1YmxpY2F0aW9uLiZuYnNwOzwvZGl2Pg0KPGRpdj48YnI+DQo8L2Rpdj4NCjxkaXY+ VGhpcyBtYXkgYmUgc29tZXRoaW5nIHRoYXQgdGhlIFJGQyBlZGl0b3Igd2lsbCBmaXgsIGJ1dCBp dCB3b3VsZCBiZSBwcmVmZXJhYmxlIHRvIHVzZSB0aGUgYWN0dWFsIGRyYWZ0IG5hbWUgb3IgUkZD IG51bWJlciBhcyB0aGUgcmVmZXJlbmNlIHRhZyBpbnN0ZWFkIG9mIG51bWVyaWMgdGFncywgc28g dGhhdCB0aGUgcmVhZGVyIGtub3dzIHdoYXQgeW91IGFyZSByZWZlcmVuY2luZyB3aXRob3V0IGhh dmluZyB0byBqdW1wIHRvIGZvb3Rub3Rlcw0KIGVhY2ggdGltZS4mbmJzcDs8L2Rpdj4NCjxkaXY+ PGJyPg0KPC9kaXY+DQo8ZGl2Pjxicj4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3Jt YWwiIHN0eWxlPSJtYXJnaW4tdG9wOiAwaW47IG1hcmdpbi1yaWdodDogMGluOyBtYXJnaW4tbGVm dDogMGluOyI+DQpUaGFua3MsPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBz dHlsZT0ibWFyZ2luLXRvcDogMGluOyBtYXJnaW4tcmlnaHQ6IDBpbjsgbWFyZ2luLWxlZnQ6IDBp bjsiPg0KPG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0i bWFyZ2luLXRvcDogMGluOyBtYXJnaW4tcmlnaHQ6IDBpbjsgbWFyZ2luLWxlZnQ6IDBpbjsiPg0K V2VzIEdlb3JnZTxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1h cmdpbi10b3A6IDBpbjsgbWFyZ2luLXJpZ2h0OiAwaW47IG1hcmdpbi1sZWZ0OiAwaW47Ij4NCjxv OnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1hcmdpbi10 b3A6IDBpbjsgbWFyZ2luLXJpZ2h0OiAwaW47IG1hcmdpbi1sZWZ0OiAwaW47Ij4NCjxicj4NCjwv cD4NCjwvZGl2Pg0KPC9kaXY+DQo8L2Rpdj4NCjxzcGFuIGlkPSJPTEtfU1JDX0JPRFlfU0VDVElP TiI+DQo8ZGl2IHN0eWxlPSJmb250LWZhbWlseTpDYWxpYnJpOyBmb250LXNpemU6MTFwdDsgdGV4 dC1hbGlnbjpsZWZ0OyBjb2xvcjpibGFjazsgQk9SREVSLUJPVFRPTTogbWVkaXVtIG5vbmU7IEJP UkRFUi1MRUZUOiBtZWRpdW0gbm9uZTsgUEFERElORy1CT1RUT006IDBpbjsgUEFERElORy1MRUZU OiAwaW47IFBBRERJTkctUklHSFQ6IDBpbjsgQk9SREVSLVRPUDogI2I1YzRkZiAxcHQgc29saWQ7 IEJPUkRFUi1SSUdIVDogbWVkaXVtIG5vbmU7IFBBRERJTkctVE9QOiAzcHQiPg0KPHNwYW4gc3R5 bGU9ImZvbnQtd2VpZ2h0OmJvbGQiPkZyb206IDwvc3Bhbj4mcXVvdDtHdW50ZXIgVmFuIGRlIFZl bGRlIChndmFuZGV2ZSkmcXVvdDsgJmx0OzxhIGhyZWY9Im1haWx0bzpndmFuZGV2ZUBjaXNjby5j b20iPmd2YW5kZXZlQGNpc2NvLmNvbTwvYT4mZ3Q7PGJyPg0KPHNwYW4gc3R5bGU9ImZvbnQtd2Vp Z2h0OmJvbGQiPkRhdGU6IDwvc3Bhbj5UdWVzZGF5LCBBcHJpbCA4LCAyMDE0IGF0IDU6MTggQU08 YnI+DQo8c3BhbiBzdHlsZT0iZm9udC13ZWlnaHQ6Ym9sZCI+VG86IDwvc3Bhbj5vcHNlYyB3ZyBt YWlsaW5nIGxpc3QgJmx0OzxhIGhyZWY9Im1haWx0bzpvcHNlY0BpZXRmLm9yZyI+b3BzZWNAaWV0 Zi5vcmc8L2E+Jmd0Ozxicj4NCjxzcGFuIHN0eWxlPSJmb250LXdlaWdodDpib2xkIj5DYzogPC9z cGFuPiZxdW90OzxhIGhyZWY9Im1haWx0bzpkcmFmdC1pZXRmLW9wc2VjLWJncC1zZWN1cml0eUB0 b29scy5pZXRmLm9yZyI+ZHJhZnQtaWV0Zi1vcHNlYy1iZ3Atc2VjdXJpdHlAdG9vbHMuaWV0Zi5v cmc8L2E+JnF1b3Q7ICZsdDs8YSBocmVmPSJtYWlsdG86ZHJhZnQtaWV0Zi1vcHNlYy1iZ3Atc2Vj dXJpdHlAdG9vbHMuaWV0Zi5vcmciPmRyYWZ0LWlldGYtb3BzZWMtYmdwLXNlY3VyaXR5QHRvb2xz LmlldGYub3JnPC9hPiZndDs8YnI+DQo8c3BhbiBzdHlsZT0iZm9udC13ZWlnaHQ6Ym9sZCI+U3Vi amVjdDogPC9zcGFuPltPUFNFQ10gU3RhcnQgb2YgMm5kIFdHTEMgZm9yIGRyYWZ0LWlldGYtb3Bz ZWMtYmdwLXNlY3VyaXR5PGJyPg0KPC9kaXY+DQo8ZGl2Pjxicj4NCjwvZGl2Pg0KPGRpdiB4bWxu czp2PSJ1cm46c2NoZW1hcy1taWNyb3NvZnQtY29tOnZtbCIgeG1sbnM6bz0idXJuOnNjaGVtYXMt bWljcm9zb2Z0LWNvbTpvZmZpY2U6b2ZmaWNlIiB4bWxuczp3PSJ1cm46c2NoZW1hcy1taWNyb3Nv ZnQtY29tOm9mZmljZTp3b3JkIiB4bWxuczptPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29t L29mZmljZS8yMDA0LzEyL29tbWwiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy9UUi9SRUMtaHRt bDQwIj4NCjxtZXRhIG5hbWU9IkdlbmVyYXRvciIgY29udGVudD0iTWljcm9zb2Z0IFdvcmQgMTQg KGZpbHRlcmVkIG1lZGl1bSkiPg0KPHN0eWxlPjwhLS0NCi8qIEZvbnQgRGVmaW5pdGlvbnMgKi8N CkBmb250LWZhY2UNCgl7Zm9udC1mYW1pbHk6Q2FsaWJyaTsNCglwYW5vc2UtMToyIDE1IDUgMiAy IDIgNCAzIDIgNDt9DQpAZm9udC1mYWNlDQoJe2ZvbnQtZmFtaWx5OlRpbWVzOw0KCXBhbm9zZS0x OjIgMiA2IDMgNSA0IDUgMiAzIDQ7fQ0KLyogU3R5bGUgRGVmaW5pdGlvbnMgKi8NCnAuTXNvTm9y bWFsLCBsaS5Nc29Ob3JtYWwsIGRpdi5Nc29Ob3JtYWwNCgl7bWFyZ2luOjBjbTsNCgltYXJnaW4t Ym90dG9tOi4wMDAxcHQ7DQoJZm9udC1zaXplOjExLjBwdDsNCglmb250LWZhbWlseToiQ2FsaWJy aSIsInNhbnMtc2VyaWYiOw0KCW1zby1mYXJlYXN0LWxhbmd1YWdlOkVOLVVTO30NCmE6bGluaywg c3Bhbi5Nc29IeXBlcmxpbmsNCgl7bXNvLXN0eWxlLXByaW9yaXR5Ojk5Ow0KCWNvbG9yOmJsdWU7 DQoJdGV4dC1kZWNvcmF0aW9uOnVuZGVybGluZTt9DQphOnZpc2l0ZWQsIHNwYW4uTXNvSHlwZXJs aW5rRm9sbG93ZWQNCgl7bXNvLXN0eWxlLXByaW9yaXR5Ojk5Ow0KCWNvbG9yOnB1cnBsZTsNCgl0 ZXh0LWRlY29yYXRpb246dW5kZXJsaW5lO30NCnANCgl7bXNvLXN0eWxlLXByaW9yaXR5Ojk5Ow0K CW1zby1tYXJnaW4tdG9wLWFsdDphdXRvOw0KCW1hcmdpbi1yaWdodDowY207DQoJbXNvLW1hcmdp bi1ib3R0b20tYWx0OmF1dG87DQoJbWFyZ2luLWxlZnQ6MGNtOw0KCWZvbnQtc2l6ZToxMi4wcHQ7 DQoJZm9udC1mYW1pbHk6IlRpbWVzIE5ldyBSb21hbiIsInNlcmlmIjt9DQpzcGFuLkVtYWlsU3R5 bGUxNw0KCXttc28tc3R5bGUtdHlwZTpwZXJzb25hbC1jb21wb3NlOw0KCWZvbnQtZmFtaWx5OiJD YWxpYnJpIiwic2Fucy1zZXJpZiI7DQoJY29sb3I6d2luZG93dGV4dDt9DQouTXNvQ2hwRGVmYXVs dA0KCXttc28tc3R5bGUtdHlwZTpleHBvcnQtb25seTsNCglmb250LWZhbWlseToiQ2FsaWJyaSIs InNhbnMtc2VyaWYiOw0KCW1zby1mYXJlYXN0LWxhbmd1YWdlOkVOLVVTO30NCkBwYWdlIFdvcmRT ZWN0aW9uMQ0KCXtzaXplOjYxMi4wcHQgNzkyLjBwdDsNCgltYXJnaW46NzIuMHB0IDcyLjBwdCA3 Mi4wcHQgNzIuMHB0O30NCmRpdi5Xb3JkU2VjdGlvbjENCgl7cGFnZTpXb3JkU2VjdGlvbjE7fQ0K LS0+PC9zdHlsZT48IS0tW2lmIGd0ZSBtc28gOV0+PHhtbD4NCjxvOnNoYXBlZGVmYXVsdHMgdjpl eHQ9ImVkaXQiIHNwaWRtYXg9IjEwMjYiIC8+DQo8L3htbD48IVtlbmRpZl0tLT48IS0tW2lmIGd0 ZSBtc28gOV0+PHhtbD4NCjxvOnNoYXBlbGF5b3V0IHY6ZXh0PSJlZGl0Ij4NCjxvOmlkbWFwIHY6 ZXh0PSJlZGl0IiBkYXRhPSIxIiAvPg0KPC9vOnNoYXBlbGF5b3V0PjwveG1sPjwhW2VuZGlmXS0t Pg0KPGRpdiBsYW5nPSJFTi1HQiIgbGluaz0iYmx1ZSIgdmxpbms9InB1cnBsZSI+DQo8ZGl2IGNs YXNzPSJXb3JkU2VjdGlvbjEiPg0KPHAgc3R5bGU9Im1hcmdpbjowY207bWFyZ2luLWJvdHRvbTou MDAwMXB0Ij48c3BhbiBzdHlsZT0iZm9udC1zaXplOiAxMy41cHQ7IGZvbnQtZmFtaWx5OiBBcmlh bCwgc2Fucy1zZXJpZjsgY29sb3I6IGJsYWNrOyI+RGVhciBPcFNlYyBXRyw8L3NwYW4+PHNwYW4g c3R5bGU9ImZvbnQtc2l6ZTogMTMuNXB0OyBmb250LWZhbWlseTogVGltZXMsIHNlcmlmOyBjb2xv cjogYmxhY2s7Ij48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48 c3BhbiBzdHlsZT0iZm9udC1zaXplOiAxMy41cHQ7IGZvbnQtZmFtaWx5OiBUaW1lcywgc2VyaWY7 IGNvbG9yOiBibGFjazsiPjxicj4NCjxicj4NCjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIHN0 eWxlPSJtYXJnaW46MGNtO21hcmdpbi1ib3R0b206LjAwMDFwdCI+PHNwYW4gc3R5bGU9ImZvbnQt c2l6ZTogMTMuNXB0OyBmb250LWZhbWlseTogQXJpYWwsIHNhbnMtc2VyaWY7IGNvbG9yOiBibGFj azsiPlRoaXMgc3RhcnRzIGEgMjxzdXA+bmQ8L3N1cD4gV29ya2luZyBHcm91cCBMYXN0IENhbGwg Zm9yIGRyYWZ0LWlldGYtb3BzZWMtYmdwLXNlY3VyaXR5LjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4N CjxwIHN0eWxlPSJtYXJnaW46MGNtO21hcmdpbi1ib3R0b206LjAwMDFwdCI+PHNwYW4gc3R5bGU9 ImZvbnQtc2l6ZTogMTMuNXB0OyBmb250LWZhbWlseTogQXJpYWwsIHNhbnMtc2VyaWY7IGNvbG9y OiBibGFjazsiPkR1ZSB0byB0aGUgdGltZSB0YWtlbiB0byBpbnRlZ3JhdGUgYWxsIGNvbW1lbnRz IGZyb20gdGhlIGZpcnN0IFdHTEMgdGhpcyAyPHN1cD5uZDwvc3VwPiBXR0xDIGlzIGluaXRpYXRl ZC48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBzdHlsZT0ibWFyZ2luOjBjbTttYXJnaW4tYm90 dG9tOi4wMDAxcHQiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6IDEzLjVwdDsgZm9udC1mYW1pbHk6 IEFyaWFsLCBzYW5zLXNlcmlmOyBjb2xvcjogYmxhY2s7Ij48bzpwPiZuYnNwOzwvbzpwPjwvc3Bh bj48L3A+DQo8cCBzdHlsZT0ibWFyZ2luOjBjbTttYXJnaW4tYm90dG9tOi4wMDAxcHQiPjxzcGFu IHN0eWxlPSJmb250LXNpemU6IDEzLjVwdDsgZm9udC1mYW1pbHk6IEFyaWFsLCBzYW5zLXNlcmlm OyBjb2xvcjogYmxhY2s7Ij5BbGwgdGhyZWUgYXV0aG9ycyBoYXZlIHJlcGxpZWQsIHN0YXRpbmcg dGhhdCB0aGV5IGRvIG5vdCBrbm93IG9mIGFueSBJUFIgYXNzb2NpYXRlZCB3aXRoIHRoaXMgZHJh ZnQuPC9zcGFuPjxzcGFuIHN0eWxlPSJmb250LXNpemU6IDEzLjVwdDsgZm9udC1mYW1pbHk6IFRp bWVzLCBzZXJpZjsgY29sb3I6IGJsYWNrOyI+PG86cD48L286cD48L3NwYW4+PC9wPg0KPHAgY2xh c3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTogMTMuNXB0OyBmb250LWZhbWls eTogVGltZXMsIHNlcmlmOyBjb2xvcjogYmxhY2s7Ij48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48 L3A+DQo8cCBzdHlsZT0ibWFyZ2luOjBjbTttYXJnaW4tYm90dG9tOi4wMDAxcHQiPjxzcGFuIHN0 eWxlPSJmb250LXNpemU6IDEzLjVwdDsgZm9udC1mYW1pbHk6IEFyaWFsLCBzYW5zLXNlcmlmOyBj b2xvcjogYmxhY2s7Ij5UaGUgZHJhZnQgaXMgYXZhaWxhYmxlIGhlcmU6PC9zcGFuPjxzcGFuIHN0 eWxlPSJmb250LXNpemU6IDEzLjVwdDsgZm9udC1mYW1pbHk6IFRpbWVzLCBzZXJpZjsgY29sb3I6 IGJsYWNrOyI+PGEgaHJlZj0iaHR0cHM6Ly9kYXRhdHJhY2tlci5pZXRmLm9yZy9kb2MvZHJhZnQt aWV0Zi1vcHNlYy1sbGEtb25seS8iPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTogQXJpYWwsIHNh bnMtc2VyaWY7IGNvbG9yOiBibGFjazsiPg0KIGh0dHBzOi8vZGF0YXRyYWNrZXIuaWV0Zi5vcmcv ZG9jL2RyYWZ0LWlldGYtb3BzZWMtYmdwLXNlY3VyaXR5Lzwvc3Bhbj48L2E+PG86cD48L286cD48 L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTog MTMuNXB0OyBmb250LWZhbWlseTogVGltZXMsIHNlcmlmOyBjb2xvcjogYmxhY2s7Ij48bzpwPiZu YnNwOzwvbzpwPjwvc3Bhbj48L3A+DQo8cCBzdHlsZT0ibWFyZ2luOjBjbTttYXJnaW4tYm90dG9t Oi4wMDAxcHQiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6IDEzLjVwdDsgZm9udC1mYW1pbHk6IEFy aWFsLCBzYW5zLXNlcmlmOyBjb2xvcjogYmxhY2s7Ij5QbGVhc2UgcmV2aWV3IHRoaXMgZHJhZnQg dG8gc2VlIGlmIHlvdSB0aGluayBpdCBpcyByZWFkeSBmb3IgcHVibGljYXRpb24gYW5kIGNvbW1l bnRzIHRvIHRoZSBsaXN0LCBjbGVhcmx5IHN0YXRpbmcgeW91ciB2aWV3Ljwvc3Bhbj48c3BhbiBz dHlsZT0iZm9udC1zaXplOiAxMy41cHQ7IGZvbnQtZmFtaWx5OiBUaW1lcywgc2VyaWY7IGNvbG9y OiBibGFjazsiPjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxz cGFuIHN0eWxlPSJmb250LXNpemU6IDEzLjVwdDsgZm9udC1mYW1pbHk6IFRpbWVzLCBzZXJpZjsg Y29sb3I6IGJsYWNrOyI+PGJyPg0KPGJyPg0KPG86cD48L286cD48L3NwYW4+PC9wPg0KPHAgc3R5 bGU9Im1hcmdpbjowY207bWFyZ2luLWJvdHRvbTouMDAwMXB0Ij48c3BhbiBzdHlsZT0iZm9udC1z aXplOiAxMy41cHQ7IGZvbnQtZmFtaWx5OiBBcmlhbCwgc2Fucy1zZXJpZjsgY29sb3I6IGJsYWNr OyI+VGhpcyBXR0xDIGVuZHMgMjItQXByaWwtMjAxNC48L3NwYW4+PHNwYW4gc3R5bGU9ImZvbnQt c2l6ZTogMTMuNXB0OyBmb250LWZhbWlseTogVGltZXMsIHNlcmlmOyBjb2xvcjogYmxhY2s7Ij48 bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0i Zm9udC1zaXplOiAxMy41cHQ7IGZvbnQtZmFtaWx5OiBUaW1lcywgc2VyaWY7IGNvbG9yOiBibGFj azsiPjxicj4NCjxicj4NCjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIHN0eWxlPSJtYXJnaW46 MGNtO21hcmdpbi1ib3R0b206LjAwMDFwdCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTogMTMuNXB0 OyBmb250LWZhbWlseTogQXJpYWwsIHNhbnMtc2VyaWY7IGNvbG9yOiBibGFjazsiPlRoYW5rcyw8 L3NwYW4+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTogMTMuNXB0OyBmb250LWZhbWlseTogVGltZXMs IHNlcmlmOyBjb2xvcjogYmxhY2s7Ij48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBzdHlsZT0i bWFyZ2luOjBjbTttYXJnaW4tYm90dG9tOi4wMDAxcHQiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6 IDEzLjVwdDsgZm9udC1mYW1pbHk6IEFyaWFsLCBzYW5zLXNlcmlmOyBjb2xvcjogYmxhY2s7Ij5H Lzwvc3Bhbj48c3BhbiBzdHlsZT0iZm9udC1zaXplOiAxMy41cHQ7IGZvbnQtZmFtaWx5OiBUaW1l cywgc2VyaWY7IGNvbG9yOiBibGFjazsiPjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNz PSJNc29Ob3JtYWwiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjwvZGl2 Pg0KPC9zcGFuPjxicj4NCjxocj4NCjxmb250IGZhY2U9IkFyaWFsIiBjb2xvcj0iR3JheSIgc2l6 ZT0iMSI+VGhpcyBFLW1haWwgYW5kIGFueSBvZiBpdHMgYXR0YWNobWVudHMgbWF5IGNvbnRhaW4g VGltZSBXYXJuZXIgQ2FibGUgcHJvcHJpZXRhcnkgaW5mb3JtYXRpb24sIHdoaWNoIGlzIHByaXZp bGVnZWQsIGNvbmZpZGVudGlhbCwgb3Igc3ViamVjdCB0byBjb3B5cmlnaHQgYmVsb25naW5nIHRv IFRpbWUgV2FybmVyIENhYmxlLiBUaGlzIEUtbWFpbCBpcyBpbnRlbmRlZCBzb2xlbHkNCiBmb3Ig dGhlIHVzZSBvZiB0aGUgaW5kaXZpZHVhbCBvciBlbnRpdHkgdG8gd2hpY2ggaXQgaXMgYWRkcmVz c2VkLiBJZiB5b3UgYXJlIG5vdCB0aGUgaW50ZW5kZWQgcmVjaXBpZW50IG9mIHRoaXMgRS1tYWls LCB5b3UgYXJlIGhlcmVieSBub3RpZmllZCB0aGF0IGFueSBkaXNzZW1pbmF0aW9uLCBkaXN0cmli dXRpb24sIGNvcHlpbmcsIG9yIGFjdGlvbiB0YWtlbiBpbiByZWxhdGlvbiB0byB0aGUgY29udGVu dHMgb2YgYW5kIGF0dGFjaG1lbnRzIHRvDQogdGhpcyBFLW1haWwgaXMgc3RyaWN0bHkgcHJvaGli aXRlZCBhbmQgbWF5IGJlIHVubGF3ZnVsLiBJZiB5b3UgaGF2ZSByZWNlaXZlZCB0aGlzIEUtbWFp bCBpbiBlcnJvciwgcGxlYXNlIG5vdGlmeSB0aGUgc2VuZGVyIGltbWVkaWF0ZWx5IGFuZCBwZXJt YW5lbnRseSBkZWxldGUgdGhlIG9yaWdpbmFsIGFuZCBhbnkgY29weSBvZiB0aGlzIEUtbWFpbCBh bmQgYW55IHByaW50b3V0Ljxicj4NCjwvZm9udD4NCjwvYm9keT4NCjwvaHRtbD4NCg== --_000_CF6B0FC1179B5wesleygeorgetwcablecom_-- From nobody Thu Apr 10 00:21:02 2014 Return-Path: X-Original-To: opsec@ietfa.amsl.com Delivered-To: opsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BCB441A0145 for ; Thu, 10 Apr 2014 00:20:59 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -12.073 X-Spam-Level: X-Spam-Status: No, score=-12.073 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JhNxzg8VqbUm for ; Thu, 10 Apr 2014 00:20:54 -0700 (PDT) Received: from rcdn-iport-5.cisco.com (rcdn-iport-5.cisco.com [173.37.86.76]) by ietfa.amsl.com (Postfix) with ESMTP id C1C901A015D for ; Thu, 10 Apr 2014 00:20:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=6892; q=dns/txt; s=iport; t=1397114449; x=1398324049; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=T8Nzf4PF+M+ZUovlUcwA56q2BgBW65E/jbbsw52ZYXs=; b=dp7+wknOTKhR4rbB91B9Oqq7dSwKntAkx7KupRzuy4hhoPISiFNI4YPp Z1a40qhGKeMqLCiOINiMMX3Osa4Ar2/B2qMs6XTi46E+ASHZNMHczu/kF a1mV2i1g05jFRI5ifTxfpn8idCQoOoBYobks0/u8h4MOuE9zQrebCHRWx k=; X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: AkIFAHVFRlOtJV2c/2dsb2JhbABZgwY7V7xyhzWBHhZ0giUBAQEDAQEBARpRBAIFBQsCAQgRAwECLycLHQgBAQQOBYd0CA3MKxeJRYRFEQEdLgUHgySBFASUcYNtgTWRDYMwgXI5 X-IronPort-AV: E=Sophos;i="4.97,832,1389744000"; d="scan'208";a="316602613" Received: from rcdn-core-5.cisco.com ([173.37.93.156]) by rcdn-iport-5.cisco.com with ESMTP; 10 Apr 2014 07:20:48 +0000 Received: from xhc-rcd-x11.cisco.com (xhc-rcd-x11.cisco.com [173.37.183.85]) by rcdn-core-5.cisco.com (8.14.5/8.14.5) with ESMTP id s3A7KmE0018041 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Thu, 10 Apr 2014 07:20:48 GMT Received: from xmb-rcd-x01.cisco.com ([169.254.1.197]) by xhc-rcd-x11.cisco.com ([173.37.183.85]) with mapi id 14.03.0123.003; Thu, 10 Apr 2014 02:20:48 -0500 From: "Jerome Durand (jerduran)" To: "George, Wes" Thread-Topic: [OPSEC] Start of 2nd WGLC for draft-ietf-opsec-bgp-security Thread-Index: Ac9UN2+/T1QHbw+ATLC7yGU3XgLHJQAf9z4A Date: Thu, 10 Apr 2014 07:20:47 +0000 Message-ID: References: In-Reply-To: Accept-Language: fr-FR, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.61.102.227] Content-Type: text/plain; charset="Windows-1252" Content-ID: Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/Eby43lDSZsUlgTIHc9W6maSTOCg Cc: "draft-ietf-opsec-bgp-security@tools.ietf.org" , opsec wg mailing list Subject: Re: [OPSEC] Start of 2nd WGLC for draft-ietf-opsec-bgp-security X-BeenThere: opsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: opsec wg mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 10 Apr 2014 07:20:59 -0000 Hi George, > I=92ve reviewed previous versions of this draft, but made a new pass thro= ugh it. First thanks a lot for your help on this doc! > I think it=92s mostly ready to publish, though soliciting reviews from no= n-IETF operator lists might be a good thing to do before we go to IETF LC. Doc has already been presented RIPE and NANOG meeting as you know. Should w= e simply send an email recalling this is last call? > The abstract needs to remove the reference to MD5 since it is deprecated.= Similarly, section 4.1 needs to explicitly note that MD5 has been deprecat= ed by AO, not simply recommend that AO be used when available. I=92ll conce= de that MD5 is better than nothing, but it=92s not something we want to rec= ommend in a new BCP without being clear why it shouldn=92t be used anymore.= =20 I'll remove MD5 from the abstract. For section 4.1 I propose the following text for 2nd paragraph you're refer= ring to: TCP sessions used by BGP can be secured with a variety of mechanisms. MD5 protection of TCP session header [14] was the first existing mechani= sm. It is now deprececated by TCP Authentication Option (TCP-AO, [10]) which offers stronger protection. IPsec can also be used for this purpose. While MD5 is still the most used mechanism due to its availability in vendor's equipment, TCP-AO and MD5 SHOULD be preferred when implemented. Feel free to change the text. > There are places where words like =93recommended" are used in ways that l= ook to be 2119 usage, but are not capitalized. This needs to be consistent = throughout the document, so that they are used whenever a recommendation is= being made as something that you SHOULD/MUST do in order to be in complian= ce with this Best Common Practice. OK. > Section 3- may want to mention rate-limiting accepted traffic in addition= to strict filtering of unacceptable traffic Maybe a note on that. We probably don't want to start discussing the right = thresholds here. > 4.1 =96 reference to BCP38 in the =93block spoofed packets=94 section at = the end? Good point. I remember there was BCP38 at some stage but we removed it and = forgot to add it again when we added this small paragraph in 4.1 > 5.1.2.3 =96 reference to IRRtoolset? OK for a reference. > 5.2.1 (or possibly section 8) - Filtering peer ASes inbound from customer= s? (in this case =93peer=94 meaning a non-transit interconnect, not just so= meone you are connected to via BGP) I.e. If I know that I should only recei= ve routes with 701 in the path from 701 because I do not use any other ASN = as transit to reach 701, I should filter routes inbound from other sources = to ensure that they don=92t announce routes with that path. This is somewhe= re between the strict IRR based filters and the loose filters, and depends = on the topology of the network and my business relationships, but I think i= t=92s a useful point to make to add some additional safety filtering to pre= vent =93my idiot customer is trying to re-announce the internet to me=94 al= ong with max-prefix, which you already cover. I think that first bullet of section 8 is saying this. We are saying we nee= d to make sure we receive only identified ASes from customer, we probably d= on't need to add we have to filter the ones we don't want. Tell me if I did= n't understand your point. Feel free to propose some modified text. > Section 11=92s future work either needs to be completed in this document = or explicitly identified as work for a future document. The WG needs to dis= cuss what is appropriate to add to this doc vs leave for future work before= this proceeds. Indeed. Idea is indeed to remove this section: I forgot it was here. Comments were integrated except the one about IRRTOOLSET. Adding a referenc= e is enough I think, probably don't need to give examples in appendix. > Section 12 needs explicit notes to the RFC editor to remove the section p= rior to publication.=20 Sure, I think I'll even remove this section in next version. > This may be something that the RFC editor will fix, but it would be prefe= rable to use the actual draft name or RFC number as the reference tag inste= ad of numeric tags, so that the reader knows what you are referencing witho= ut having to jump to footnotes each time. If RFC editor can fix it I buy the idea. Otherwise you need to explain to m= e how to do it easily :) Thanks again for your comments. They will be integrated really soon. Please= let me know about the text I proposed in 4.1. Jerome >=20 >=20 > Thanks, > =20 > Wes George > =20 >=20 > From: "Gunter Van de Velde (gvandeve)" > Date: Tuesday, April 8, 2014 at 5:18 AM > To: opsec wg mailing list > Cc: "draft-ietf-opsec-bgp-security@tools.ietf.org" > Subject: [OPSEC] Start of 2nd WGLC for draft-ietf-opsec-bgp-security >=20 > Dear OpSec WG, >=20 >=20 > This starts a 2nd Working Group Last Call for draft-ietf-opsec-bgp-securi= ty. > Due to the time taken to integrate all comments from the first WGLC this = 2nd WGLC is initiated. > =20 > All three authors have replied, stating that they do not know of any IPR = associated with this draft. > =20 > The draft is available here: https://datatracker.ietf.org/doc/draft-ietf-= opsec-bgp-security/ > =20 > Please review this draft to see if you think it is ready for publication = and comments to the list, clearly stating your view. >=20 >=20 > This WGLC ends 22-April-2014. >=20 >=20 > Thanks, > G/ > =20 >=20 > This E-mail and any of its attachments may contain Time Warner Cable prop= rietary information, which is privileged, confidential, or subject to copyr= ight belonging to Time Warner Cable. This E-mail is intended solely for the= use of the individual or entity to which it is addressed. If you are not t= he intended recipient of this E-mail, you are hereby notified that any diss= emination, distribution, copying, or action taken in relation to the conten= ts of and attachments to this E-mail is strictly prohibited and may be unla= wful. If you have received this E-mail in error, please notify the sender i= mmediately and permanently delete the original and any copy of this E-mail = and any printout. > _______________________________________________ > OPSEC mailing list > OPSEC@ietf.org > https://www.ietf.org/mailman/listinfo/opsec -- Jerome Durand Consulting Systems Engineer - Routing & Switching jerduran@cisco.com - +33 6 35 11 60 50 blogs: http://reseauxblog.cisco.fr - http://ipv6blog.cisco.fr twitter: @JeromeDurand linkedin: http://fr.linkedin.com/in/jeromedurand CISCO France 11, rue Camille Desmoulins 92782 Issy les Moulineaux CEDEX 9 FRANCE From nobody Thu Apr 10 10:30:03 2014 Return-Path: X-Original-To: opsec@ietfa.amsl.com Delivered-To: opsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 82AD41A01F4 for ; Thu, 10 Apr 2014 10:30:02 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.737 X-Spam-Level: X-Spam-Status: No, score=-0.737 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_MODEMCABLE=0.768, HOST_EQ_MODEMCABLE=1.368, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yjf1nYPgaGF6 for ; Thu, 10 Apr 2014 10:29:59 -0700 (PDT) Received: from cdpipgw01.twcable.com (cdpipgw01.twcable.com [165.237.59.22]) by ietfa.amsl.com (Postfix) with ESMTP id 8DB281A01FF for ; Thu, 10 Apr 2014 10:29:59 -0700 (PDT) X-SENDER-IP: 10.136.163.15 X-SENDER-REPUTATION: None X-IronPort-AV: E=Sophos;i="4.97,835,1389762000"; d="scan'208";a="263506019" Received: from unknown (HELO PRVPEXHUB06.corp.twcable.com) ([10.136.163.15]) by cdpipgw01.twcable.com with ESMTP/TLS/RC4-MD5; 10 Apr 2014 13:27:56 -0400 Received: from PRVPEXVS15.corp.twcable.com ([10.136.163.78]) by PRVPEXHUB06.corp.twcable.com ([10.136.163.15]) with mapi; Thu, 10 Apr 2014 13:29:58 -0400 From: "George, Wes" To: "Jerome Durand (jerduran)" Date: Thu, 10 Apr 2014 13:30:00 -0400 Thread-Topic: [OPSEC] Start of 2nd WGLC for draft-ietf-opsec-bgp-security Thread-Index: Ac9U4n418boyE8d1QUu1yN8Z6I3g6g== Message-ID: References:

In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: user-agent: Microsoft-MacOutlook/14.3.9.131030 acceptlanguage: en-US Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 MIME-Version: 1.0 Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/0YKBfWc7i8FlMDClKVHsRq7GFB0 Cc: "draft-ietf-opsec-bgp-security@tools.ietf.org" , opsec wg mailing list Subject: Re: [OPSEC] Start of 2nd WGLC for draft-ietf-opsec-bgp-security X-BeenThere: opsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: opsec wg mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 10 Apr 2014 17:30:02 -0000 T24gNC8xMC8xNCwgMzoyMCBBTSwgIkplcm9tZSBEdXJhbmQgKGplcmR1cmFuKSIgPGplcmR1cmFu QGNpc2NvLmNvbT4gd3JvdGU6DQoNCg0KPkRvYyBoYXMgYWxyZWFkeSBiZWVuIHByZXNlbnRlZCBS SVBFIGFuZCBOQU5PRyBtZWV0aW5nIGFzIHlvdSBrbm93LiBTaG91bGQNCj53ZSBzaW1wbHkgc2Vu ZCBhbiBlbWFpbCByZWNhbGxpbmcgdGhpcyBpcyBsYXN0IGNhbGw/DQoNCkNvdWxkbuKAmXQgaHVy dC4NCg0KPkZvciBzZWN0aW9uIDQuMSBJIHByb3Bvc2UgdGhlIGZvbGxvd2luZyB0ZXh0IGZvciAy bmQgcGFyYWdyYXBoIHlvdSdyZQ0KPnJlZmVycmluZyB0bzoNCj4NCj4gICBUQ1Agc2Vzc2lvbnMg dXNlZCBieSBCR1AgY2FuIGJlIHNlY3VyZWQgd2l0aCBhIHZhcmlldHkgb2YgbWVjaGFuaXNtcy4N Cj4gICBNRDUgcHJvdGVjdGlvbiBvZiBUQ1Agc2Vzc2lvbiBoZWFkZXIgWzE0XSB3YXMgdGhlIGZp cnN0IGV4aXN0aW5nDQo+bWVjaGFuaXNtLg0KPiAgIEl0IGlzIG5vdyBkZXByZWNlY2F0ZWQgYnkg VENQIEF1dGhlbnRpY2F0aW9uIE9wdGlvbiAoVENQLUFPLCBbMTBdKQ0KPndoaWNoDQo+ICAgb2Zm ZXJzIHN0cm9uZ2VyIHByb3RlY3Rpb24uIElQc2VjIGNhbiBhbHNvIGJlIHVzZWQgZm9yIHRoaXMg cHVycG9zZS4NCj4gICBXaGlsZSBNRDUgaXMgc3RpbGwgdGhlIG1vc3QgdXNlZCBtZWNoYW5pc20g ZHVlIHRvIGl0cyBhdmFpbGFiaWxpdHkgaW4NCj4gICB2ZW5kb3IncyBlcXVpcG1lbnQsIFRDUC1B TyBhbmQgTUQ1IFNIT1VMRCBiZSBwcmVmZXJyZWQgd2hlbg0KPmltcGxlbWVudGVkLg0KDQpMb29r cyBmaW5lLCBhbHRob3VnaCBJIHRoaW5rIHlvdSBtZWFudCB0byBzYXkg4oCcVENQLUFPIFNIT1VM RCBiZSBwcmVmZXJyZWTigJ0NCm5vdCDigJxUQ1AtQU8gYW5kIE1ENSBTSE9VTETigJ0gaW4gdGhl IGxhc3Qgc2VudGVuY2UuDQoNCj4NCj4+U2VjdGlvbiAzLSBtYXkgd2FudCB0byBtZW50aW9uIHJh dGUtbGltaXRpbmcgYWNjZXB0ZWQgdHJhZmZpYyBpbg0KPj5hZGRpdGlvbiB0byBzdHJpY3QgZmls dGVyaW5nIG9mIHVuYWNjZXB0YWJsZSB0cmFmZmljDQo+DQo+TWF5YmUgYSBub3RlIG9uIHRoYXQu IFdlIHByb2JhYmx5IGRvbid0IHdhbnQgdG8gc3RhcnQgZGlzY3Vzc2luZyB0aGUNCj5yaWdodCB0 aHJlc2hvbGRzIGhlcmUuDQoNCkFncmVlDQoNCj4+IDUuMi4xIChvciBwb3NzaWJseSBzZWN0aW9u IDgpIC0gRmlsdGVyaW5nIHBlZXIgQVNlcyBpbmJvdW5kIGZyb20NCj4+Y3VzdG9tZXJzPyAoaW4g dGhpcyBjYXNlIOKAnHBlZXLigJ0gbWVhbmluZyBhIG5vbi10cmFuc2l0IGludGVyY29ubmVjdCwg bm90DQo+Pmp1c3Qgc29tZW9uZSB5b3UgYXJlIGNvbm5lY3RlZCB0byB2aWEgQkdQKSBJLmUuIElm IEkga25vdyB0aGF0IEkgc2hvdWxkDQo+Pm9ubHkgcmVjZWl2ZSByb3V0ZXMgd2l0aCA3MDEgaW4g dGhlIHBhdGggZnJvbSA3MDEgYmVjYXVzZSBJIGRvIG5vdCB1c2UNCj4+YW55IG90aGVyIEFTTiBh cyB0cmFuc2l0IHRvIHJlYWNoIDcwMSwgSSBzaG91bGQgZmlsdGVyIHJvdXRlcyBpbmJvdW5kDQo+ PmZyb20gb3RoZXIgc291cmNlcyB0byBlbnN1cmUgdGhhdCB0aGV5IGRvbuKAmXQgYW5ub3VuY2Ug cm91dGVzIHdpdGggdGhhdA0KPj5wYXRoLiBUaGlzIGlzIHNvbWV3aGVyZSBiZXR3ZWVuIHRoZSBz dHJpY3QgSVJSIGJhc2VkIGZpbHRlcnMgYW5kIHRoZQ0KPj5sb29zZSBmaWx0ZXJzLCBhbmQgZGVw ZW5kcyBvbiB0aGUgdG9wb2xvZ3kgb2YgdGhlIG5ldHdvcmsgYW5kIG15DQo+PmJ1c2luZXNzIHJl bGF0aW9uc2hpcHMsIGJ1dCBJIHRoaW5rIGl04oCZcyBhIHVzZWZ1bCBwb2ludCB0byBtYWtlIHRv IGFkZA0KPj5zb21lIGFkZGl0aW9uYWwgc2FmZXR5IGZpbHRlcmluZyB0byBwcmV2ZW50IOKAnG15 IGlkaW90IGN1c3RvbWVyIGlzIHRyeWluZw0KPj50byByZS1hbm5vdW5jZSB0aGUgaW50ZXJuZXQg dG8gbWXigJ0gYWxvbmcgd2l0aCBtYXgtcHJlZml4LCB3aGljaCB5b3UNCj4+YWxyZWFkeSBjb3Zl ci4NCj4NCj5JIHRoaW5rIHRoYXQgZmlyc3QgYnVsbGV0IG9mIHNlY3Rpb24gOCBpcyBzYXlpbmcg dGhpcy4gV2UgYXJlIHNheWluZyB3ZQ0KPm5lZWQgdG8gbWFrZSBzdXJlIHdlIHJlY2VpdmUgb25s eSBpZGVudGlmaWVkIEFTZXMgZnJvbSBjdXN0b21lciwgd2UNCj5wcm9iYWJseSBkb24ndCBuZWVk IHRvIGFkZCB3ZSBoYXZlIHRvIGZpbHRlciB0aGUgb25lcyB3ZSBkb24ndCB3YW50LiBUZWxsDQo+ bWUgaWYgSSBkaWRuJ3QgdW5kZXJzdGFuZCB5b3VyIHBvaW50LiBGZWVsIGZyZWUgdG8gcHJvcG9z ZSBzb21lIG1vZGlmaWVkDQo+dGV4dC4NCg0KWW914oCZcmUgcmlnaHQsIGl04oCZcyBtb3N0bHkg c2F5aW5nIHRoYXQuIEkgdGhpbmsgdGhlIG1vZGVsIHlvdeKAmXJlIGFkdm9jYXRpbmcNCmlzIGEg ZmlsdGVyIHRoYXQgZXhwbGljaXRseSBwZXJtaXRzIGNlcnRhaW4gQVNOcywgZ2VuZXJhdGVkIHVu aXF1ZWx5IGZvcg0KZWFjaCBjdXN0b21lciwgbWVhbmluZyBlYWNoIGhhcyBhbiBpbXBsaWNpdCBk ZW55IG9mIGFueXRoaW5nIHRoYXQgaXNu4oCZdA0KZXhwbGljaXRseSBwZXJtaXR0ZWQuIFRoYXTi gJlzIGNlcnRhaW5seSB0aGUgYmV0dGVyIG1vZGVsLiBNeSBzdWdnZXN0aW9uIHdhcw0KbW9yZSBm b3IgdGhlIHNlY29uZCBjYXNlIOKAnGlmIHlvdSBjYW5ub3QgYnVpbGQgZmlsdGVyc+KApuKAnSwg d2hlcmUgYnVpbGRpbmcgYQ0Kc2hvcnQgbGlzdCBvZiBleHBsaWNpdGx5IGRlbmllZCBBU05zIHRo YXQgeW91IHNob3VsZCBuZXZlciBzZWUgZnJvbSAqYW55Kg0KZG93bnN0cmVhbSBjdXN0b21lciAo aS5lLiBUaGUgQVNOcyBvZiB5b3VyIHBlZXJzIGFuZC9vciB1cHN0cmVhbSB0cmFuc2l0DQpwcm92 aWRlcnMpIHRvIGEgbm9uLWN1c3RvbWVyLXNwZWNpZmljIGZpbHRlciB0aGF0IGNhbiBiZSBnbG9i YWxseSBhcHBsaWVkDQpvbiBhbGwgY3VzdG9tZXIgQkdQIHNlc3Npb25zIHByb3ZpZGVzIGEgdXNl ZnVsIHNhZmV0eSBtZWNoYW5pc20gYmV5b25kDQpBUy1wYXRoLWxlbmd0aCBsaW1pdHMsIGFuZCBw cm90ZWN0cyBpZiB0aGUgY3VzdG9tZXItc3BlY2lmaWMgZmlsdGVyIGlzDQppbmFkdmVydGVudGx5 IG5vdCBhcHBsaWVkIChzaW5jZSB0aGF0IG5ldmVyIGhhcHBlbnMgOi0pICkuDQpIb3BlIHRoYXTi gJlzIGNsZWFyZXIuDQoNCj4NCj4+IFRoaXMgbWF5IGJlIHNvbWV0aGluZyB0aGF0IHRoZSBSRkMg ZWRpdG9yIHdpbGwgZml4LCBidXQgaXQgd291bGQgYmUNCj4+cHJlZmVyYWJsZSB0byB1c2UgdGhl IGFjdHVhbCBkcmFmdCBuYW1lIG9yIFJGQyBudW1iZXIgYXMgdGhlIHJlZmVyZW5jZQ0KPj50YWcg aW5zdGVhZCBvZiBudW1lcmljIHRhZ3MsIHNvIHRoYXQgdGhlIHJlYWRlciBrbm93cyB3aGF0IHlv dSBhcmUNCj4+cmVmZXJlbmNpbmcgd2l0aG91dCBoYXZpbmcgdG8ganVtcCB0byBmb290bm90ZXMg ZWFjaCB0aW1lLg0KPg0KPklmIFJGQyBlZGl0b3IgY2FuIGZpeCBpdCBJIGJ1eSB0aGUgaWRlYS4g T3RoZXJ3aXNlIHlvdSBuZWVkIHRvIGV4cGxhaW4gdG8NCj5tZSBob3cgdG8gZG8gaXQgZWFzaWx5 IDopDQoNCkkganVzdCBsb29rZWQgYnJpZWZseSBhdCB5b3VyIFhNTCBjb21wYXJlZCB3aXRoIG9u ZSBvZiBteSBkcmFmdHMsIGFuZCBJDQpjYW7igJl0IHNlZSBob3cgaXTigJlzIGRpZmZlcmVudCwg c28gSeKAmW0gYWN0dWFsbHkgbm90IHN1cmUgaG93IHRvIGZpeCwgc28gSQ0KZ3Vlc3MgbGV04oCZ cyBkb27igJl0IHdvcnJ5IGFib3V0IGl0Lg0KDQpXZXMgR2VvcmdlDQoNCg0KVGhpcyBFLW1haWwg YW5kIGFueSBvZiBpdHMgYXR0YWNobWVudHMgbWF5IGNvbnRhaW4gVGltZSBXYXJuZXIgQ2FibGUg cHJvcHJpZXRhcnkgaW5mb3JtYXRpb24sIHdoaWNoIGlzIHByaXZpbGVnZWQsIGNvbmZpZGVudGlh bCwgb3Igc3ViamVjdCB0byBjb3B5cmlnaHQgYmVsb25naW5nIHRvIFRpbWUgV2FybmVyIENhYmxl LiBUaGlzIEUtbWFpbCBpcyBpbnRlbmRlZCBzb2xlbHkgZm9yIHRoZSB1c2Ugb2YgdGhlIGluZGl2 aWR1YWwgb3IgZW50aXR5IHRvIHdoaWNoIGl0IGlzIGFkZHJlc3NlZC4gSWYgeW91IGFyZSBub3Qg dGhlIGludGVuZGVkIHJlY2lwaWVudCBvZiB0aGlzIEUtbWFpbCwgeW91IGFyZSBoZXJlYnkgbm90 aWZpZWQgdGhhdCBhbnkgZGlzc2VtaW5hdGlvbiwgZGlzdHJpYnV0aW9uLCBjb3B5aW5nLCBvciBh Y3Rpb24gdGFrZW4gaW4gcmVsYXRpb24gdG8gdGhlIGNvbnRlbnRzIG9mIGFuZCBhdHRhY2htZW50 cyB0byB0aGlzIEUtbWFpbCBpcyBzdHJpY3RseSBwcm9oaWJpdGVkIGFuZCBtYXkgYmUgdW5sYXdm dWwuIElmIHlvdSBoYXZlIHJlY2VpdmVkIHRoaXMgRS1tYWlsIGluIGVycm9yLCBwbGVhc2Ugbm90 aWZ5IHRoZSBzZW5kZXIgaW1tZWRpYXRlbHkgYW5kIHBlcm1hbmVudGx5IGRlbGV0ZSB0aGUgb3Jp Z2luYWwgYW5kIGFueSBjb3B5IG9mIHRoaXMgRS1tYWlsIGFuZCBhbnkgcHJpbnRvdXQuDQo= From nobody Fri Apr 11 08:38:24 2014 Return-Path: X-Original-To: opsec@ietfa.amsl.com Delivered-To: opsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 282D41A01CF for ; Fri, 11 Apr 2014 08:38:22 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.002 X-Spam-Level: X-Spam-Status: No, score=-0.002 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N1e6nsqHDDXV for ; Fri, 11 Apr 2014 08:38:17 -0700 (PDT) Received: from mx-relay36-dus.antispameurope.com (mx-relay36-dus.antispameurope.com [94.100.134.236]) by ietfa.amsl.com (Postfix) with ESMTP id 9FD061A0145 for ; Fri, 11 Apr 2014 08:38:13 -0700 (PDT) Received: from smtpsrv1.fokus.fraunhofer.de ([195.37.77.166]) by mx-gate36-dus.antispameurope.com; Fri, 11 Apr 2014 17:38:08 +0200 Received: from CURIE.fokus.fraunhofer.de (curie.fokus.fraunhofer.de [IPv6:2001:638:806:9::203] (may be forged)) by smtpsrv1.fokus.fraunhofer.de (8.14.4/8.14.4) with ESMTP id s3BFc2kK008437 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=OK) for ; Fri, 11 Apr 2014 17:38:04 +0200 Received: from DIRAC.fokus.fraunhofer.de ([fe80::95a6:a35d:2023:242c]) by CURIE.fokus.fraunhofer.de ([fe80::4405:336c:6211:c99f%16]) with mapi id 14.03.0181.006; Fri, 11 Apr 2014 17:37:54 +0200 From: "Schmoll, Carsten" To: "opsec@ietf.org" Thread-Topic: [OPSEC] IPv6 firewalls reqs: Rationale Thread-Index: Ac9Vm9yDZJRfWPgvSSa3PJ64SVFZrg== Date: Fri, 11 Apr 2014 15:37:56 +0000 Message-ID: <45F6EC28CBA2DE418529BD6EBC89A8226BC843AA@DIRAC.fokus.fraunhofer.de> Accept-Language: de-DE, en-US Content-Language: de-DE X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.147.69.161] x-kse-antivirus-interceptor-info: protection disabled Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-cloud-security-sender: carsten.schmoll@fokus.fraunhofer.de X-cloud-security-recipient: opsec@ietf.org X-cloud-security-Virusscan: CLEAN X-cloud-security-disclaimer: This E-Mail was scanned by E-Mailservice on mx-gate36-dus with 3971C211802A X-cloud-security-connect: smtpsrv1.fokus.fraunhofer.de[195.37.77.166], TLS=, IP=195.37.77.166 X-cloud-security: scantime:.2275 Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/vz-hsWwFtyLhaQCfUPOtTBDdb60 Subject: Re: [OPSEC] IPv6 firewalls reqs: Rationale X-BeenThere: opsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: opsec wg mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Apr 2014 15:38:22 -0000 Dear Fernando, authors of this I-D, thanks for pushing this (IMO) worthwhile topic forward. The more we see IPv6 availability, the more important is it that the router= /gateway/firewalls, will provide an (at least) on-par-security for IPv6, co= mpared to IPv4. With such a document, firewall makers can have a valuable c= hecklist in their hands - and go at least for the "conditionally-compliant"= feature set. My gut feeling is that such document should aim a little higher than just p= roviding parity with IPv4 firewall features. IMO this is especially true fo= r the DoS section (chapter 7), since more attack vectors exist with IPv6 (o= r so it feels to me). Two small ideas: * If deemed as useful, the document should clearly state the importance of = (the NAT-less yet) stateful PF with IPv6, and maybe some details of it. * If suitable for this I-D, some words could be added on privacy issues wit= h IPv6 and how an IPv6-FW could help (or not) with that. Best regards Carsten -----Original Message----- From: OPSEC [mailto:opsec-bounces@ietf.org] On Behalf Of Fernando Gont Sent: Wednesday, February 19, 2014 12:09 AM To: 'opsec@ietf.org' Subject: [OPSEC] IPv6 firewalls reqs: Rationale Folks, As noted in my previous email, this is a request to discuss the first item = listed in my previous email: 1) Agree on a rationale to write this spec. For example, one possible rationale is "aim at providing parity of features= with IPv4". Another one could be that "should should aim a little higher".= For example, in the light of draft-farrell-perpass-attack we may aim at re= quiring some privacy features that might not be that common in IPv4 firewal= ls. Thoughts? Yours, -- Fernando Gont e-mail: fernando@gont.com.ar || fgont@si6networks.com PGP Fingerprint: 7809= 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1 _______________________________________________ OPSEC mailing list OPSEC@ietf.org https://www.ietf.org/mailman/listinfo/opsec From nobody Sun Apr 13 08:45:45 2014 Return-Path: X-Original-To: opsec@ietfa.amsl.com Delivered-To: opsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4BA511A01CB for ; Sun, 13 Apr 2014 08:45:43 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.273 X-Spam-Level: X-Spam-Status: No, score=-0.273 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, RP_MATCHES_RCVD=-0.272] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cWnzBrPhh8XK for ; Sun, 13 Apr 2014 08:45:41 -0700 (PDT) Received: from nagasaki.bogus.com (nagasaki.bogus.com [IPv6:2001:418:1::81]) by ietfa.amsl.com (Postfix) with ESMTP id C12861A01C6 for ; Sun, 13 Apr 2014 08:45:38 -0700 (PDT) Received: from mb-aye.local (c-67-171-230-191.hsd1.wa.comcast.net [67.171.230.191]) (authenticated bits=0) by nagasaki.bogus.com (8.14.7/8.14.7) with ESMTP id s3DFjYUP052810 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Sun, 13 Apr 2014 15:45:36 GMT (envelope-from joelja@bogus.com) Message-ID: <534AB11A.90800@bogus.com> Date: Sun, 13 Apr 2014 08:45:30 -0700 From: joel jaeggli User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:28.0) Gecko/20100101 Thunderbird/28.0 MIME-Version: 1.0 To: draft-ietf-opsec-lla-only@tools.ietf.org, opsec chairs , "opsec@ietf.org" X-Enigmail-Version: 1.6 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="1dAMnxG2dDFisXkvFWB1xGpw90t91jdmh" X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.4.3 (nagasaki.bogus.com [147.28.0.81]); Sun, 13 Apr 2014 15:45:36 +0000 (UTC) Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/T2aHexPjtvmWX_CQbpXTEBj1Qoo Subject: [OPSEC] draft-ietf-opsec-lla-only IETF last-call X-BeenThere: opsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: opsec wg mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 13 Apr 2014 15:45:43 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --1dAMnxG2dDFisXkvFWB1xGpw90t91jdmh Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Folks, What I took away from the IETF LC is not that this document is unsuitable for publication, but that a suitably dire warning with respect to the limitations needs to be attached (probably in the introduction). It is my feeling from my colleagues on the IESG that they are relatively opposed to the idea of an IESG statement being applied to say this if the authors can do so in conjunction with the community. Thanks joel --1dAMnxG2dDFisXkvFWB1xGpw90t91jdmh Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.22 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlNKsRoACgkQ8AA1q7Z/VrI57ACghjmHJCS+2wT5i5igWUxMJ4tM ZgIAoIQQZf9tWarpar2h+VkRDNJfljB9 =xcH5 -----END PGP SIGNATURE----- --1dAMnxG2dDFisXkvFWB1xGpw90t91jdmh-- From nobody Sun Apr 13 08:48:11 2014 Return-Path: X-Original-To: opsec@ietfa.amsl.com Delivered-To: opsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E9D51A01D2 for ; Sun, 13 Apr 2014 08:48:10 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -14.773 X-Spam-Level: X-Spam-Status: No, score=-14.773 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id weJSDlyuDfxC for ; Sun, 13 Apr 2014 08:48:09 -0700 (PDT) Received: from rcdn-iport-5.cisco.com (rcdn-iport-5.cisco.com [173.37.86.76]) by ietfa.amsl.com (Postfix) with ESMTP id 21FC71A01C6 for ; Sun, 13 Apr 2014 08:48:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=876; q=dns/txt; s=iport; t=1397404087; x=1398613687; h=from:to:subject:date:message-id:in-reply-to: content-transfer-encoding:mime-version; bh=FSE0MH3AbQInCAkdIe2CJIWhLwVimQQKxa5ptSp7lEE=; b=F4u7tXyevqRbiqt4R0slXMATHfwile8nK6PYV/gK0tfpDmOecTjzy2rw KxHwgk0FUSC8wKAqfd3ogsChFZm9R5vK7XPImqdKQew1rKgIGRs71dzj0 /2JOyV9aHedkrrMorLnBEyjCkgZ7I7r7PirAGUJFSgpV/65BeawAE4Mn/ A=; X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: AgEFANGwSlOtJA2G/2dsb2JhbABYgwaBEsMtgRoWdIInAQSBCwEIIh05FBECBAESCAyHaMowF447AgYygySBFAEDiSSiAIMxgis X-IronPort-AV: E=Sophos;i="4.97,851,1389744000"; d="scan'208";a="317369268" Received: from alln-core-12.cisco.com ([173.36.13.134]) by rcdn-iport-5.cisco.com with ESMTP; 13 Apr 2014 15:48:07 +0000 Received: from xhc-rcd-x15.cisco.com (xhc-rcd-x15.cisco.com [173.37.183.89]) by alln-core-12.cisco.com (8.14.5/8.14.5) with ESMTP id s3DFm612008591 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Sun, 13 Apr 2014 15:48:06 GMT Received: from xmb-aln-x02.cisco.com ([169.254.5.99]) by xhc-rcd-x15.cisco.com ([173.37.183.89]) with mapi id 14.03.0123.003; Sun, 13 Apr 2014 10:48:06 -0500 From: "Eric Vyncke (evyncke)" To: "'joelja@bogus.com'" , "'draft-ietf-opsec-lla-only@tools.ietf.org'" , "'opsec-chairs@tools.ietf.org'" , "'OpSec@ietf.org'" Thread-Topic: draft-ietf-opsec-lla-only IETF last-call Thread-Index: AQHPVy9xysbEiccWh0mT7TBciDSFrpsPsSUm Date: Sun, 13 Apr 2014 15:48:06 +0000 Message-ID: <97EB7536A2B2C549846804BBF3FD47E123D07FC5@xmb-aln-x02.cisco.com> In-Reply-To: <534AB11A.90800@bogus.com> Accept-Language: fr-FR, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [173.37.181.97] Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/zhABe4-OC53QYKb0IWacSJ2FS-8 Subject: Re: [OPSEC] draft-ietf-opsec-lla-only IETF last-call X-BeenThere: opsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: opsec wg mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 13 Apr 2014 15:48:10 -0000 Joel Thanks for your message=20 Michael and I will come back to you Eric ----- Message d'origine ----- De : joel jaeggli [mailto:joelja@bogus.com] Envoy=E9 : Sunday, April 13, 2014 05:45 PM=0A= =C0 : draft-ietf-opsec-lla-only@tools.ietf.org ; opsec chairs ; opsec@ietf.org = Objet : draft-ietf-opsec-lla-only IETF last-call Folks, What I took away from the IETF LC is not that this document is unsuitable for publication, but that a suitably dire warning with respect to the limitations needs to be attached (probably in the introduction). It is my feeling from my colleagues on the IESG that they are relatively opposed to the idea of an IESG statement being applied to say this if the authors can do so in conjunction with the community. Thanks joel From nobody Sun Apr 13 08:55:38 2014 Return-Path: X-Original-To: opsec@ietfa.amsl.com Delivered-To: opsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B60201A02C6 for ; Sun, 13 Apr 2014 08:55:37 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.172 X-Spam-Level: X-Spam-Status: No, score=-2.172 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.272] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p4vZ6tWKwusU for ; Sun, 13 Apr 2014 08:55:36 -0700 (PDT) Received: from nagasaki.bogus.com (nagasaki.bogus.com [IPv6:2001:418:1::81]) by ietfa.amsl.com (Postfix) with ESMTP id 7CC651A01DE for ; Sun, 13 Apr 2014 08:55:36 -0700 (PDT) Received: from mb-aye.local (c-67-171-230-191.hsd1.wa.comcast.net [67.171.230.191]) (authenticated bits=0) by nagasaki.bogus.com (8.14.7/8.14.7) with ESMTP id s3DFtVUT052851 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Sun, 13 Apr 2014 15:55:31 GMT (envelope-from joelja@bogus.com) Message-ID: <534AB36E.7050601@bogus.com> Date: Sun, 13 Apr 2014 08:55:26 -0700 From: joel jaeggli User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:28.0) Gecko/20100101 Thunderbird/28.0 MIME-Version: 1.0 To: "Eric Vyncke (evyncke)" , "'draft-ietf-opsec-lla-only@tools.ietf.org'" , "'opsec-chairs@tools.ietf.org'" , "'OpSec@ietf.org'" References: <97EB7536A2B2C549846804BBF3FD47E123D07FC5@xmb-aln-x02.cisco.com> In-Reply-To: <97EB7536A2B2C549846804BBF3FD47E123D07FC5@xmb-aln-x02.cisco.com> X-Enigmail-Version: 1.6 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="TR94apeMDnm5l3fhQPj4rv7COQ6AJ0bh2" X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.4.3 (nagasaki.bogus.com [147.28.0.81]); Sun, 13 Apr 2014 15:55:31 +0000 (UTC) Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/KRS96Ixmjbj7968vYhJAyPSM2xc Subject: Re: [OPSEC] draft-ietf-opsec-lla-only IETF last-call X-BeenThere: opsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: opsec wg mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 13 Apr 2014 15:55:37 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --TR94apeMDnm5l3fhQPj4rv7COQ6AJ0bh2 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Thanks guys. joel On 4/13/14, 8:48 AM, Eric Vyncke (evyncke) wrote: > Joel >=20 > Thanks for your message=20 >=20 > Michael and I will come back to you >=20 > Eric >=20 > ----- Message d'origine ----- > De : joel jaeggli [mailto:joelja@bogus.com] > Envoy=E9 : Sunday, April 13, 2014 05:45 PM > =C0 : draft-ietf-opsec-lla-only@tools.ietf.org ; opsec chairs ; opsec@iet= f.org > Objet : draft-ietf-opsec-lla-only IETF last-call >=20 > Folks, >=20 > What I took away from the IETF LC is not that this document is > unsuitable for publication, but that a suitably dire warning with > respect to the limitations needs to be attached (probably in the > introduction). It is my feeling from my colleagues on the IESG that the= y > are relatively opposed to the idea of an IESG statement being applied t= o > say this if the authors can do so in conjunction with the community. >=20 > Thanks > joel >=20 >=20 --TR94apeMDnm5l3fhQPj4rv7COQ6AJ0bh2 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.22 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlNKs28ACgkQ8AA1q7Z/VrLwtACfcCpfRe4BdqKtGKpKtOOntO74 xgsAnjA9IESZXZAtrayxS9lTFqoXtVsL =1r9/ -----END PGP SIGNATURE----- --TR94apeMDnm5l3fhQPj4rv7COQ6AJ0bh2-- From nobody Mon Apr 14 01:21:25 2014 Return-Path: X-Original-To: opsec@ietfa.amsl.com Delivered-To: opsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B6B11A0293 for ; Mon, 14 Apr 2014 01:21:23 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.172 X-Spam-Level: X-Spam-Status: No, score=-2.172 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.272] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t0_qSB0PZYJl for ; Mon, 14 Apr 2014 01:21:22 -0700 (PDT) Received: from mail.rozanak.com (mail.rozanak.com [IPv6:2a01:238:42ad:1500:aa19:4238:e48f:61cf]) by ietfa.amsl.com (Postfix) with ESMTP id 345611A0290 for ; Mon, 14 Apr 2014 01:21:22 -0700 (PDT) Received: from localhost (unknown [127.0.0.1]) by mail.rozanak.com (Postfix) with ESMTP id 77A7523E2B25; Mon, 14 Apr 2014 08:21:18 +0000 (UTC) X-Virus-Scanned: amavisd-new at rozanak.com Received: from mail.rozanak.com ([127.0.0.1]) by localhost (mail.iknowlaws.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id betjC74L7aC6; Mon, 14 Apr 2014 10:21:17 +0200 (CEST) Received: from kopoli (g226184084.adsl.alicedsl.de [92.226.184.84]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by mail.rozanak.com (Postfix) with ESMTPSA id F30E423E24BF; Mon, 14 Apr 2014 10:21:16 +0200 (CEST) From: "Hosnieh Rafiee" To: "'KK'" Date: Mon, 14 Apr 2014 10:21:14 +0200 Message-ID: <000001cf57ba$80a5d940$81f18bc0$@rozanak.com> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-Mailer: Microsoft Outlook 14.0 Thread-Index: Ac9Xun6pLhhrOvVJQUmozH5hjV21uA== Content-Language: en-us Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/zFv_m5M05oSBq3gtUPnJ7ADF44w Cc: opsec@ietf.org Subject: Re: [OPSEC] Start of WGLC for draft-ietf-opsec-dhcpv6-shield X-BeenThere: opsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: opsec wg mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 14 Apr 2014 08:21:23 -0000 I read this draft and I support the publication of this draft. I think = it is important to perform any step toward securing clients and DHCP = servers.=20 I guess it will be also useful that the authors include a section = related to comparison of this work with SAVI-DHCP as I asked authors = offlist. Thanks, Best, Hosnieh From: OPSEC [mailto:opsec-bounces@ietf.org] On Behalf Of KK Sent: Friday, March 28, 2014 4:44 PM To: opsec@ietf.org Subject: [OPSEC] Start of WGLC for draft-ietf-opsec-dhcpv6-shield Dear OpSec WG, This starts a Working Group Last Call for draft-ietf-opsec-dhcpv6-shield The draft is available here: = https://datatracker.ietf.org/doc/draft-ietf-opsec-dhcpv6-shield/ Please review this draft to see if you think it is ready for = publication. Send comments to the list, clearly stating your view. This WGLC ends Friday 11-Apr-2014. Thanks, KK (as OpSec WG co-chair) From nobody Tue Apr 15 11:25:15 2014 Return-Path: X-Original-To: opsec@ietfa.amsl.com Delivered-To: opsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D78A91A01FE; Tue, 15 Apr 2014 11:25:12 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.174 X-Spam-Level: X-Spam-Status: No, score=-2.174 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.272, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6exoZvdScuMf; Tue, 15 Apr 2014 11:25:07 -0700 (PDT) Received: from rfc-editor.org (rfc-editor.org [IPv6:2001:1900:3001:11::31]) by ietfa.amsl.com (Postfix) with ESMTP id 375531A011A; Tue, 15 Apr 2014 11:25:07 -0700 (PDT) Received: by rfc-editor.org (Postfix, from userid 30) id 2075918000C; Tue, 15 Apr 2014 11:24:39 -0700 (PDT) To: nick@foobar.org, dave@juniper.net, cpignata@cisco.com, rodunn@cisco.com X-PHP-Originating-Script: 1005:errata_mail_lib.php From: RFC Errata System Message-Id: <20140415182439.2075918000C@rfc-editor.org> Date: Tue, 15 Apr 2014 11:24:39 -0700 (PDT) Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/ZnJDT8kLOpIZT4qR2KynpB1LBMc Cc: opsec@ietf.org, iesg@ietf.org, rfc-editor@rfc-editor.org Subject: [OPSEC] [Errata Verified] RFC6192 (3906) X-BeenThere: opsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: opsec wg mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 15 Apr 2014 18:25:13 -0000 The following errata report has been verified for RFC6192, "Protecting the Router Control Plane". -------------------------------------- You may review the report below and at: http://www.rfc-editor.org/errata_search.php?rfc=6192&eid=3906 -------------------------------------- Status: Verified Type: Editorial Reported by: Nick Hilliard Date Reported: 2014-03-02 Verified by: Benoit Claise (IESG) Section: A.1 Original Text ------------- [...] ip access-list extended DNS permit udp 198.51.100.0 0.0.0.252 eq domain any ipv6 access-list DNSv6 permit udp 2001:DB8:100:1::/64 eq domain any permit tcp 2001:DB8:100:1::/64 eq domain any ip access-list extended NTP permit udp 198.51.100.4 255.255.255.252 any eq ntp ipv6 access-list NTPv6 permit udp 2001:DB8:100:2::/64 any eq ntp ip access-list extended SSH permit tcp 198.51.100.128 0.0.0.128 any eq 22 ipv6 access-list SSHv6 permit tcp 2001:DB8:100:3::/64 any eq 22 ip access-list extended SNMP permit udp 198.51.100.128 0.0.0.128 any eq snmp [...] Corrected Text -------------- [...] ip access-list extended DNS permit udp 198.51.100.0 0.0.0.3 eq domain any ipv6 access-list DNSv6 permit udp 2001:DB8:100:1::/64 eq domain any permit tcp 2001:DB8:100:1::/64 eq domain any ip access-list extended NTP permit udp 198.51.100.4 0.0.0.3 any eq ntp ipv6 access-list NTPv6 permit udp 2001:DB8:100:2::/64 any eq ntp ip access-list extended SSH permit tcp 198.51.100.128 0.0.0.127 any eq 22 ipv6 access-list SSHv6 permit tcp 2001:DB8:100:3::/64 any eq 22 ip access-list extended SNMP permit udp 198.51.100.128 0.0.0.127 any eq snmp [...] Notes ----- The bitfield masks in the Cisco Configuration example in section A.1 look incorrect. The authors may have intended the following meanings: ip access-list extended DNS all hosts between 198.51.100.0 and 198.51.100.3 instead of all addresses in the range 198.51.100.0/24 which are evenly divisible by 4 ip access-list extended NTP all hosts between 198.51.100.4 and 198.51.100.7 instead of all addresses in the range 0.0.0.0/0 which are evenly divisible by 4 ip access-list extended SSH all hosts between 198.51.100.128 and 198.51.100.255 instead of 198.51.100.128/32 ip access-list extended SNMP all hosts between 198.51.100.128 and 198.51.100.255 instead of 198.51.100.128/32 -------------------------------------- RFC6192 (draft-ietf-opsec-protect-control-plane-06) -------------------------------------- Title : Protecting the Router Control Plane Publication Date : March 2011 Author(s) : D. Dugal, C. Pignataro, R. Dunn Category : INFORMATIONAL Source : Operational Security Capabilities for IP Network Infrastructure Area : Operations and Management Stream : IETF Verifying Party : IESG From nobody Wed Apr 16 04:55:43 2014 Return-Path: X-Original-To: opsec@ietfa.amsl.com Delivered-To: opsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C52D1A014D for ; Wed, 16 Apr 2014 04:55:41 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -14.772 X-Spam-Level: X-Spam-Status: No, score=-14.772 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ios1E10Hdw-F for ; Wed, 16 Apr 2014 04:55:37 -0700 (PDT) Received: from rcdn-iport-8.cisco.com (rcdn-iport-8.cisco.com [173.37.86.79]) by ietfa.amsl.com (Postfix) with ESMTP id 19FB31A0142 for ; Wed, 16 Apr 2014 04:55:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=8732; q=dns/txt; s=iport; t=1397649334; x=1398858934; h=from:to:cc:subject:date:message-id:mime-version; bh=X67QciRn7UfvFL4uD+AcwUcr3/pcFV/c8PrU+t0VF1w=; b=FPKpVZ36JIjE79LZOZhLPUkk1Ht+IHhdEp6oZQGyMJ+dgrfvDKVW7Op+ U2/p9wVBN20mJs8icSAiIQXndlEw5EZAOEVs0O0X+bcumXvjrLgoe64LA fjoUdlkDuA0eqdnmr/3xZ/6aTo1/QQaACHluYlgp4ULKO1OmiNs8f7R3m E=; X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: Ag8FABtvTlOtJV2Y/2dsb2JhbABZgkJEO1fDM4EhFnSCJQEBAQQdEEELEgEIEQQBAQtWHQkBBA4FCId0DcdTEwSOMS0EgyuBFASrL4Mxgis X-IronPort-AV: E=Sophos;i="4.97,872,1389744000"; d="scan'208,217";a="318169087" Received: from rcdn-core-1.cisco.com ([173.37.93.152]) by rcdn-iport-8.cisco.com with ESMTP; 16 Apr 2014 11:55:33 +0000 Received: from xhc-rcd-x01.cisco.com (xhc-rcd-x01.cisco.com [173.37.183.75]) by rcdn-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id s3GBtXeQ017938 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Wed, 16 Apr 2014 11:55:33 GMT Received: from xmb-aln-x12.cisco.com ([169.254.7.118]) by xhc-rcd-x01.cisco.com ([173.37.183.75]) with mapi id 14.03.0123.003; Wed, 16 Apr 2014 06:55:33 -0500 From: "Gunter Van de Velde (gvandeve)" To: opsec wg mailing list Thread-Topic: Start of 2nd WGLC for draft-ietf-opsec-bgp-security Thread-Index: Ac9TCpCty6WW3UV9Rc+t1rBkEBAqQQGX/bdQ Date: Wed, 16 Apr 2014 11:55:32 +0000 Message-ID: <67832B1175062E48926BF3CB27C49B24113958CB@xmb-aln-x12.cisco.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.61.196.139] Content-Type: multipart/alternative; boundary="_000_67832B1175062E48926BF3CB27C49B24113958CBxmbalnx12ciscoc_" MIME-Version: 1.0 Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/f2b2THEBwdrdLSFbMw-L4x4uits Cc: "draft-ietf-opsec-bgp-security@tools.ietf.org" , "kk@dropbox.com" Subject: Re: [OPSEC] Start of 2nd WGLC for draft-ietf-opsec-bgp-security X-BeenThere: opsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: opsec wg mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 16 Apr 2014 11:55:42 -0000 --_000_67832B1175062E48926BF3CB27C49B24113958CBxmbalnx12ciscoc_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Please find this reminder to query for your feedback. Brgds, G/ From: Gunter Van de Velde (gvandeve) Sent: 08 April 2014 11:18 To: opsec wg mailing list Cc: KK (kk@google.com); draft-ietf-opsec-bgp-security@tools.ietf.org Subject: Start of 2nd WGLC for draft-ietf-opsec-bgp-security Dear OpSec WG, This starts a 2nd Working Group Last Call for draft-ietf-opsec-bgp-security= . Due to the time taken to integrate all comments from the first WGLC this 2n= d WGLC is initiated. All three authors have replied, stating that they do not know of any IPR as= sociated with this draft. The draft is available here: https://datatracker.ietf.org/doc/draft-ietf-op= sec-bgp-security/ Please review this draft to see if you think it is ready for publication an= d comments to the list, clearly stating your view. This WGLC ends 22-April-2014. Thanks, G/ --_000_67832B1175062E48926BF3CB27C49B24113958CBxmbalnx12ciscoc_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

Please find this remin= der to query for your feedback.

Brgds,

From:= Gunter Van de Velde (gvandeve)
Sent: 08 April 2014 11:18
To: opsec wg mailing list
Cc: KK (kk@google.com); draft-ietf-opsec-bgp-security@tools.ietf.org=
Subject: Start of 2nd WGLC for draft-ietf-opsec-bgp-security

Dear O= pSec WG,

This s= tarts a 2^nd Working Group Last Call for draft-ietf-opsec-bgp-sec= urity.

Due to= the time taken to integrate all comments from the first WGLC this 2^nd= WGLC is initiated.

&= nbsp;

All th= ree authors have replied, stating that they do not know of any IPR associat= ed with this draft.

The dr= aft is available here: https://datatracker.ietf.org/doc/draft-ietf-opsec-bgp-security/=

Please= review this draft to see if you think it is ready for publication and comm= ents to the list, clearly stating your view.<= /o:p>

This W= GLC ends 22-April-2014.

Thanks= ,

--_000_67832B1175062E48926BF3CB27C49B24113958CBxmbalnx12ciscoc_-- From nobody Wed Apr 16 06:34:37 2014 Return-Path: X-Original-To: opsec@ietfa.amsl.com Delivered-To: opsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0083A1A0194 for ; Wed, 16 Apr 2014 06:34:36 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.6 X-Spam-Level: X-Spam-Status: No, score=-102.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z-jtn2BnvMGp for ; Wed, 16 Apr 2014 06:34:32 -0700 (PDT) Received: from ch1outboundpool.messaging.microsoft.com (ch1ehsobe005.messaging.microsoft.com [216.32.181.185]) by ietfa.amsl.com (Postfix) with ESMTP id 7CB1C1A0193 for ; Wed, 16 Apr 2014 06:34:31 -0700 (PDT) Received: from mail27-ch1-R.bigfish.com (10.43.68.228) by CH1EHSOBE019.bigfish.com (10.43.70.76) with Microsoft SMTP Server id 14.1.225.22; Wed, 16 Apr 2014 13:33:47 +0000 Received: from mail27-ch1 (localhost [127.0.0.1]) by mail27-ch1-R.bigfish.com (Postfix) with ESMTP id 2B617180743; Wed, 16 Apr 2014 13:33:47 +0000 (UTC) X-Forefront-Antispam-Report: CIP:157.56.240.101; KIP:(null); UIP:(null); IPV:NLI; H:BL2PRD0510HT005.namprd05.prod.outlook.com; RD:none; EFVD:NLI X-SpamScore: -20 X-BigFish: VPS-20(zz9371Ic85fh4015Izz1f42h2148h1ee6h1de0h1fdah2073h2146h1202h1e76h2189h1d1ah1d2ah21bch1fc6h208chzz1d7338h1de098h1033IL17326ah8275bh8275dh18c673h1de097h186068hz2fh109h2a8h839hd24hf0ah1288h12a5h12bdh137ah1441h1504h1537h153bh162dh1631h1758h18e1h1946h19b5h19ceh1ad9h1b0ah1bceh224fh1d07h1d0ch1d2eh1d3fh1de9h1dfeh1dffh1e1dh1fe8h1ff5h20f0h2216h22d0h2336h2461h2487h24d7h2516h2545h255eh25cch25f6h2605h268bh26c8h26d3h9a9j1155h) Received-SPF: pass (mail27-ch1: domain of juniper.net designates 157.56.240.101 as permitted sender) client-ip=157.56.240.101; envelope-from=rbonica@juniper.net; helo=BL2PRD0510HT005.namprd05.prod.outlook.com ; .outlook.com ; X-Forefront-Antispam-Report-Untrusted: SFV:NSPM; SFS:(10009001)(428001)(164054003)(377454003)(189002)(199002)(86362001)(92566001)(16236675002)(50986999)(15202345003)(76482001)(81542001)(46102001)(76176999)(54356999)(2656002)(80022001)(81342001)(87936001)(79102001)(4396001)(74502001)(15975445006)(99286001)(99396002)(74662001)(19609705001)(77982001)(76576001)(83072002)(66066001)(31966008)(20776003)(19300405004)(19580395003)(74316001)(85852003)(83322001)(19580405001)(33646001)(80976001)(24736002); DIR:OUT; SFP:1101; SCL:1; SRVR:CO1PR05MB443; H:CO1PR05MB442.namprd05.prod.outlook.com; FPR:FC8EC43E.9EE295A3.BDD77F7F.4EA1910.20220; MLV:sfv; PTR:InfoNoRecords; MX:1; A:1; LANG:en; Received: from mail27-ch1 (localhost.localdomain [127.0.0.1]) by mail27-ch1 (MessageSwitch) id 139765522511622_19949; Wed, 16 Apr 2014 13:33:45 +0000 (UTC) Received: from CH1EHSMHS035.bigfish.com (snatpool1.int.messaging.microsoft.com [10.43.68.242]) by mail27-ch1.bigfish.com (Postfix) with ESMTP id EFFB8160206; Wed, 16 Apr 2014 13:33:44 +0000 (UTC) Received: from BL2PRD0510HT005.namprd05.prod.outlook.com (157.56.240.101) by CH1EHSMHS035.bigfish.com (10.43.70.35) with Microsoft SMTP Server (TLS) id 14.16.227.3; Wed, 16 Apr 2014 13:33:44 +0000 Received: from CO1PR05MB443.namprd05.prod.outlook.com (10.141.73.152) by BL2PRD0510HT005.namprd05.prod.outlook.com (10.255.100.40) with Microsoft SMTP Server (TLS) id 14.16.435.0; Wed, 16 Apr 2014 13:34:23 +0000 Received: from CO1PR05MB442.namprd05.prod.outlook.com (10.141.73.146) by CO1PR05MB443.namprd05.prod.outlook.com (10.141.73.152) with Microsoft SMTP Server (TLS) id 15.0.918.8; Wed, 16 Apr 2014 13:34:21 +0000 Received: from CO1PR05MB442.namprd05.prod.outlook.com ([169.254.13.244]) by CO1PR05MB442.namprd05.prod.outlook.com ([169.254.13.244]) with mapi id 15.00.0918.000; Wed, 16 Apr 2014 13:34:20 +0000 From: Ronald Bonica To: "Gunter Van de Velde (gvandeve)" , opsec wg mailing list Thread-Topic: Start of 2nd WGLC for draft-ietf-opsec-bgp-security Thread-Index: Ac9TCpCty6WW3UV9Rc+t1rBkEBAqQQGX/bdQAAN0kZA= Date: Wed, 16 Apr 2014 13:34:19 +0000 Message-ID: References: <67832B1175062E48926BF3CB27C49B24113958CB@xmb-aln-x12.cisco.com> In-Reply-To: <67832B1175062E48926BF3CB27C49B24113958CB@xmb-aln-x12.cisco.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [66.129.241.12] x-forefront-prvs: 01834E39B7 Content-Type: multipart/alternative; boundary="_000_c8822f998646410f8404b9e59c02a13fCO1PR05MB442namprd05pro_" MIME-Version: 1.0 X-OriginatorOrg: juniper.net X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn% Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/urn7g8PXtqWE2NBxzjb-HdC5PSQ Cc: "draft-ietf-opsec-bgp-security@tools.ietf.org" , "kk@dropbox.com" Subject: Re: [OPSEC] Start of 2nd WGLC for draft-ietf-opsec-bgp-security X-BeenThere: opsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: opsec wg mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 16 Apr 2014 13:34:36 -0000 --_000_c8822f998646410f8404b9e59c02a13fCO1PR05MB442namprd05pro_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Folks, This document is very comprehensive and well-written. Kudos to the authors. However, please take a look at the Forward. Ron From: OPSEC [mailto:opsec-bounces@ietf.org] On Behalf Of Gunter Van de Veld= e (gvandeve) Sent: Wednesday, April 16, 2014 7:56 AM To: opsec wg mailing list Cc: draft-ietf-opsec-bgp-security@tools.ietf.org; kk@dropbox.com Subject: Re: [OPSEC] Start of 2nd WGLC for draft-ietf-opsec-bgp-security Please find this reminder to query for your feedback. Brgds, G/ From: Gunter Van de Velde (gvandeve) Sent: 08 April 2014 11:18 To: opsec wg mailing list Cc: KK (kk@google.com); draft-ietf-opsec-bgp-security= @tools.ietf.org Subject: Start of 2nd WGLC for draft-ietf-opsec-bgp-security Dear OpSec WG, This starts a 2nd Working Group Last Call for draft-ietf-opsec-bgp-security= . Due to the time taken to integrate all comments from the first WGLC this 2n= d WGLC is initiated. All three authors have replied, stating that they do not know of any IPR as= sociated with this draft. The draft is available here: https://datatracker.ietf.org/doc/draft-ietf-op= sec-bgp-security/ Please review this draft to see if you think it is ready for publication an= d comments to the list, clearly stating your view. This WGLC ends 22-April-2014. Thanks, G/ --_000_c8822f998646410f8404b9e59c02a13fCO1PR05MB442namprd05pro_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

Folks,

This document is very = comprehensive and well-written. Kudos to the authors.

However, please take a= look at the Forward.

&nbs= p; &= nbsp; &nbs= p; &= nbsp; Ron

From: OPSEC [mailto:opsec-bounces@ietf.org] <= b>On Behalf Of Gunter Van de Velde (gvandeve)
Sent: Wednesday, April 16, 2014 7:56 AM
To: opsec wg mailing list
Cc: draft-ietf-opsec-bgp-security@tools.ietf.org; kk@dropbox.com
Subject: Re: [OPSEC] Start of 2nd WGLC for draft-ietf-opsec-bgp-secu= rity

Please = find this reminder to query for your feedback.

&n= bsp;

Brgds,<= o:p>

G/=

&n= bsp;

From: Gunter Van de Velde (gvandeve= )
Sent: 08 April 2014 11:18
To: opsec wg mailing list
Cc: KK (kk@google.com); draft-ietf-opsec-bgp-security@tools.ietf.org
Subject: Start of 2nd WGLC for draft-ietf-opsec-bgp-security

Dear OpSec WG,<= /span>

This starts a 2^nd Working Group Last Call for draft-iet= f-opsec-bgp-security.

Due to the time taken to integrate all comments from the first WGL= C this 2^nd WGLC is initiated.

All three authors have replied, stating that they do not know of a= ny IPR associated with this draft.<= o:p>

The draft is available here:<= span style=3D"font-family:"Arial","sans-serif";color:bl= ack"> https://datatracker.ietf.org/doc/draft-ietf-opsec-bgp-security/=

Please review this draft to see if you think it is ready for publi= cation and comments to the list, clearly stating your view.

This WGLC ends 22-April-2014.

Thanks,<= /p>

--_000_c8822f998646410f8404b9e59c02a13fCO1PR05MB442namprd05pro_-- From nobody Wed Apr 16 07:51:28 2014 Return-Path: X-Original-To: opsec@ietfa.amsl.com Delivered-To: opsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7593F1A01D6 for ; Wed, 16 Apr 2014 07:51:23 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -104.2 X-Spam-Level: X-Spam-Status: No, score=-104.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UMovVWdzRpEv for ; Wed, 16 Apr 2014 07:51:19 -0700 (PDT) Received: from co9outboundpool.messaging.microsoft.com (co9ehsobe004.messaging.microsoft.com [207.46.163.27]) by ietfa.amsl.com (Postfix) with ESMTP id 99B9A1A01C0 for ; Wed, 16 Apr 2014 07:51:19 -0700 (PDT) Received: from mail169-co9-R.bigfish.com (10.236.132.246) by CO9EHSOBE017.bigfish.com (10.236.130.80) with Microsoft SMTP Server id 14.1.225.22; Wed, 16 Apr 2014 14:50:35 +0000 Received: from mail169-co9 (localhost [127.0.0.1]) by mail169-co9-R.bigfish.com (Postfix) with ESMTP id D9C852405DC; Wed, 16 Apr 2014 14:50:34 +0000 (UTC) X-Forefront-Antispam-Report: CIP:157.56.240.101; KIP:(null); UIP:(null); IPV:NLI; H:BL2PRD0510HT002.namprd05.prod.outlook.com; RD:none; EFVD:NLI X-SpamScore: -20 X-BigFish: VPS-20(zz9371Ic85fh4015Izz1f42h2148h1ee6h1de0h1fdah2073h2146h1202h1e76h2189h1d1ah1d2ah21bch1fc6h208chzz1d7338h1de098h1033IL17326ah8275bh8275dh18c673h1de097h186068hz2fh109h2a8h839hd24hf0ah1288h12a5h12bdh137ah1441h1504h1537h153bh162dh1631h1758h18e1h1946h19b5h19ceh1ad9h1b0ah1bceh224fh1d07h1d0ch1d2eh1d3fh1de9h1dfeh1dffh1e1dh1fe8h1ff5h20f0h2216h22d0h2336h2461h2487h24d7h2516h2545h255eh25cch25f6h2605h268bh26c8h26d3h9a9j1155h) Received-SPF: pass (mail169-co9: domain of juniper.net designates 157.56.240.101 as permitted sender) client-ip=157.56.240.101; envelope-from=rbonica@juniper.net; helo=BL2PRD0510HT002.namprd05.prod.outlook.com ; .outlook.com ; X-Forefront-Antispam-Report-Untrusted: SFV:NSPM; SFS:(10009001)(428001)(199002)(189002)(377454003)(164054003)(74316001)(31966008)(20776003)(19300405004)(83072002)(66066001)(19580395003)(33646001)(80976001)(83322001)(85852003)(19580405001)(80022001)(2656002)(79102001)(4396001)(74502001)(81342001)(87936001)(86362001)(92566001)(16236675002)(46102001)(81542001)(54356999)(76482001)(76176999)(50986999)(15202345003)(74662001)(99396002)(99286001)(76576001)(19609705001)(77982001)(15975445006)(24736002); DIR:OUT; SFP:1101; SCL:1; SRVR:CO1PR05MB443; H:CO1PR05MB442.namprd05.prod.outlook.com; FPR:FCBEF03E.BCE295A3.BDC7BF7F.AEA4930.202FC; MLV:sfv; PTR:InfoNoRecords; A:1; MX:1; LANG:en; Received: from mail169-co9 (localhost.localdomain [127.0.0.1]) by mail169-co9 (MessageSwitch) id 1397659833667814_3364; Wed, 16 Apr 2014 14:50:33 +0000 (UTC) Received: from CO9EHSMHS022.bigfish.com (unknown [10.236.132.233]) by mail169-co9.bigfish.com (Postfix) with ESMTP id 98CDCD80063; Wed, 16 Apr 2014 14:50:33 +0000 (UTC) Received: from BL2PRD0510HT002.namprd05.prod.outlook.com (157.56.240.101) by CO9EHSMHS022.bigfish.com (10.236.130.32) with Microsoft SMTP Server (TLS) id 14.16.227.3; Wed, 16 Apr 2014 14:50:32 +0000 Received: from CO1PR05MB443.namprd05.prod.outlook.com (10.141.73.152) by BL2PRD0510HT002.namprd05.prod.outlook.com (10.255.100.37) with Microsoft SMTP Server (TLS) id 14.16.435.0; Wed, 16 Apr 2014 14:50:59 +0000 Received: from CO1PR05MB442.namprd05.prod.outlook.com (10.141.73.146) by CO1PR05MB443.namprd05.prod.outlook.com (10.141.73.152) with Microsoft SMTP Server (TLS) id 15.0.918.8; Wed, 16 Apr 2014 14:50:57 +0000 Received: from CO1PR05MB442.namprd05.prod.outlook.com ([169.254.13.244]) by CO1PR05MB442.namprd05.prod.outlook.com ([169.254.13.244]) with mapi id 15.00.0918.000; Wed, 16 Apr 2014 14:50:56 +0000 From: Ronald Bonica To: "Gunter Van de Velde (gvandeve)" , opsec wg mailing list Thread-Topic: Start of 2nd WGLC for draft-ietf-opsec-bgp-security Thread-Index: Ac9TCpCty6WW3UV9Rc+t1rBkEBAqQQGX/bdQAAN0kZAAAonwsA== Date: Wed, 16 Apr 2014 14:50:56 +0000 Message-ID: References: <67832B1175062E48926BF3CB27C49B24113958CB@xmb-aln-x12.cisco.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [66.129.241.17] x-forefront-prvs: 01834E39B7 Content-Type: multipart/alternative; boundary="_000_cda8642294584887a88ba505424a2c19CO1PR05MB442namprd05pro_" MIME-Version: 1.0 X-OriginatorOrg: juniper.net X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn% Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/EaU9bFz0I6EzGAOm67faDbp806U Cc: "draft-ietf-opsec-bgp-security@tools.ietf.org" , "kk@dropbox.com" Subject: Re: [OPSEC] Start of 2nd WGLC for draft-ietf-opsec-bgp-security X-BeenThere: opsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: opsec wg mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 16 Apr 2014 14:51:23 -0000 --_000_cda8642294584887a88ba505424a2c19CO1PR05MB442namprd05pro_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Folks, In Sections 5.1.1.1 and 5.1.1.2, you say, "Only prefixes with value "False"= in column "Global" MUST be discarded on Internet BGP peerings." This statement is mostly true, but I can think of a corner case. Assume tha= t two autonomous systems are cooperating to provide a DS-lite or some simil= ar service. They might agree to co-ordinate assignment of non-global routes= and exchange non-global routes with one another. = Ron From: Ronald Bonica Sent: Wednesday, April 16, 2014 9:34 AM To: 'Gunter Van de Velde (gvandeve)'; opsec wg mailing list Cc: draft-ietf-opsec-bgp-security@tools.ietf.org; kk@dropbox.com Subject: RE: Start of 2nd WGLC for draft-ietf-opsec-bgp-security Folks, This document is very comprehensive and well-written. Kudos to the authors. However, please take a look at the Forward. Ron From: OPSEC [mailto:opsec-bounces@ietf.org] On Behalf Of Gunter Van de Veld= e (gvandeve) Sent: Wednesday, April 16, 2014 7:56 AM To: opsec wg mailing list Cc: draft-ietf-opsec-bgp-security@tools.ietf.org; kk@dropbox.com Subject: Re: [OPSEC] Start of 2nd WGLC for draft-ietf-opsec-bgp-security Please find this reminder to query for your feedback. Brgds, G/ From: Gunter Van de Velde (gvandeve) Sent: 08 April 2014 11:18 To: opsec wg mailing list Cc: KK (kk@google.com); draft-ietf-opsec-bgp-security= @tools.ietf.org Subject: Start of 2nd WGLC for draft-ietf-opsec-bgp-security Dear OpSec WG, This starts a 2nd Working Group Last Call for draft-ietf-opsec-bgp-security= . Due to the time taken to integrate all comments from the first WGLC this 2n= d WGLC is initiated. All three authors have replied, stating that they do not know of any IPR as= sociated with this draft. The draft is available here: https://datatracker.ietf.org/doc/draft-ietf-op= sec-bgp-security/ Please review this draft to see if you think it is ready for publication an= d comments to the list, clearly stating your view. This WGLC ends 22-April-2014. Thanks, G/ --_000_cda8642294584887a88ba505424a2c19CO1PR05MB442namprd05pro_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

Folks,

In Sections 5.1.=
1.1 and 5.1.1.2, you say, “Only prefixes wi=
th value "False" in column "Global" MUST be discarded o=
n Internet BGP peerings.”

This statement i=
s mostly true, but I can think of a corner case. Assume that two autonomous=
 systems are cooperating to provide a DS-lite or some similar service. They=
 might agree to co-ordinate assignment of non-global routes and exchange no=
n-global routes with one another.

  &nbs=
p;            &=
nbsp;           &nbs=
p;            &=
nbsp;           &nbs=
p;            &=
nbsp;           &nbs=
p;    Ron

From: Ronald Bonica
Sent: Wednesday, April 16, 2014 9:34 AM
To: 'Gunter Van de Velde (gvandeve)'; opsec wg mailing list
Cc: draft-ietf-opsec-bgp-security@tools.ietf.org; kk@dropbox.com
Subject: RE: Start of 2nd WGLC for draft-ietf-opsec-bgp-security

Folks,

This document is very = comprehensive and well-written. Kudos to the authors.

However, please take a= look at the Forward.

&nbs= p; &= nbsp; &nbs= p; &= nbsp; Ron

From: OPSEC [mailto:opsec-bounces@ietf.org] On Behalf Of Gunter Van de Velde (gvandeve)
Sent: Wednesday, April 16, 2014 7:56 AM
To: opsec wg mailing list
Cc: = draft-ietf-opsec-bgp-security@tools.ietf.org; kk@dropbox.com
Subject: Re: [OPSEC] Start of 2nd WGLC for draft-ietf-opsec-bgp-secu= rity

Please = find this reminder to query for your feedback.

&n= bsp;

Brgds,<= o:p>

G/=

&n= bsp;

Dear OpSec WG,<= /span>

This starts a 2^nd Working Group Last Call for draft-iet= f-opsec-bgp-security.

Due to the time taken to integrate all comments from the first WGL= C this 2^nd WGLC is initiated.

All three authors have replied, stating that they do not know of a= ny IPR associated with this draft.<= o:p>

The draft is available here:<= span style=3D"font-family:"Arial","sans-serif";color:bl= ack"> https://datatracker.ietf.org/doc/draft-ietf-opsec-bgp-security/=

Please review this draft to see if you think it is ready for publi= cation and comments to the list, clearly stating your view.

This WGLC ends 22-April-2014.

Thanks,<= /p>

--_000_cda8642294584887a88ba505424a2c19CO1PR05MB442namprd05pro_-- From nobody Wed Apr 16 15:51:44 2014 Return-Path: X-Original-To: opsec@ietfa.amsl.com Delivered-To: opsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F86E1A0359 for ; Wed, 16 Apr 2014 15:51:43 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -9.773 X-Spam-Level: X-Spam-Status: No, score=-9.773 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1HVaYmLpDM6C for ; Wed, 16 Apr 2014 15:51:39 -0700 (PDT) Received: from alln-iport-8.cisco.com (alln-iport-8.cisco.com [173.37.142.95]) by ietfa.amsl.com (Postfix) with ESMTP id DA3791A0299 for ; Wed, 16 Apr 2014 15:51:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3506; q=dns/txt; s=iport; t=1397688695; x=1398898295; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=pII9/rTbR2DY6Eh90VfTX81VIsjJyZ3NSo2H0b3vkoA=; b=Whh6zDXF8aom4ntELsGXHxk5ACflSsR36jMv3dIEGVp02Cqm6lFklNR2 Q9+ZkythpqnfTA9TkuQGsTwkzkwvr06m4ommXVqdNjOIjMdyUh0OAOT0L C1P6eX0VjL2U6Dv8mvurEh2Szk48aj5ZrtwJe46mUpaIOxMprkiTgGRIB I=; X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: AhEFAHMIT1OtJV2a/2dsb2JhbABZgwY7V7t/hziBIRZ0giUBAQEDAQEBARpRCwULAgEIDgMEAQEoBycLFAkIAQEEDgWHdAgNqzCeTxeOLzMHgySBFASYZoE3kRKDMYIr X-IronPort-AV: E=Sophos;i="4.97,875,1389744000"; d="scan'208";a="36453681" Received: from rcdn-core-3.cisco.com ([173.37.93.154]) by alln-iport-8.cisco.com with ESMTP; 16 Apr 2014 22:51:33 +0000 Received: from xhc-aln-x09.cisco.com (xhc-aln-x09.cisco.com [173.36.12.83]) by rcdn-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id s3GMpXUS012784 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Wed, 16 Apr 2014 22:51:33 GMT Received: from xmb-rcd-x01.cisco.com ([169.254.1.229]) by xhc-aln-x09.cisco.com ([173.36.12.83]) with mapi id 14.03.0123.003; Wed, 16 Apr 2014 17:51:33 -0500 From: "Jerome Durand (jerduran)" To: Ronald Bonica Thread-Topic: [OPSEC] Start of 2nd WGLC for draft-ietf-opsec-bgp-security Thread-Index: Ac9TCpCty6WW3UV9Rc+t1rBkEBAqQQGX/bdQAAN0kZAAAonwsAAbc/eA Date: Wed, 16 Apr 2014 22:51:32 +0000 Message-ID: <11F1FD94-5C9A-4653-BC34-214BA9A8A009@cisco.com> References: <67832B1175062E48926BF3CB27C49B24113958CB@xmb-aln-x12.cisco.com> In-Reply-To: Accept-Language: fr-FR, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.61.100.140] Content-Type: text/plain; charset="Windows-1252" Content-ID: <10E5BD0BC042294C9F660C527979FA77@emea.cisco.com> Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/_Tzi1tWnApsxAmUeSShG2d1eBkk Cc: "draft-ietf-opsec-bgp-security@tools.ietf.org" , opsec wg mailing list , "kk@dropbox.com" Subject: Re: [OPSEC] Start of 2nd WGLC for draft-ietf-opsec-bgp-security X-BeenThere: opsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: opsec wg mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 16 Apr 2014 22:51:43 -0000 Thank you Ron for your comment and support, Actually I believe exceptions can more or less happen for every guideline l= isted in the document. My view is that it is better to stay on the generic = case and maybe better highlight in introduction that exceptions happen when= both peers agree to do so. Idea would be that normative language only refe= r to classic peerings (not the exception scenario) so we don't have to chan= ge MUST for SHOULD everywhere in the doc and lower the value of the doc. What do you think? Thanks Jerome Le 16 avr. 2014 =E0 16:50, Ronald Bonica a =E9crit : > Folks, > =20 > In Sections 5.1.1.1 and 5.1.1.2, you say, =93Only prefixes with value "Fa= lse" in column "Global" MUST be discarded on Internet BGP peerings.=94 > =20 > This statement is mostly true, but I can think of a corner case. Assume t= hat two autonomous systems are cooperating to provide a DS-lite or some sim= ilar service. They might agree to co-ordinate assignment of non-global rout= es and exchange non-global routes with one another. > =20 > = Ron > =20 > =20 > From: Ronald Bonica=20 > Sent: Wednesday, April 16, 2014 9:34 AM > To: 'Gunter Van de Velde (gvandeve)'; opsec wg mailing list > Cc: draft-ietf-opsec-bgp-security@tools.ietf.org; kk@dropbox.com > Subject: RE: Start of 2nd WGLC for draft-ietf-opsec-bgp-security > =20 > Folks, > =20 > This document is very comprehensive and well-written. Kudos to the author= s. > =20 > However, please take a look at the Forward. > =20 > Ron > =20 > =20 > From: OPSEC [mailto:opsec-bounces@ietf.org] On Behalf Of Gunter Van de Ve= lde (gvandeve) > Sent: Wednesday, April 16, 2014 7:56 AM > To: opsec wg mailing list > Cc: draft-ietf-opsec-bgp-security@tools.ietf.org; kk@dropbox.com > Subject: Re: [OPSEC] Start of 2nd WGLC for draft-ietf-opsec-bgp-security > =20 > Please find this reminder to query for your feedback. > =20 > Brgds, > G/ > =20 > From: Gunter Van de Velde (gvandeve)=20 > Sent: 08 April 2014 11:18 > To: opsec wg mailing list > Cc: KK (kk@google.com); draft-ietf-opsec-bgp-security@tools.ietf.org > Subject: Start of 2nd WGLC for draft-ietf-opsec-bgp-security > =20 > Dear OpSec WG, > =20 >=20 > This starts a 2nd Working Group Last Call for draft-ietf-opsec-bgp-securi= ty. > Due to the time taken to integrate all comments from the first WGLC this = 2nd WGLC is initiated. > =20 > All three authors have replied, stating that they do not know of any IPR = associated with this draft. > =20 > The draft is available here: https://datatracker.ietf.org/doc/draft-ietf-= opsec-bgp-security/ > =20 > Please review this draft to see if you think it is ready for publication = and comments to the list, clearly stating your view. > =20 >=20 > This WGLC ends 22-April-2014. > =20 >=20 > Thanks, > G/ > =20 > _______________________________________________ > OPSEC mailing list > OPSEC@ietf.org > https://www.ietf.org/mailman/listinfo/opsec -- Jerome Durand Consulting Systems Engineer - Routing & Switching jerduran@cisco.com - +33 6 35 11 60 50 blogs: http://reseauxblog.cisco.fr - http://ipv6blog.cisco.fr twitter: @JeromeDurand linkedin: http://fr.linkedin.com/in/jeromedurand CISCO France 11, rue Camille Desmoulins 92782 Issy les Moulineaux CEDEX 9 FRANCE From nobody Wed Apr 16 16:14:43 2014 Return-Path: X-Original-To: opsec@ietfa.amsl.com Delivered-To: opsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A1A71A03CA for ; Wed, 16 Apr 2014 16:14:39 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -9.773 X-Spam-Level: X-Spam-Status: No, score=-9.773 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pw1D4WF3dErp for ; Wed, 16 Apr 2014 16:14:35 -0700 (PDT) Received: from alln-iport-2.cisco.com (alln-iport-2.cisco.com [173.37.142.89]) by ietfa.amsl.com (Postfix) with ESMTP id DF1E21A03AC for ; Wed, 16 Apr 2014 16:14:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=5489; q=dns/txt; s=iport; t=1397690053; x=1398899653; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=Ad0XisW1d8+Rn3IEluuLxGFHkUXi00wiMxtucj47CNU=; b=bNOkMkRRwwdJ+3/MZ2wosUfmyXaFDg1KKdMllmVSY6Dj6Y042d0nL+He OPH37BlBc7danEmUpAgVHmU1YUVwVtbaY4LewMjl2puKA7W9F79240J23 qOpCvbHZY1AxTpWMaRJLn04/KKiJcVnJmOW7LDwyJ8c/8CM0EccOgbUi4 s=; X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: Ag4FANUNT1OtJA2H/2dsb2JhbABZgwY7V8M3gSEWdIIlAQEBAwFyBxACAQhGMiUBAQQOBYd0CA3JdxeOLy4FB4MkgRQEmGaBN5ESgzGCKw X-IronPort-AV: E=Sophos;i="4.97,875,1389744000"; d="scan'208";a="36449051" Received: from alln-core-2.cisco.com ([173.36.13.135]) by alln-iport-2.cisco.com with ESMTP; 16 Apr 2014 23:14:13 +0000 Received: from xhc-rcd-x12.cisco.com (xhc-rcd-x12.cisco.com [173.37.183.86]) by alln-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id s3GNEDX7010194 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Wed, 16 Apr 2014 23:14:13 GMT Received: from xmb-rcd-x01.cisco.com ([169.254.1.229]) by xhc-rcd-x12.cisco.com ([173.37.183.86]) with mapi id 14.03.0123.003; Wed, 16 Apr 2014 18:14:13 -0500 From: "Jerome Durand (jerduran)" To: "George, Wes" Thread-Topic: [OPSEC] Start of 2nd WGLC for draft-ietf-opsec-bgp-security Thread-Index: Ac9UN2+/T1QHbw+ATLC7yGU3XgLHJQAf9z4AABVG+QABOcUBAA== Date: Wed, 16 Apr 2014 23:14:12 +0000 Message-ID: <950E64EC-8DD6-47CD-9C21-2530577F9A6B@cisco.com> References:

In-Reply-To: Accept-Language: fr-FR, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.61.100.140] Content-Type: text/plain; charset="Windows-1252" Content-ID: Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/RHP0H9io3q6T1omN0eD106uyv4c Cc: "draft-ietf-opsec-bgp-security@tools.ietf.org" , opsec wg mailing list Subject: Re: [OPSEC] Start of 2nd WGLC for draft-ietf-opsec-bgp-security X-BeenThere: opsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: opsec wg mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 16 Apr 2014 23:14:40 -0000 >> TCP sessions used by BGP can be secured with a variety of mechanisms. >> MD5 protection of TCP session header [14] was the first existing >> mechanism. >> It is now deprececated by TCP Authentication Option (TCP-AO, [10]) >> which >> offers stronger protection. IPsec can also be used for this purpose. >> While MD5 is still the most used mechanism due to its availability in >> vendor's equipment, TCP-AO and MD5 SHOULD be preferred when >> implemented. >=20 > Looks fine, although I think you meant to say =93TCP-AO SHOULD be preferr= ed=94 > not =93TCP-AO and MD5 SHOULD=94 in the last sentence. Indeed! >>> Section 3- may want to mention rate-limiting accepted traffic in >>> addition to strict filtering of unacceptable traffic >>=20 >> Maybe a note on that. We probably don't want to start discussing the >> right thresholds here. >=20 > Agree >=20 >>> 5.2.1 (or possibly section 8) - Filtering peer ASes inbound from >>> customers? (in this case =93peer=94 meaning a non-transit interconnect,= not >>> just someone you are connected to via BGP) I.e. If I know that I should >>> only receive routes with 701 in the path from 701 because I do not use >>> any other ASN as transit to reach 701, I should filter routes inbound >>> from other sources to ensure that they don=92t announce routes with tha= t >>> path. This is somewhere between the strict IRR based filters and the >>> loose filters, and depends on the topology of the network and my >>> business relationships, but I think it=92s a useful point to make to ad= d >>> some additional safety filtering to prevent =93my idiot customer is try= ing >>> to re-announce the internet to me=94 along with max-prefix, which you >>> already cover. >>=20 >> I think that first bullet of section 8 is saying this. We are saying we >> need to make sure we receive only identified ASes from customer, we >> probably don't need to add we have to filter the ones we don't want. Tel= l >> me if I didn't understand your point. Feel free to propose some modified >> text. >=20 > You=92re right, it=92s mostly saying that. I think the model you=92re adv= ocating > is a filter that explicitly permits certain ASNs, generated uniquely for > each customer, meaning each has an implicit deny of anything that isn=92t > explicitly permitted. That=92s certainly the better model. My suggestion = was > more for the second case =93if you cannot build filters=85=94, where buil= ding a > short list of explicitly denied ASNs that you should never see from *any* > downstream customer (i.e. The ASNs of your peers and/or upstream transit > providers) to a non-customer-specific filter that can be globally applied > on all customer BGP sessions provides a useful safety mechanism beyond > AS-path-length limits, and protects if the customer-specific filter is > inadvertently not applied (since that never happens :-) ). > Hope that=92s clearer. It is, thanks. I propose to slightly change the end of the first bullet the= n: o You SHOULD accept from customers only AS(4)-Paths containing ASNs belonging to (or authorized to transit through) the customer. If you can not build and generate filtering expressions to implement this, consider accepting only path lengths relevant to the type of customer you have (as in, if they are a leaf or have customers of their own), try to discourage excessive prepending in such paths. *This loose policy could be combined with filters for specific AS(4)-Paths that must not be accepted if advertised by the customer.* Please tell me if that does the job. Feel free to propose an laternative te= xt if not. >>> This may be something that the RFC editor will fix, but it would be >>> preferable to use the actual draft name or RFC number as the reference >>> tag instead of numeric tags, so that the reader knows what you are >>> referencing without having to jump to footnotes each time. >>=20 >> If RFC editor can fix it I buy the idea. Otherwise you need to explain t= o >> me how to do it easily :) >=20 > I just looked briefly at your XML compared with one of my drafts, and I > can=92t see how it=92s different, so I=92m actually not sure how to fix, = so I > guess let=92s don=92t worry about it. Good! Thanks agin for your suport! Jerome >=20 > Wes George >=20 >=20 > This E-mail and any of its attachments may contain Time Warner Cable prop= rietary information, which is privileged, confidential, or subject to copyr= ight belonging to Time Warner Cable. This E-mail is intended solely for the= use of the individual or entity to which it is addressed. If you are not t= he intended recipient of this E-mail, you are hereby notified that any diss= emination, distribution, copying, or action taken in relation to the conten= ts of and attachments to this E-mail is strictly prohibited and may be unla= wful. If you have received this E-mail in error, please notify the sender i= mmediately and permanently delete the original and any copy of this E-mail = and any printout. -- Jerome Durand Consulting Systems Engineer - Routing & Switching jerduran@cisco.com - +33 6 35 11 60 50 blogs: http://reseauxblog.cisco.fr - http://ipv6blog.cisco.fr twitter: @JeromeDurand linkedin: http://fr.linkedin.com/in/jeromedurand CISCO France 11, rue Camille Desmoulins 92782 Issy les Moulineaux CEDEX 9 FRANCE From nobody Wed Apr 16 22:55:45 2014 Return-Path: X-Original-To: opsec@ietfa.amsl.com Delivered-To: opsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1479E1A0439 for ; Wed, 16 Apr 2014 22:55:42 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.302 X-Spam-Level: X-Spam-Status: No, score=-1.302 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_37=0.6, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bDJfYRRhTuda for ; Wed, 16 Apr 2014 22:55:38 -0700 (PDT) Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:8240:6:a::1]) by ietfa.amsl.com (Postfix) with ESMTP id BCEF61A0458 for ; Wed, 16 Apr 2014 22:55:37 -0700 (PDT) Received: from [2001:5c0:1000:a::c59] by web01.jbserver.net with esmtpsa (TLSv1:DHE-RSA-AES128-SHA:128) (Exim 4.82) (envelope-from ) id 1WafII-0002uJ-J7; Thu, 17 Apr 2014 07:55:30 +0200 Message-ID: <534F6CCF.9020506@si6networks.com> Date: Thu, 17 Apr 2014 02:55:27 -0300 From: Fernando Gont User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: "'opsec@ietf.org'" References: <20140416024729.24745.47144.idtracker@ietfa.amsl.com> In-Reply-To: <20140416024729.24745.47144.idtracker@ietfa.amsl.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/4-Mej62viW_2jJJDzhOxueQCz6c Subject: [OPSEC] Revision of the IPv6 Firewalls document (Fwd: New Version Notification for draft-gont-opsec-ipv6-firewall-reqs-01.txt) X-BeenThere: opsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: opsec wg mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 17 Apr 2014 05:55:42 -0000 Folks, We have published a revision of the IPv6 firewalls I-D. Please find it at: . We have incorporated virtually all the comments received so far... which have been a lot (both on- and off-list). Among the changes are: * We have clarified the requirements language. * We have clarified some of the existing requirements, and addded new ones. * We have incorporated many references that were missing in the -00 version. * We incorporated some words in the area of performance -- which tends to be pretty critical, as has been shown during the Berlin ipv6hackers meeting last year. If you provided feedback on the -00 version of the I-D, please do let us know if we have addressed your comments. If you haven't provided feedback on the -00 version, please do it for this one (-01). Thanks! Best regards, Fernando -------- Original Message -------- Subject: New Version Notification for draft-gont-opsec-ipv6-firewall-reqs-01.txt Date: Tue, 15 Apr 2014 19:47:29 -0700 From: internet-drafts@ietf.org To: Will Liu , "Shucheng LIU (Will)" , Fernando Gont , "Fernando Gont" , Marco Ermini , "Marco Ermini" A new version of I-D, draft-gont-opsec-ipv6-firewall-reqs-01.txt has been successfully submitted by Fernando Gont and posted to the IETF repository. Name: draft-gont-opsec-ipv6-firewall-reqs Revision: 01 Title: Requirements for IPv6 Enterprise Firewalls Document date: 2014-04-16 Group: Individual Submission Pages: 18 URL: http://www.ietf.org/internet-drafts/draft-gont-opsec-ipv6-firewall-reqs-01.txt Status: https://datatracker.ietf.org/doc/draft-gont-opsec-ipv6-firewall-reqs/ Htmlized: http://tools.ietf.org/html/draft-gont-opsec-ipv6-firewall-reqs-01 Diff: http://www.ietf.org/rfcdiff?url2=draft-gont-opsec-ipv6-firewall-reqs-01 Abstract: While there has been some work in the area of firewalls, concrete requirements for IPv6 firewalls have never been specified in the RFC series. The more limited experience with the IPv6 protocols and the more reduced number of firewalls that support IPv6 has made it rather difficult to infer what are reasonable features to expect in an IPv6 firewall. This has typically been a problem for network operators, who typically have to produce a "Request for Proposal" from scratch that describes such features. This document specifies a set of requirements for IPv6 firewalls, in order to establish some common- ground in terms of what features can be expected in them. Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org. The IETF Secretariat From nobody Thu Apr 17 07:45:51 2014 Return-Path: X-Original-To: opsec@ietfa.amsl.com Delivered-To: opsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6B5D41A01CB for ; Thu, 17 Apr 2014 07:45:50 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.737 X-Spam-Level: X-Spam-Status: No, score=-0.737 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_MODEMCABLE=0.768, HOST_EQ_MODEMCABLE=1.368, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D_WevQm8VMiZ for ; Thu, 17 Apr 2014 07:45:49 -0700 (PDT) Received: from cdpipgw01.twcable.com (cdpipgw01.twcable.com [165.237.59.22]) by ietfa.amsl.com (Postfix) with ESMTP id 384411A0166 for ; Thu, 17 Apr 2014 07:45:49 -0700 (PDT) X-SENDER-IP: 10.136.163.12 X-SENDER-REPUTATION: None X-IronPort-AV: E=Sophos;i="4.97,879,1389762000"; d="scan'208";a="273396792" Received: from unknown (HELO PRVPEXHUB03.corp.twcable.com) ([10.136.163.12]) by cdpipgw01.twcable.com with ESMTP/TLS/RC4-MD5; 17 Apr 2014 10:45:17 -0400 Received: from PRVPEXVS15.corp.twcable.com ([10.136.163.79]) by PRVPEXHUB03.corp.twcable.com ([10.136.163.12]) with mapi; Thu, 17 Apr 2014 10:45:41 -0400 From: "George, Wes" To: "Jerome Durand (jerduran)" Date: Thu, 17 Apr 2014 10:45:41 -0400 Thread-Topic: [OPSEC] Start of 2nd WGLC for draft-ietf-opsec-bgp-security Thread-Index: Ac9aS7S8oZ3MFxLCRwCLDTeb/CIbvw== Message-ID: References:

<950E64EC-8DD6-47CD-9C21-2530577F9A6B@cisco.com> In-Reply-To: <950E64EC-8DD6-47CD-9C21-2530577F9A6B@cisco.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: user-agent: Microsoft-MacOutlook/14.4.1.140326 acceptlanguage: en-US Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 MIME-Version: 1.0 Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/jyFF_egUcA5ws0SbtzSnoNULveM Cc: "draft-ietf-opsec-bgp-security@tools.ietf.org" , opsec wg mailing list Subject: Re: [OPSEC] Start of 2nd WGLC for draft-ietf-opsec-bgp-security X-BeenThere: opsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: opsec wg mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 17 Apr 2014 14:45:50 -0000 T24gNC8xNi8xNCwgNzoxNCBQTSwgIkplcm9tZSBEdXJhbmQgKGplcmR1cmFuKSIgPGplcmR1cmFu QGNpc2NvLmNvbT4gd3JvdGU6DQoNCj5JdCBpcywgdGhhbmtzLiBJIHByb3Bvc2UgdG8gc2xpZ2h0 bHkgY2hhbmdlIHRoZSBlbmQgb2YgdGhlIGZpcnN0IGJ1bGxldA0KPnRoZW46DQo+DQo+ICAgbyAg WW91IFNIT1VMRCBhY2NlcHQgZnJvbSBjdXN0b21lcnMgb25seSBBUyg0KS1QYXRocyBjb250YWlu aW5nIEFTTnMNCj4gICAgICBiZWxvbmdpbmcgdG8gKG9yIGF1dGhvcml6ZWQgdG8gdHJhbnNpdCB0 aHJvdWdoKSB0aGUgY3VzdG9tZXIuICBJZg0KPiAgICAgIHlvdSBjYW4gbm90IGJ1aWxkIGFuZCBn ZW5lcmF0ZSBmaWx0ZXJpbmcgZXhwcmVzc2lvbnMgdG8gaW1wbGVtZW50DQo+ICAgICAgdGhpcywg Y29uc2lkZXIgYWNjZXB0aW5nIG9ubHkgcGF0aCBsZW5ndGhzIHJlbGV2YW50IHRvIHRoZSB0eXBl IG9mDQo+ICAgICAgY3VzdG9tZXIgeW91IGhhdmUgKGFzIGluLCBpZiB0aGV5IGFyZSBhIGxlYWYg b3IgaGF2ZSBjdXN0b21lcnMgb2YNCj4gICAgICB0aGVpciBvd24pLCB0cnkgdG8gZGlzY291cmFn ZSBleGNlc3NpdmUgcHJlcGVuZGluZyBpbiBzdWNoIHBhdGhzLg0KPiAgICAgICpUaGlzIGxvb3Nl IHBvbGljeSBjb3VsZCBiZSBjb21iaW5lZCB3aXRoIGZpbHRlcnMgZm9yIHNwZWNpZmljDQo+ICAg ICAgQVMoNCktUGF0aHMgdGhhdCBtdXN0IG5vdCBiZSBhY2NlcHRlZCBpZiBhZHZlcnRpc2VkIGJ5 IHRoZQ0KPiAgICAgIGN1c3RvbWVyLioNCg0KSSBzdWdnZXN0IGEgc2xpZ2h0IGFkZGl0aW9uLSDi gJxUaGlzIGxvb3NlIHBvbGljeSBjb3VsZCBiZSBjb21iaW5lZCB3aXRoDQpmaWx0ZXJzIGZvciBz cGVjaWZpYyBBUyg0KS1QYXRocyB0aGF0IG11c3Qgbm90IGJlIGFjY2VwdGVkIGlmIGFkdmVydGlz ZWQNCmJ5IHRoZSBjdXN0b21lciwgc3VjaCBhcyB1cHN0cmVhbSB0cmFuc2l0IHByb3ZpZGVyIG9y IHBlZXIgQVNOcy7igJ0NCg0KSSB0aGluayB0aGUgZXhhbXBsZXMgbWFrZSBpdCBjbGVhcmVyIHdo YXQgd2UgbWVhbi4NCg0KV2VzDQoNCg0KVGhpcyBFLW1haWwgYW5kIGFueSBvZiBpdHMgYXR0YWNo bWVudHMgbWF5IGNvbnRhaW4gVGltZSBXYXJuZXIgQ2FibGUgcHJvcHJpZXRhcnkgaW5mb3JtYXRp b24sIHdoaWNoIGlzIHByaXZpbGVnZWQsIGNvbmZpZGVudGlhbCwgb3Igc3ViamVjdCB0byBjb3B5 cmlnaHQgYmVsb25naW5nIHRvIFRpbWUgV2FybmVyIENhYmxlLiBUaGlzIEUtbWFpbCBpcyBpbnRl bmRlZCBzb2xlbHkgZm9yIHRoZSB1c2Ugb2YgdGhlIGluZGl2aWR1YWwgb3IgZW50aXR5IHRvIHdo aWNoIGl0IGlzIGFkZHJlc3NlZC4gSWYgeW91IGFyZSBub3QgdGhlIGludGVuZGVkIHJlY2lwaWVu dCBvZiB0aGlzIEUtbWFpbCwgeW91IGFyZSBoZXJlYnkgbm90aWZpZWQgdGhhdCBhbnkgZGlzc2Vt aW5hdGlvbiwgZGlzdHJpYnV0aW9uLCBjb3B5aW5nLCBvciBhY3Rpb24gdGFrZW4gaW4gcmVsYXRp b24gdG8gdGhlIGNvbnRlbnRzIG9mIGFuZCBhdHRhY2htZW50cyB0byB0aGlzIEUtbWFpbCBpcyBz dHJpY3RseSBwcm9oaWJpdGVkIGFuZCBtYXkgYmUgdW5sYXdmdWwuIElmIHlvdSBoYXZlIHJlY2Vp dmVkIHRoaXMgRS1tYWlsIGluIGVycm9yLCBwbGVhc2Ugbm90aWZ5IHRoZSBzZW5kZXIgaW1tZWRp YXRlbHkgYW5kIHBlcm1hbmVudGx5IGRlbGV0ZSB0aGUgb3JpZ2luYWwgYW5kIGFueSBjb3B5IG9m IHRoaXMgRS1tYWlsIGFuZCBhbnkgcHJpbnRvdXQuDQo= From nobody Thu Apr 17 11:45:12 2014 Return-Path: X-Original-To: opsec@ietfa.amsl.com Delivered-To: opsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5E241A019C for ; Thu, 17 Apr 2014 11:45:09 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -104.201 X-Spam-Level: X-Spam-Status: No, score=-104.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Oh8fOqr24H_7 for ; Thu, 17 Apr 2014 11:45:04 -0700 (PDT) Received: from co9outboundpool.messaging.microsoft.com (co9ehsobe002.messaging.microsoft.com [207.46.163.25]) by ietfa.amsl.com (Postfix) with ESMTP id 9A2821A017A for ; Thu, 17 Apr 2014 11:45:04 -0700 (PDT) Received: from mail198-co9-R.bigfish.com (10.236.132.226) by CO9EHSOBE042.bigfish.com (10.236.130.105) with Microsoft SMTP Server id 14.1.225.22; Thu, 17 Apr 2014 18:44:16 +0000 Received: from mail198-co9 (localhost [127.0.0.1]) by mail198-co9-R.bigfish.com (Postfix) with ESMTP id 749D23C02D4; Thu, 17 Apr 2014 18:44:16 +0000 (UTC) X-Forefront-Antispam-Report: CIP:157.56.240.101; KIP:(null); UIP:(null); IPV:NLI; H:BL2PRD0510HT001.namprd05.prod.outlook.com; RD:none; EFVD:NLI X-SpamScore: -23 X-BigFish: VPS-23(zz9371Ic89bh542I1dbaI1432I4015Izz1f42h2148h1ee6h1de0h1fdah2073h2146h1202h1e76h2189h1d1ah1d2ah21bch1fc6h208chzz8275ch1de098h1033IL17326ah8275bh8275dh1de097h186068h1954cbhz2fh109h2a8h839h947hd24hf0ah1288h12a5h12a9h12bdh137ah13b6h1441h1504h1537h153bh162dh1631h1758h18e1h1946h19b5h19ceh1ad9h1b0ah224fh1d07h1d0ch1d2eh1d3fh1de9h1dfeh1dffh1e1dh1fe8h1ff5h2216h22d0h2336h2461h2487h24d7h2516h2545h255eh25cch25f6h2605h268bh26c8h26d3h9a9j1155h) Received-SPF: pass (mail198-co9: domain of juniper.net designates 157.56.240.101 as permitted sender) client-ip=157.56.240.101; envelope-from=rbonica@juniper.net; helo=BL2PRD0510HT001.namprd05.prod.outlook.com ; .outlook.com ; X-Forefront-Antispam-Report-Untrusted: SFV:NSPM; SFS:(10009001)(6009001)(428001)(377454003)(13464003)(164054003)(189002)(199002)(51704005)(2656002)(4396001)(19580405001)(50986999)(76576001)(76176999)(87936001)(54356999)(86362001)(74502001)(46102001)(81342001)(16601075003)(66066001)(80022001)(76482001)(15975445006)(81542001)(99396002)(74662001)(80976001)(15202345003)(19580395003)(83322001)(74316001)(79102001)(20776003)(83072002)(85852003)(33646001)(77982001)(99286001)(24736002); DIR:OUT; SFP:1101; SCL:1; SRVR:CO1PR05MB442; H:CO1PR05MB442.namprd05.prod.outlook.com; FPR:FF9FF13E.9CF29590.BDC77F6F.8EEAF113.2047F; MLV:sfv; PTR:InfoNoRecords; MX:1; A:1; LANG:en; Received: from mail198-co9 (localhost.localdomain [127.0.0.1]) by mail198-co9 (MessageSwitch) id 139776025426545_24408; Thu, 17 Apr 2014 18:44:14 +0000 (UTC) Received: from CO9EHSMHS017.bigfish.com (unknown [10.236.132.232]) by mail198-co9.bigfish.com (Postfix) with ESMTP id EC0BE98006E; Thu, 17 Apr 2014 18:44:13 +0000 (UTC) Received: from BL2PRD0510HT001.namprd05.prod.outlook.com (157.56.240.101) by CO9EHSMHS017.bigfish.com (10.236.130.27) with Microsoft SMTP Server (TLS) id 14.16.227.3; Thu, 17 Apr 2014 18:44:14 +0000 Received: from CO1PR05MB442.namprd05.prod.outlook.com (10.141.73.146) by BL2PRD0510HT001.namprd05.prod.outlook.com (10.255.100.36) with Microsoft SMTP Server (TLS) id 14.16.435.0; Thu, 17 Apr 2014 18:44:57 +0000 Received: from CO1PR05MB442.namprd05.prod.outlook.com (10.141.73.146) by CO1PR05MB442.namprd05.prod.outlook.com (10.141.73.146) with Microsoft SMTP Server (TLS) id 15.0.918.8; Thu, 17 Apr 2014 18:44:55 +0000 Received: from CO1PR05MB442.namprd05.prod.outlook.com ([169.254.13.244]) by CO1PR05MB442.namprd05.prod.outlook.com ([169.254.13.244]) with mapi id 15.00.0918.000; Thu, 17 Apr 2014 18:44:55 +0000 From: Ronald Bonica To: "Jerome Durand (jerduran)" Thread-Topic: [OPSEC] Start of 2nd WGLC for draft-ietf-opsec-bgp-security Thread-Index: Ac9TCpCty6WW3UV9Rc+t1rBkEBAqQQGX/bdQAAN0kZAAAonwsAAbc/eAAB8yBgA= Date: Thu, 17 Apr 2014 18:44:54 +0000 Message-ID: <4e776d1376d44c3c8e71f2a4a7d07d86@CO1PR05MB442.namprd05.prod.outlook.com> References: <67832B1175062E48926BF3CB27C49B24113958CB@xmb-aln-x12.cisco.com> <11F1FD94-5C9A-4653-BC34-214BA9A8A009@cisco.com> In-Reply-To: <11F1FD94-5C9A-4653-BC34-214BA9A8A009@cisco.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [66.129.241.12] x-forefront-prvs: 01842C458A Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: juniper.net X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn% Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/twuT7P3Q32OiNBYAxgWXeYIKV5M Cc: "draft-ietf-opsec-bgp-security@tools.ietf.org" , opsec wg mailing list , "kk@dropbox.com" Subject: Re: [OPSEC] Start of 2nd WGLC for draft-ietf-opsec-bgp-security X-BeenThere: opsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: opsec wg mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 17 Apr 2014 18:45:10 -0000 Jerome, Your approach may work. Since you can't soften the 2119 definition of the w= ord "MUST", you will have to do something clever in the Introduction to res= trict the scope if the document's recommendations.=20 How will you do this? = Ron -----Original Message----- From: Jerome Durand (jerduran) [mailto:jerduran@cisco.com]=20 Sent: Wednesday, April 16, 2014 6:52 PM To: Ronald Bonica Cc: Gunter Van de Velde (gvandeve); opsec wg mailing list; draft-ietf-opsec= -bgp-security@tools.ietf.org; kk@dropbox.com Subject: Re: [OPSEC] Start of 2nd WGLC for draft-ietf-opsec-bgp-security Thank you Ron for your comment and support, Actually I believe exceptions can more or less happen for every guideline l= isted in the document. My view is that it is better to stay on the generic = case and maybe better highlight in introduction that exceptions happen when= both peers agree to do so. Idea would be that normative language only refe= r to classic peerings (not the exception scenario) so we don't have to chan= ge MUST for SHOULD everywhere in the doc and lower the value of the doc. What do you think? Thanks Jerome Le 16 avr. 2014 =E0 16:50, Ronald Bonica