
From nobody Mon Oct  5 08:57:59 2015
Return-Path: <evyncke@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D22B1B3213; Mon,  5 Oct 2015 08:57:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.511
X-Spam-Level: 
X-Spam-Status: No, score=-14.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RP0cJ6s-TLKh; Mon,  5 Oct 2015 08:57:50 -0700 (PDT)
Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8F4BA1B31FE; Mon,  5 Oct 2015 08:57:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=8976; q=dns/txt; s=iport; t=1444060644; x=1445270244; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=2hmYvAMGDAEn8eMIQn77S14g6VFJIB/wznuz2DDm02Q=; b=ePU57/qa22knopQ4235KIrodQFqcXr1BtzIK7G+LBA6IsV+3MYFC5Ps0 Epf9o7AF7+rNnYjOVZOPEYAgBxTr0kb7QtG4UQyRztn1/WnzSIXOwE0eP 4WXh+vT/Xih1f1MMVd3AZaQzjFa0r0s9slKz7mtso51UJEKuwSz1Pnnd4 I=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AOAgDknBJW/40NJK1egydUbga+DQENgVoXDIV3AhyBFTgUAQEBAQEBAYEKhCQBAQEEAQEBIBE5AQkCEAIBCA4DAwECAwIfBwICAiULFQgIAgQBDQUUiBoNqHSUCAEBAQEBAQEBAQEBAQEBAQEBAQEBAReBIoVRAYR9hDUlGBsHBoJjgUMBBI0FiHcBhRaIAIFWR4NxgyOOQ4NuAR8BAUKCRIE+cYZ2AR8EH4EGAQEB
X-IronPort-AV: E=Sophos;i="5.17,639,1437436800"; d="scan'208";a="34603285"
Received: from alln-core-8.cisco.com ([173.36.13.141]) by rcdn-iport-4.cisco.com with ESMTP; 05 Oct 2015 15:57:23 +0000
Received: from XCH-RCD-013.cisco.com (xch-rcd-013.cisco.com [173.37.102.23]) by alln-core-8.cisco.com (8.14.5/8.14.5) with ESMTP id t95FvKnN003267 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 5 Oct 2015 15:57:22 GMT
Received: from xch-rcd-015.cisco.com (173.37.102.25) by XCH-RCD-013.cisco.com (173.37.102.23) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Mon, 5 Oct 2015 10:57:20 -0500
Received: from xch-rcd-015.cisco.com ([173.37.102.25]) by XCH-RCD-015.cisco.com ([173.37.102.25]) with mapi id 15.00.1104.000; Mon, 5 Oct 2015 10:57:20 -0500
From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: Fernando Gont <fgont@si6networks.com>, "opsawg@ietf.org" <opsawg@ietf.org>
Thread-Topic: [OPSEC] "On Firewalls in Internet Security" (Fwd: New Version Notification for draft-gont-opsawg-firewalls-analysis-00.txt)
Thread-Index: AQHQ71LND9NEJgM1I0iEabKS/qboHJ5do7gA
Date: Mon, 5 Oct 2015 15:57:20 +0000
Message-ID: <D2386149.59FC9%evyncke@cisco.com>
References: <20150915004941.13204.35415.idtracker@ietfa.amsl.com> <55F76EA7.6090405@si6networks.com>
In-Reply-To: <55F76EA7.6090405@si6networks.com>
Accept-Language: fr-FR, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
user-agent: Microsoft-MacOutlook/14.5.5.150821
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.60.138.46]
Content-Type: text/plain; charset="utf-8"
Content-ID: <DD1BA57B1695D24BA46E9F064799130D@emea.cisco.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/opsec/shaKUibdKVtWOhxUdrWnloPleUQ>
Cc: TSV Area <tsv-area@ietf.org>, "'opsec@ietf.org'" <opsec@ietf.org>, Internet Area <int-area@ietf.org>, tsvwg <tsvwg@ietf.org>, IPv6 Operations <v6ops@ietf.org>
Subject: Re: [OPSEC] "On Firewalls in Internet Security" (Fwd: New Version Notification for draft-gont-opsawg-firewalls-analysis-00.txt)
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Oct 2015 15:57:52 -0000



From nobody Tue Oct  6 10:11:30 2015
Return-Path: <wwwrun@rfc-editor.org>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB8331ACF54 for <opsec@ietfa.amsl.com>; Tue,  6 Oct 2015 10:11:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.912
X-Spam-Level: 
X-Spam-Status: No, score=-101.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YvMw4LjA3HQ3 for <opsec@ietfa.amsl.com>; Tue,  6 Oct 2015 10:11:28 -0700 (PDT)
Received: from rfc-editor.org (rfc-editor.org [IPv6:2001:1900:3001:11::31]) by ietfa.amsl.com (Postfix) with ESMTP id AB6B61ACF24 for <opsec@ietf.org>; Tue,  6 Oct 2015 10:11:28 -0700 (PDT)
Received: by rfc-editor.org (Postfix, from userid 30) id ECDED180208; Tue,  6 Oct 2015 10:10:17 -0700 (PDT)
To: fernando@gont.com.ar, bclaise@cisco.com, joelja@bogus.com, gunter@vandevelde.cc, evyncke@cisco.com
X-PHP-Originating-Script: 30:errata_mail_lib.php
From: RFC Errata System <rfc-editor@rfc-editor.org>
Message-Id: <20151006171017.ECDED180208@rfc-editor.org>
Date: Tue,  6 Oct 2015 10:10:17 -0700 (PDT)
Archived-At: <http://mailarchive.ietf.org/arch/msg/opsec/KI-ykNbKFFmoJ0cZnrMKDA9V0fA>
Cc: alexander.okonnikov@gmail.com, opsec@ietf.org, rfc-editor@rfc-editor.org
Subject: [OPSEC] [Editorial Errata Reported] RFC6274 (4494)
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Oct 2015 17:11:30 -0000

The following errata report has been submitted for RFC6274,
"Security Assessment of the Internet Protocol Version 4".

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata_search.php?rfc=6274&eid=4494

--------------------------------------
Type: Editorial
Reported by: Alexander Okonnikov <alexander.okonnikov@gmail.com>

Section: 3.6

Original Text
-------------
In Figure 3, an attacker sends ...

Corrected Text
--------------
In Figure 5, an attacker sends ...

Notes
-----
Text immediately below Figure 5 incorrectly references figure number 3.

Instructions:
-------------
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party (IESG)
can log in to change the status and edit the report, if necessary. 

--------------------------------------
RFC6274 (draft-ietf-opsec-ip-security-07)
--------------------------------------
Title               : Security Assessment of the Internet Protocol Version 4
Publication Date    : July 2011
Author(s)           : F. Gont
Category            : INFORMATIONAL
Source              : Operational Security Capabilities for IP Network Infrastructure
Area                : Operations and Management
Stream              : IETF
Verifying Party     : IESG


From nobody Fri Oct  9 03:25:49 2015
Return-Path: <fgont@si6networks.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 498151A8AAE; Fri,  9 Oct 2015 03:25:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level: 
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 78aoGP_iibxw; Fri,  9 Oct 2015 03:25:42 -0700 (PDT)
Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:8240:6:a::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 287FF1A8AAD; Fri,  9 Oct 2015 03:25:41 -0700 (PDT)
Received: from 17-182-245-190.fibertel.com.ar ([190.245.182.17] helo=[192.168.3.107]) by web01.jbserver.net with esmtpsa (TLSv1.2:DHE-RSA-AES128-SHA:128) (Exim 4.85) (envelope-from <fgont@si6networks.com>) id 1ZkUrl-0005m9-HF; Fri, 09 Oct 2015 12:25:34 +0200
To: "Eric Vyncke (evyncke)" <evyncke@cisco.com>, "opsawg@ietf.org" <opsawg@ietf.org>
References: <20150915004941.13204.35415.idtracker@ietfa.amsl.com> <55F76EA7.6090405@si6networks.com> <D2386149.59FC9%evyncke@cisco.com>
From: Fernando Gont <fgont@si6networks.com>
X-Enigmail-Draft-Status: N1110
Message-ID: <56179631.8060803@si6networks.com>
Date: Fri, 9 Oct 2015 07:25:53 -0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0
MIME-Version: 1.0
In-Reply-To: <D2386149.59FC9%evyncke@cisco.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/opsec/xwhIJwkYw93raGyEKPsZAV62p6Q>
Cc: IPv6 Operations <v6ops@ietf.org>, Internet Area <int-area@ietf.org>, tsvwg <tsvwg@ietf.org>, draft-gont-opsawg-firewalls-analysis@tools.ietf.org, "'opsec@ietf.org'" <opsec@ietf.org>, TSV Area <tsv-area@ietf.org>
Subject: Re: [OPSEC] "On Firewalls in Internet Security" (Fwd: New Version Notification for draft-gont-opsawg-firewalls-analysis-00.txt)
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Oct 2015 10:25:45 -0000

Hi, Eric,

Thanks so much for your feedback! Please find my comments in-line....


On 10/05/2015 12:57 PM, Eric Vyncke (evyncke) wrote:
> Fernando, Fred and Paul,
> 
> Sorry for belated reply, here are a couple of comments:
> 
> The title is a little ambiguous IMHO it is "On Firewalls in Security"
> (because they also apply inside an 'intranet') or "On Firewalls in
> Internet Protocol (IP) Security" or "On firewalls and Security of the
> Internet" ?

How about "On Firewalls in Network Security"?


> The introduction looks more like an history, so should perhaps be renamed?

How about splitting the historical part into a stand-alone section
renamed as "Firewalls in the IETF" or the like?



> Terminology section should perhaps appear more like an usual terminology
> section and not as a free-form text?

mm.. I guess that from the current contents we can define "firewall" and
"perimeter"?



> Section 3.2 (end to end principle) is interesting but is a little complex
> to read.

Any suggestions on how to improve the text?



> Section 3.3, unsure whether I am reading it correctly but I don't agree
> with the statement that firewall can protect the (network) infrastructure
> against DoS attack (as hinted by "message volume overwhelms"). Rate
> limiters or DoS scrubbing devices do not qualify as 'firewall' IMHO.

Could you elaborate a bit?  e.g., why wouldn't a rate-limiter qualify as
a firewall?



> I think section 3.4 (a good one) rather belongs to section 4 and should
> align the taxonomy.

Yep. Looks like we could move this into the base Section 4. (Or were you
meaning something else?)




> Section 4.1, split the first paragraph in two parts. The second one being
> the example given => to make it clear that the "sessions may never be
> initiated from the outside" belongs to the example only

OK, will do.



> Section 4.1, 2nd paragraph, the word 'testing' has an active tone in my
> (non native) English, why not using a more passive verb such as "inspect"
> or "check" ?

Agreed. Will do.



> Section 4.1, at the risk of appearing as 'purist', I would move the NAT
> section from this section and create one on this topic.

Please let me think about this one. If you have any suggestions regarding
where in the I-D you'd put such a section, please let me know.



> Section 4.2, or rather the perimeter exists but it very very small : one
> physical link :-) or wider: one logical perimeter without any strict
> geographical boundaries.

Yes. :-)



> Section 4.2, should make it clear that the 'tagging' is required (being
> IEEE 802.1Q VLAN tag or ...),

OK.


> and, the end of the section is rather
> negative on this specific FW.

I see... any hints for improvement?



> Section 4.3, I like it of course :-), and I agree there are now scalable
> algorithm to detect anomalies even with a single node (thanks to
> self-learning :-))

Could you elaborate a bit? :-)




> Section 4.3, "Reputation databases have a bad reputation" is a fun
> sentence :-)

Indeed! :-)



> Section 5, I would also use the words of white and black lists as they are
> well-known. I wonder also why there is a specific section 5.1 without a
> section 5.2? 

Section 5.2 was forthcoming... (will hopefully be there in version -01
of the I-D)


> I would remove this heading and keep the text. Don't forget
> to mention HTTP 2.0 & works such as QUIC.

Will do.



> Section 6, should also mention that FTP & SIP can be used for dynamic
> ports.

Will do.


> It should also mention/repeat that port 80 is not only about HTTP
> but for many protocols 'tunneled' over HTTP.

Will do.



> Section 6, temporary addresses are indeed annoying in some cases but IP
> addresses can also be spoofed.

What we meant here is that things like IPv6 temporary addresses change
such assumption.


But yes, we should comment on spoofing.


> Should mention anti-spoofing? And/or IPSEC
> AH?

Anti spoofing in terms of RPF, or something else?



> Section 7 is about layer-3/layer-4 'packet filtering' which is a specific
> kind of firewalls while the I-D title appears to be more generic. I
> suggest to keep the section but make title more specific and add some
> introduction sentences to this section.

Good grief! Will do.




> Section 8, kind of repeats a former point... Useful text but should unify
> and at a single location

You mean with Section 4.1?





> Section 10 is of course looking for heated comments from the community...

[FWIW, Section 10 will be split into a different document... such that
the heat happens elsewhere :-) ]


> Here are a couple:
> - wonder whether the IETF could have recommendations for all cases?

Certainly not for all -- but better to have something covered, than
nothing :-)


> Moreover, situation will probably continue to evolve
> - zone-based should also allow ICMP inbound ;-)

.... if they relate to an ongoing session?




> There are also important (IMHO) topics MISSING:
> - more and more traffic are encrypted, good for privacy, bad for firewalls
> as they are blind now and mostly useless

Yes and no.

If you mean TLS, it prevents DPI, but still allows for filtering based
on port numbers...


> - recommendation for NOT BLOCKING traffic over the Internet (except to
> each ISP own infrastructure)?

not blocking which sort of traffic?


> - logging / auditing function is missing (talking about security here)
> - logging of event is missing (talking about operation here)

Do you mean in the recommendations section, or elsewhere?

Thanks so much!

Best regards,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492





From nobody Fri Oct  9 08:22:16 2015
Return-Path: <evyncke@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8981D1A8821 for <opsec@ietfa.amsl.com>; Fri,  9 Oct 2015 08:22:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.511
X-Spam-Level: 
X-Spam-Status: No, score=-14.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HqVp8AQoCVuV for <opsec@ietfa.amsl.com>; Fri,  9 Oct 2015 08:22:13 -0700 (PDT)
Received: from alln-iport-3.cisco.com (alln-iport-3.cisco.com [173.37.142.90]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 295531A6FD2 for <opsec@ietf.org>; Fri,  9 Oct 2015 08:22:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=2386; q=dns/txt; s=iport; t=1444404133; x=1445613733; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=KyMnrw13TNzp9nR4e0Lf4uSf8zsbb0QGyshqdiLJpwk=; b=lKhe4BBZUMfZLtVKC+Gs5DmW8RurBU/FhO1Jwp9G0bUKM4rNonCSO8A4 xNfRdrT6t4hr0GtzrE3qTIkOUvnqBTBgfhheT2J/fuitXmYAs4/8hA3NV u6d7sc9VkOZBHCxxXUnK2rgEwlTARDPMD5tR3a39AEUkFhUVltZMaDm4Y k=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BoAgCn2hdW/4MNJK1EGoMmVG4GvWABDYFaIYJyggp/AhyBKTgUAQEBAQEBAYEKhCcBAQQjEUUQAgEIGgImAgICHxEVEAIEAQ0FiBkDEg07rxaOZQ2FJAEBAQEBAQEBAQEBAQEBAQEBAQEBAReBIoVRAYR9gT2BE4IKMweCaYFFBYc8CIZ6h1QBiyWBdIFYhDqOJIdIAR8BAUKCEQ0QgVRxAROGUIEGAQEB
X-IronPort-AV: E=Sophos;i="5.17,658,1437436800"; d="scan'208";a="195792293"
Received: from alln-core-1.cisco.com ([173.36.13.131]) by alln-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 09 Oct 2015 15:22:12 +0000
Received: from XCH-RCD-010.cisco.com (xch-rcd-010.cisco.com [173.37.102.20]) by alln-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id t99FMCtw030495 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Fri, 9 Oct 2015 15:22:12 GMT
Received: from xch-rcd-015.cisco.com (173.37.102.25) by XCH-RCD-010.cisco.com (173.37.102.20) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Fri, 9 Oct 2015 10:22:08 -0500
Received: from xch-rcd-015.cisco.com ([173.37.102.25]) by XCH-RCD-015.cisco.com ([173.37.102.25]) with mapi id 15.00.1104.000; Fri, 9 Oct 2015 10:22:08 -0500
From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: RFC Errata System <rfc-editor@rfc-editor.org>, "fernando@gont.com.ar" <fernando@gont.com.ar>, "Benoit Claise (bclaise)" <bclaise@cisco.com>, "joelja@bogus.com" <joelja@bogus.com>, "gunter@vandevelde.cc" <gunter@vandevelde.cc>
Thread-Topic: [Editorial Errata Reported] RFC6274 (4494)
Thread-Index: AQHRAFoMmvZNkBeH6020eOcOCD8adJ5jwSwA
Date: Fri, 9 Oct 2015 15:22:08 +0000
Message-ID: <D23DA7F2.5A80A%evyncke@cisco.com>
References: <20151006171017.ECDED180208@rfc-editor.org>
In-Reply-To: <20151006171017.ECDED180208@rfc-editor.org>
Accept-Language: fr-FR, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
user-agent: Microsoft-MacOutlook/14.5.5.150821
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.60.138.46]
Content-Type: text/plain; charset="utf-8"
Content-ID: <79C5D42733C9F748BAEB6CF8F47A3F29@emea.cisco.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/opsec/RVTj0F5vntf-fGfYGbgGX8_iAoY>
Cc: "alexander.okonnikov@gmail.com" <alexander.okonnikov@gmail.com>, "opsec@ietf.org" <opsec@ietf.org>
Subject: Re: [OPSEC] [Editorial Errata Reported] RFC6274 (4494)
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Oct 2015 15:22:14 -0000

From nobody Tue Oct 20 02:54:21 2015
Return-Path: <gunter.van_de_velde@alcatel-lucent.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B47F1B315A for <opsec@ietfa.amsl.com>; Tue, 20 Oct 2015 02:49:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.91
X-Spam-Level: 
X-Spam-Status: No, score=-6.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ioQ4pquN_WrH for <opsec@ietfa.amsl.com>; Tue, 20 Oct 2015 02:49:42 -0700 (PDT)
Received: from smtp-fr.alcatel-lucent.com (fr-hpida-esg-02.alcatel-lucent.com [135.245.210.21]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D6BA21B3159 for <opsec@ietf.org>; Tue, 20 Oct 2015 02:49:41 -0700 (PDT)
Received: from fr712usmtp2.zeu.alcatel-lucent.com (unknown [135.239.2.42]) by Websense Email Security Gateway with ESMTPS id A2F032AD9F5E5; Tue, 20 Oct 2015 09:49:37 +0000 (GMT)
Received: from FR711WXCHHUB01.zeu.alcatel-lucent.com (fr711wxchhub01.zeu.alcatel-lucent.com [135.239.2.111]) by fr712usmtp2.zeu.alcatel-lucent.com (GMO) with ESMTP id t9K9nJPM003123 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 20 Oct 2015 11:49:39 +0200
Received: from FR711WXCHMBA06.zeu.alcatel-lucent.com ([169.254.2.12]) by FR711WXCHHUB01.zeu.alcatel-lucent.com ([135.239.2.111]) with mapi id 14.03.0195.001; Tue, 20 Oct 2015 11:49:19 +0200
From: "VAN DE VELDE, Gunter (Gunter)" <gunter.van_de_velde@alcatel-lucent.com>
To: "opsec@ietf.org" <opsec@ietf.org>
Thread-Topic: OPSEC IETF 94 - Call for Agenda Items
Thread-Index: AQHRCxyXrZzCY5ufMUmEFTa18cvGTQ==
Date: Tue, 20 Oct 2015 09:49:19 +0000
Message-ID: <B4790136-5991-43CD-AFD9-868459B709C8@alcatel-lucent.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [135.239.27.40]
Content-Type: multipart/alternative; boundary="_000_B4790136599143CDAFD9868459B709C8alcatellucentcom_"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/opsec/rYUK1TM--gJ7-fweEKEmNhPikZg>
X-Mailman-Approved-At: Tue, 20 Oct 2015 02:54:19 -0700
Subject: [OPSEC] OPSEC IETF 94 - Call for Agenda Items
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Oct 2015 09:49:43 -0000

--_000_B4790136599143CDAFD9868459B709C8alcatellucentcom_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_B4790136599143CDAFD9868459B709C8alcatellucentcom_
Content-Type: text/html; charset="utf-8"
Content-ID: <9520CAC81EEBA04093CA1A23E465B91A@exchange.lucent.com>
Content-Transfer-Encoding: base64
--_000_B4790136599143CDAFD9868459B709C8alcatellucentcom_--


From nobody Sat Oct 31 18:34:41 2015
Return-Path: <wwwrun@rfc-editor.org>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1BB361B4CD2; Sat, 31 Oct 2015 18:34:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.912
X-Spam-Level: 
X-Spam-Status: No, score=-101.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZNPREctl8VE6; Sat, 31 Oct 2015 18:34:27 -0700 (PDT)
Received: from rfc-editor.org (rfc-editor.org [IPv6:2001:1900:3001:11::31]) by ietfa.amsl.com (Postfix) with ESMTP id 21EFE1B4D23; Sat, 31 Oct 2015 18:34:24 -0700 (PDT)
Received: by rfc-editor.org (Postfix, from userid 30) id 3CADB180006; Sat, 31 Oct 2015 18:33:35 -0700 (PDT)
To: alexander.okonnikov@gmail.com, fernando@gont.com.ar
X-PHP-Originating-Script: 30:errata_mail_lib.php
From: RFC Errata System <rfc-editor@rfc-editor.org>
Message-Id: <20151101013335.3CADB180006@rfc-editor.org>
Date: Sat, 31 Oct 2015 18:33:35 -0700 (PDT)
Archived-At: <http://mailarchive.ietf.org/arch/msg/opsec/vyimhIRetNxZvLdFN7kBTFlecek>
Cc: opsec@ietf.org, iesg@ietf.org, rfc-editor@rfc-editor.org
Subject: [OPSEC] [Errata Verified] RFC6274 (4494)
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 01 Nov 2015 01:34:29 -0000

The following errata report has been verified for RFC6274,
"Security Assessment of the Internet Protocol Version 4". 

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata_search.php?rfc=6274&eid=4494

--------------------------------------
Status: Verified
Type: Editorial

Reported by: Alexander Okonnikov <alexander.okonnikov@gmail.com>
Date Reported: 2015-10-06
Verified by: Joel Jaeggli (IESG)

Section: 3.6

Original Text
-------------
In Figure 3, an attacker sends ...

Corrected Text
--------------
In Figure 5, an attacker sends ...

Notes
-----
The text immediately below Figure 5 incorrectly references figure number 3.

--------------------------------------
RFC6274 (draft-ietf-opsec-ip-security-07)
--------------------------------------
Title               : Security Assessment of the Internet Protocol Version 4
Publication Date    : July 2011
Author(s)           : F. Gont
Category            : INFORMATIONAL
Source              : Operational Security Capabilities for IP Network Infrastructure
Area                : Operations and Management
Stream              : IETF
Verifying Party     : IESG

