Last Call Review of draft-ietf-opsec-protect-control-plane-
review-ietf-opsec-protect-control-plane-secdir-lc-zorn-2010-12-16-00

Request
  Review of: draft-ietf-opsec-protect-control-plane
  Requested rev.: no specific revision (document currently at 06)
  Type: Last Call Review
  Team: Security Area Directorate (secdir)
  Deadline: 2010-12-14
  Requested: 2010-11-22
  Draft last updated: 2010-12-16
  Completed reviews: Secdir Last Call review of -?? by Glen Zorn

Assignment
  Reviewer: Glen Zorn
  State: Completed
  Review: review-ietf-opsec-protect-control-plane-secdir-lc-zorn-2010-12-16
  Review completed: 2010-12-16

Review

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area
directors.  Document editors and WG chairs should treat these comments just
like any other last call comments.

Section 3.1 says:

   o  Permit RADIUS authentication and accounting replies from RADIUS
      servers 198.51.100.9, 198.51.100.10, 2001:DB8:100::9, and 2001:
      DB8:100::10 that are listening on UDP ports 1645 and 1646.  Note
      that this doesn't account for a server using Internet Assigned
      Numbers Authority (IANA) ports 1812 and 1813 for RADIUS.

So, in other words, RADIUS traffic on the ports (officially assigned for
more than ten years now) will be blocked.  This seems like a very poor
example.
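
The permit rule quoted from Section 3.1, modeled as an added example (not part of the review or of the draft): it evaluates constructed RADIUS replies against the rule as quoted and against a variant that also lists ports 1812 and 1813. The function names, the sample packets, the variant, and the assumption that unmatched control-plane traffic is dropped are all illustrative.

```python
import ipaddress

# Servers and ports as quoted from Section 3.1 of the draft.
RADIUS_SERVERS = [ipaddress.ip_address(a) for a in
                  ("198.51.100.9", "198.51.100.10",
                   "2001:DB8:100::9", "2001:DB8:100::10")]
LEGACY_PORTS = {1645, 1646}   # ports named in the quoted rule
IANA_PORTS = {1812, 1813}     # IANA ports the quoted note says are not covered


def radius_reply_permitted(src_addr, src_port, proto, allowed_ports):
    """Return True if a packet reaching the control plane matches the
    'permit RADIUS replies' rule: UDP, sent by a listed server, with a
    source port in allowed_ports (a reply comes from the server's port)."""
    if proto != "udp":
        return False
    return (ipaddress.ip_address(src_addr) in RADIUS_SERVERS
            and src_port in allowed_ports)


def evaluate(packets, allowed_ports):
    """Map each packet to 'permit' or 'drop'. Assumption: anything the
    permit rule does not match is dropped by the rest of the policy."""
    return {p: ("permit" if radius_reply_permitted(*p, allowed_ports)
                else "drop")
            for p in packets}


# Constructed sample replies: (source address, source port, protocol).
SAMPLE = [
    ("198.51.100.9", 1645, "udp"),      # listed server, legacy auth port
    ("2001:db8:100::10", 1646, "udp"),  # listed server, legacy acct port
    ("198.51.100.10", 1812, "udp"),     # listed server, IANA auth port
    ("2001:db8:100::9", 1813, "udp"),   # listed server, IANA acct port
    ("203.0.113.7", 1812, "udp"),       # unlisted source, must stay dropped
]

if __name__ == "__main__":
    variants = (("rule as quoted", LEGACY_PORTS),
                ("variant with both port pairs", LEGACY_PORTS | IANA_PORTS))
    for label, ports in variants:
        print(label)
        for pkt, verdict in evaluate(SAMPLE, ports).items():
            print("   ", pkt, "->", verdict)
```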