errata logo graphic

Found 1 record.

Status: Verified (1)

RFC6192, "Protecting the Router Control Plane", March 2011

Source of RFC: opsec (ops)

Errata ID: 3906

Status: Verified
Type: Editorial

Reported By: Nick Hilliard
Date Reported: 2014-03-02
Verifier Name: Benoit Claise
Date Verified: 2014-04-15

Section A.1 says:

[...]
   ip access-list extended DNS
    permit udp 198.51.100.0 0.0.0.252 eq domain any
   ipv6 access-list DNSv6
    permit udp 2001:DB8:100:1::/64 eq domain any
    permit tcp 2001:DB8:100:1::/64 eq domain any
   ip access-list extended NTP
    permit udp 198.51.100.4 255.255.255.252 any eq ntp
   ipv6 access-list NTPv6
    permit udp 2001:DB8:100:2::/64 any eq ntp
   ip access-list extended SSH
    permit tcp 198.51.100.128 0.0.0.128 any eq 22
   ipv6 access-list SSHv6
    permit tcp 2001:DB8:100:3::/64 any eq 22
   ip access-list extended SNMP
    permit udp 198.51.100.128 0.0.0.128 any eq snmp
[...]

It should say:

[...]
   ip access-list extended DNS
    permit udp 198.51.100.0 0.0.0.3 eq domain any
   ipv6 access-list DNSv6
    permit udp 2001:DB8:100:1::/64 eq domain any
    permit tcp 2001:DB8:100:1::/64 eq domain any
   ip access-list extended NTP
    permit udp 198.51.100.4 0.0.0.3 any eq ntp
   ipv6 access-list NTPv6
    permit udp 2001:DB8:100:2::/64 any eq ntp
   ip access-list extended SSH
    permit tcp 198.51.100.128 0.0.0.127 any eq 22
   ipv6 access-list SSHv6
    permit tcp 2001:DB8:100:3::/64 any eq 22
   ip access-list extended SNMP
    permit udp 198.51.100.128 0.0.0.127 any eq snmp
[...]

Notes:

The bitfield masks in the Cisco Configuration example in section A.1 look incorrect. The authors may have intended the following meanings:

ip access-list extended DNS
all hosts between 198.51.100.0 and 198.51.100.3 instead of all addresses in the range 198.51.100.0/24 which are evenly divisible by 4

ip access-list extended NTP
all hosts between 198.51.100.4 and 198.51.100.7 instead of all addresses in the range 0.0.0.0/0 which are evenly divisible by 4

ip access-list extended SSH
all hosts between 198.51.100.128 and 198.51.100.255 instead of 198.51.100.128/32

ip access-list extended SNMP
all hosts between 198.51.100.128 and 198.51.100.255 instead of 198.51.100.128/32


Report New Errata