Re: [secdir] Security area review of draft-ietf-mpls-tp-nm-framework-04
Scott Mansfield <scott.mansfield@ericsson.com> Mon, 15 February 2010 17:23 UTC
Return-Path: <scott.mansfield@ericsson.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0763828C1EF; Mon, 15 Feb 2010 09:23:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.535
X-Spam-Level:
X-Spam-Status: No, score=-3.535 tagged_above=-999 required=5 tests=[AWL=3.064, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pkYyEnrl-j7V; Mon, 15 Feb 2010 09:23:25 -0800 (PST)
Received: from imr1.ericy.com (imr1.ericy.com [198.24.6.9]) by core3.amsl.com (Postfix) with ESMTP id 1272928C1E1; Mon, 15 Feb 2010 09:23:24 -0800 (PST)
Received: from eusaamw0711.eamcs.ericsson.se ([147.117.20.178]) by imr1.ericy.com (8.13.1/8.13.1) with ESMTP id o1FHQbrD024087; Mon, 15 Feb 2010 11:26:37 -0600
Received: from EUSAACMS0701.eamcs.ericsson.se ([169.254.1.106]) by eusaamw0711.eamcs.ericsson.se ([147.117.20.178]) with mapi; Mon, 15 Feb 2010 12:24:54 -0500
From: Scott Mansfield <scott.mansfield@ericsson.com>
To: pat cain <pcain2@mail2.coopercain.com>, "draft-ietf-mpls-tp-nm-framework@tools.ietf.org" <draft-ietf-mpls-tp-nm-framework@tools.ietf.org>, "draft-ietf-mpls-tp-nm-framework.chairs@tools.ietf.org" <draft-ietf-mpls-tp-nm-framework.chairs@tools.ietf.org>
Date: Mon, 15 Feb 2010 12:24:07 -0500
Thread-Topic: Security area review of draft-ietf-mpls-tp-nm-framework-04
Thread-Index: AcqsQ0lXYQjh7jT0SbSDo/DvdLO3gwCICrLA
Message-ID: <FDC72027C316A44F82F425284E1C4C3201E6FE66FD@EUSAACMS0701.eamcs.ericsson.se>
References: <02e701caac43$55881b50$009851f0$@coopercain.com>
In-Reply-To: <02e701caac43$55881b50$009851f0$@coopercain.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailman-Approved-At: Tue, 16 Feb 2010 00:19:44 -0800
Cc: Adrian Farrel <adrian@olddog.co.uk>, Loa Andersson <loa@pi.nu>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Security area review of draft-ietf-mpls-tp-nm-framework-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Feb 2010 17:23:26 -0000
The editor's have reviewed the security directorate's comments and agree to replace the first two paragraphs of Section 8 by the paragraph suggested by Pat (with a slight modification that adds a sentence about who is authorized to access the interfaces)... Pat's original suggestion "Many of the EMF Interfaces (Section 2.3) are critical to proper NE operation and need to be protected from denial of service conditions or attack. The EMF Interfaces that use or access private information should be protected from eavesdropping or being accessed by unauthorized network elements, systems, or users." The editors proposal... The ability for the authorized network operator to access EMF interfaces (section 2.3) when needed is critical to proper operation. Therefore the EMF interfaces need to be protected from denial of service conditions or attack. The EMF Interfaces that use or access private information should be protected from eavesdropping or being accessed by unauthorized network elements, systems, or users. Regards, -scott. -----Original Message----- From: pat cain [mailto:pcain2@mail2.coopercain.com] Sent: Friday, February 12, 2010 7:27 PM To: draft-ietf-mpls-tp-nm-framework@tools.ietf.org; draft-ietf-mpls-tp-nm-framework.chairs@tools.ietf.org Cc: iesg@ietf.org; secdir@ietf.org Subject: Security area review of draft-ietf-mpls-tp-nm-framework-04 Hi, I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document provides the network management framework for the Transport Profile for Multi-Protocol Label Switching (MPLS-TP). This framework relies on the management terminology from the ITU-T to describe the management architecture that could be used for an MPLS-TP management network. The Security Considerations section is the basis of my comment. I don't think the first two sentences are sentences. At least I think they need to be restated to clarify their meaning. The section states: " Provisions to any of the network mechanisms designed to satisfy the requirements described herein need to prevent their unauthorized use and provide a means for an operator to prevent denial of service attacks if those network mechanisms are used in such an attack. Solutions need to provide mechanisms to prevent private information from being accessed by unauthorized eavesdropping, or being directly obtained by an unauthenticated network element, system or user." Using terminology from the document, I think the paragraphs should really say something to the effect of: "Many of the EMF Interfaces (Section 2.3) are critical to proper NE operation and need to be protected from denial of service conditions or attack. The EMF Interfaces that use or access private information should be protected from eavesdropping or being accessed by unauthorized network elements, systems, or users. " Since the next part of the section points the reader to the ITU and other RFC documents, it should flow okay. Although I am by no means an MPLS expert, the rest of the document looked fine. [As a side note, normally the term 'unauthorized eavesdropping' is not used. Eavesdropping is always performed by an unauthorized party; if they are authorized it's called 'network monitoring'. ;) ] Pat Cain
- [secdir] Security area review of draft-ietf-mpls-… pat cain
- Re: [secdir] Security area review of draft-ietf-m… Scott Mansfield