[secdir] SECDIR Review of draft-ietf-teas-actn-framework-13
Catherine Meadows <catherine.meadows@nrl.navy.mil> Tue, 01 May 2018 16:51 UTC
Return-Path: <catherine.meadows@nrl.navy.mil>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30B521273B1; Tue, 1 May 2018 09:51:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7fYq_2ydNOX0; Tue, 1 May 2018 09:51:38 -0700 (PDT)
Received: from ccs.nrl.navy.mil (mx0.ccs.nrl.navy.mil [IPv6:2001:480:20:118:118::211]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 862BC12DB6B; Tue, 1 May 2018 09:51:36 -0700 (PDT)
Received: from ashurbanipal.fw5540.net (fw5540.nrl.navy.mil [132.250.196.100]) by ccs.nrl.navy.mil (8.14.4/8.14.4) with ESMTP id w41GpYGu026400 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NOT); Tue, 1 May 2018 12:51:35 -0400
From: Catherine Meadows <catherine.meadows@nrl.navy.mil>
Content-Type: multipart/alternative; boundary="Apple-Mail=_AF1DCCAE-3956-4F8B-84AC-4FE6DA232327"
Date: Tue, 01 May 2018 12:51:34 -0400
Message-Id: <8B342EAB-8678-4FC4-B793-3BEA944AC523@nrl.navy.mil>
To: secdir@ietf.org, iesg@ietf.org, draft-ietf-teas-actn-framework.all@ietf.org
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
X-Mailer: Apple Mail (2.3124)
X-CCS-MailScanner: No viruses found.
X-CCS-MailScanner-Info: See: http://www.nrl.navy.mil/ccs/support/email
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/QNNckzI-Bkd-9HNEigpQ5g7nWMQ>
Subject: [secdir] SECDIR Review of draft-ietf-teas-actn-framework-13
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 May 2018 16:51:42 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. The summary of the review is Ready with Nits. This draft describes a framework for abstraction and control of traffic engineered networks (ACTN). According to the abstract, a traffic engineered network is a network that uses any connection-oriented technology under the control of a distributed or centralized control plane to support dynamic provisioning of end-to-end connectivity. Abstraction in this context is a technique can be applied across a single or multiply domains to create a single virtualized network under the control of a network operator or owner. This is thus a very broad topic, and the ID is informational only. The most important part is probably the description of the ACTN base architecture. It describes three components: the Customer Network Controller (CNC) responsible for communicating the customer’s requirements to the network provider , the Multi-Domain Servicing Coordinator (MDSC), responsible for implementing ACTN functions, and the Provisioning Network Controller (PNC), responsible for configuration and topology management. It also describes as the interfaces between them. The document also gives a description of some more advanced ACTN architectures, a description of several topology abstraction methods, and an example of an advanced ACTN application: a multi-destination servers. The security considerations section, while it lists some general considerations that would hold for any kind of network, mainly concentrates on the two interfaces between the components: the CNC-MDSC (CMI) and the MDSC-PNC (MPI) interfaces. It gives a good overview of the types of security risks that might arise with respect to the two interfaces, and the means for mitigating them. For the rest, it defers security considerations to the specific applications, which I assume would be handled by other working groups. I believe that this is reasonable for an informational document that is providing a general framework. A nit: I couldn’t parse the last sentence of Section 9.3: Which MDSC the PNC exports topology information to, and the level of detail (full or abstracted) should also be authenticated and specific access restrictions and topology views, should be configurable and/or policy-based. I think it may be the commas are misplaced, and what you really want to say is this: Which MDSC the PNC exports topology information to, and the level of detail (full or abstracted), should also be authenticated, and specific access restrictions and topology views should be configurable and/or policy-based. Cathy Meadows Catherine Meadows Naval Research Laboratory Code 5543 4555 Overlook Ave., S.W. Washington DC, 20375 phone: 202-767-3490 fax: 202-404-7942 email: catherine.meadows@nrl.navy.mil <mailto:catherine.meadows@nrl.navy.mil>
- [secdir] SECDIR Review of draft-ietf-teas-actn-fr… Catherine Meadows
- Re: [secdir] SECDIR Review of draft-ietf-teas-act… Leeyoung