[secdir] Secdir review of draft-ietf-mpls-tp-security-framework-08

Brian Weis <bew@cisco.com> Wed, 20 February 2013 01:39 UTC

Return-Path: <bew@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id D76BD21F8815; Tue, 19 Feb 2013 17:39:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.584
X-Spam-Status: No, score=-110.584 tagged_above=-999 required=5 tests=[AWL=0.015, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 0SrlkRaS1Gk8; Tue, 19 Feb 2013 17:39:44 -0800 (PST)
Received: from mtv-iport-3.cisco.com (mtv-iport-3.cisco.com []) by ietfa.amsl.com (Postfix) with ESMTP id 25D0421F8818; Tue, 19 Feb 2013 17:39:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=1174; q=dns/txt; s=iport; t=1361324384; x=1362533984; h=from:content-transfer-encoding:subject:date:message-id: cc:to:mime-version; bh=zEe9i0qig9d2C64LcUdVURIcdK4dJU7ZoroSYipG3T8=; b=b3i50itHYvxawUQpb+MLpUPy0B9V1QRKJvPNiGTVyLOsMMc3FeNKfypd wRZ6pvNQ9WrFQKVZnRsZanQBhtcM2fvRhM/NsNgCgkk7Y6r1II8GmzIN1 hk1c81nh8vpo7CmD1YPxKEb44EhGnZ0zc2GcLSpkA/8WESOlForKNXms1 c=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av4EAAEoJFGrRDoI/2dsb2JhbABFwEeBDhZzgmA/gT4BiCOwNJAgjw6CZmEDiGaNRZBYgyg
X-IronPort-AV: E=Sophos;i="4.84,698,1355097600"; d="scan'208";a="70185956"
Received: from mtv-core-3.cisco.com ([]) by mtv-iport-3.cisco.com with ESMTP; 20 Feb 2013 01:39:44 +0000
Received: from dhcp-10-155-209-77.cisco.com (dhcp-10-155-209-77.cisco.com []) by mtv-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id r1K1dhRa030434 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Wed, 20 Feb 2013 01:39:43 GMT
From: Brian Weis <bew@cisco.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Tue, 19 Feb 2013 17:39:44 -0800
Message-Id: <005B9D08-4206-4E54-9EBA-54768ADBBA95@cisco.com>
To: "secdir@ietf.org" <secdir@ietf.org>, The IESG <iesg@ietf.org>
Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\))
X-Mailer: Apple Mail (2.1499)
Cc: draft-ietf-mpls-tp-security-framework.all@tools.ietf.org
Subject: [secdir] Secdir review of draft-ietf-mpls-tp-security-framework-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Feb 2013 01:39:45 -0000

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This document provides a security framework for Multiprotocol Label Switching Transport Profile (MPLS-TP). It is based upon RFC 5920 ("MPLS and GMPLS security framework"), but particularly addresses MPLS-TP extensions. It starts with a good background on the security reference models, highlighting "trusted zones" and "untrusted zones" of various network architectures. It then outlines threats in an MPLS network that are either particularly important to MPLS-TP.

The primary mitigation for threats to the infrastructure is to use some form of packet authentication, and this is well covered. It also stresses threats and mitigations to using a network management system used to provision MPLS-TP network elements. Draft -08 is much improved over -07, and I believe is ready to publish.