[secdir] review of draft-ietf-mpls-loss-delay-03
Stephen Kent <kent@bbn.com> Mon, 13 June 2011 00:03 UTC
Return-Path: <kent@bbn.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E0D3111E813A for <secdir@ietfa.amsl.com>; Sun, 12 Jun 2011 17:03:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level:
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[AWL=-0.001, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FKnw61DIxYkp for <secdir@ietfa.amsl.com>; Sun, 12 Jun 2011 17:03:21 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id 1160011E807C for <secdir@ietf.org>; Sun, 12 Jun 2011 17:03:20 -0700 (PDT)
Received: from dommiel.bbn.com ([192.1.122.15]:37491 helo=[198.18.54.182]) by smtp.bbn.com with esmtp (Exim 4.74 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1QVuch-000K5B-Of; Sun, 12 Jun 2011 20:03:20 -0400
Mime-Version: 1.0
Message-Id: <p06240800ca1af8a1d167@[128.89.89.178]>
Date: Sun, 12 Jun 2011 19:20:22 -0400
To: secdir@ietf.org
From: Stephen Kent <kent@bbn.com>
Content-Type: multipart/alternative; boundary="============_-904199097==_ma============"
Cc: swallow@cisco.com, loa@pi.nu, rcallon@juniper.net, danfrost@cisco.com, stbryant@cisco.com
Subject: [secdir] review of draft-ietf-mpls-loss-delay-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jun 2011 00:03:22 -0000
I reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. The abstract for draft-ietf-mpls-tp-loss-delay-profile-03 describes it as "a profile of the general MPLS loss, delay, and throughput measurement techniques that suffices [sic] to meet the specific requirements of MLS-TP." It is a very brief (5 pages, including boilerplate) document intended as an informational RFC. The document that forms the basis for this profile, draft-ietf-mpls-loss-delay-01, is also in progress. The security considerations section of this document refers to the base document cited above. Since this document is a profile of that one, this is a reasonable indirection. (I note that the document under review cites version 1 of that base document, and that version 2 is now current, something that can be addressed later.) I looked at the security considerations section of the base specification. It is two paragraph in length. The first paragraph does a reasonable job of describing the top level security concerns associated with the exchange of performance monitoring messages in a context such as this. (The text would be better if the third concern were identified as "confidentiality.") The second paragraph, however, states: If reception or alteration of performance-related data by unauthorized devices is an operational concern, authentication and/or encryption procedures should be used to ensure message integrity and confidentiality. Such procedures are outside the scope of this document, but have general applicability to OAM protocols in MPLS networks. First, this paragraph is poorly worded (e.g., the mixed uses of "authentication," "encryption," "integrity," and "confidentiality"). Second, there is concrete reference to any candidate security mechanisms that can provide such services. I am not aware of any IETF standards that might offer such services for MPLS traffic. If there are none, this second paragraph is not adequate; if there are, they should be cited here.
- [secdir] review of draft-ietf-mpls-loss-delay-03 Stephen Kent
- Re: [secdir] review of draft-ietf-mpls-loss-delay… Dan Frost
- Re: [secdir] review of draft-ietf-mpls-loss-delay… Stephen Kent
- Re: [secdir] review of draft-ietf-mpls-loss-delay… Dan Frost
- Re: [secdir] review of draft-ietf-mpls-loss-delay… Stephen Kent