[secdir] review of draft-ietf-mpls-loss-delay-03
Stephen Kent <kent@bbn.com> Mon, 13 June 2011 00:03 UTC
Return-Path: <kent@bbn.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E0D3111E813A for <secdir@ietfa.amsl.com>; Sun, 12 Jun 2011 17:03:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level:
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[AWL=-0.001, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FKnw61DIxYkp for <secdir@ietfa.amsl.com>; Sun, 12 Jun 2011 17:03:21 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id 1160011E807C for <secdir@ietf.org>; Sun, 12 Jun 2011 17:03:20 -0700 (PDT)
Received: from dommiel.bbn.com ([192.1.122.15]:37491 helo=[198.18.54.182]) by smtp.bbn.com with esmtp (Exim 4.74 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1QVuch-000K5B-Of; Sun, 12 Jun 2011 20:03:20 -0400
Mime-Version: 1.0
Message-Id: <p06240800ca1af8a1d167@[128.89.89.178]>
Date: Sun, 12 Jun 2011 19:20:22 -0400
To: secdir@ietf.org
From: Stephen Kent <kent@bbn.com>
Content-Type: multipart/alternative; boundary="============_-904199097==_ma============"
Cc: swallow@cisco.com, loa@pi.nu, rcallon@juniper.net, danfrost@cisco.com, stbryant@cisco.com
Subject: [secdir] review of draft-ietf-mpls-loss-delay-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jun 2011 00:03:22 -0000
I reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.
The abstract for draft-ietf-mpls-tp-loss-delay-profile-03 describes
it as "a profile of the general MPLS loss, delay, and throughput
measurement techniques that suffices [sic] to meet the specific
requirements of MLS-TP." It is a very brief (5 pages, including
boilerplate) document intended as an informational RFC. The document
that forms the basis for this profile, draft-ietf-mpls-loss-delay-01,
is also in progress.
The security considerations section of this document refers to the
base document cited above. Since this document is a profile of that
one, this is a reasonable indirection. (I note that the document
under review cites version 1 of that base document, and that version
2 is now current, something that can be addressed later.) I looked at
the security considerations section of the base specification. It is
two paragraph in length. The first paragraph does a reasonable job of
describing the top level security concerns associated with the
exchange of performance monitoring messages in a context such as
this. (The text would be better if the third concern were identified
as "confidentiality.") The second paragraph, however, states:
If reception or alteration of performance-related data by
unauthorized devices is an operational concern, authentication
and/or encryption procedures should be used to ensure message
integrity and confidentiality. Such procedures are outside the
scope of this document, but have general applicability to OAM
protocols in MPLS networks.
First, this paragraph is poorly worded (e.g., the mixed uses of
"authentication," "encryption," "integrity," and "confidentiality").
Second, there is concrete reference to any candidate security
mechanisms that can provide such services. I am not aware of any IETF
standards that might offer such services for MPLS traffic. If there
are none, this second paragraph is not adequate; if there are, they
should be cited here.
- [secdir] review of draft-ietf-mpls-loss-delay-03 Stephen Kent
- Re: [secdir] review of draft-ietf-mpls-loss-delay… Dan Frost
- Re: [secdir] review of draft-ietf-mpls-loss-delay… Stephen Kent
- Re: [secdir] review of draft-ietf-mpls-loss-delay… Dan Frost
- Re: [secdir] review of draft-ietf-mpls-loss-delay… Stephen Kent