[secdir] Review of draft-ietf-ccamp-gmpls-mln-extensions-11

Shawn M Emery <Shawn.Emery@Sun.COM> Wed, 03 March 2010 06:59 UTC

Return-Path: <Shawn.Emery@Sun.COM>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost []) by core3.amsl.com (Postfix) with ESMTP id B52F128C238; Tue, 2 Mar 2010 22:59:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.046
X-Spam-Status: No, score=-6.046 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([]) by localhost (core3.amsl.com []) (amavisd-new, port 10024) with ESMTP id NwuGERGoeCWG; Tue, 2 Mar 2010 22:59:38 -0800 (PST)
Received: from brmea-mail-4.sun.com (brmea-mail-4.Sun.COM []) by core3.amsl.com (Postfix) with ESMTP id C522228C101; Tue, 2 Mar 2010 22:59:37 -0800 (PST)
Received: from fe-amer-09.sun.com ([]) by brmea-mail-4.sun.com (8.13.6+Sun/8.12.9) with ESMTP id o236xaWV004451; Wed, 3 Mar 2010 06:59:39 GMT
MIME-version: 1.0
Content-transfer-encoding: 7BIT
Content-type: text/plain; CHARSET=US-ASCII; format=flowed
Received: from conversion-daemon.mail-amer.sun.com by mail-amer.sun.com (Sun Java(tm) System Messaging Server 7u2-7.04 64bit (built Jul 2 2009)) id <0KYP00K001Y0RE00@mail-amer.sun.com>; Tue, 02 Mar 2010 23:59:36 -0700 (MST)
Received: from [] ([unknown] []) by mail-amer.sun.com (Sun Java(tm) System Messaging Server 7u2-7.04 64bit (built Jul 2 2009)) with ESMTPSA id <0KYP00AEW23C8M40@mail-amer.sun.com>; Tue, 02 Mar 2010 23:59:36 -0700 (MST)
Date: Tue, 02 Mar 2010 23:57:30 -0700
From: Shawn M Emery <Shawn.Emery@Sun.COM>
Sender: Shawn.Emery@Sun.COM
To: secdir@ietf.org
Message-id: <4B8E085A.2060500@sun.com>
User-Agent: Mozilla/5.0 (X11; U; SunOS i86pc; en-US; rv: Gecko/20100117 Lightning/1.0b1 Thunderbird/3.0
Cc: draft-ietf-ccamp-gmpls-mln-extensions.all@tools.ietf.org, iesg@ietf.org
Subject: [secdir] Review of draft-ietf-ccamp-gmpls-mln-extensions-11
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Mar 2010 06:59:38 -0000

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors. Document editors and WG chairs should treat 
these comments just like any other last call comments.

This draft describes protocol extensions for interfacing with 
Generalized Multi Protocol Label Switching (GMPLS) 
Multi-Layer/Multi-Region Networks.

The security considerations section does exist and references 
draft-ietf-mpls-mpls-and-gmpls-security-framework for the various 
attacks and their possible solutions regarding MPLS/GMPLS.  The section 
then discloses that a call controller should not be reachable from an 
external Traffic Engineering domain.  Then discusses that in order to 
prevent MITM attacks that IKE MUST be used between edge nodes and 
terminating calls.  After reading this draft and the security-framework 
draft it seems that they cover the threat models sufficiently.

General comments:


Editorial comments:


PSC and L2SC are expanded, therefore:
s/TDM/Time-Division Multiplexing (TDM)/

- -