Re: [secdir] secdir review of draft-ietf-mpls-tp-itu-t-identifiers

Huub helvoort <> Mon, 07 January 2013 13:58 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 45EE921F86F7; Mon, 7 Jan 2013 05:58:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.299
X-Spam-Status: No, score=-6.299 tagged_above=-999 required=5 tests=[AWL=0.300, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id MeTssiQ1NogC; Mon, 7 Jan 2013 05:58:44 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id A77A621F86D4; Mon, 7 Jan 2013 05:58:43 -0800 (PST)
Received: from (EHLO ([]) by (MOS 4.3.5-GA FastPath queued) with ESMTP id ANG82104; Mon, 07 Jan 2013 13:58:42 +0000 (GMT)
Received: from ( by ( with Microsoft SMTP Server (TLS) id 14.1.323.3; Mon, 7 Jan 2013 13:57:35 +0000
Received: from ([]) by ([]) with mapi id 14.01.0323.003; Mon, 7 Jan 2013 13:58:38 +0000
From: Huub helvoort <>
To: "" <>, 'Dan Harkins' <>
Thread-Topic: secdir review of draft-ietf-mpls-tp-itu-t-identifiers
Thread-Index: AQHN6eU/uyehI2LrqU+v9clAyT9105g64XsAgAME2gs=
Date: Mon, 07 Jan 2013 13:58:37 +0000
Message-ID: <73E555AA235F3846B8051DB38C8776272E57FA00@lhreml509-mbx>
References: <>, <00a001cdeb5a$a4efb7d0$eecf2770$>
In-Reply-To: <00a001cdeb5a$a4efb7d0$eecf2770$>
Accept-Language: en-GB, en-US, zh-CN
Content-Language: en-GB
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mailman-Approved-At: Mon, 07 Jan 2013 06:02:43 -0800
Cc: "" <>, "" <>, "" <>
Subject: Re: [secdir] secdir review of draft-ietf-mpls-tp-itu-t-identifiers
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 07 Jan 2013 13:58:45 -0000

Hello Dan,

Thank you for the review.

Adrian already addressed your concerns, I would like to provide soem extra information.
See my comments in-line [Huub]

From: Adrian Farrel []
Sent: 05 January 2013 16:37
To: 'Dan Harkins'
Subject: RE: secdir review of draft-ietf-mpls-tp-itu-t-identifiers

Hi Dan,

The authors may care to comment further, but I think there are two points...

The regulatory codes are centrally allocated so the "screw-ups" that you refer
to are within those domains. That reduces the scope of the problem and also
reduces its impact.

[Huub] correct, each country is responsible for allocating and using unique operator
identification codes: the ICC. This is explained on this page:
To make them globally unique the CC has to be added.

 But maybe the document would benefit from a note on the
"risks of misconfiguration". I am not sure that that would belong in the
Security Considerations section, but space could certainly be found in the

[Huub] would a reference to  be enough?

Yes, Corrigenda are stable ITU-T references. They are found on the same web page
that gives download pointers for the Recommendations they correct.

[Huub] see

Best regards, Huub.

Always remember that you are unique...just like everyone else...

> -----Original Message-----
> From: [] On Behalf Of Dan
> Harkins
> Sent: 03 January 2013 19:05
> To:;; draft-ietf-mpls-tp-itu-t-
> Subject: secdir review of draft-ietf-mpls-tp-itu-t-identifiers
>   Hello, and happy new year,
>   I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
>   This draft creates a new globally unique identifier for the Transport
> Profile of MPLS. RFC 6370, which created identifiers for MPLS-TP,
> uses the operator's AS as a globally unique identifier but this draft
> proposes an alternative: use the ITU-T Carrier Codes. It then goes
> about changing the identifiers created by RFC 6370 by substituting
> the ITU-T Carrier Code for the AS.
>   The security considerations state that the draft merely extends an
> information model and does not propose any protocol changes and
> therefore it does not introduce any new security concerns. This seems
> acceptable except that this extension relies on the global uniqueness
> of the ITU-T Carrier Codes (as RFC 6370 relies on the AS to be
> globally unique). Apparently "national regulatory authorities"
> ensure that they are unique in their regulatory domain (which is an
> ISO 3166-1 identified code) so as long as they don't screw up
> anything all is well. I think it might be worth mentioning the
> assumption that the "national regulatory authorities" will not make a
> mistake and what happens if they do. RFC 6370 relied on IANA to
> not make a mistake; this draft relies on all 249 entities that have an
> official code in ISO 3166-1 to not make a mistake.
>   Also, there is a normative reference to a "Corrigendum" of an ITU-T
> recommendation on "OAM functions and mechanisms for Ethernet
> based networks". I have never encountered such a document. Is it
> a stable reference?
>   regards,
>   Dan.