Last Call Review of draft-ietf-ccamp-gmpls-ether-svcs-
review-ietf-ccamp-gmpls-ether-svcs-secdir-lc-hoffman-2010-02-20-00

Request Review of draft-ietf-ccamp-gmpls-ether-svcs
Requested revision No specific revision (document currently at 04)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2010-02-22
Requested 2010-02-11
Authors Don Fedyk, Lou Berger
Draft last updated 2010-02-20
Completed reviews Secdir Last Call review of -?? by Paul E. Hoffman
Assignment Reviewer Paul E. Hoffman
State Completed
Review review-ietf-ccamp-gmpls-ether-svcs-secdir-lc-hoffman-2010-02-20
Completed 2010-02-20
Greetings again. This is a last-call review of
draft-ietf-ccamp-gmpls-ether-svcs-04, focusing on security issues.

This document does not introduce any new security concerns. The Security
Considerations section says:

   This document introduces new message object formats for use in GMPLS
   signaling [RFC3473].  It does not introduce any new signaling
   messages, nor change the relationship between LSRs that are adjacent
   in the control plane. As such, this document introduces no additional
   security considerations.  See [RFC3473] for relevant security
   considerations.

RFC 3473 is GMPLS signalling with RSVP-TE. RSVP has hop-by-hop integrity
protection that is often used in real-world deployments; no privacy is assumed
in the signalling. However, RSVP-TE introduces non-hop-by-hop notifications
that are adopted by draft-ietf-ccamp-gmpls-ether-svcs. Unlike the rest of
RSVP-TE, those notifications have no integrity protection unless operators
run the protocol under a security service like IPsec, which they apparently
rarely do in real-world deployments. To be clear,
draft-ietf-ccamp-gmpls-ether-svcs doesn't make anything in RSVP-TE any worse,
it just uses the existing completely-unprotected notifications. The lack of
security is an operational issue, not a protocol issue.

--Paul Hoffman, Director
--VPN Consortium