Last Call Review of draft-ietf-ccamp-gmpls-ethernet-arch-

Request Review of draft-ietf-ccamp-gmpls-ethernet-arch
Requested rev. no specific revision (document currently at 09)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2010-01-01
Requested 2009-12-09
Authors Lou Berger, Loa Andersson, Don Fedyk
Draft last updated 2009-12-18
Completed reviews Secdir Last Call review of -?? by David McGrew
Assignment Reviewer David McGrew 
State Completed
Review review-ietf-ccamp-gmpls-ethernet-arch-secdir-lc-mcgrew-2009-12-18
Review completed: 2009-12-18


I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

Section 9, Security Considerations.

"The architecture for GMPLS controlled "transport" Ethernet assumes that the network consists of trusted devices". I believe what is meant is "The architecture for GMPLS controlled "transport" Ethernet assumes that the GMPLS core network consists of trusted devices". This is fairly vague, and it would be useful to use the terms from draft-ietf-mpls-mpls-and-gmpls-security-framework-07, and say something like "A GMPLS controlled "transport" Ethernet system should assume that users and devices attached to UNIs may behave maliciously, negligently, or incorrectly. Providers are trusted to not be

The document refers the reader to draft-ietf-mpls-mpls-and-gmpls-security-framework-07 for most security considerations, which is a fair thing to do.

draft-ietf-mpls-mpls-and-gmpls-security-framework-07 recommends encryption, so I suggest adding a reference to IEEE 802.1AE Media Access Control (MAC) Security, like this: "Cryptography can be used to protect against many attacks described in [draft-ietf-mpls-mpls-and-gmpls-security-framework-07]. One option for protecting "transport" Ethernet is the use of 802.1AE Media Access Control Security, which provides encryption and authentication."

Nit: Section 1. "SONET/SDH TDM" needs a comma
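To illustrate the per-frame authentication and replay protection that the reviewer cites IEEE 802.1AE for, the following Python model is added here; it is not part of the review, of the CCAMP draft, or of the MPLS/GMPLS security framework. It stands in HMAC-SHA256 truncated to 16 bytes for the AES-GCM integrity check value (ICV) that real MACsec computes over the SecTAG and payload, uses a monotonically increasing packet number with strict (window size 0) replay checking, and embeds constructed keys and MAC addresses. The names `protect`, `Receiver` and `run_scenarios` are this example's own, not names from 802.1AE or any implementation.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass

# Illustrative model only (constructed for this page, not 802.1AE itself):
# real MACsec uses AES-GCM over a SecTAG; HMAC-SHA256 stands in here so the
# example runs with the Python standard library alone.
ICV_LEN = 16  # 802.1AE carries a 16-byte Integrity Check Value (ICV)


@dataclass(frozen=True)
class SecuredFrame:
    dst: bytes      # destination MAC (6 bytes)
    src: bytes      # source MAC (6 bytes)
    pn: int         # packet number: increases for every frame sent on the association
    payload: bytes  # customer data carried across the provider core
    icv: bytes      # tag the sender computed over dst, src, pn and payload


def _authenticated_bytes(dst: bytes, src: bytes, pn: int, payload: bytes) -> bytes:
    """Bytes covered by the ICV: both addresses, the packet number and the payload."""
    return dst + src + struct.pack(">I", pn) + payload


def protect(key: bytes, dst: bytes, src: bytes, pn: int, payload: bytes) -> SecuredFrame:
    """Sender side: attach an ICV so any later modification or injection is detectable."""
    tag = hmac.new(key, _authenticated_bytes(dst, src, pn, payload), hashlib.sha256).digest()
    return SecuredFrame(dst, src, pn, payload, tag[:ICV_LEN])


class Receiver:
    """Receiver side of one secure association: verify the ICV first, then reject replays."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.highest_pn = 0  # strict replay protection (window size 0)

    def validate(self, frame: SecuredFrame) -> tuple[bool, str]:
        covered = _authenticated_bytes(frame.dst, frame.src, frame.pn, frame.payload)
        expected = hmac.new(self.key, covered, hashlib.sha256).digest()[:ICV_LEN]
        # constant-time comparison so the tag check does not leak timing
        if not hmac.compare_digest(expected, frame.icv):
            return False, "invalid ICV"
        if frame.pn <= self.highest_pn:
            return False, "replayed packet number"
        self.highest_pn = frame.pn
        return True, "accepted"


def run_scenarios() -> dict[str, tuple[bool, str]]:
    """Constructed scenarios: a legitimate frame, its replay, a tampered copy,
    a frame from a device that does not hold the provider key, and the next
    legitimate frame."""
    provider_key = hashlib.sha256(b"constructed demo key, not a real secret").digest()
    dst = bytes.fromhex("020000000001")  # constructed locally administered MAC
    src = bytes.fromhex("020000000002")  # constructed locally administered MAC
    rx = Receiver(provider_key)

    good = protect(provider_key, dst, src, 1, b"customer frame")
    results = {"legitimate": rx.validate(good)}
    results["replayed"] = rx.validate(good)  # same PN seen again

    # Payload altered in transit but the original ICV kept: fails the tag check
    tampered = SecuredFrame(good.dst, good.src, 2, b"CUSTOMER frame", good.icv)
    results["tampered payload"] = rx.validate(tampered)

    # A sender outside the trusted core cannot produce a valid ICV
    other_key = hashlib.sha256(b"key of a device outside the trusted core").digest()
    results["unkeyed sender"] = rx.validate(protect(other_key, dst, src, 2, b"injected frame"))

    results["next legitimate"] = rx.validate(protect(provider_key, dst, src, 2, b"second frame"))
    return results


if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print(f"{name:18s} -> {'accepted' if ok else 'rejected'} ({reason})")
```

The order of the two checks matters: the ICV is verified before the packet number is consulted, so an unauthenticated frame can never advance the receiver's replay state. In the model that is what lets a forged frame from a device outside the trusted core be discarded without affecting the legitimate sender's next frame.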