Last Call Review of draft-ietf-detnet-mpls-oam-13
review-ietf-detnet-mpls-oam-13-secdir-lc-orman-2023-12-23-00

Request: Review of draft-ietf-detnet-mpls-oam
Requested revision: No specific revision (document currently at 15)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2023-12-19
Requested: 2023-12-05
Authors: Greg Mirsky, Mach Chen, Balazs Varga
I-D last updated: 2023-12-23
Completed reviews: Genart Last Call review of -13 by Russ Housley; Secdir Last Call review of -13 by Hilarie Orman; Rtgdir Early review of -09 by Jonathan Hardwick
Assignment: Reviewer Hilarie Orman
State: Completed
Request: Last Call review on draft-ietf-detnet-mpls-oam by Security Area Directorate Assigned
Posted at: https://mailarchive.ietf.org/arch/msg/secdir/1dtc72MP4-uA6aW2_A6IZ5ziQjA
Reviewed revision: 13 (document currently at 15)
Result: Has nits
Completed: 2023-12-19
Security review of
Operations, Administration and Maintenance (OAM) for Deterministic
Networks (DetNet) with MPLS Data Plane
draft-ietf-detnet-mpls-oam-13

Do not be alarmed.  I generated this review of this document as part
of the security directorate's ongoing effort to review all IETF
documents being processed by the IESG.  These comments were written
with the intent of improving security requirements and considerations
in IETF drafts.  Comments not addressed in last call may be included
in AD reviews during the IESG review.  Document editors and WG chairs
should treat these comments just like any other last call comments.

Deterministic networks are intended to address the requirements of
real-time applications by reducing packet drops.  This document
defines format and usage principles of the DetNet service "Associated
Channel" over a DetNet network with the MPLS data plane.

The security considerations note that RFC 9055 "Deterministic
Networking (DetNet) Security Considerations" has a comprehensive
discussion of issues.  The OAM packets with an MPLS data plane do not
seem to introduce any significant new considerations.

RFC 8655 "Deterministic Networking Architecture" notes that all QoS
mechanisms have a generic privacy exposure because the markings may
help an attacker correlate flows and thus target particular packets
more effectively.  The OAM packets for MPLS described in the document
under consideration do seem to add headers that correlate to the
underlying network flows, and these might be an attack surface that is
new.  This could be mentioned in the security (privacy) section.

Hilarie