
Last Call Review of draft-ietf-mpls-tp-security-framework-07
review-ietf-mpls-tp-security-framework-07-genart-lc-romascanu-2013-01-31-00

Request Review of draft-ietf-mpls-tp-security-framework
Requested revision No specific revision (document currently at 09)
Type Last Call Review
Team General Area Review Team (Gen-ART) (genart)
Deadline 2013-02-06
Requested 2013-01-24
Authors Luyuan Fang , Ben Niven-Jenkins , Scott Mansfield , Richard F. Graveman
I-D last updated 2013-01-31
Completed reviews Genart Last Call review of -07 by Dan Romascanu (diff)
Genart Telechat review of -08 by Dan Romascanu (diff)
Secdir Last Call review of -07 by Brian Weis (diff)
Assignment Reviewer Dan Romascanu
State Completed
Request Last Call review on draft-ietf-mpls-tp-security-framework by General Area Review Team (Gen-ART) Assigned
Reviewed revision 07 (document currently at 09)
Result Ready w/issues
Completed 2013-01-31
I am the assigned Gen-ART reviewer for this draft. For background on Gen-ART,
please see the FAQ at
<http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.

Please resolve these comments along with any other Last Call comments you may
receive.

Document: draft-ietf-mpls-tp-security-framework-07
Reviewer: Dan Romascanu
Review Date: 1/31/13
IETF LC End Date: 2/6/13
IESG Telechat date: (if known)

Summary: Ready with Issues

This is a short, well-written and useful document that supplements RFC 5920
with information on reference models, security threats and defense techniques
specific to MPLS-TP. There is one major issue which I believe should be fixed
and is not too difficult to fix if the authors agree.

Major issues:

One of the major features of extending MPLS in MPLS-TP is rightly identified in
the words of the Abstract as the 'strong emphasis on static provisioning
supported by network management systems'. However, Sections 3 and 4 fail to
describe accurately the threats introduced by provisioning tools and the
defensive techniques that need to be put in place in order to address these
threats.

Section 3 speaks about 'attacks to NMS' but this is quite vague (what kind of
attacks?) and incomplete, as it is not only the NMS that can be attacked but
also the communication between the NMS and the routers that are being
provisioned, as well as the access of the users to the provisioning tools.
Threats like disclosure of information, masquerade (as NMS) or access of
unauthorized users to the provisioning information and controls need to be
clearly articulated here.

In Section 4 the corresponding defensive techniques need to be listed, or at
least make clear that techniques like entity authentication for identity
verification, encryption for confidentiality, message integrity and replay
detection to ensure the validity of message streams, as well as user access
control and event logging need to apply also for NMS applications and
provisioning traffic.

Minor issues:

Nits/editorial comments:

1. Several acronyms are not expanded at first occurrence: PE/T-PE, GAL

2. Inconsistent abbreviation: T-PE in the text, TPE in figures 2-5

3. The first sentence in Section 3 seems broken grammatically:

> This section discuss various network security threats which are to
> MPLS-TP and may endanger MPLS-TP networks.