
Last Call Review of draft-ietf-mpls-tp-security-framework-07
review-ietf-mpls-tp-security-framework-07-secdir-lc-weis-2013-02-21-00

Request
Review of: draft-ietf-mpls-tp-security-framework
Requested revision: No specific revision (document currently at 09)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2013-02-19
Requested: 2013-01-25
Authors: Luyuan Fang, Ben Niven-Jenkins, Scott Mansfield, Richard F. Graveman
I-D last updated: 2013-02-21
Completed reviews:
  Genart Last Call review of -07 by Dan Romascanu
  Genart Telechat review of -08 by Dan Romascanu
  Secdir Last Call review of -07 by Brian Weis

Assignment
Reviewer: Brian Weis
State: Completed
Request: Last Call review on draft-ietf-mpls-tp-security-framework by Security Area Directorate (Assigned)
Reviewed revision: 07 (document currently at 09)
Result: Ready
Completed: 2013-02-21

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG. These comments
were written primarily for the benefit of the security area directors. Document
editors and WG chairs should treat these comments just like any other last call
comments.

This document provides a security framework for Multiprotocol Label Switching
Transport Profile (MPLS-TP). It is based upon RFC 5920 ("MPLS and GMPLS
security framework"), but particularly addresses MPLS-TP extensions. It starts
with a good background on the security reference models, highlighting "trusted
zones" and "untrusted zones" of various network architectures. It then outlines
threats in an MPLS network that are particularly important to MPLS-TP.

The primary mitigation for threats to the infrastructure is to use some form of
packet authentication, and this is well covered. It also stresses threats and
mitigations to using a network management system used to provision MPLS-TP
network elements. Draft -08 is much improved over -07, and I believe is ready
to publish.

Brian