Last Call Review of draft-ietf-mpls-tp-security-framework-07

Request Review of draft-ietf-mpls-tp-security-framework
Requested rev. no specific revision (document currently at 09)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2013-02-19
Requested 2013-01-25
Authors Luyuan Fang, Ben Niven-Jenkins, Scott Mansfield, Richard Graveman
Draft last updated 2013-02-21
Completed reviews Genart Last Call review of -07 by Dan Romascanu
Genart Telechat review of -08 by Dan Romascanu
Secdir Last Call review of -07 by Brian Weis
Assignment Reviewer Brian Weis
State Completed
Review review-ietf-mpls-tp-security-framework-07-secdir-lc-weis-2013-02-21
Reviewed rev. 07 (document currently at 09)
Review result Ready
Review completed: 2013-02-21


I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This document provides a security framework for Multiprotocol Label Switching Transport Profile (MPLS-TP). It is based upon RFC 5920 ("MPLS and GMPLS security framework"), but particularly addresses MPLS-TP extensions. It starts with a good background on the security reference models, highlighting "trusted zones" and "untrusted zones" of various network architectures. It then outlines threats in an MPLS network that are particularly important to MPLS-TP.

The primary mitigation for threats to the infrastructure is to use some form of packet authentication, and this is well covered. It also stresses threats and mitigations related to using a network management system to provision MPLS-TP network elements. Draft -08 is much improved over -07, and I believe it is ready to publish.