I am the assigned Gen-ART reviewer for this draft. For background on Gen-ART, please see the FAQ at
<http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>. Please resolve these comments along with any other Last Call comments you may receive. Document: draft-ietf-mpls-tp-security-framework-07 Reviewer: Dan Romascanu Review Date: 1/31/13 IETF LC End Date: 2/6/13 IESG Telechat date: (if known) Summary: Ready with Issues This is a short, well-written and useful document that supplements RFC 5920 with information on reference models, security threats and defense techniques specific to MPLS-TP. There is one major issue which I believe should be fixed and is not too difficult to fix if the authors agree. Major issues: One of the major features of extending MPLS in MPLS-TP is rightly identified in the words of the Abstract as the 'strong emphasis on static provisioning supported by network management systems'. However Sections 3 and 4 miss to describe accurately the threats introduced by provisioning tools and the defensive techniques that need to be put in place in order to address these threats. Section 3 speaks about 'attacks to NMS' but this is quite vague (what kind of attacks?) and incomplete, as it is not only the NMS that can be attacked but also the communication between the NMS and the routers that are being provisioned, as well as the access of the users to the provisioning tools. Threats like disclosure of information, masquerade (as NMS) or access of unauthorized users to the provisioning information and controls need to be clearly articulated here. In Section 4 the corresponding defensive techniques need to be listed, or at least make clear that techniques like entity authentication for identity verification, encryption for confidentiality, message integrity and replay detection to ensure the validity of message streams, as well as users access control and events logging need to apply also for NMS applications and provisioning traffic. Minor issues: Nits/editorial comments: 1. Several acronyms are not expanded at first occurrence: PE/T-PE, GAL 2. Inconsistent abbreviation: T-PE in the text, TPE in figures 2-5 3. The first sentence in Section 3 seems broken grammatically: > This section discuss various network security threats which are to MPLS-TP and may endanger MPLS-TP networks. _______________________________________________ Gen-art mailing list [email protected] https://www.ietf.org/mailman/listinfo/gen-art
