Thank you for addressing my comments. From my perspective the document is now ready.

Regards,

Dan

> -----Original Message-----
> From: Luyuan Fang (lufang) [mailto:[email protected]]
> Sent: Wednesday, February 06, 2013 7:52 AM
> To: Romascanu, Dan (Dan); [email protected]
> Cc: [email protected]; [email protected]; [email protected]; [email protected]; [email protected]; ms-[email protected]; [email protected]; [email protected]; [email protected]
> Subject: Re: Gen-ART Review of draft-ietf-mpls-tp-security-framework-07
>
> Hi Dan,
>
> Thank you very much for your review and detailed comments, really appreciate your discussion and helpful suggestions.
>
> I updated the document, addressed all your comments. It is reflected in the 08 version just posted.
> http://www.ietf.org/internet-drafts/draft-ietf-mpls-tp-security-framework-08.txt
>
> We acknowledged your help in the document.
>
> Please see in-line.
>
> -----Original Message-----
> From: <Romascanu>, "Dan (Dan)" <[email protected]>
> Date: Thursday, January 31, 2013 2:09 AM
> To: "[email protected]" <[email protected]>
> Cc: Luyuan Fang <[email protected]>, "[email protected]" <[email protected]>, "[email protected]" <[email protected]>, "[email protected]" <[email protected]>, "[email protected]" <[email protected]>, Nabil Bitar <[email protected]>, "[email protected]" <[email protected]>, "[email protected]" <[email protected]>, "[email protected]" <[email protected]>, "[email protected]" <[email protected]>
> Subject: Gen-ART Review of draft-ietf-mpls-tp-security-framework-07
>
> > I am the assigned Gen-ART reviewer for this draft. For background on Gen-ART, please see the FAQ at
> > <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.
> >
> > Please resolve these comments along with any other Last Call comments you may receive.
> >
> > Document: draft-ietf-mpls-tp-security-framework-07
> > Reviewer: Dan Romascanu
> > Review Date: 1/31/13
> > IETF LC End Date: 2/6/13
> > IESG Telechat date: (if known)
> >
> > Summary: Ready with Issues
> >
> > This is a short, well-written and useful document that supplements RFC 5920 with information on reference models, security threats and defense techniques specific to MPLS-TP. There is one major issue which I believe should be fixed and is not too difficult to fix if the authors agree.
> >
> > Major issues:
> >
> > One of the major features of extending MPLS in MPLS-TP is rightly identified in the words of the Abstract as the 'strong emphasis on static provisioning supported by network management systems'. However Sections 3 and 4 fail to describe accurately the threats introduced by provisioning tools and the defensive techniques that need to be put in place in order to address these threats.
> >
> > Section 3 speaks about 'attacks to NMS' but this is quite vague (what kind of attacks?) and incomplete, as it is not only the NMS that can be attacked but also the communication between the NMS and the routers that are being provisioned, as well as the access of the users to the provisioning tools. Threats like disclosure of information, masquerade (as NMS) or access of unauthorized users to the provisioning information and controls need to be clearly articulated here.
>
> [luyuan] Good points. In Section 3, the following text is added (after the paragraph that talks about "attacks to NMS"):
>
> Attacks to NMS may come from external attackers or insiders. Outside attacks are initiated outside of the trusted zone by an unauthorized user of the MPLS-TP network management systems. An insider attack is initiated from inside of the trusted zone by an entity with authorized access to the management systems that performs unapproved harmful functions to the MPLS-TP networks. These attacks may be directly targeted at the NMS, or via the compromised communication channels between the NMS and the network devices that are being provisioned, or through the access of the users to the provisioning tools. The security threats may include disclosure of information, generating false OAM messages, taking down MPLS-TP LSPs, connecting to the wrong MPLS-TP tunnel end points, and DoS attacks to the MPLS-TP networks.
>
> > In Section 4 the corresponding defensive techniques need to be listed, or at least make clear that techniques like entity authentication for identity verification, encryption for confidentiality, message integrity and replay detection to ensure the validity of message streams, as well as user access control and event logging need to apply also for NMS applications and provisioning traffic.
>
> [luyuan] Agreed. The following paragraph is added at the end of Section 4, pretty much based on your suggestions.
>
> It is important to point out the following security defense techniques, which are particularly critical for NMS due to the strong emphasis on static provisioning supported by NMS in MPLS-TP deployment. These techniques include: entity authentication for identity verification, encryption for confidentiality, message integrity and replay detection to ensure the validity of message streams, as well as user access control and event logging, which must be applied for NMS and provisioning applications.
>
> > Minor issues:
> >
> > Nits/editorial comments:
> >
> > 1. Several acronyms are not expanded at first occurrence: PE/T-PE, GAL
>
> [luyuan] Fixed. We initially had a terminology section; it was taken out during the last call discussion. I added the section back with a new list of terms that are relevant to this document.
>
> > 2. Inconsistent abbreviation: T-PE in the text, TPE in figures 2-5
>
> [luyuan] Fixed.
>
> > 3. The first sentence in Section 3 seems broken grammatically:
> >
> > > This section discuss various network security threats which are to MPLS-TP and may endanger MPLS-TP networks.
>
> [luyuan] Fixed.
> New text: This section discusses various network security threats that are unique to MPLS-TP and may endanger MPLS-TP networks.
>
> Thanks,
> Luyuan

_______________________________________________
Gen-art mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/gen-art
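A worked illustration of the defense list in the paragraph added to Section 4, applied to the NMS-to-device provisioning channel the review is concerned with: entity authentication, message integrity, replay detection, user access control and event logging. This is example code added here, not text or code from the draft or from anyone in the thread. The JSON message format, the shared-key HMAC-SHA256 tag, the strictly increasing sequence number, the role table and the action names are all assumptions made for the example; encryption for confidentiality is left to the transport (for instance TLS or IPsec) and is not shown.

```python
import hashlib
import hmac
import json

# Constructed shared key for the example only; a real deployment would use
# per-device keys provisioned out of band, or certificates over TLS/IPsec.
DEVICE_KEY = b"example-nms-device-key-not-for-production"

TAG_LEN = 32  # HMAC-SHA256 output length in bytes

# Assumed role table: which provisioning actions each role may perform.
ROLE_PERMISSIONS = {
    "operator": {"create_lsp", "delete_lsp", "read_config"},
    "viewer": {"read_config"},
}


def build_message(key, seq, user, action, params):
    """NMS side: serialise the request and append an HMAC-SHA256 tag.

    The sequence number is inside the authenticated body, so a captured
    message cannot be renumbered to defeat replay detection.
    """
    body = json.dumps(
        {"seq": seq, "user": user, "action": action, "params": params},
        sort_keys=True,
    ).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class ProvisioningEndpoint:
    """Device side: verify, check for replay, authorise, apply and log."""

    def __init__(self, key, user_roles):
        self.key = key
        self.user_roles = user_roles  # user name -> role name
        self.last_seq = 0             # highest sequence number accepted
        self.lsps = {}                # provisioned LSPs: name -> endpoints
        self.log = []                 # (result, user, action, seq) tuples

    def receive(self, wire):
        # 1. Origin and integrity: verify the MAC before parsing anything.
        if len(wire) < TAG_LEN:
            return self._record("rejected:bad_mac", None)
        body, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return self._record("rejected:bad_mac", None)
        msg = json.loads(body)

        # 2. Replay detection: sequence numbers must strictly increase.
        #    The counter advances only for authenticated messages.
        if msg["seq"] <= self.last_seq:
            return self._record("rejected:replay", msg)
        self.last_seq = msg["seq"]

        # 3. Access control: the user must hold a role allowing the action.
        role = self.user_roles.get(msg["user"])
        if msg["action"] not in ROLE_PERMISSIONS.get(role, set()):
            return self._record("rejected:unauthorized", msg)

        # 4. Apply the provisioning change.
        self._apply(msg)
        return self._record("accepted", msg)

    def _apply(self, msg):
        params = msg["params"]
        if msg["action"] == "create_lsp":
            self.lsps[params["name"]] = tuple(params["endpoints"])
        elif msg["action"] == "delete_lsp":
            self.lsps.pop(params["name"], None)
        # read_config changes nothing

    def _record(self, result, msg):
        # 5. Event logging: every accepted and rejected request is recorded,
        #    including those whose MAC failed (no trusted fields to log).
        if msg is None:
            self.log.append((result, None, None, None))
        else:
            self.log.append((result, msg["user"], msg["action"], msg["seq"]))
        return result


if __name__ == "__main__":
    ep = ProvisioningEndpoint(DEVICE_KEY, {"alice": "operator", "bob": "viewer"})
    m1 = build_message(DEVICE_KEY, 1, "alice", "create_lsp",
                       {"name": "lsp-PE1-PE2", "endpoints": ["PE1", "PE2"]})
    print(ep.receive(m1))      # accepted
    print(ep.receive(m1))      # rejected:replay (same sequence number again)
    m2 = build_message(DEVICE_KEY, 2, "bob", "delete_lsp", {"name": "lsp-PE1-PE2"})
    print(ep.receive(m2))      # rejected:unauthorized (viewer may not delete)
    forged = build_message(b"wrong-key", 3, "alice", "delete_lsp", {"name": "lsp-PE1-PE2"})
    print(ep.receive(forged))  # rejected:bad_mac (masquerading NMS)
    print(ep.lsps, ep.log)
```

The order of the checks is the point: the MAC is verified before any field is trusted, the replay window advances only for authenticated messages, and authorisation is decided on the authenticated user name, so a captured or forged message cannot take down an LSP or connect to the wrong endpoint even if it reaches the device. The log captures the rejected attempts as well, which is what an operator needs to notice a masquerade or an insider exceeding their role.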
