Last Call Review of draft-ietf-ccamp-gmpls-ethernet-arch-
review-ietf-ccamp-gmpls-ethernet-arch-secdir-lc-mcgrew-2009-12-18-00

Request Review of draft-ietf-ccamp-gmpls-ethernet-arch
Requested rev. no specific revision (document currently at 09)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2010-01-01
Requested 2009-12-09
Draft last updated 2009-12-18
Completed reviews Secdir Last Call review of -?? by David McGrew
Assignment Reviewer David McGrew
State Completed
Review review-ietf-ccamp-gmpls-ethernet-arch-secdir-lc-mcgrew-2009-12-18
Review completed: 2009-12-18

Review
review-ietf-ccamp-gmpls-ethernet-arch-secdir-lc-mcgrew-2009-12-18

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

Section 9, Security Considerations.

"The architecture for GMPLS controlled "transport" Ethernet assumes that the network consists of trusted devices" I believe what is meant is "The architecture for GMPLS controlled "transport" Ethernet assumes that the GMPLS core network consists of trusted devices". This is fairly vague, and it would be useful to use the terms from draft-ietf-mpls-mpls-and-gmpls-security-framework-07, and say something like "A GMPLS controlled "transport" Ethernet system should assume that users and devices attached to UNIs may behave maliciously, negligently, or incorrectly. Providers are trusted to not be malicious."

The document refers the reader to draft-ietf-mpls-mpls-and-gmpls-security-framework-07 for most security considerations, which is a fair thing to do.

draft-ietf-mpls-mpls-and-gmpls-security-framework-07 recommends encryption, so I suggest adding a reference to IEEE 802.1AE Media Access Control (MAC) Security, like this: "Cryptography can be used to protect against many attacks described in [draft-ietf-mpls-mpls-and-gmpls-security-framework-07]. One option for protecting "transport" Ethernet is the use of 802.1AE Media Access Control Security, which provides encryption and authentication."

Nit: Section 1. "SONET/SDH TDM" needs a comma.

regards,

David