Last Call Review of draft-ietf-mpls-tp-nm-framework-
review-ietf-mpls-tp-nm-framework-secdir-lc-cain-2010-02-20-00

Request Review of draft-ietf-mpls-tp-nm-framework
Requested rev. no specific revision (document currently at 05)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2010-02-16
Requested 2010-01-29
Draft last updated 2010-02-20
Completed reviews Secdir Last Call review of -?? by Patrick Cain
Assignment Reviewer Patrick Cain
State Completed
Review review-ietf-mpls-tp-nm-framework-secdir-lc-cain-2010-02-20
Review completed: 2010-02-20

Review

Hi,

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This document provides the network management framework for the
Transport Profile for Multi-Protocol Label Switching (MPLS-TP).

This framework relies on the management terminology from the ITU-T to
describe the management architecture that could be used for an
MPLS-TP management network.

The Security Considerations section is the basis of my comment. I don't
think the first two sentences are sentences. At least I think they need to
be restated to clarify their meaning. The section states:
   "Provisions to any of the network mechanisms designed to satisfy the
   requirements described herein need to prevent their unauthorized use
   and provide a means for an operator to prevent denial of service
   attacks if those network mechanisms are used in such an attack.

   Solutions need to provide mechanisms to prevent private information
   from being accessed by unauthorized eavesdropping, or being directly
   obtained by an unauthenticated network element, system or user."

Using terminology from the document, I think the paragraphs should really
say something to the effect of:
"Many of the EMF Interfaces (Section 2.3) are critical to proper NE
operation and need to be protected from denial of service conditions or
attack. The EMF Interfaces that use or access private information should be
protected from eavesdropping or being accessed by unauthorized network
elements, systems, or users."
Since the next part of the section points the reader to the ITU and other
RFC documents, it should flow okay.

Although I am by no means an MPLS expert, the rest of the document looked
fine.
[As a side note, normally the term 'unauthorized eavesdropping' is not used.
Eavesdropping is always performed by an unauthorized party; if they are
authorized it's called 'network monitoring'.  ;) ]

Pat Cain