MPLS Transport Profile (MPLS-TP) Security Framework
RFC 6941
Note: This ballot was opened for revision 08 and is now closed.
(Stewart Bryant) Yes
(Adrian Farrel) Yes
(Ron Bonica) No Objection
(Gonzalo Camarillo) No Objection
(Benoît Claise) No Objection
Comment (2013-02-20 for -08)
Minor editorial comment

OLD
Security reference model 1(a) An MPLS-TP network with Single Segment Pseudowire (SS-PW) from PE1 to PE2. The trusted zone is PE1 to PE2 as illustrated in Figure 1.

NEW
Security reference model 1(a) An MPLS-TP network with Single Segment Pseudowire (SS-PW) from PE1 to PE2. The trusted zone is PE1 to PE2 as illustrated in Figure 1.
(Ralph Droms) No Objection
(Wesley Eddy) No Objection
(Stephen Farrell) No Objection
Comment (2013-02-18 for -08)
I guess as an abstract framework there's not much to critique here, so feel free to take or leave the following comments.

- I think you're right to focus on the NMS. I'm not sure if there's any way to validate what's going on from two independent points on the n/w using different vendors' kit, but that might be something to consider.

- I think there's a missing threat, which is running insufficiently audited or even malicious vendor-supplied (i.e. genuine) code on devices. Not all operators seem to be trusting of all vendors these days.

- The inside==trusted; outside==there-be-dragons model is probably less useful than was once the case. Many "inside" systems end up being compromisable via e.g. laptops that get connected in the wrong places or USB sticks etc. While that ought not happen, it does. That does call into question the "full control" statements in section 2 here. Section 3 does however consider this to an extent.

- The use of isolated infrastructure wasn't that effective in the face of a determined attacker in e.g. the case of Stuxnet. And that was with an air gap reportedly, whereas use of "non-IP based communication paths" seems more like just security by obscurity.
(Brian Haberman) No Objection
(Russ Housley) No Objection
Barry Leiba No Objection
Comment (2013-02-12 for -08)
Luyuan Fang handled all my comments during last call, so I have nothing left now. :-)
(Pete Resnick) No Objection
(Robert Sparks) No Objection
(Martin Stiemerling) No Objection
(Sean Turner) No Objection
Comment (2013-02-20 for -08)
1) s4: Contains the following:

   Authentication includes entity authentication for identity verification, encryption for confidentiality, management system authentication, peer-to-peer authentication, ...

   Now my head is full of cough medicine, but does authentication really include encryption for confidentiality? Should that bit be struck from the sentence?

2) s4: r/authentication,the/authentication, the

3) For what it's worth, I agree with Stephen's comments.