[Last-Call] Secdir telechat review of draft-ietf-detnet-mpls-11

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Reviewer: Watson Ladd
Review result: Has Nits

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the  IESG. 
These comments were written primarily for the benefit of the  security area
directors.  Document editors and WG chairs should treat  these comments just
like any other last call comments.

The summary of the review is has nits.

First the good parts: this document has a very well-thought Security
Considerations section that describes the threats unique to this setting and
makes a reference to an upcoming architecture draft. However, I found analysis
of how the protocol should be deployed or configured or is designed to address
those threats to be lacking in a few places. The discussion of DOS attacks is
good: it says to avoid impacts on the DetNet services traffic must be policed
or dropped at the edge. I would like to see a similar statement made about the
consequences and mitigations for interior network corruption. It reads almost
like a sentence or two was inadvertently deleted.

However, if I understand the MPLS architecture correctly a compromised node can
inject a label stack that results in interference with the DetNet flows, and
this is quite difficult to avoid in the general case. I'm not knowledgeable in
this area by any means.  Perhaps it's necessary to say that all the MPLS nodes
are assumed to be trusted and otherwise the DetNet services cannot be provided.

I think this can be addressed pretty quickly.

Sincerely,
Watson Ladd



-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call



[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Mhonarc]     [Fedora Users]

  Powered by Linux