Hi Stephen / Ethan,

Many thanks for the review.

Draft-ietf-detnet-mpls-over-udp-ip focuses on the scenario where two DetNet MPLS nodes are interconnected via an IP sub-network and covers data plane aspects. Security aspects of DetNet are covered in the DetNet Security draft.

DetNet flows are identified using a "6-tuple", which includes UDP, TCP, etc. In my view using UDP/IP encapsulation between DetNet nodes - covered in draft-ietf-detnet-mpls-over-udp-ip - is a subset of the general DetNet IP flow case, where the 6-tuple is used for DetNet flow identification. So, no extra security scenario here.

Thanks & Cheers
Bala'zs

-----Original Message-----
From: Grossman, Ethan A. <eagros@xxxxxxxxx>
Sent: Thursday, September 24, 2020 10:28 PM
To: Stephen Farrell <stephen.farrell@xxxxxxxxx>; secdir@xxxxxxxx
Cc: last-call@xxxxxxxx; detnet@xxxxxxxx; draft-ietf-detnet-mpls-over-udp-ip.all@xxxxxxxx
Subject: RE: [Detnet] Secdir last call review of draft-ietf-detnet-mpls-over-udp-ip-06

Thanks Stephen. FWIW it isn't too late to add some text to the DetNet Security draft regarding DetNet over UDP, if someone can think up something useful to say. I suppose one could simply mention UDP in the same breath as TCP (implying that the same general security guidelines apply, if that's our stance). Any thoughts (from anyone)?

Thanks,
Ethan
(as Editor, DetNet Security draft)

-----Original Message-----
From: detnet <detnet-bounces@xxxxxxxx> On Behalf Of Stephen Farrell via Datatracker
Sent: Thursday, September 24, 2020 11:15 AM
To: secdir@xxxxxxxx
Cc: last-call@xxxxxxxx; detnet@xxxxxxxx; draft-ietf-detnet-mpls-over-udp-ip.all@xxxxxxxx
Subject: [Detnet] Secdir last call review of draft-ietf-detnet-mpls-over-udp-ip-06

Reviewer: Stephen Farrell
Review result: Ready

(Sorry for the missed review deadline.)
Other than general doubts about "I'll only use this in one administrative domain", the only specific thing that concerned me here was that draft-ietf-detnet-security doesn't seem to include any analysis of detnet/UDP (and indeed says that detnet runs over IP) and the security considerations section here is purely by reference. Given that draft-ietf-detnet-security seems to have done a reasonable job of analysis, it's a pity to not have that for the detnet/UDP case.

All that said, I don't have any concrete problems to highlight with detnet/UDP, though of course I've not been thinking about this as $dayjob, so there may be issues there.