Security Framework for MPLS and GMPLS Networks
draft-fang-mpls-gmpls-security-framework-00.txt

Luyuan Fang, Michael Behringer, Ross Callon, Jean-Louis Le Roux, Raymond Zhang, Paul Knight, Yaakov Stein, Nabil Bitar, Jerry Ash, Monique Morrow

March 19, 2007, IETF 68, Prague, Czech Republic
Status Update
• IETF 67 - San Diego
  • Project first proposed at the MPLS WG.
  • Design team formed (members are listed on the front page).
• IETF 68 - Prague
  • 00 draft posted in March 2007 before the meeting.
  • 00 draft presented at the MPLS WG and the CCAMP WG.
• Background information on the motivation for this draft
  • Security questions were raised by the Security ADs and reviewers on several recent drafts in the MPLS and CCAMP WGs.
  • A single document, the MPLS/GMPLS Security Framework, addressing general MPLS/GMPLS security issues would be useful.
  • Other drafts in the MPLS/GMPLS WGs may reference this framework document, but each must still address the security considerations specific to its own specification.
Objectives and Plans
• Provide the general security implications, requirements and guidelines for MPLS/GMPLS, especially inter-provider MPLS/GMPLS.
• Quickly gather feedback from the MPLS WG, the CCAMP (GMPLS) WG, the Security ADs/Chairs, and anyone in the IETF interested in the topic.
• Deliver subsequent revisions and work toward an Informational RFC that meets the needs of the MPLS and CCAMP WGs.
Document Scope
• In scope:
  • Security issues related to MPLS/GMPLS network protocols and operation, e.g.
    • Use of LDP, RSVP-TE, PCE, P2MP with LDP, MPLS L2 and L3 VPN, PW, MPLS inter-provider options, etc.
  • Operation of MPLS networks: an MPLS network should not be less secure than a non-MPLS network.
  • Core protection
    • Isolation, filtering, authentication, resource (e.g. LSP) limitation, etc.
  • MPLS-related attacks and their mitigation
  • MPLS inter-provider security threats and network protection best practice
• Out of scope:
  • Attacks on a router or a network that is not MPLS/GMPLS enabled
  • General security considerations and Internet best practice guidelines
Outline of the 00 draft
• Introduction
• Security Reference Model
  • Trusted Zone: Provider A MPLS/GMPLS network
  • Trusted Zone, Trusted neighbor, Authorized but untrusted neighbor
• Security Threats: Intra-AS, Inter-AS, and Inter-provider
  • Attacks on the Data Plane
  • Attacks on the Control Plane
• Defensive Techniques for MPLS/GMPLS Networks
  • Authentication
  • Cryptographic techniques
  • Anti-label spoofing
  • Monitoring, Detection, and Reporting of Security Attacks
• Service Provider General Security Requirements
  • Protection within the Core
  • Protection on the User Access Link
• Inter-provider Security Requirements
  • Control Plane Protection
  • Data Plane Protection
• References
Next Steps
• Gather feedback from the MPLS and CCAMP WG meetings, the mailing lists, and meetings with the Routing and Security ADs/Chairs/participants.
• Design team to refine the work, reflect the feedback, and issue a new revision before IETF 69.
• Ask for the draft to be adopted as a Working Group work item.
• We appreciate your feedback and your support in moving this work forward.