1. 1 Security Framework for MPLS-TP draft-fang-mpls-tp-security-framework-04.txt Luyuan Fang lufang@cisco.com Ben Niven-Jenkins ben@niven-jenkins.co.uk Scott Mansfieldscott.mansfield@ericsson.com Raymond Zhang raymond.zhang@bt.com Nabil Bitarnabil.bitar@verizon.com Masahiro Daikokums-daikoku@kddi.com Lei WangLei.wang@telenor.com November 11, 2010 79 IETF, Beijing, China

2. 2 Objectives and Scope Objectives: –Identify and address MPLS-TP specific security issues. Define MPLS-TP security reference models Provide MPLS-TP security requirements Identify MPLS-TP security threats Provide MPLS-TP security threat mitigation recommendations Intended category: Informational Scope: –In scope: Directly related with MPLS-TP –Out of scope: Any functions/application not specific to MPLS-TP. e.g. General MPLS/GMPLS Security, General IP/Internet Security best practice.. –Other drafts for MPLS-TP can point to this draft for general MPLS-TP security discussion, and discuss any specific security issues for the specific protocol proposals as needed. –Focus is on the inter-connection between trusted and untrusted zones

3. Security Issues need to be fully addressed Areas may be attacked –GAL/GACH (control plane attack, DoS attack, message intercept) –NMS –Loopback –MIP/MEP assignment –NMS and control plane interaction –MIP/MEP assignment and attacks –Data plane –GMPLS control plane Security threats –ID Spoofing –Label spoofing –DoS attack –Topology discovery –Data intercept –Performance degradation

4. Client Network Layer Native Service (Attachment Circuit) -PE1T-PE2 Native Service (Attachment Circuit) P CE1 CE2 TP-LSP Svc LSP1 TP-LSP MPLS-TP Security Reference Model 3 (added in version 4) MPLS-TP Security Model 3 Trusted Zone Untrusted Zone Transport LSP PW1 Svc LSP2 Packet Transport Service Untrusted Zone

5. 5 Next Steps Agree on Security Trust models and identify potential MPLS-TP specific attacks Complete security requirements, threats, mitigations More input/comments from WG Ask for WG adoption