subIP draft-tsenevir-smpls-01.txt
NAME of I-D:
http://search.ietf.org/internet-drafts/draft-tsenevir-smpls-01.txt
(New contact information is: tissa@force10networks.com)
SUMMARY:
This I-D specifies a mechanism for securing the MPLS data plane, i.e. securing
any data carried over MPLS. This work is split into two aspects: use of IKE
to establish the required security association for secure MPLS and
definition of the encapsulation formats required for the encryption and
authentication of MPLS payloads. Extensions, in the form of a new Domain
of Interpretation, are defined for the use of IKE to set up Security
Associations for secure MPLS. Also, two methods are presented to transport
IKE messages between edge LSRs: IKE over RSVP and IKE over a separate IP
channel. A new RSVP object is defined to exchange security association
messages as part of the LSP setup messages. It is thought that the use of a
separate IP channel facilitates scaling, especially in the environment where
multiple LSPs terminate between the same two edge LSRs.
RELATED DOCUMENTS:
http://search.ietf.org/internet-drafts/draft-tsenevir-smpls-doi-00.txt
http://search.ietf.org/internet-drafts/draft-tsenevir-mpls-lauth-00.txt
http://search.ietf.org/internet-drafts/draft-schrijvp-mpls-ldp-end-to-end-auth-03.txt
WHERE DOES IT FIT IN THE PICTURE OF THE SUB-IP WORK
MPLS/CCAMP
WHY IS IT TARGETED AT THIS WG (AREA)
This document describes mechanisms to secure the MPLS data plane. The choice
of the working groups within the Sub-IP Area depends on the interpretation of
Secure MPLS. If Secure MPLS is considered part of the Core MPLS protocol,
it may be considered at the MPLS WG. On the other hand, if it is considered
Control of MPLS, it may be considered at the CCAMP WG.
JUSTIFICATION
The broader definition of the CCAMP working group includes specifying control of
technologies such as MPLS. Providing security at each level of technology is
in essence a control process of that protocol. As an example, IPsec is
considered the security control plane of IP. Increasingly, MPLS is used as a wide
area protocol to carry various kinds of IP and sub-IP payloads. In some
scenarios, use of IPsec to secure the data plane may be either not possible
or overkill. The existence of a well-defined security plane is a prime
requirement in any protocol. MPLS lacks any serious work in the security
plane. Hence we propose to consider Secure MPLS as a working item in either the
CCAMP or the MPLS WG. The Secure MPLS work item attempts to specify the security
requirements of MPLS and provide solutions to address each of the
requirements.
Milestones
June 2001:      Submit first version of MPLS security requirement
December 2001:  Submit solutions for Security plane of MPLS
                Submit DOI for Secure MPLS
                Begin Discussion of MPLS security requirements
March 2002:     Begin Discussion of Security Plane solutions
                Begin discussion of Secure MPLS DOI
                Update MPLS security requirements based on discussion
June 2002:      Update Security Plane Solution based on the discussion
                Submit Secure MPLS DOI to IESG as possible RFC
                Submit MPLS security requirement document to IESG as
                possible informational RFC
December 2002:  Submission of Security Plane solution to IESG as possible RFC