Re: [Gen-art] [Last-Call] Genart last call review of draft-ietf-pce-pceps-tls13-02

Christer Holmberg <christer.holmberg@ericsson.com> Tue, 12 December 2023 11:57 UTC

From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Dhruv Dhody <dd@dhruvdhody.com>, Russ Housley <housley@vigilsec.com>
CC: IETF Gen-ART <gen-art@ietf.org>, "draft-ietf-pce-pceps-tls13.all@ietf.org" <draft-ietf-pce-pceps-tls13.all@ietf.org>, Last Call <last-call@ietf.org>, "pce@ietf.org" <pce@ietf.org>
Date: Tue, 12 Dec 2023 11:57:24 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/XxrKyDCzih9LmCkKKo_abIXzS6U>

Hi Dhruv and Russ,

>>> Section 2.3 of RFC 8446 explains that the security provided to early data
>>> is weaker than the security provided to other kinds of TLS data. This is
>>> the reason that PCEPS MUST NOT make use of early data. Will a note with a
>>> pointer to this text (or a pointer to the same part of
>>> draft-ietf-tls-rfc8446bis) resolve this minor issue?
>>
>> The second Note already points to the text in Section 2.3 of 8446. My issue
>> is not the fact that early data security is weaker, but why that is an issue
>> for PCEPS. Is there some specific property or requirement for PCEPS behind
>> the MUST NOT?
>
> Russ: We are simply saying that PCEPS MUST NOT use early data. We could not
> find a case where it is needed today, and we are concerned that some future
> evolution of PCEPS might use it without understanding the associated
> security risk.
>
> Dhruv: And the same guidance has been issued in RFC9190 and
> draft-ietf-netconf-over-tls13 (past IETF LC).

Ok, I had a look, and the MUST NOT text in the pceps draft seems to be 
aligned. I guess people are aware of the security risks with early data, so no 
further justification is needed :)

So, I am fine with the current text, and withdraw my minor issue Q1.

Regards,

Christer



>> On Dec 8, 2023, at 6:51 AM, Christer Holmberg via Datatracker
>> <mailto:noreply@ietf.org> wrote:
>>
>> Reviewer: Christer Holmberg
>> Review result: Almost Ready
>>
>> I am the assigned Gen-ART reviewer for this draft. The General Area
>> Review Team (Gen-ART) reviews all IETF documents being processed by
>> the IESG for the IETF Chair.  Please treat these comments just like
>> any other last call comments.
>>
>> For more information, please see the FAQ at
>>
>> <https://wiki.ietf.org/en/group/gen/GenArtFAQ>.
>>
>> Document: draft-ietf-pce-pceps-tls13-02
>> Reviewer: Christer Holmberg
>> Review Date: 2023-12-08
>> IETF LC End Date: 2023-12-19
>> IESG Telechat date: Not scheduled for a telechat
>>
>> Summary: The document is well written, and easy to understand. I do
>> have one Minor issue/question and a few Editorial issues/questions
>> that I would like the authors to address.
>>
>> Major issues: N/A
>>
>> Minor issues:
>>
>> Q1: Section 3 adds text saying that PCEPS implementations MUST NOT use
>> early data, and there are a couple of notes about what early data is.
>> However, I cannot find text which explains the "MUST NOT use". If the
>> case where early media is permitted does not apply to PCEPS it would
>> be good to add text which explains it. It would also be good to
>> explain the reason in the Introduction of this document.
>>
>> Nits/editorial comments:
>>
>> Q2:In a few places the text says "TLS protocol", and in other places "TLS".
>> Would it be possible to use "TLS" everywhere?
>>
>> Q3: Section 6 indicates that there are no known implementations when
>> version -02 of the draft was posted. If that is still the case when the
>> RFC is published, could the whole section be removed?
>>
>> Q4: Related to Q3, if the section remains (e.g., because there are
>> known implementations), I suggest saying "time of publishing this
>> document" instead of "time of posting of this Internet-Draft".
>>
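The thread above agrees that PCEPS MUST NOT use TLS 1.3 early data. As an added example that is not part of this thread or of the PCEPS draft, the following inspector parses a ClientHello and reports whether it carries the early_data extension (type 42, RFC 8446 Section 4.2.10), which is the signal a PCEPS server or a monitor watching PCEPS traffic can use to detect and refuse 0-RTT attempts. The ClientHello messages it checks are constructed inline by a helper of mine, not captured traffic.

```python
# Added example: detect the early_data extension in a TLS 1.3 ClientHello.
# Both the parser and the constructed ClientHello builder are assumptions
# of this example, not code from the PCEPS draft.
import struct

EARLY_DATA_EXT = 42          # RFC 8446, Section 4.2.10
SUPPORTED_VERSIONS_EXT = 43  # RFC 8446, Section 4.2.1

def parse_client_hello_extensions(record: bytes) -> dict:
    """Return {ext_type: ext_data} from one TLS record holding a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:       # ContentType.handshake
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:           # HandshakeType.client_hello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    ch = body[4:4 + hs_len]
    pos = 2 + 32                                    # legacy_version + random
    sid_len = ch[pos]; pos += 1 + sid_len           # legacy_session_id
    (cs_len,) = struct.unpack("!H", ch[pos:pos + 2]); pos += 2 + cs_len
    comp_len = ch[pos]; pos += 1 + comp_len         # legacy_compression_methods
    exts = {}
    if pos == len(ch):
        return exts                                 # no extensions block at all
    (ext_total,) = struct.unpack("!H", ch[pos:pos + 2]); pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", ch[pos:pos + 4]); pos += 4
        exts[ext_type] = ch[pos:pos + ext_len]; pos += ext_len
    return exts

def offers_early_data(record: bytes) -> bool:
    """True when the ClientHello asks for 0-RTT; a PCEPS peer should refuse it."""
    return EARLY_DATA_EXT in parse_client_hello_extensions(record)

def build_client_hello(extensions: list) -> bytes:
    """Constructed minimal ClientHello: one cipher suite, null compression."""
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    ch = (b"\x03\x03" + bytes(32) + b"\x00"        # version, random, empty session id
          + b"\x00\x02\x13\x01"                     # one suite: TLS_AES_128_GCM_SHA256
          + b"\x01\x00"                             # compression methods: null only
          + struct.pack("!H", len(ext_bytes)) + ext_bytes)
    hs = b"\x01" + len(ch).to_bytes(3, "big") + ch
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    versions = (SUPPORTED_VERSIONS_EXT, b"\x02\x03\x04")
    print("plain hello:", offers_early_data(build_client_hello([versions])))        # False
    print("0-RTT hello:", offers_early_data(build_client_hello([versions, (EARLY_DATA_EXT, b"")])))  # True
```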