RE: Secdir last call review of draft-ietf-teas-pce-central-control-04
Adrian Farrel <afarrel@juniper.net> Wed, 30 August 2017 18:11 UTC
Return-Path: <afarrel@juniper.net>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B7FDC1326EA; Wed, 30 Aug 2017 11:11:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.021
X-Spam-Level:
X-Spam-Status: No, score=-2.021 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=juniper.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TWIR_MLUpWMf; Wed, 30 Aug 2017 11:11:07 -0700 (PDT)
Received: from NAM02-BL2-obe.outbound.protection.outlook.com (mail-bl2nam02on0103.outbound.protection.outlook.com [104.47.38.103]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 13A53132355; Wed, 30 Aug 2017 11:11:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=h0HId4kAMVZIL8nr6O7Pg/+aClZ8o7CakDNWAaPeiY8=; b=LYMie2bNCCtsMY9ccaSoAn3fwjcrpMgHhkpR08Zw7msKxhauHqbAFCcltUl+ZtUSDI2Pd7PeDBm/AAiE6EWagOzT82yjynFZ1F6by25xdt46uEWfxPlJMDfsvssFweYd+OCQd/IDQN71wQoZ4+ZTsG6ElHaqBVkoW6lpLHOtrVs=
Received: from CO2PR05MB971.namprd05.prod.outlook.com (10.141.226.17) by CO2PR05MB668.namprd05.prod.outlook.com (10.141.230.25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.13.2; Wed, 30 Aug 2017 18:11:04 +0000
Received: from CO2PR05MB971.namprd05.prod.outlook.com ([10.141.226.17]) by CO2PR05MB971.namprd05.prod.outlook.com ([10.141.226.17]) with mapi id 15.20.0013.005; Wed, 30 Aug 2017 18:11:04 +0000
From: Adrian Farrel <afarrel@juniper.net>
To: Matthew Miller <linuxwolf+ietf@outer-planes.net>, "secdir@ietf.org" <secdir@ietf.org>
CC: "draft-ietf-teas-pce-central-control.all@ietf.org" <draft-ietf-teas-pce-central-control.all@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "teas@ietf.org" <teas@ietf.org>
Subject: RE: Secdir last call review of draft-ietf-teas-pce-central-control-04
Thread-Topic: Secdir last call review of draft-ietf-teas-pce-central-control-04
Thread-Index: AQHTIaO9swi/FejJaU6mn0gkr6jvyqKdMj5w
Date: Wed, 30 Aug 2017 18:11:04 +0000
Message-ID: <CO2PR05MB9715B65A021C5E6F79CECDEBB9C0@CO2PR05MB971.namprd05.prod.outlook.com>
References: <150410652452.21632.6924902183838903689@ietfa.amsl.com>
In-Reply-To: <150410652452.21632.6924902183838903689@ietfa.amsl.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=afarrel@juniper.net;
x-originating-ip: [193.110.55.10]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; CO2PR05MB668; 6:PSyP2gD04QaumuEeYzOEvUMA0iErn9ngaixYAE7dlQxq8wv/0DKyO4zW7hfOjcVctZ9XkxSwSmxh7/i9VY0vil0C0uCL9krXbpsD3F7T+CYZ9RSNoUHO3SNiQdm6E9R7ORBHAnCNB3WVmuy/I3y6vwV4slljAxmuA6Zq0BnBUButxb5a+Grrus/TrSE0QhlELODWlIHFUTmzR9HqaYsI8E1e0mm2nv/Bn/y2P5THb3qvDpN5O7wukx+N4elnLG3iTftoroBXV0ZC/JfimfIi1PwlmSTh1StFaA5qEf5pHMmvaaaBP4gdI3fZB62EBjTupDhxC/SLoZcTuORl/ASP4Q==; 5:xtp7Iy1Te7cJ5qf49Moa8vSNqx+9C7fqi616E+FKusCmWV4Q5lZa04caY1Q6hN1hcEyTaWyD6AVVVf6jG7dynDSj9rlyzEyeo0/ipUqkhyAWTilxipLqDMFx6f26DkCNYfF1yk1jpi35O70PhNG02w==; 24:nSncw90/TdaNsYjubfENV9qHCEfRdAxpRaAHslUd94AvibcK22/Bd4dxcrtSz/zY0E0/v8jOObPI6O1Puhge9Ycr8H/252S2OqIC6bhNoj0=; 7:+97kWB2Vc5JwDnL62BxkSrstxOm5WVbM5vRAOwHwIRScF0+7JSQMkoxJcIxVZKmUI4R6u7KSB9MqzXEo6twckAzWiN7dncaTvL4WNufds7mWGgDSO0b5fERFERdBqJvqWr+su/Dek0MfLdnEuTjnp63spRzb/XvicNUCd21PVCdgjUOTR0bpP7UKNb3ogczr0X82efI45bdPYMgXnD/kFDsb3fqejo2Jryw23jtHxTw=
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-correlation-id: 67763ad8-6349-4e68-4dc6-08d4efd27ab7
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(2017030254152)(48565401081)(300000503095)(300135400095)(2017052603199)(201703131423075)(201703031133081)(201702281549075)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095); SRVR:CO2PR05MB668;
x-ms-traffictypediagnostic: CO2PR05MB668:
x-exchange-antispam-report-test: UriScan:(192374486261705);
x-microsoft-antispam-prvs: <CO2PR05MB668B11B289CAB53C491F98CBB9C0@CO2PR05MB668.namprd05.prod.outlook.com>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(601004)(2401047)(5005006)(8121501046)(3002001)(93006095)(93001095)(100000703101)(100105400095)(10201501046)(6055026)(6041248)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123560025)(20161123558100)(20161123562025)(20161123555025)(20161123564025)(6072148)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:CO2PR05MB668; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:CO2PR05MB668;
x-forefront-prvs: 041517DFAB
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(39860400002)(13464003)(377424004)(189002)(199003)(74316002)(97736004)(4326008)(105586002)(2906002)(106356001)(33656002)(7696004)(3660700001)(230783001)(3280700002)(229853002)(6436002)(7736002)(76176999)(77096006)(305945005)(54356999)(6506006)(50986999)(2950100002)(66066001)(101416001)(5660300001)(53546010)(68736007)(2501003)(189998001)(14454004)(99286003)(55016002)(8676002)(6116002)(3846002)(81156014)(81166006)(102836003)(9686003)(54906002)(53936002)(8936002)(478600001)(25786009)(86362001)(6246003)(2900100001); DIR:OUT; SFP:1102; SCL:1; SRVR:CO2PR05MB668; H:CO2PR05MB971.namprd05.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: juniper.net does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-originalarrivaltime: 30 Aug 2017 18:11:04.5367 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CO2PR05MB668
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/0Vilx1KlxQdNCwixl3HvQEbz6Vg>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Aug 2017 18:11:10 -0000
Thanks Matthew, The point I was aiming for is that control planes are often operated with a "domain of trust" or "chain of trust" model (for better or worse) but that management systems are often operated with secure channels between management station and managed node. I think, in other words, that the point covered by the text is true in today's networks. Best, Adrian -----Original Message----- From: Matthew Miller [mailto:linuxwolf+ietf@outer-planes.net] Sent: 30 August 2017 16:22 To: secdir@ietf.org Cc: draft-ietf-teas-pce-central-control.all@ietf.org; ietf@ietf.org; teas@ietf.org Subject: Secdir last call review of draft-ietf-teas-pce-central-control-04 Reviewer: Matthew Miller Review result: Has Nits I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. Document: Reviewer: Matthew A. Miller Review Date: 2017-08-30 IETF LC End Date: 2017-08-25 IESG Telechat date: 2017-08-31 Summary: This document is ready for publication as Informational, with one potential nit. This document describes an overall architecture (with some variants) utilizing central PCE-based controller for SDN, and its implication on PCEP. The document notes the tradeoffs between the variants, including some of the vulnerabilities. My nit is in the Security Considerations; I'm not sure how likely in practice a central controller architecture will be operated with "higher level of security", and therefore not sure it's worth calling out like this. I can see how a central controller makes management easier, and that has a potential benefit of better visibility into the network's operation and finding problems (including security-related) sooner and better. Otherwise I think the rest of this section addresses the concerns that a central controller architecture has.
- Secdir last call review of draft-ietf-teas-pce-ce… Matthew Miller
- RE: Secdir last call review of draft-ietf-teas-pc… Adrian Farrel