Re: [Lsr] WG Last Call for IGP extension for PCEP security capability support in the PCE discovery - draft-ietf-lsr-pce-discovery-security-support-05

"Ketan Talaulikar (ketant)" <ketant@cisco.com> Fri, 23 July 2021 15:20 UTC

From: "Ketan Talaulikar (ketant)" <ketant@cisco.com>
To: "Acee Lindem (acee)" <acee=40cisco.com@dmarc.ietf.org>, "lsr@ietf.org" <lsr@ietf.org>
CC: "draft-ietf-lsr-pce-discovery-security-support@ietf.org" <draft-ietf-lsr-pce-discovery-security-support@ietf.org>, "pce@ietf.org" <pce@ietf.org>
Date: Fri, 23 Jul 2021 15:19:21 +0000
Message-ID: <MW3PR11MB457090D0D06B684C596D4F3DC1E59@MW3PR11MB4570.namprd11.prod.outlook.com>
References: <7CF74D7B-A6B8-4255-9493-30E8DA95C45D@cisco.com> <MW3PR11MB45705BAF545DF8220DEC32A2C1E59@MW3PR11MB4570.namprd11.prod.outlook.com> <98817A40-CF34-49D4-B49C-38E586F17513@cisco.com>
In-Reply-To: <98817A40-CF34-49D4-B49C-38E586F17513@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/lsr/0AxpMBlWehK_vXFHiLWmBHbGMjc>

Hi Acee,

Agree about the keychain provisioning part.

The distribution via IGP for the key selections and the handling of the same in PCEP sounded new to me. Is there any precedent for this? How does it all work actually, and what is needed on the PCE and PCC to handle the change/transitions – this is all missing – probably needs a PCEP spec? This is many PCCs trying to connect to a PCE. I was trying to understand this better and how all that weighs against a potential for attack/disruption by someone doing an M-i-M or replay attack.

Just some questions … as this seemed something new to me and the spec does not provide any pointers.

Thanks,
Ketan

From: Acee Lindem (acee) <acee=40cisco.com@dmarc.ietf.org>
Sent: 23 July 2021 18:52
To: Ketan Talaulikar (ketant) <ketant@cisco.com>; lsr@ietf.org
Cc: draft-ietf-lsr-pce-discovery-security-support@ietf.org; pce@ietf.org
Subject: Re: WG Last Call for IGP extension for PCEP security capability support in the PCE discovery - draft-ietf-lsr-pce-discovery-security-support-05

Hi Ketan,

From: "Ketan Talaulikar (ketant)" <ketant=40cisco.com@dmarc.ietf.org>
Date: Friday, July 23, 2021 at 9:10 AM
To: Acee Lindem <acee@cisco.com>, "lsr@ietf.org" <lsr@ietf.org>
Cc: "draft-ietf-lsr-pce-discovery-security-support@ietf.org" <draft-ietf-lsr-pce-discovery-security-support@ietf.org>, "pce@ietf.org" <pce@ietf.org>
Subject: RE: WG Last Call for IGP extension for PCEP security capability support in the PCE discovery - draft-ietf-lsr-pce-discovery-security-support-05

Hello All,

I have reviewed this draft and have the following comments for the authors to address and the WG to consider:


1) Is there any precedent for the advertisement of auth keychain info (ID/name) in such a manner that is flooded across the IGP domain? When the actual keychain anyway needs to be configured on all PCCs, what is really the value in their advertisement other than possibly exposure to attack? I hope the security directorate reviewer looks at this closely and we get some early feedback specifically on this aspect.

The key-chain mechanism was standardized in RFC 8177 and is referenced by all the routing protocol YANG models. While key-chains, as well as pre-shared keys, need to be configured, having multiple configured key-chains that are selectable via discovery is obviously more operationally secure than having a single one.

Thanks,
Acee


2) In sec 3.2 and 3.3, new sub-TLVs are being introduced. Their ASCII art pictures represent the OSPF TLVs. The ISIS TLV structure is different. While this will be obvious to most in this WG, I would request this to be clarified – perhaps by introducing separate diagrams for both protocols or skipping the art altogether.

3) RFC5088 applies to both OSPFv2 and OSPFv3. This is however not clear in the text of this document.

4) Looks like RFC5088 asked for the PCE Capabilities Flags registry to be created as a top-level IANA OSPF registry - https://datatracker.ietf.org/doc/html/rfc5088#section-7.2 – so it should have been placed here: https://www.iana.org/assignments/ospf-parameters/ospf-parameters.xhtml. What seems to have happened is that it got created under OSPFv2, which is wrong - https://www.iana.org/assignments/ospfv2-parameters/ospfv2-parameters.xml#ospfv2-parameters-14. Since this draft updates RFC5088, it is necessary for this document to fix this error. I would support Les in that perhaps all of this (i.e. everything under/related to the PCED TLV) ought to be moved under the IANA Common IGP registry here: https://www.iana.org/assignments/igp-parameters/igp-parameters.xhtml

5) The document needs to be more specific and clear about which IANA registries are to be used, to avoid errors that have happened in the past (see (3) above).

6) Appendix A, I believe what the authors intended here was that whether to use MD5 auth or not was part of discovery but static configuration on the PCE and PCC? The keychain introduced in this document can also be used along with MD5. Honestly, I don’t see a strong reason to not include MD5 in the signalling except that it is deprecated (even if widely deployed). This document would not conflict with or contradict RFC5440 if it did include a bit for MD5 support as well. As a follow-on, perhaps this document should also update RFC5440 – specifically for the security section? I see RFC8253 introducing TLS that updates RFC5440 but nothing that introduces TCP-AO? In any case, these are aspects for the PCE WG, so I will leave those to the experts there.

Thanks,
Ketan

From: Lsr <lsr-bounces@ietf.org> On Behalf Of Acee Lindem (acee)
Sent: 21 July 2021 22:16
To: lsr@ietf.org
Cc: draft-ietf-lsr-pce-discovery-security-support@ietf.org
Subject: [Lsr] WG Last Call for IGP extension for PCEP security capability support in the PCE discovery - draft-ietf-lsr-pce-discovery-security-support-05

This begins a 3-week WG Last Call, ending on August 4th, 2021, for draft-ietf-lsr-pce-discovery-security-support. Please indicate your support or objection to this list before the end of the WG last call. The longer WG last call is to account for IETF week.

  https://datatracker.ietf.org/doc/draft-ietf-lsr-pce-discovery-security-support/


Thanks,
Acee
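The thread above turns on one point: the IGP only carries a key-chain name, and the chain itself must already be configured on every PCC. The following added example (not from the draft, the thread, or any vendor code) sketches the PCC-side handling that point implies: the advertised name is used purely as a selector over locally configured RFC 8177 style key chains, an unknown name is refused, and the key to send with is chosen by its send lifetime so an overlap window allows rollover. The chain name, key ids, lifetimes and the `select_key` function are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


def at(year: int, month: int, day: int) -> datetime:
    """Helper for UTC instants used in the constructed configuration and checks."""
    return datetime(year, month, day, tzinfo=UTC)


@dataclass(frozen=True)
class Key:
    key_id: int
    algorithm: str        # RFC 8177 crypto-algorithm, e.g. "hmac-sha-256"
    send_start: datetime  # send-lifetime start (inclusive)
    send_end: datetime    # send-lifetime end (exclusive)
    secret: bytes         # key-string: stays in local config, never in the IGP


@dataclass(frozen=True)
class KeyChain:
    name: str
    keys: tuple


# Constructed local PCC configuration (hypothetical name, ids, lifetimes, secrets).
LOCAL_KEYCHAINS = {
    "pce-ao-2021q3": KeyChain("pce-ao-2021q3", (
        Key(1, "hmac-sha-256", at(2021, 7, 1), at(2021, 8, 1), b"constructed-k1"),
        Key(2, "hmac-sha-256", at(2021, 7, 25), at(2021, 9, 1), b"constructed-k2"),
    )),
}


class KeyChainRejected(Exception):
    """The advertised key chain cannot be honoured by this PCC."""


def select_key(advertised_name: str, now: datetime, local=LOCAL_KEYCHAINS) -> Key:
    """Resolve an IGP-advertised key-chain name against local configuration only.

    The name is a selector, not key material: a name with no local counterpart is
    refused rather than acted on, so nothing flooded in the IGP can introduce a key.
    """
    chain = local.get(advertised_name)
    if chain is None:
        raise KeyChainRejected(f"unknown key chain {advertised_name!r}")
    # Among keys whose send lifetime covers 'now', prefer the most recently started
    # one, so a configured overlap window rolls the key forward without a gap.
    live = [k for k in chain.keys if k.send_start <= now < k.send_end]
    if not live:
        raise KeyChainRejected(f"no active key in {chain.name!r} at {now.isoformat()}")
    return max(live, key=lambda k: k.send_start)
```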