Re: [Lsr] New Version Notification for draft-wu-lsr-pce-discovery-security-support-00.txt
Jeff Tantsura <jefftant.ietf@gmail.com> Mon, 27 August 2018 04:26 UTC
Return-Path: <jefftant.ietf@gmail.com>
X-Original-To: lsr@ietfa.amsl.com
Delivered-To: lsr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB2E3130E51 for <lsr@ietfa.amsl.com>; Sun, 26 Aug 2018 21:26:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bntL2EMs0M3W for <lsr@ietfa.amsl.com>; Sun, 26 Aug 2018 21:26:30 -0700 (PDT)
Received: from mail-pl1-x644.google.com (mail-pl1-x644.google.com [IPv6:2607:f8b0:4864:20::644]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 49714130E53 for <lsr@ietf.org>; Sun, 26 Aug 2018 21:26:30 -0700 (PDT)
Received: by mail-pl1-x644.google.com with SMTP id u11-v6so3561344plq.5 for <lsr@ietf.org>; Sun, 26 Aug 2018 21:26:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=Y8s1jDF0OarQfqTU3bsv11akIf5om0d7z3EhvATanhk=; b=R7yG2TsFnZtxjK2WqWx01FFcD5g3LsbaaCW1umxLH1uNr5ySZ+0I4255Ss9tFsDGmo EnWGVUrgzMQBZYuH5qfTL7kIxvXtwUq3oaMq+aMMff8F6kMnMLb701O4vU1e7ClJ9NGh EJyPa6gFEzLV99KFsL/QVB1lWUOAo18lkR/F0znMWtZdUFaBxbgeP52oauPmfEWXFSHw uNJHRAFN4UPbm6fUhczCUA3mR/5KEIh2eBJ+bZI+ETB1Uvtxqj4KsGBDbDCkvMRCU/lr g9+3ELjsH449yV0C5ampHlnuArlkUT4GWhG1bk9K3jGjcyisW3OG6mwY/ZdMW6gmhAd3 yQ0Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=Y8s1jDF0OarQfqTU3bsv11akIf5om0d7z3EhvATanhk=; b=HHXcJTj52SHLZ5oMBoUfxlUkNWCVRESocH68D+bvAS+JzSrXN+oKMqX7oHB9DG3wSz p6ouH1ojL4NCbCGrNJM1BUFZk7Y5lXWB9bG/ZKyt3/rLvvQCn5u/NGvd3Ugj7XfPLY2B bdJ786fxuprfPmCArZ6tfDrzzsNYZfgf462C5J0BoE//vHWtokJMvWKVVEWGuEj86Zjz ISLccaOwUFZIzraZiuN7HT47fx9hEkwSfvqZq5ENeeVOKsiu75rHZl9IlGjUScTNVXcD HmnDvKm8wLW6YDwiPrEN64f50PBtSLjYjA9RlvcfFiChhAEZfLbSU6helMoPX97y1sDD NcAg==
X-Gm-Message-State: APzg51DQ+w3WbcIylPSmmPJJHfR3kdCygrUoOGSjQ9WWhjJcNWG21chL XUIcsfbyxVpJLAl8Czz79QmwulYQ
X-Google-Smtp-Source: ANB0VdZSomrSo+N1NRCuy5oBiBPXFh8eZgCrVEHaRpa7b4bk4bH6vmV9FR9oWD+e2wj4ucTE9p1a/g==
X-Received: by 2002:a17:902:aa8f:: with SMTP id d15-v6mr11511450plr.64.1535343989532; Sun, 26 Aug 2018 21:26:29 -0700 (PDT)
Received: from [192.168.1.8] (c-73-189-13-44.hsd1.ca.comcast.net. [73.189.13.44]) by smtp.gmail.com with ESMTPSA id 64-v6sm21955972pfi.89.2018.08.26.21.26.28 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 26 Aug 2018 21:26:28 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (1.0)
From: Jeff Tantsura <jefftant.ietf@gmail.com>
X-Mailer: iPhone Mail (15G77)
In-Reply-To: <0A2BC8DB-CB49-4228-8BFA-A7378F828EAF@cisco.com>
Date: Sun, 26 Aug 2018 21:26:27 -0700
Cc: Qin Wu <bill.wu@huawei.com>, "lsr@ietf.org" <lsr@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <3B2C11F9-EE5A-484F-926C-280A0C281405@gmail.com>
References: <B8F9A780D330094D99AF023C5877DABA9AFD7A4C@nkgeml513-mbx.china.huawei.com> <5111BA63-43CD-4341-BA11-E439A4C3E54F@cisco.com> <B8F9A780D330094D99AF023C5877DABA9AFD96DC@nkgeml513-mbx.china.huawei.com> <0A2BC8DB-CB49-4228-8BFA-A7378F828EAF@cisco.com>
To: "Acee Lindem (acee)" <acee=40cisco.com@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/lsr/7cSwD0_IEPim27FE_UqZ_0umnxg>
Subject: Re: [Lsr] New Version Notification for draft-wu-lsr-pce-discovery-security-support-00.txt
X-BeenThere: lsr@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Link State Routing Working Group <lsr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lsr>, <mailto:lsr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lsr/>
List-Post: <mailto:lsr@ietf.org>
List-Help: <mailto:lsr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lsr>, <mailto:lsr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Aug 2018 04:26:33 -0000
+1 Having actual key in the protocol - similar issues as with BGP(see recent BGP discussion with Linda), would be a severe security risk. Regards, Jeff > On Aug 25, 2018, at 10:41, Acee Lindem (acee) <acee=40cisco.com@dmarc.ietf.org> wrote: > > Hi Qin, > > I believe it is a significant security exposure to include the actual keys in IGPs. What I was suggesting was to include an identifier of the key to be used. > > Thanks, > Acee > > On 8/24/18, 10:56 PM, "Qin Wu" <bill.wu@huawei.com> wrote: > > Hi, Acee: > -----邮件原件----- > 发件人: Acee Lindem (acee) [mailto:acee@cisco.com] > 发送时间: 2018年8月24日 22:23 > 收件人: Qin Wu; lsr@ietf.org > 主题: Re: New Version Notification for draft-wu-lsr-pce-discovery-security-support-00.txt > > Hi Qin, > > On 8/23/18, 11:03 PM, "Qin Wu" <bill.wu@huawei.com> wrote: > > Hi, Folks: > draft-wu-pce-discovery-pceps-support-07 has been resubmitted to LSR as draft-wu-lsr-pce-discovery-security-support-00 based on Chairs' suggestion. > https://tools.ietf.org/html/draft-wu-lsr-pce-discovery-security-support-00 > This draft define IGP extension for PCEP security support, > 1.TCP AO which has been published as RFC5295. > 2.PCEP over TLS which has been published as RFC8253 recently. > > One issue raised by chair is shared key support for TCP-AO, how do you get shared key? > > I guess my point was is that if you are distributing shared keys, you probably know whether or not TCP-AO is supported. Having said that, possibly the draft should include some sort of key-id for TCP-AO or TLS usage. For example, the key-chain name from RFC 8177. We don't need to decide now. > > [Qin]: RFC5088 " OSPF Protocol Extensions for PCE discovery" said: > " > PCE discovery information is, by nature, fairly static and does not > change with PCE activity. Changes in PCE discovery information may > occur as a result of PCE configuration updates, PCE > deployment/activation, PCE deactivation/suppression, or PCE failure. > Hence, this information is not expected to change frequently. > " > So security capability as part of PCE discovery information should also be static. > > RFC5926 section 3.1 said: > " > In TCP-AO's manual key mode, this is a key shared by both peers, entered via some interface to their > respective configurations. The Master_Key is used as the seed for the KDF. > " > My impression TCP-AO relies on manual installation for shared key. But TLS has key management protocol to exchange shared key,e.g., one defined in RFC4279. > We can either negotiate shared key for TCP-AO in the PCE discovery phase or during PCE configuration phase. For TLS usage, this is not needed, in my opinion. > To support shared key negotiation during PCE discovery phase, we need to define a IGP PCED Sub-TLV for TCP-AO, I am not sure this is allowed according to RFC5088, > It looks this new IGP PCEP TLV is a companion Sub-TLV for PCE-CAP-FLAGS Sub-TLV. > If adding a new Sub-TLV is allowed, we can add algorithm identifier and key chain name,key identifier altogether. > > If negotiating shared key during PCE configuration phase, it is clearly beyond scope of this draft. > Thanks, > Acee > > > we believe to support TCP-AO, RFC5296 should also be implemented, which provide PSK and associated ciphersuit. > Let us know if you have any other opinion? > > -Qin > -----邮件原件----- > 发件人: internet-drafts@ietf.org [mailto:internet-drafts@ietf.org] > 发送时间: 2018年8月24日 10:57 > 收件人: Daniel King; wangzitao; Dhruv Dhody; wangzitao; Diego R. Lopez; Diego Lopez; Qin Wu > 主题: New Version Notification for draft-wu-lsr-pce-discovery-security-support-00.txt > > > A new version of I-D, draft-wu-lsr-pce-discovery-security-support-00.txt > has been successfully submitted by Qin Wu and posted to the IETF repository. > > Name: draft-wu-lsr-pce-discovery-security-support > Revision: 00 > Title: IGP extension for PCEP security capability support in the PCE discovery > Document date: 2018-08-23 > Group: Individual Submission > Pages: 6 > URL: https://www.ietf.org/internet-drafts/draft-wu-lsr-pce-discovery-security-support-00.txt > Status: https://datatracker.ietf.org/doc/draft-wu-lsr-pce-discovery-security-support/ > Htmlized: https://tools.ietf.org/html/draft-wu-lsr-pce-discovery-security-support-00 > Htmlized: https://datatracker.ietf.org/doc/html/draft-wu-lsr-pce-discovery-security-support > > > Abstract: > When a Path Computation Element (PCE) is a Label Switching Router > (LSR) participating in the Interior Gateway Protocol (IGP), or even a > server participating in IGP, its presence and path computation > capabilities can be advertised using IGP flooding. The IGP > extensions for PCE discovery (RFC 5088 and RFC 5089) define a method > to advertise path computation capabilities using IGP flooding for > OSPF and IS-IS respectively. However these specifications lack a > method to advertise PCEP security (e.g., Transport Layer > Security(TLS),TCP Authentication Option (TCP-AO)) support capability. > > This document proposes new capability flag bits for PCE-CAP-FLAGS > sub-TLV that can be announced as attribute in the IGP advertisement > to distribute PCEP security support information. > > > > > Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org. > > The IETF Secretariat > > > > > > _______________________________________________ > Lsr mailing list > Lsr@ietf.org > https://www.ietf.org/mailman/listinfo/lsr
- Re: [Lsr] New Version Notification for draft-wu-l… Qin Wu
- Re: [Lsr] New Version Notification for draft-wu-l… Acee Lindem (acee)
- Re: [Lsr] New Version Notification for draft-wu-l… Qin Wu
- Re: [Lsr] New Version Notification for draft-wu-l… Acee Lindem (acee)
- Re: [Lsr] New Version Notification for draft-wu-l… Qin Wu
- Re: [Lsr] New Version Notification for draft-wu-l… Jeff Tantsura