Re: [Lsr] I-D Action: draft-ietf-lsr-pce-discovery-security-support-01.txt

"Les Ginsberg (ginsberg)" <ginsberg@cisco.com> Mon, 03 June 2019 14:54 UTC

Return-Path: <ginsberg@cisco.com>
X-Original-To: lsr@ietfa.amsl.com
Delivered-To: lsr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 117301202AA for <lsr@ietfa.amsl.com>; Mon, 3 Jun 2019 07:54:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.5
X-Spam-Level:
X-Spam-Status: No, score=-14.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=Hk9BQFez; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=N9ol7RJo
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P1UO4Fb0LNEg for <lsr@ietfa.amsl.com>; Mon, 3 Jun 2019 07:54:28 -0700 (PDT)
Received: from alln-iport-8.cisco.com (alln-iport-8.cisco.com [173.37.142.95]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2AC1C1202A6 for <lsr@ietf.org>; Mon, 3 Jun 2019 07:54:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=10774; q=dns/txt; s=iport; t=1559573668; x=1560783268; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=5dsoPNGkr+SAstJgGrsJzccnXD9eywBr6G9EdlULGAk=; b=Hk9BQFezKJmFLj7Ll6sXxWEfFgxQi+019FfD982fevNYdgz+VQvEXOf3 S8quNsxQzaz0zqXmremQa/sDUglz5azusSK/6m+5xv7r9Cm2bQATbVIMh ZMLsWXRV3X7+k9wR9Zwns8zIpMEmcJ19nVevGXpenIDw3HttrqvxFSumV E=;
IronPort-PHdr: =?us-ascii?q?9a23=3AH2AA5B1YdVjFj/DjsmDT+zVfbzU7u7jyIg8e44?= =?us-ascii?q?YmjLQLaKm44pD+JxKGt+51ggrPWoPWo7JfhuzavrqoeFRI4I3J8RVgOIdJSw?= =?us-ascii?q?dDjMwXmwI6B8vQBkz9N/TndSMSF8VZX1gj9Ha+YgBY?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0AIAAADNPVc/5FdJa1mGgEBAQEBAgE?= =?us-ascii?q?BAQEHAgEBAQGBUQUBAQEBCwGBPSknA2pVIAQLKIQUg0cDhFKKIEqCDZcvgS6?= =?us-ascii?q?BJANUCQEBAQwBARgLCgIBAYRAAheCeyM0CQ4BAwEBBAEBAgEEbRwMhUoBAQE?= =?us-ascii?q?BAgEBARAiDAEBLAwEBwQCAQYCDgMEAQEFIwUCAiULFAkIAQEEARIIEQmDAYF?= =?us-ascii?q?qAw4PAQIMA41wkGACgTiIX2sIgS+CeQEBBYEyARNBgnMYgg8JgQgsAYtZF4F?= =?us-ascii?q?AP4EQAUaCTD6CYQEBAgEBFoExGBUPgmA2giaTIpRQgQsJAoINhj+BS4tDgiJ?= =?us-ascii?q?ohgmNW40AhwuPEwIEAgQFAg4BAQWBTziBWHAVGiGCbAmCBoElAQeCQ4UUhT9?= =?us-ascii?q?yDIEdkCwBAQ?=
X-IronPort-AV: E=Sophos;i="5.60,547,1549929600"; d="scan'208";a="281713614"
Received: from rcdn-core-9.cisco.com ([173.37.93.145]) by alln-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 03 Jun 2019 14:54:26 +0000
Received: from XCH-ALN-019.cisco.com (xch-aln-019.cisco.com [173.36.7.29]) by rcdn-core-9.cisco.com (8.15.2/8.15.2) with ESMTPS id x53EsQ9C000990 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 3 Jun 2019 14:54:26 GMT
Received: from xhs-rtp-003.cisco.com (64.101.210.230) by XCH-ALN-019.cisco.com (173.36.7.29) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Mon, 3 Jun 2019 09:54:25 -0500
Received: from xhs-rcd-002.cisco.com (173.37.227.247) by xhs-rtp-003.cisco.com (64.101.210.230) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Mon, 3 Jun 2019 10:54:24 -0400
Received: from NAM01-BN3-obe.outbound.protection.outlook.com (72.163.14.9) by xhs-rcd-002.cisco.com (173.37.227.247) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Mon, 3 Jun 2019 09:54:24 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=5dsoPNGkr+SAstJgGrsJzccnXD9eywBr6G9EdlULGAk=; b=N9ol7RJoZ4LwqAHkcXIn3iho9X7q4tkTN+AHKDjap2V7BqiadgDYVdVzlxsQtc2QakmH127Z3Wehz27azhcjgXzgO+aHCa/i6TS75dkxhui5vIQmKudtG/xREczAQFfVcmNMwpxQwvmjReHAVD44Ss8oDM6pLruiStIPiUP3qaQ=
Received: from BYAPR11MB3638.namprd11.prod.outlook.com (20.178.237.19) by BYAPR11MB3061.namprd11.prod.outlook.com (20.177.226.138) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1922.17; Mon, 3 Jun 2019 14:54:22 +0000
Received: from BYAPR11MB3638.namprd11.prod.outlook.com ([fe80::ace2:8693:202d:5a30]) by BYAPR11MB3638.namprd11.prod.outlook.com ([fe80::ace2:8693:202d:5a30%7]) with mapi id 15.20.1943.018; Mon, 3 Jun 2019 14:54:22 +0000
From: "Les Ginsberg (ginsberg)" <ginsberg@cisco.com>
To: Qin Wu <bill.wu@huawei.com>, "lsr@ietf.org" <lsr@ietf.org>
Thread-Topic: [Lsr] I-D Action: draft-ietf-lsr-pce-discovery-security-support-01.txt
Thread-Index: AdUZ/kOJZ3UGJI/OTMGkC0pgYhv1RwAHIUrg
Date: Mon, 3 Jun 2019 14:54:22 +0000
Message-ID: <BYAPR11MB36382CB598A4031FFA357989C1140@BYAPR11MB3638.namprd11.prod.outlook.com>
References: <B8F9A780D330094D99AF023C5877DABAA495F655@nkgeml513-mbx.china.huawei.com>
In-Reply-To: <B8F9A780D330094D99AF023C5877DABAA495F655@nkgeml513-mbx.china.huawei.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=ginsberg@cisco.com;
x-originating-ip: [2001:420:c0c8:1002::146]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: d69c88b4-1d9a-4155-2972-08d6e8335d7c
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:BYAPR11MB3061;
x-ms-traffictypediagnostic: BYAPR11MB3061:
x-ms-exchange-purlcount: 6
x-microsoft-antispam-prvs: <BYAPR11MB3061A8E00B0B84DFE69DDD84C1140@BYAPR11MB3061.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0057EE387C
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(346002)(396003)(366004)(136003)(376002)(39860400002)(54094003)(189003)(199004)(13464003)(55016002)(6436002)(186003)(256004)(6246003)(14444005)(110136005)(6306002)(9686003)(7696005)(76176011)(6116002)(2906002)(66446008)(229853002)(15650500001)(99286004)(25786009)(53936002)(66556008)(66476007)(73956011)(66946007)(64756008)(478600001)(8676002)(81156014)(966005)(14454004)(81166006)(316002)(305945005)(68736007)(76116006)(71190400001)(71200400001)(86362001)(486006)(476003)(46003)(8936002)(446003)(53546011)(6506007)(102836004)(2501003)(5660300002)(66574012)(7736002)(52536014)(74316002)(33656002)(11346002); DIR:OUT; SFP:1101; SCL:1; SRVR:BYAPR11MB3061; H:BYAPR11MB3638.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: NU4Jz/Uv4DJr0/BMIab999mN71dUkq/xN7G8+BkrWRNQRm7SSr2qYaxPbFTbaDmk1kNLsorJ2QXQvxe8zKJ3sq2YONS3kQA7nBW0GxH85ks7ClrKjbcYjJSABBM83l/DOjDC1eHPb8YDlAo+OZqWG+vEfjg8I7ZzTzrmWz0ZWrDgIbglxCXWD6MCa4OUQu2wxSyWPZaE+cPUtsyggWvWJHkoUZOPpZHgHcn50A7RrPM8BbIlUYS6pkPf1w/Ydk9D5rtu+KcQ4FMnooJN2dvmNT5zPujucPW5VRjlNYi79Elz/fi/tIKxhPiiBb/H5kmxcuqp1nDmyi3C7ksmGM5qPM2UWWcwDuTlwvC8VMjmk2/N4U2tErLuEU/VIF0TSI8DJUqZWhejFXdSvzOedI3wEVOGglhJZKK+FkQIIFi+kK8=
Content-Type: text/plain; charset="gb2312"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: d69c88b4-1d9a-4155-2972-08d6e8335d7c
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Jun 2019 14:54:22.7019 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: ginsberg@cisco.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR11MB3061
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.29, xch-aln-019.cisco.com
X-Outbound-Node: rcdn-core-9.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/lsr/9FueT6V1ikhQQZ10yluG-9CWAGs>
Subject: Re: [Lsr] I-D Action: draft-ietf-lsr-pce-discovery-security-support-01.txt
X-BeenThere: lsr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Link State Routing Working Group <lsr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lsr>, <mailto:lsr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lsr/>
List-Post: <mailto:lsr@ietf.org>
List-Help: <mailto:lsr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lsr>, <mailto:lsr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Jun 2019 14:54:31 -0000

Qin -

Thanx for the prompt response.
Responses inline.

> -----Original Message-----
> From: Qin Wu <bill.wu@huawei.com>;
> Sent: Monday, June 03, 2019 5:09 AM
> To: Les Ginsberg (ginsberg) <ginsberg@cisco.com>;; lsr@ietf.org
> Subject: RE: [Lsr] I-D Action: draft-ietf-lsr-pce-discovery-security-support-
> 01.txt
> 
> Hi, Les:
> Thanks for your comments, see my reply inline.
> -----邮件原件-----
> 发件人: Lsr [mailto:lsr-bounces@ietf.org] 代表 Les Ginsberg (ginsberg)
> 发送时间: 2019年6月3日 14:22
> 收件人: lsr@ietf.org
> 主题: Re: [Lsr] I-D Action: draft-ietf-lsr-pce-discovery-security-support-01.txt
> 
> A few - somewhat tardy - concerns about this draft.
> 
> 1)During adoption call it was mentioned that PCE WG had not taken a
> position on this draft. Since I don't follow PCE WG (apologies) I need to ask -
> has that status changed??
> 
> Due to low priority of this work in PCE and heavy agenda when we
> proceeded this work earlier in PCE, we made very little progress.
> This has been a little bit changed during adoption call and we authors were
> also active in both PCE and LSR WG
> see the following link:
> https://mailarchive.ietf.org/arch/msg/lsr/wVZ7iELBEqYzvnKwdRR8MNoN6zQ
> 

[Les:] Yes - I had noted Julien's post in my search of the archives. But he was making comments as an individual on the content of the draft. I do not see that he was making any comment regarding the position of the PCE WG.
I am wondering if in the intervening 6 months the PCE WG has taken a position on this.

> 2)As discussed during the adoption call, the draft removes the restriction
> specified in RFC 5088/5089 of not allowing further PCE related
> advertisements in Router Capability TLV/Router Information LSA.
> Acee had mentioned that he thought this was no longer a concern because in
> RFC 7770 multiple OSPF Router Information LSA support was introduced. But
> this is really not relevant to the reason that the restriction was originally
> introduced.
> 
> The restriction was introduced because of general concern that using IGPs to
> advertise information not directly relevant to the operation of the IGP as a
> routing protocol is sub-optimal and negatively impacts the performance of
> the primary IGP functions.
> [Qin]: It seems your argument also applies to RFC5088/5089.


[Les:] Indeed - which is why the limitation of "this much and no more" was put into RFC 5088/5089.

> 
> I am aware that this is a line that has been crossed (in modest ways) more
> than once - and I am not categorically opposing the extensions proposed -
> but I do wonder if this is the most appropriate way to advertise the new
> attributes - particularly since this does not solve the general case - it only
> applies when the PCE is also an LSR. I think a broader discussion of this issue
> is warranted.
> [Qin]: Sure, but RFC5088/89 has already provide way to carry additional info.
> We could use some other out-band mechanism to carry additional info
> beyond PCED sub-TLVs defined in RFC5088/89, but do you think
> 1. use one protocol to convey all information needed
> 2. use two protocol to convey information separately
> Which one is optimal?

[Les:] What are you going to do when the PCE is not also an LSR?
My concern is two fold:

1)That we further use the IGPs to carry non-IGP information.
(Again - this would not be the first time - but we should do this carefully.)

2)That in cases where the PCE is NOT an LSR this extension would be of no use - so it seems you will have to define an alternate means of signaling this info anyway.

> 
> 3)If the draft goes forward in its current form, it updates RFC 5088/5089 in a
> significant way (the removal of restriction against additional PCE related IGP
> advertisements) - in which case I wonder if it would be better to write an RFC
> 5088/89 bis document rather than an extension document.
> [Qin]: We don't' have too many changes going to RFC5088/89, so it is expense
> to make bis document, it is cheaper to leverage RFC updates attribute tool.

[Les:] Given that the draft contradicts what is written in RFC 5088/5089, by writing a bis draft readers do not have to consult two different documents to get the full story.
The "extra work" is modest because you simply cut and paste the original text and then make the necessary modifications and additions.

I am not insisting on this - but asking you to consider it - as it would make life easier for future readers.

   Les

> And, BTW, do you know why the HTML version of the document has no table
> of contents?
> [Qin]:It is weird, seems we are using wrong boilerplate, I will see how to fix
> this.
> 
>    Les
> 
> 
> > -----Original Message-----
> > From: Lsr <lsr-bounces@ietf.org>; On Behalf Of internet-drafts@ietf.org
> > Sent: Sunday, June 02, 2019 8:45 PM
> > To: i-d-announce@ietf.org
> > Cc: lsr@ietf.org
> > Subject: [Lsr] I-D Action:
> > draft-ietf-lsr-pce-discovery-security-support-01.txt
> >
> >
> > A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> > This draft is a work item of the Link State Routing WG of the IETF.
> >
> >         Title           : IGP extension for PCEP security capability support in the PCE
> > discovery
> >         Authors         : Diego R. Lopez
> >                           Qin Wu
> >                           Dhruv Dhody
> >                           Michael Wang
> >                           Daniel King
> > 	Filename        : draft-ietf-lsr-pce-discovery-security-support-01.txt
> > 	Pages           : 10
> > 	Date            : 2019-06-02
> >
> > Abstract:
> >    When a Path Computation Element (PCE) is a Label Switching Router
> >    (LSR) participating in the Interior Gateway Protocol (IGP), or even a
> >    server participating in IGP, its presence and path computation
> >    capabilities can be advertised using IGP flooding.  The IGP
> >    extensions for PCE discovery (RFC 5088 and RFC 5089) define a method
> >    to advertise path computation capabilities using IGP flooding for
> >    OSPF and IS-IS respectively.  However these specifications lack a
> >    method to advertise PCEP security (e.g., Transport Layer
> >    Security(TLS), TCP Authentication Option (TCP-AO)) support
> >    capability.
> >
> >    This document proposes new capability flag bits for PCE-CAP-FLAGS
> >    sub-TLV that can be announced as attribute in the IGP advertisement
> >    to distribute PCEP security support information.  In addition, this
> >    document updates RFC 5088 and RFC 5089 to allow advertisement of Key
> >    ID or Key Chain Name Sub-TLV to support TCP AO security capability.
> >
> >
> > The IETF datatracker status page for this draft is:
> > https://datatracker.ietf.org/doc/draft-ietf-lsr-pce-discovery-security
> > -
> > support/
> >
> > There are also htmlized versions available at:
> > https://tools.ietf.org/html/draft-ietf-lsr-pce-discovery-security-supp
> > ort-01
> > https://datatracker.ietf.org/doc/html/draft-ietf-lsr-pce-discovery-sec
> > urity-
> > support-01
> >
> > A diff from the previous version is available at:
> > https://www.ietf.org/rfcdiff?url2=draft-ietf-lsr-pce-discovery-securit
> > y-
> > support-01
> >
> >
> > Please note that it may take a couple of minutes from the time of
> > submission until the htmlized version and diff are available at tools.ietf.org.
> >
> > Internet-Drafts are also available by anonymous FTP at:
> > ftp://ftp.ietf.org/internet-drafts/
> >
> > _______________________________________________
> > Lsr mailing list
> > Lsr@ietf.org
> > https://www.ietf.org/mailman/listinfo/lsr
> 
> _______________________________________________
> Lsr mailing list
> Lsr@ietf.org
> https://www.ietf.org/mailman/listinfo/lsr