Re: [Pce] WG Last Call for IGP extension for PCEP security capability support in the PCE discovery - draft-ietf-lsr-pce-discovery-security-support-05

"maqiufang (A)" <maqiufang1@huawei.com> Thu, 05 August 2021 09:05 UTC

Return-Path: <maqiufang1@huawei.com>
X-Original-To: pce@ietfa.amsl.com
Delivered-To: pce@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2BC733A0936; Thu, 5 Aug 2021 02:05:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VYNqHxGTGxg5; Thu, 5 Aug 2021 02:05:00 -0700 (PDT)
Received: from frasgout.his.huawei.com (frasgout.his.huawei.com [185.176.79.56]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C900F3A0932; Thu, 5 Aug 2021 02:04:59 -0700 (PDT)
Received: from fraeml707-chm.china.huawei.com (unknown [172.18.147.200]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4GgN3F4QdVz6F8Gm; Thu, 5 Aug 2021 17:04:41 +0800 (CST)
Received: from dggeme718-chm.china.huawei.com (10.1.199.114) by fraeml707-chm.china.huawei.com (10.206.15.35) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) id 15.1.2176.2; Thu, 5 Aug 2021 11:04:56 +0200
Received: from dggeme770-chm.china.huawei.com (10.3.19.116) by dggeme718-chm.china.huawei.com (10.1.199.114) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.2176.2; Thu, 5 Aug 2021 17:04:54 +0800
Received: from dggeme770-chm.china.huawei.com ([10.8.68.58]) by dggeme770-chm.china.huawei.com ([10.8.68.58]) with mapi id 15.01.2176.012; Thu, 5 Aug 2021 17:04:54 +0800
From: "maqiufang (A)" <maqiufang1@huawei.com>
To: "ketant@cisco.com" <ketant@cisco.com>
CC: "lsr@ietf.org" <lsr@ietf.org>, "draft-ietf-lsr-pce-discovery-security-support@ietf.org" <draft-ietf-lsr-pce-discovery-security-support@ietf.org>, "pce@ietf.org" <pce@ietf.org>, "acee=40cisco.com@dmarc.ietf.org" <acee=40cisco.com@dmarc.ietf.org>
Thread-Topic: WG Last Call for IGP extension for PCEP security capability support in the PCE discovery - draft-ietf-lsr-pce-discovery-security-support-05
Thread-Index: AQHXfk/a3VV5rFqXJ0ijRIDgih43Y6tQgbtwgBQvHfCAAAB2QA==
Date: Thu, 5 Aug 2021 09:04:54 +0000
Message-ID: <67d8fbb116fd416487263cf78c86ed11@huawei.com>
References: <7CF74D7B-A6B8-4255-9493-30E8DA95C45D@cisco.com> <MW3PR11MB45705BAF545DF8220DEC32A2C1E59@MW3PR11MB4570.namprd11.prod.outlook.com> <be884c4202a748a896d3c17a4e052e25@huawei.com>
In-Reply-To: <be884c4202a748a896d3c17a4e052e25@huawei.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.136.123.93]
Content-Type: multipart/alternative; boundary="_000_67d8fbb116fd416487263cf78c86ed11huaweicom_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/pce/-zdij-ycNm5h7vInnyIBjAhVv1s>
X-Mailman-Approved-At: Thu, 05 Aug 2021 02:09:52 -0700
Subject: Re: [Pce] WG Last Call for IGP extension for PCEP security capability support in the PCE discovery - draft-ietf-lsr-pce-discovery-security-support-05
X-BeenThere: pce@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Path Computation Element <pce.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pce>, <mailto:pce-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pce/>
List-Post: <mailto:pce@ietf.org>
List-Help: <mailto:pce-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pce>, <mailto:pce-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Aug 2021 09:05:06 -0000

Hi, Ketan,

Thanks for your comments. Please see my reply inline.

发件人: Pce [mailto:pce-bounces@ietf.org] 代表 Ketan Talaulikar (ketant)
发送时间: 2021年7月23日 21:10
收件人: Acee Lindem (acee) <acee=40cisco.com@dmarc.ietf.org<mailto:acee=40cisco.com@dmarc.ietf.org>>; lsr@ietf.org<mailto:lsr@ietf.org>
抄送: draft-ietf-lsr-pce-discovery-security-support@ietf.org<mailto:draft-ietf-lsr-pce-discovery-security-support@ietf.org>; pce@ietf.org<mailto:pce@ietf.org>
主题: Re: [Pce] WG Last Call for IGP extension for PCEP security capability support in the PCE discovery - draft-ietf-lsr-pce-discovery-security-support-05

Hello All,

I have reviewed this draft and have the following comments for the authors to address and the WG to consider:

1)      Is there any precedent for the advertisement of auth keychain info (ID/name) in such a manner that is flooded across the IGP domain? When the actual keychain anyway needs to be configured on all PCCs what is really the value in their advertisement other than possibly exposure to attack? I hope the security directorate reviewer looks at this closely and we get some early feedback specifically on this aspect.
[Qiufang Ma] See Acee’s response, thanks Acee.

2)      In sec 3.2 and 3.3, new sub-TLVs are being introduced. Their ASCII art pictures represent the OSPF TLVs. The ISIS TLV structure is different. While this will be obvious to most in this WG, I would request this to be clarified – perhaps by introducing separate diagrams for both protocols or skipping the art altogether.
[Qiufang Ma] Good catch, I prefer to skip the art altogether.

3)      RFC5088 applies to both OSPFv2 and OSPFv3. This is however not clear in the text of this document.
[Qiufang Ma] This draft is built on top of RFC 5088, therefore the extension defined in this draft is applied to both OSPFv2 and OSPFv3. I understand your confusion in the IANA and will fix this in the IANA.

4)      Looks like RFC5088 asked for the PCE Capabilities Flags registry to be created as a top-level IANA OSPF registry - https://datatracker.ietf.org/doc/html/rfc5088#section-7.2 – so it should have been placed here : https://www.iana.org/assignments/ospf-parameters/ospf-parameters.xhtml. What seems to have happened is that it got created under OSPFv2 which is wrong - https://www.iana.org/assignments/ospfv2-parameters/ospfv2-parameters.xml#ospfv2-parameters-14. Since this draft updates RFC5088, it is necessary for this document to fix this error. I would support Les in that perhaps all of this (i.e. everything under/related to PCED TLV) ought to be moved under the IANA Common IGP registry here : https://www.iana.org/assignments/igp-parameters/igp-parameters.xhtml
[Qiufang Ma] I tend to agree with you. but I am not sure how to move other existing created registry for Path Computation Element (PCE) Capability Flags available at
https://www.iana.org/assignments/ospfv2-parameters/ospfv2-parameters.xml#ospfv2-parameters-14  to the new location you recommended.
https://www.iana.org/assignments/igp-parameters/igp-parameters.xhtml
I need to request the guidance from our chairs and AD for this.
5)      The document needs to be more specific and clear about which IANA registries to be used to avoid errors that have happened in the past (see (3) above).
[Qiufang Ma] Please see above.
6)      Appendix A, I believe what the authors intended here was that whether to use MD5 auth or not was part of discovery but static configuration on the PCE and PCC? The keychain introduced in this document can also be used along with MD5. Honestly, I don’t see a strong reason to not include MD5 in the signalling except that it is deprecated (even if widely deployed). This document would not conflict or contradict with RFC5440 if it did include a bit for MD5 support as well. As  follow-on, perhaps this document should also update RFC5440 – specifically for the security section? I see RFC8253 introducing TLS that updates RFC5440 but nothing that introduces TCP-AO?. In any case, these are aspects for PCE WG so I will leave those to the experts there.
[Qiufang Ma] See Qin's reply to Acee. I hope your comment get addressed over there. My personally opinion is MD5 is weak and should be deprecated, thus it doesn't worth new protocol extension for TCP MD5 support.

Best Regards,
Qiufang Ma

Thanks,
Ketan

From: Lsr <lsr-bounces@ietf.org<mailto:lsr-bounces@ietf.org>> On Behalf Of Acee Lindem (acee)
Sent: 21 July 2021 22:16
To: lsr@ietf.org<mailto:lsr@ietf.org>
Cc: draft-ietf-lsr-pce-discovery-security-support@ietf.org<mailto:draft-ietf-lsr-pce-discovery-security-support@ietf.org>
Subject: [Lsr] WG Last Call for IGP extension for PCEP security capability support in the PCE discovery - draft-ietf-lsr-pce-discovery-security-support-05

This begins a 3-week WG Last Call, ending on August 4th, 2021, for draft-ietf-lsr-pce-discovery-security-support. Please indicate your support or objection to this list before the end of the WG last call. The longer WG last call is to account for IETF week.

  https://datatracker.ietf.org/doc/draft-ietf-lsr-pce-discovery-security-support/


Thanks,
Acee