Re: [Pce] WG Last Call for draft-ietf-pce-pcep-yang-19

tom petch <ietfc@btconnect.com> Fri, 07 October 2022 15:59 UTC


From: Dhruv Dhody <dhruv.ietf@gmail.com>
Sent: 07 October 2022 10:45

Hi Tom, WG,

I was about to send a note to the WG but you beat me to it. You made a valid point regarding TLS 1.3. But I suggest a different approach.

RFC 8253 states that TLS v1.2 or "later" is supported for PCEP. IMHO, a draft fixing the issues with TLS 1.3 for PCEPS is a much better idea than saying no TLS 1.3. Sean, Russ and I published - https://www.ietf.org/id/draft-dhody-pce-pceps-tls13-00.html. Note that a similar effort is also being made in NetConf WG.

Coming to the PCEP-YANG, I plan to add a section in the draft that would talk about how to enable TLS 1.2 and TLS 1.3 for PCEP. Thoughts?

<tp>
I think that the current text in -19 is unclear, misleading perhaps.

PCEP over TLS references RFC8253 which is fine but then mentions 8446 which is not fine since there is no caveat about early data and such like; and the netconf-tls import is categoric TLS1.3 or else - TLS1.2 is NOT RECOMMENDED.

I think that Netconf is not helpful here - TLS1.2 is going to be used for years, embedded devices, network boxes and such like and is fit for purpose even if cryptanalysts can find weaknesses therein. I think then that protocols like PCE have a problem and would say that TLS1.3 is under consideration. If the IESG will not accept that, then your new I-D will be needed, as a Normative Reference.

I have seen statements in other WGs to the effect that of course TLS1.2 is just fine and we have no intention of doing anything else, and one such I-D is past the IESG.

Meanwhile I note the 'How to ... over 13' I-Ds and wish I had written one as I intended in March:-(

Tom Petch

Thanks!
Dhruv (co-author hat on, co-chair hat off)

On Fri, Oct 7, 2022 at 2:25 PM tom petch <ietfc@btconnect.com> wrote:
From: Pce <pce-bounces@ietf.org> on behalf of tom petch <ietfc@btconnect.com>
Sent: 03 October 2022 11:02

From: Pce <pce-bounces@ietf.org> on behalf of julien.meuric@orange.com <julien.meuric@orange.com>
Sent: 26 September 2022 14:01

Hi PCE WG,

This message starts a 2-week WG Last Call for
draft-ietf-pce-pcep-yang-19. Please review and share any feedback using
the PCE mailing list.
This WGLC will end on Tuesday October 11.

<tp>
There are several little problems with this I-D, which I will post in due course, but one big one that I think needs outside assistance and will take time to resolve, namely the lack of security.

This imports netconf-tls groupings and the netconf I-D says basically security is nothing to do with us, that is up to the user of the grouping. It recommends TLS1.3 and says TLS1.2 is obsolete and not recommended.

Trouble is, for most users TLS1.3 is not recommended because it is insecure because it introduces new features which are fine for web access and dangerous for almost all other cases (eg early data). There are a number of IETF documents looking at this and nailing down all the things you must not do with TLS1.3 in an operational environment (which is what most of the IETF is about). RFC9190 section 2 is an example of what I mean but from tracking the evolution of that RFC I suspect that that got watered down by the supporters of TLS1.3.

This I-D needs the equivalent (or else a MUST NOT for TLS1.3!).  Many of those involved with security in the IETF will not understand the issue, how dangerous TLS1.3 is for anything other than web access.

<tp2>
I note the submission of draft-dhody ... TLS13.

I wonder what that plan is; for pcep-yang to ban TLS1.3 and have a reference to this I-D? or what?

I think that PSK needs more treatment. My take is that RFC8446 bans PSK except when used for resumption where a session has been set up using certificates. I see two documents addressing this issue - 9257, 9258 - but I have yet to read them.

Tom Petch


Tom Petch

Thanks,

Julien



_______________________________________________
Pce mailing list
Pce@ietf.org
https://www.ietf.org/mailman/listinfo/pce
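The concerns raised in this thread about early data (0-RTT) and PSK use under TLS 1.3 can be checked on the wire. The Python below is an added illustration, not part of the thread, the draft or any IETF code: it parses a TLS ClientHello and reports whether the peer offers TLS 1.3, early_data, or a PSK (including the psk_ke mode with no (EC)DHE). The sample ClientHello is constructed inline, and the function names are mine.

```python
import struct
# TLS 1.3 extension type numbers (RFC 8446, section 4.2)
EXT_PRE_SHARED_KEY, EXT_EARLY_DATA = 41, 42
EXT_SUPPORTED_VERSIONS, EXT_PSK_KEY_EXCHANGE_MODES = 43, 45
TLS13 = 0x0304

def parse_client_hello_extensions(record: bytes) -> dict:
    """Return {extension_type: data} from a TLS record carrying a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    hs, pos = record[5:], 4 + 2 + 32                     # handshake header, legacy_version, random
    pos += 1 + hs[pos]                                   # legacy_session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hs[pos]                                   # legacy_compression_methods
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    exts = {}
    while pos < end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        exts[etype] = hs[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return exts

def assess_client_hello(record: bytes) -> dict:
    """Report the TLS 1.3 features a PCEPS operator may want to refuse or audit."""
    exts = parse_client_hello_extensions(record)
    sv = exts.get(EXT_SUPPORTED_VERSIONS, b"\x00")
    offered = [struct.unpack("!H", sv[i:i + 2])[0] for i in range(1, 1 + sv[0], 2)]
    modes = list(exts.get(EXT_PSK_KEY_EXCHANGE_MODES, b"\x00")[1:])
    return {
        "tls13_offered": TLS13 in offered,
        "early_data": EXT_EARLY_DATA in exts,      # 0-RTT data: replayable, not forward secret
        "psk_offered": EXT_PRE_SHARED_KEY in exts,
        "psk_without_dhe": 0 in modes,             # psk_ke mode: no (EC)DHE at all
    }

def build_sample_client_hello(early_data: bool) -> bytes:
    """Constructed sample (not a capture): offers TLS 1.3 and a PSK, optionally early_data."""
    exts = struct.pack("!HHBH", EXT_SUPPORTED_VERSIONS, 3, 2, TLS13)
    exts += struct.pack("!HHBB", EXT_PSK_KEY_EXCHANGE_MODES, 2, 1, 1)   # psk_dhe_ke only
    if early_data:
        exts += struct.pack("!HH", EXT_EARLY_DATA, 0)
    # one identity ("ticket", age 0) and one 32-byte binder; pre_shared_key must be last
    psk = struct.pack("!HH", 12, 6) + b"ticket" + bytes(4) + struct.pack("!HB", 33, 32) + bytes(32)
    exts += struct.pack("!HH", EXT_PRE_SHARED_KEY, len(psk)) + psk
    body = struct.pack("!H", 0x0303) + bytes(32) + b"\x00"     # legacy_version, random, no session id
    body += struct.pack("!HH", 2, 0x1301) + b"\x01\x00"        # TLS_AES_128_GCM_SHA256, null compression
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs
```

Run against a captured first record from a PCEP client connection (or the constructed sample), the report shows at a glance whether a peer is attempting 0-RTT or PSK-only key exchange, which a deployment that wants RFC 8253 semantics under TLS 1.3 would refuse.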
