Re: [Pce] Review of draft-dhody-pce-pceps-tls13
Sean Turner <sean@sn3rd.com> Wed, 18 October 2023 01:34 UTC
Return-Path: <sean@sn3rd.com>
X-Original-To: pce@ietfa.amsl.com
Delivered-To: pce@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 78D52C14CE4B for <pce@ietfa.amsl.com>; Tue, 17 Oct 2023 18:34:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.11
X-Spam-Level:
X-Spam-Status: No, score=-7.11 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sn3rd.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Uj0jXbD4WoBQ for <pce@ietfa.amsl.com>; Tue, 17 Oct 2023 18:34:11 -0700 (PDT)
Received: from mail-qk1-x72c.google.com (mail-qk1-x72c.google.com [IPv6:2607:f8b0:4864:20::72c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3C16EC15199C for <pce@ietf.org>; Tue, 17 Oct 2023 18:34:10 -0700 (PDT)
Received: by mail-qk1-x72c.google.com with SMTP id af79cd13be357-77574c2cffdso534105985a.0 for <pce@ietf.org>; Tue, 17 Oct 2023 18:34:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sn3rd.com; s=google; t=1697592850; x=1698197650; darn=ietf.org; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=x41dZQ/q6nDmM1pBDVsRPnPVAC8m4SCt0wiXj9LspZE=; b=bNz+I0hsSNO+SenlvrOv2edIO9HfJd3AOhNyHbXvggDQsJsuRZiEGp0G26mScnzpWd U90JMKLJBjPVvxmwOum+wMXwzQ1RgFMlGmOeYLrzti40grRraDi8u4gjZtxS5IGIsCOG El4UU4aruRZic2y3XoFRBcP3ZbNjq+eNaVCdc=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1697592850; x=1698197650; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=x41dZQ/q6nDmM1pBDVsRPnPVAC8m4SCt0wiXj9LspZE=; b=rT52TROf+SQ2N8v1bnK2ywYeH+jvQeihcBYiQWtVP5cMtBSSskuOdLoQDQ1nRfHfhT DN3WdDt76tS8SHcQP74oLobyoNpcq1NYS0hFE+3sDi/SlLuH3LFvweJdtxATykbArI0A TJwO/NM9SKQBtNMDz3zY/kxYe8Ko47PPXm5CELG7AkcTQ+ce2y/J6J8ToVS8Ei8U5UTM /93X5HIkWVpB0vVq7YOtYKm8CrE9jxD+jivmgw7fbKC70n8SSJD1/cE4XQg+uAVNGN5b QsrBIGoMroBj+UrmnoLHb4eKb1kT1WaOsjboGINCPYZlIhHgz/lT8qNkIrzuXEHpJM6K Gt/g==
X-Gm-Message-State: AOJu0Yxzz1YHu7fYDAaGn4sZkn6l/bHxwjML+9FKa+cqPSrNp40FaP0i /xpnl4CsaHd3SJHCRTlYlmQoGQ==
X-Google-Smtp-Source: AGHT+IHgoPEFniNMfRYfXGl50G5GEpL9HtgjvpdM/U0kXToILhnMnoF7rHr4aDrIhmiQyTQnBvyixQ==
X-Received: by 2002:a05:620a:19a1:b0:774:19a4:117a with SMTP id bm33-20020a05620a19a100b0077419a4117amr5020569qkb.19.1697592849944; Tue, 17 Oct 2023 18:34:09 -0700 (PDT)
Received: from smtpclient.apple ([2600:4040:253b:7300:b19c:e498:fa58:474e]) by smtp.gmail.com with ESMTPSA id f19-20020a05620a20d300b00773f008da40sm177287qka.125.2023.10.17.18.34.09 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 17 Oct 2023 18:34:09 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.15\))
From: Sean Turner <sean@sn3rd.com>
In-Reply-To: <SJ0PR11MB5136766C98C5B5D25D73A813C2FAA@SJ0PR11MB5136.namprd11.prod.outlook.com>
Date: Tue, 17 Oct 2023 21:34:08 -0400
Cc: "pce@ietf.org" <pce@ietf.org>, "pce-chairs@ietf.org" <pce-chairs@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <07A4D544-71E1-4CDD-A99D-2D0737B891CE@sn3rd.com>
References: <SJ0PR11MB5136766C98C5B5D25D73A813C2FAA@SJ0PR11MB5136.namprd11.prod.outlook.com>
To: "Stephane Litkowski (slitkows)" <slitkows@cisco.com>
X-Mailer: Apple Mail (2.3654.120.0.1.15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/pce/5EBnkSeD5q7c55V9e2PfnIY88-0>
Subject: Re: [Pce] Review of draft-dhody-pce-pceps-tls13
X-BeenThere: pce@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Path Computation Element <pce.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pce>, <mailto:pce-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pce/>
List-Post: <mailto:pce@ietf.org>
List-Help: <mailto:pce-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pce>, <mailto:pce-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Oct 2023 01:34:21 -0000
Stephane, Thanks for the comments and sorry it’s taken me so long to respond. These comments made me entirely rethink what’s in the I-D. I was way too focused on maintaining alignment with draft-ietf-netconf-over-tls13 and that should not have been something to fixate on. > On Sep 19, 2023, at 09:26, Stephane Litkowski (slitkows) <slitkows@cisco.com> wrote: > > Hi WG, > > Chairs requested me to review draft-dhody-pce-pceps-tls13. > Here are couple of comments regarding the draft, I’m not an expert in this area, so my comments may sometimes be inaccurate: > > Intro: > • As RFC8253 is already making TLS 1.2 as required (Section 3.4 of RFC8253), why does this draft cares about “address support requirements for TLS 1.2” ? What is missing in RFC8253 ? > > > > Section 4: > • The two first paragraph related to TLS1.2 are already covered by RFC8253 section 3.4, what is changing ? > > • Regarding: “Implementations that support TLS 1.3 [I-D.ietf-tls-rfc8446bis] are REQUIRED to support the mandatory-to-implement cipher suites listed in Section 9.1 of [I-D.ietf-tls-rfc8446bis].¶ > • This is already mandated as per TLS1.3 draft (Section 9.1), so is the purpose of defining specific requirement for PCEP app ? In thinking about what’s missing, I have come to realization that really only two things are: 1) A statement about what to do if an PCEPS implementation supports more than one version of TLS. I tend to think that if a connection can support a later version it should. 2) A statement about not supporting TLS 1.3’s early data. And, maybe some text about what early data is and why we’re saying anything about it at all. I think we can do that by adding two restrictions to those that are already listed in s3.4 Step 1 and a couple of notes. So, I thought what if we recast the entire draft to do exactly that. Let me know what you think about the following PR: https://github.com/ietf-wg-pce/draft-ietf-pce-pceps-tls13/pull/11 > Security considerations: > • I don’t see Security considerations of RFC8253 referred in the section ? shouldn’t the draft build on top of it ? Is there any new consideration compared to RFC8253 brought by TLS1.3? Yeah those ought to be there too. See the following PR: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/ > > Brgds, > > Stephane Cheers, spt
- [Pce] Review of draft-dhody-pce-pceps-tls13 Stephane Litkowski (slitkows)
- Re: [Pce] Review of draft-dhody-pce-pceps-tls13 Sean Turner
- Re: [Pce] Review of draft-dhody-pce-pceps-tls13 Sean Turner
- Re: [Pce] Review of draft-dhody-pce-pceps-tls13 slitkows.ietf