Re: [Pce] Alexey Melnikov's Discuss on draft-ietf-pce-pceps-15: (with DISCUSS and COMMENT)
Dhruv Dhody <dhruv.dhody@huawei.com> Mon, 07 August 2017 14:41 UTC
Return-Path: <dhruv.dhody@huawei.com>
X-Original-To: pce@ietfa.amsl.com
Delivered-To: pce@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9CA37132011; Mon, 7 Aug 2017 07:41:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.231
X-Spam-Level:
X-Spam-Status: No, score=-2.231 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w38cZIwXjE56; Mon, 7 Aug 2017 07:41:48 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9E82D132342; Mon, 7 Aug 2017 07:41:46 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml702-cah.china.huawei.com) ([172.18.7.190]) by lhrrg01-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id DSX13233; Mon, 07 Aug 2017 14:41:44 +0000 (GMT)
Received: from BLREML701-CAH.china.huawei.com (10.20.4.170) by lhreml702-cah.china.huawei.com (10.201.108.43) with Microsoft SMTP Server (TLS) id 14.3.301.0; Mon, 7 Aug 2017 15:41:43 +0100
Received: from BLREML501-MBB.china.huawei.com ([10.20.5.200]) by blreml701-cah.china.huawei.com ([::1]) with mapi id 14.03.0301.000; Mon, 7 Aug 2017 20:11:30 +0530
From: Dhruv Dhody <dhruv.dhody@huawei.com>
To: Eric Rescorla <ekr@rtfm.com>
CC: Alexey Melnikov <aamelnikov@fastmail.fm>, The IESG <iesg@ietf.org>, "cmargaria@juniper.net" <cmargaria@juniper.net>, "draft-ietf-pce-pceps@ietf.org" <draft-ietf-pce-pceps@ietf.org>, "pce@ietf.org" <pce@ietf.org>, "pce-chairs@ietf.org" <pce-chairs@ietf.org>
Thread-Topic: [Pce] Alexey Melnikov's Discuss on draft-ietf-pce-pceps-15: (with DISCUSS and COMMENT)
Thread-Index: AQHTDEAWa0wCnLOXH0eQPSyn6ZYwFaJyejWw///Q9QCAAYO08IAB3NgAgANLs0A=
Date: Mon, 07 Aug 2017 14:41:30 +0000
Message-ID: <23CE718903A838468A8B325B80962F9B8CB99517@blreml501-mbb>
References: <150175472723.9824.8664411936101979517.idtracker@ietfa.amsl.com> <23CE718903A838468A8B325B80962F9B8CB9867E@blreml501-mbb> <1501768430.1127539.1062021760.5848DD02@webmail.messagingengine.com> <23CE718903A838468A8B325B80962F9B8CB98DC9@blreml501-mbb> <CABcZeBOE_3QggT0PiojJOCR=mYnPN1_B=1efBLvMuU5ukG9wDg@mail.gmail.com>
In-Reply-To: <CABcZeBOE_3QggT0PiojJOCR=mYnPN1_B=1efBLvMuU5ukG9wDg@mail.gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.18.76.63]
Content-Type: multipart/alternative; boundary="_000_23CE718903A838468A8B325B80962F9B8CB99517blreml501mbb_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A020202.59887C29.006A, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=0.0.0.0, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: 24805ca8536bced5928eb87bc9831287
Archived-At: <https://mailarchive.ietf.org/arch/msg/pce/72BlCpfPN10E-3rYSpQSpT_v-qU>
Subject: Re: [Pce] Alexey Melnikov's Discuss on draft-ietf-pce-pceps-15: (with DISCUSS and COMMENT)
X-BeenThere: pce@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Path Computation Element <pce.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pce>, <mailto:pce-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pce/>
List-Post: <mailto:pce@ietf.org>
List-Help: <mailto:pce-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pce>, <mailto:pce-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Aug 2017 14:41:51 -0000
Hi Eric, From: Eric Rescorla [mailto:ekr@rtfm.com] Sent: 05 August 2017 22:58 To: Dhruv Dhody <dhruv.dhody@huawei.com> Cc: Alexey Melnikov <aamelnikov@fastmail.fm>; The IESG <iesg@ietf.org>; cmargaria@juniper.net; draft-ietf-pce-pceps@ietf.org; pce@ietf.org; pce-chairs@ietf.org Subject: Re: [Pce] Alexey Melnikov's Discuss on draft-ietf-pce-pceps-15: (with DISCUSS and COMMENT) On Fri, Aug 4, 2017 at 11:41 AM, Dhruv Dhody <dhruv.dhody@huawei.com<mailto:dhruv.dhody@huawei.com>> wrote: Hi Alexey, > -----Original Message----- > From: Alexey Melnikov [mailto:aamelnikov@fastmail.fm<mailto:aamelnikov@fastmail.fm>] > Sent: 03 August 2017 19:24 > To: Dhruv Dhody <dhruv.dhody@huawei.com<mailto:dhruv.dhody@huawei.com>>; The IESG <iesg@ietf.org<mailto:iesg@ietf.org>> > Cc: cmargaria@juniper.net<mailto:cmargaria@juniper.net>; draft-ietf-pce-pceps@ietf.org<mailto:draft-ietf-pce-pceps@ietf.org>; pce@ietf.org<mailto:pce@ietf.org>; > pce-chairs@ietf.org<mailto:pce-chairs@ietf.org> > Subject: Re: [Pce] Alexey Melnikov's Discuss on draft-ietf-pce-pceps-15: > (with DISCUSS and COMMENT) > > Hi, > > On Thu, Aug 3, 2017, at 02:36 PM, Dhruv Dhody wrote: > > Hi Alexey, > > > > Thanks for your comments, see inline... > > > > > -----Original Message----- > > > From: Pce [mailto:pce-bounces@ietf.org<mailto:pce-bounces@ietf.org>] On Behalf Of Alexey Melnikov > > > Sent: 03 August 2017 15:35 > > > To: The IESG <iesg@ietf.org<mailto:iesg@ietf.org>> > > > Cc: cmargaria@juniper.net<mailto:cmargaria@juniper.net>; draft-ietf-pce-pceps@ietf.org<mailto:draft-ietf-pce-pceps@ietf.org>; > > > pce@ietf.org<mailto:pce@ietf.org>; pce-chairs@ietf.org<mailto:pce-chairs@ietf.org> > > > Subject: [Pce] Alexey Melnikov's Discuss on draft-ietf-pce-pceps-15: > > > (with DISCUSS and COMMENT) > > > > > > Alexey Melnikov has entered the following ballot position for > > > draft-ietf-pce-pceps-15: Discuss > > > -------------------------------------------------------------------- > > > -- > > > DISCUSS: > > > -------------------------------------------------------------------- > > > -- > > > > > > I am very glad to see this document and I will be switching to "Yes" > > > once we discuss the following issues: > > > > > > 1) > > > +-+-+ +-+-+ > > > |PCC| |PCE| > > > +-+-+ +-+-+ > > > | | > > > | StartTLS | > > > | msg | > > > |------- | > > > | \ StartTLS | > > > | \ msg | > > > | \ ---------| > > > | \/ | > > > | /\ | > > > | / -------->| > > > | / | > > > |<------ | > > > |:::::::::TLS:::::::::| TLS Establishment > > > |:::::Establishment:::| Failure > > > | | > > > |<--------------------| Send Error-Type TBA2 > > > | PCErr | Error-Value 3/4 > > > | | > > > > > > Figure 2: Both PCEP Speaker supports PCEPS (strict), but cannot > > > establish TLS > > > > > > Firstly, I think you also need to demonstrate a case when the server > > > end of TLS is refusing to startTLS before trying TLS negotiation > > > (e.g. if it doesn't have certificate configured). In this case you > > > need to send PCErr in the clear. I think earlier text suggest that > this case is possible. > > > > > [[Dhruv Dhody]] No, the only error to StartTLS is by an implementation > > that does not understand the message. > > In case certificate is not configured we would start TLS negotiation, > > which would fail. > > I think you should clarify this. > > I have implemented StartTLS in both IMAP and LDAP and this is not > necessarily how it works there: before TLS negotiation starts it is > possible for the server end to reject negotiation in cleartext. > [[Dhruv Dhody]] Error can be added here, More on this, see reply below. > > > Secondly, does the case depicted on this picture mean that TLS was > > > negotiated successfully, but TLS identities were not successfully > verified? > > > (I.e. the PCErr is sent over the TLS layer). If TLS failed to > > > negotiate, you don't have a channel to send data on, as the other > > > end will get confused. I think you just have to close connection in > such case. > > > > > [[Dhruv Dhody]] No, the PCErr is sent in clear over the TCP connection > > (underlying transport). > > EKR also made a similar point. I updated the text to include this - > > > > Note that, the PCEP implementation MUST send the PCErr message once > > the TLS connection has been closed i.e. the TLS close_notify > > [RFC5246] has been received from the peer. As per [RFC5246], if the > > data may be carried over the underlying transport after the TLS > > connection is closed, the TLS implementation must receive the > > responding close_notify alert before indicating to the application > > layer that the TLS connection has ended. > > Hmm, I am not sure this will ever work. I know that implementations of TLS > in other protocols I worked on can't read any cleartext TCP data after TLS > has failed. > [[Dhruv Dhody]] One way to resolve this issue would be we move these errors from after TLS negotiation to before it, so that they become the response to StartTLS as suggested by your previous comment. We would not be sending error in clear text in case of TLS negotiation failure. So basically the change would look something like - OLD: After the exchange of StartTLS messages, if a PCEP speaker cannot establish a TLS connection for some reason (e.g. the required mechanisms for certificate revocation checking are not available), it MUST return a PCErr message (in clear) with Error-Type set to [TBA2 by IANA] (PCEP StartTLS failure) and Error-value set to: o 3 (not without TLS) if it is not willing to exchange PCEP messages without the solicited TLS connection, and it MUST close the TCP session. o 4 (ok without TLS) if it is willing to exchange PCEP messages without the solicited TLS connection, and it MUST close the TCP session. The receiver MAY choose to attempt to re-establish the PCEP session without TLS next. The attempt to re-establish the PCEP session without TLS SHOULD be limited to only once. NEW: If a PCEP speaker that is unwilling or unable to negotiate TLS receives a StartTLS messages, it MUST return a PCErr message (in clear) with Error-Type set to [TBA2 by IANA] (PCEP StartTLS failure) and Error-value set to: o 3 (not without TLS) if it is not willing to exchange PCEP messages without the solicited TLS connection, and it MUST close the TCP session. o 4 (ok without TLS) if it is willing to exchange PCEP messages without the solicited TLS connection, and it MUST close the TCP session. The receiver MAY choose to attempt to re-establish the PCEP session without TLS next. The attempt to re-establish the PCEP session without TLS SHOULD be limited to only once. After the exchange of StartTLS messages, if the TLS negotiation fails for some reason (e.g. the required mechanisms for certificate revocation checking are not available), both peers SHOULD immediately close the connection. Since the initiator has no way to know if the peer is willing to accept PCEP connection without TLS, based on the local policy, it MAY attempt to re-establish the PCEP session without TLS. The attempt to re-establish the PCEP session without TLS SHOULD be limited to only once. This will technically work, but is there a reason you don't specify a parameter to STARTTLS which expresses your policy? -Ekr [[[Dhruv Dhody]]] It could be done that way as well, but at this late stage we should avoid making a change that would require adding a new PCEP object. As there is no way to add this in current StartTLS message encoding. Regards, Dhruv Working version: https://github.com/dhruvdhody-huawei/ietf/blob/master/draft-ietf-pce-pceps-16.txt Diff: https://tools.ietf.org/rfcdiff?url1=draft-ietf-pce-pceps-15&url2=https://raw.githubusercontent.com/dhruvdhody-huawei/ietf/master/draft-ietf-pce-pceps-16.txt Regards, Dhruv > > > So maybe you need 3 figures describing the above 3 cases.
- [Pce] Alexey Melnikov's Discuss on draft-ietf-pce… Alexey Melnikov
- Re: [Pce] Alexey Melnikov's Discuss on draft-ietf… Dhruv Dhody
- Re: [Pce] Alexey Melnikov's Discuss on draft-ietf… Alexey Melnikov
- Re: [Pce] Alexey Melnikov's Discuss on draft-ietf… Dhruv Dhody
- Re: [Pce] Alexey Melnikov's Discuss on draft-ietf… Eric Rescorla
- Re: [Pce] Alexey Melnikov's Discuss on draft-ietf… Dhruv Dhody
- Re: [Pce] Alexey Melnikov's Discuss on draft-ietf… Eric Rescorla
- Re: [Pce] Alexey Melnikov's Discuss on draft-ietf… Dhruv Dhody
- Re: [Pce] Alexey Melnikov's Discuss on draft-ietf… Eric Rescorla
- Re: [Pce] Alexey Melnikov's Discuss on draft-ietf… Dhruv Dhody