[Pce] Roman Danyliw's No Objection on draft-ietf-pce-pcep-flowspec-10: (with COMMENT)

Roman Danyliw via Datatracker <noreply@ietf.org> Wed, 26 August 2020 19:57 UTC

Return-Path: <noreply@ietf.org>
X-Original-To: pce@ietf.org
Delivered-To: pce@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 6567D3A092F; Wed, 26 Aug 2020 12:57:55 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Roman Danyliw via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-pce-pcep-flowspec@ietf.org, pce-chairs@ietf.org, pce@ietf.org, Julien Meuric <julien.meuric@orange.com>, julien.meuric@orange.com
X-Test-IDTracker: no
X-IETF-IDTracker: 7.14.1
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Roman Danyliw <rdd@cert.org>
Message-ID: <159847187489.17269.2128556004841645905@ietfa.amsl.com>
Date: Wed, 26 Aug 2020 12:57:55 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/pce/9G9ExK5-YbihZJVxYy0HKIwOX-4>
Subject: [Pce] Roman Danyliw's No Objection on draft-ietf-pce-pcep-flowspec-10: (with COMMENT)
X-BeenThere: pce@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Path Computation Element <pce.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pce>, <mailto:pce-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pce/>
List-Post: <mailto:pce@ietf.org>
List-Help: <mailto:pce-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pce>, <mailto:pce-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Aug 2020 19:57:56 -0000

Roman Danyliw has entered the following ballot position for
draft-ietf-pce-pcep-flowspec-10: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-pce-pcep-flowspec/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Thank you for an approachable document.

Thank you to the SECDIR reviewer (Scott G. Kelly)

** Section 12.  To refine what Ben Kaduk noted about the applicability of
[RFC6952], Section 2.5 seems to apply for me.

** Section 12.  Per “Therefore, implementations or deployments concerned with
protecting privacy MUST apply the mechanisms described in the documents
referenced above.”, it might be helpful to explicitly call out the specific
guidance to follow.  I believe that it’s to use either IPSec per Section 10.4 –
6 of RFC5440 or TLS per RFC8523 to provide transport security properties.  The
legacy references to TCP-AO and TCP MD5 in those documents don’t help here.

** Section 12.  Per “Although this is not directly a security issue per se, the
confusion and unexpected forwarding behavior may be engineered or exploited by
an attacker.  Therefore, implementers and operators SHOULD pay careful
attention to the Manageability Considerations described in Section 13.”, I
completely agree.  I would say it a bit more strongly that this complexity
could be a security issue.  I’m envisioning a situation where the complex
forwarding behaviors might create gaps in the monitoring and inspection of
particular traffic or provide a path that avoids expected mitigations.