Re: [Pce] Review of draft-dhody-pce-pceps-tls13
Sean Turner <sean@sn3rd.com> Wed, 18 October 2023 02:35 UTC
Return-Path: <sean@sn3rd.com>
X-Original-To: pce@ietfa.amsl.com
Delivered-To: pce@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A159FC1519B1 for <pce@ietfa.amsl.com>; Tue, 17 Oct 2023 19:35:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sn3rd.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dgZDKZkBOkK3 for <pce@ietfa.amsl.com>; Tue, 17 Oct 2023 19:35:33 -0700 (PDT)
Received: from mail-qt1-x836.google.com (mail-qt1-x836.google.com [IPv6:2607:f8b0:4864:20::836]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8DFF3C1519AF for <pce@ietf.org>; Tue, 17 Oct 2023 19:35:33 -0700 (PDT)
Received: by mail-qt1-x836.google.com with SMTP id d75a77b69052e-419c8911049so43081091cf.1 for <pce@ietf.org>; Tue, 17 Oct 2023 19:35:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sn3rd.com; s=google; t=1697596532; x=1698201332; darn=ietf.org; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=EcQB7DZVJDVzpa6QGvZ7WvrGLsGVRgOmGxuMBx3iTqc=; b=ikRG7DfZzkFyAVw+53toLZ3oFHkwqaPEPnQqU9JraqjimeFlSNdk86ypzU31JTZXe5 p2rtHkI638OpJSQ+9qqk3FGS1sZZZnjp55vIWlYzzN5WngXiBVu8U/Lh93zzCX29V7K4 0rctu8UoY8Fanf5LATW19hI31/4vzh2h08w0Y=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1697596532; x=1698201332; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=EcQB7DZVJDVzpa6QGvZ7WvrGLsGVRgOmGxuMBx3iTqc=; b=XYcKSKqPl5TQmRV9RHp+sI03tFIgIFtK2ElxhQnaUAnBsQqFQ/+i5cTzZj7kgNev6F 88fHbmrYhzoX8CCVn3VvUGgp10qPVR7Q4lmof7GQKmf02dlnBGFwEL+U1rHH7bsF5lWt t+AuOs11IobZ/LyWI0FJmx1PaAp8c3v2+ZVlK0ZFU9cJh4d7TUgdtnbxJs2Y00KToqjj 2Fd/qnFajRxRk55mtYp8fe2fsyNdMZeqQovQkR2UBqHIlmn4SQwni2a0eHGNMr3NHHMt 6ceITK8dj3yz73ncnLedcg+rXDYLVbBQhLI+tsRg2sn06GjYv63MTQMXPhjj8dNYGLn0 p9eA==
X-Gm-Message-State: AOJu0YwR3KepwzXslLDFh4ljo3TXU3ZgE7Mn6yIe8TE3r0GZrDzT0+Bt sU2QizXWu6o0G2giWJe09WrzdA==
X-Google-Smtp-Source: AGHT+IGz1Hvm2C31gk4A7iRSgF/0+tMzow/8oyD0dmYgVdvheX8I6w5QCIQ+sqT8un7R/xm339YE0w==
X-Received: by 2002:a05:622a:1116:b0:41b:7759:124a with SMTP id e22-20020a05622a111600b0041b7759124amr4476270qty.12.1697596532524; Tue, 17 Oct 2023 19:35:32 -0700 (PDT)
Received: from smtpclient.apple ([2600:4040:253b:7300:b19c:e498:fa58:474e]) by smtp.gmail.com with ESMTPSA id x18-20020ac87a92000000b004181b41e793sm1078901qtr.50.2023.10.17.19.35.31 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 17 Oct 2023 19:35:32 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.15\))
From: Sean Turner <sean@sn3rd.com>
In-Reply-To: <07A4D544-71E1-4CDD-A99D-2D0737B891CE@sn3rd.com>
Date: Tue, 17 Oct 2023 22:35:31 -0400
Cc: "pce@ietf.org" <pce@ietf.org>, "pce-chairs@ietf.org" <pce-chairs@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <74D1B316-8D48-439A-9034-88A24AF26A63@sn3rd.com>
References: <SJ0PR11MB5136766C98C5B5D25D73A813C2FAA@SJ0PR11MB5136.namprd11.prod.outlook.com> <07A4D544-71E1-4CDD-A99D-2D0737B891CE@sn3rd.com>
To: "Stephane Litkowski (slitkows)" <slitkows@cisco.com>
X-Mailer: Apple Mail (2.3654.120.0.1.15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/pce/BRL87m2-ZJgIN-zl_issmw8lToc>
Subject: Re: [Pce] Review of draft-dhody-pce-pceps-tls13
X-BeenThere: pce@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Path Computation Element <pce.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pce>, <mailto:pce-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pce/>
List-Post: <mailto:pce@ietf.org>
List-Help: <mailto:pce-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pce>, <mailto:pce-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Oct 2023 02:35:37 -0000
> On Oct 17, 2023, at 21:34, Sean Turner <sean@sn3rd.com> wrote: > > Stephane, > > Thanks for the comments and sorry it’s taken me so long to respond. These comments made me entirely rethink what’s in the I-D. I was way too focused on maintaining alignment with draft-ietf-netconf-over-tls13 and that should not have been something to fixate on. > >> On Sep 19, 2023, at 09:26, Stephane Litkowski (slitkows) <slitkows@cisco.com> wrote: >> >> Hi WG, >> >> Chairs requested me to review draft-dhody-pce-pceps-tls13. >> Here are couple of comments regarding the draft, I’m not an expert in this area, so my comments may sometimes be inaccurate: >> >> Intro: >> • As RFC8253 is already making TLS 1.2 as required (Section 3.4 of RFC8253), why does this draft cares about “address support requirements for TLS 1.2” ? What is missing in RFC8253 ? >> >> >> >> Section 4: >> • The two first paragraph related to TLS1.2 are already covered by RFC8253 section 3.4, what is changing ? >> >> • Regarding: “Implementations that support TLS 1.3 [I-D.ietf-tls-rfc8446bis] are REQUIRED to support the mandatory-to-implement cipher suites listed in Section 9.1 of [I-D.ietf-tls-rfc8446bis].¶ >> • This is already mandated as per TLS1.3 draft (Section 9.1), so is the purpose of defining specific requirement for PCEP app ? > > In thinking about what’s missing, I have come to realization that really only two things are: > > 1) A statement about what to do if an PCEPS implementation supports more than one version of TLS. I tend to think that if a connection can support a later version it should. > > 2) A statement about not supporting TLS 1.3’s early data. And, maybe some text about what early data is and why we’re saying anything about it at all. > > I think we can do that by adding two restrictions to those that are already listed in s3.4 Step 1 and a couple of notes. So, I thought what if we recast the entire draft to do exactly that. Let me know what you think about the following PR: > https://github.com/ietf-wg-pce/draft-ietf-pce-pceps-tls13/pull/11 > > >> Security considerations: >> • I don’t see Security considerations of RFC8253 referred in the section ? shouldn’t the draft build on top of it ? Is there any new consideration compared to RFC8253 brought by TLS1.3? > > Yeah those ought to be there too. See the following PR: > https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/ #cutpastefail try: https://github.com/ietf-wg-pce/draft-ietf-pce-pceps-tls13/pull/10 >> Brgds, >> >> Stephane > > Cheers, > spt >
- [Pce] Review of draft-dhody-pce-pceps-tls13 Stephane Litkowski (slitkows)
- Re: [Pce] Review of draft-dhody-pce-pceps-tls13 Sean Turner
- Re: [Pce] Review of draft-dhody-pce-pceps-tls13 Sean Turner
- Re: [Pce] Review of draft-dhody-pce-pceps-tls13 slitkows.ietf