Re: [Pce] [Lsr] WG Last Call for IGP extension for PCEP security capability support in the PCE discovery - draft-ietf-lsr-pce-discovery-security-support-05

Gyan Mishra <hayabusagsm@gmail.com> Sun, 08 August 2021 07:35 UTC

Return-Path: <hayabusagsm@gmail.com>
X-Original-To: pce@ietfa.amsl.com
Delivered-To: pce@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74DFA3A1F8C; Sun, 8 Aug 2021 00:35:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.087
X-Spam-Level:
X-Spam-Status: No, score=-2.087 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d6y2E8g37ILm; Sun, 8 Aug 2021 00:35:25 -0700 (PDT)
Received: from mail-pj1-x102a.google.com (mail-pj1-x102a.google.com [IPv6:2607:f8b0:4864:20::102a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C4B023A2042; Sun, 8 Aug 2021 00:35:16 -0700 (PDT)
Received: by mail-pj1-x102a.google.com with SMTP id j1so23067821pjv.3; Sun, 08 Aug 2021 00:35:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=UEAb+tM0S219P2AKGnHN5/3U0dsRdTQUG/L9KW7AX8U=; b=ObtUz7LMzxiJc2yU7YYsv1bc8ql1NwMtMqFtSnO49MREIGhE5CKVXQ4AeHZD7f8tIx BlzI+QUTnmGTJW2JRDK9pD/k4Kcy9QG8hGDLVc1uve138W2qgvc976TmPeFXxFgquXEa OyRfE7hDMT/0aM5Ib/3hZapFaHnAY05kfrkhlin8atB9dBh2LwRUxcQQj6b6ZnnE88JE 1aU+Fvkc6FzQ7fTHiEHlmlLBhDVd0fsJ0PZEzuTUb6mBe4aynQmjNpvWqMaZxLvvSCcu f+sBaMLqRnb0kbVZU3iL4Mzdzs3eT34FrEd4A2/965UhKoF553hkX8fHXxHcy7lox1oZ FoXg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=UEAb+tM0S219P2AKGnHN5/3U0dsRdTQUG/L9KW7AX8U=; b=B59RxSDxkNcQQ/+8i2u7Hwv5UsLFTZb9umoVy5lW623FWUcr3VkamJ2Z7ipwNL1vSH COe/GQiSMkfdEThVT14oOIJMgNUkQ1958dy0FJkn6nRMGCO2zKxxtBWwrvLozodrh3s+ AqEkBKT40bg1k/5IwcfFz5uWpIxreTT3GX52dFBTatTfwYQ2YTsW32owIkte8Wsh3NfX UpkYurn28CEfPgKzV9JL6Dd7uOapT8UwYGk/IDwJKl5gpLTcUpAfS3iE0/et2sR0CBTl JCFCeAE+OlLUcM0lvf9MFIsIrKF+M9xvh64lTk50CPZU40GnwNkV2mP7eIeuQ7aAsRGH Mo/g==
X-Gm-Message-State: AOAM531IQvanM+TddpgP5AjYt8Ri4Mcj/NLzzDPQpgasZWHr/XTz2Ici nDSSyvCEI7KEad/VWbVjHwJ+nXuBw8hdt/Tucg4=
X-Google-Smtp-Source: ABdhPJxNuklrGqR3GQ2dn9evoqzCPxz4i7klMDeWwR7FXFsZGofxRq87HPq4cuNgqAMNxIGbMTV+VzF/NWE6rP9KLxk=
X-Received: by 2002:a17:902:6a8c:b029:12d:28a:1d4b with SMTP id n12-20020a1709026a8cb029012d028a1d4bmr5296633plk.22.1628408114527; Sun, 08 Aug 2021 00:35:14 -0700 (PDT)
MIME-Version: 1.0
References: <7CF74D7B-A6B8-4255-9493-30E8DA95C45D@cisco.com> <MW3PR11MB45705BAF545DF8220DEC32A2C1E59@MW3PR11MB4570.namprd11.prod.outlook.com> <be884c4202a748a896d3c17a4e052e25@huawei.com> <67d8fbb116fd416487263cf78c86ed11@huawei.com>
In-Reply-To: <67d8fbb116fd416487263cf78c86ed11@huawei.com>
From: Gyan Mishra <hayabusagsm@gmail.com>
Date: Sun, 8 Aug 2021 03:35:03 -0400
Message-ID: <CABNhwV2PWrUKG61TLKXajmDbqnQi0LoLqpkZ-cy6=y=L=ANCiQ@mail.gmail.com>
To: "maqiufang (A)" <maqiufang1@huawei.com>
Cc: "acee=40cisco.com@dmarc.ietf.org" <acee=40cisco.com@dmarc.ietf.org>, "draft-ietf-lsr-pce-discovery-security-support@ietf.org" <draft-ietf-lsr-pce-discovery-security-support@ietf.org>, "ketant@cisco.com" <ketant@cisco.com>, "lsr@ietf.org" <lsr@ietf.org>, "pce@ietf.org" <pce@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000003741e305c9074fca"
Archived-At: <https://mailarchive.ietf.org/arch/msg/pce/Cs_XldHRpIohRVCtFpGO3eUhRps>
Subject: Re: [Pce] [Lsr] WG Last Call for IGP extension for PCEP security capability support in the PCE discovery - draft-ietf-lsr-pce-discovery-security-support-05
X-BeenThere: pce@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Path Computation Element <pce.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pce>, <mailto:pce-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pce/>
List-Post: <mailto:pce@ietf.org>
List-Help: <mailto:pce-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pce>, <mailto:pce-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 08 Aug 2021 07:35:38 -0000

I support progressing this document.

I agree with the IANA related questions asked by Ketan and responses given
 by authors.


Kind Regards

Gyan




On Thu, Aug 5, 2021 at 5:05 AM maqiufang (A) <maqiufang1@huawei.com> wrote:

> Hi, Ketan,
>
>
>
> Thanks for your comments. Please see my reply inline.
>
>
>
> *发件人**:* Pce [mailto:pce-bounces@ietf.org <pce-bounces@ietf.org>] *代表 *Ketan
> Talaulikar (ketant)
> *发送时间:* 2021年7月23日 21:10
> *收件人:* Acee Lindem (acee) <acee=40cisco.com@dmarc.ietf.org>rg>; lsr@ietf.org
> *抄送:* draft-ietf-lsr-pce-discovery-security-support@ietf.org; pce@ietf.org
> *主题:* Re: [Pce] WG Last Call for IGP extension for PCEP security
> capability support in the PCE discovery -
> draft-ietf-lsr-pce-discovery-security-support-05
>
>
>
> Hello All,
>
>
>
> I have reviewed this draft and have the following comments for the authors
> to address and the WG to consider:
>
>
>
> 1)      Is there any precedent for the advertisement of auth keychain
> info (ID/name) in such a manner that is flooded across the IGP domain? When
> the actual keychain anyway needs to be configured on all PCCs what is
> really the value in their advertisement other than possibly exposure to
> attack? I hope the security directorate reviewer looks at this closely and
> we get some early feedback specifically on this aspect.
>
> *[Qiufang Ma] See Acee’s response, thanks Acee.*
>
>
>
> 2)      In sec 3.2 and 3.3, new sub-TLVs are being introduced. Their
> ASCII art pictures represent the OSPF TLVs. The ISIS TLV structure is
> different. While this will be obvious to most in this WG, I would request
> this to be clarified – perhaps by introducing separate diagrams for both
> protocols or skipping the art altogether.
>
> *[Qiufang Ma] Good catch, I prefer to skip the art altogether.*
>
>
>
> 3)      RFC5088 applies to both OSPFv2 and OSPFv3. This is however not
> clear in the text of this document.
>
> *[Qiufang Ma] This draft is built on top of RFC 5088, therefore the
> extension defined in this draft is applied to both OSPFv2 and OSPFv3. I
> understand your confusion in the IANA and will fix this in the IANA.*
>
>
>
> 4)      Looks like RFC5088 asked for the PCE Capabilities Flags registry
> to be created as a top-level IANA OSPF registry -
> https://datatracker.ietf.org/doc/html/rfc5088#section-7.2 – so it should
> have been placed here :
> https://www.iana.org/assignments/ospf-parameters/ospf-parameters.xhtml.
> What seems to have happened is that it got created under OSPFv2 which is
> wrong -
> https://www.iana.org/assignments/ospfv2-parameters/ospfv2-parameters.xml#ospfv2-parameters-14.
> Since this draft updates RFC5088, it is necessary for this document to fix
> this error. I would support Les in that perhaps all of this (i.e.
> everything under/related to PCED TLV) ought to be moved under the IANA
> Common IGP registry here :
> https://www.iana.org/assignments/igp-parameters/igp-parameters.xhtml
>
> *[Qiufang Ma] I tend to agree with you. but I am not sure how to move
> other existing created registry for Path Computation Element (PCE)
> Capability Flags available at*
>
> *https://www.iana.org/assignments/ospfv2-parameters/ospfv2-parameters.xml#ospfv2-parameters-14
> <https://www.iana.org/assignments/ospfv2-parameters/ospfv2-parameters.xml#ospfv2-parameters-14>
>  to the new location you recommended.*
>
> *https://www.iana.org/assignments/igp-parameters/igp-parameters.xhtml
> <https://www.iana.org/assignments/igp-parameters/igp-parameters.xhtml> *
>
> *I need to request the guidance from our chairs and AD for this.*
>
> 5)      The document needs to be more specific and clear about which IANA
> registries to be used to avoid errors that have happened in the past (see
> (3) above).
>
> *[Qiufang Ma] Please see above.*
>
> 6)      Appendix A, I believe what the authors intended here was that
> whether to use MD5 auth or not was part of discovery but static
> configuration on the PCE and PCC? The keychain introduced in this document
> can also be used along with MD5. Honestly, I don’t see a strong reason to
> not include MD5 in the signalling except that it is deprecated (even if
> widely deployed). This document would not conflict or contradict with
> RFC5440 if it did include a bit for MD5 support as well. As  follow-on,
> perhaps this document should also update RFC5440 – specifically for the
> security section? I see RFC8253 introducing TLS that updates RFC5440 but
> nothing that introduces TCP-AO?. In any case, these are aspects for PCE WG
> so I will leave those to the experts there.
>
> *[Qiufang Ma] See Qin's reply to Acee. I hope your comment get addressed
> over there. My personally opinion is MD5 is weak and should be deprecated,
> thus it doesn't worth new protocol extension for TCP MD5 support.*
>
>
>
> *Best Regards,*
>
> *Qiufang Ma*
>
>
>
> Thanks,
>
> Ketan
>
>
>
> *From:* Lsr <lsr-bounces@ietf.org> *On Behalf Of *Acee Lindem (acee)
> *Sent:* 21 July 2021 22:16
> *To:* lsr@ietf.org
> *Cc:* draft-ietf-lsr-pce-discovery-security-support@ietf.org
> *Subject:* [Lsr] WG Last Call for IGP extension for PCEP security
> capability support in the PCE discovery -
> draft-ietf-lsr-pce-discovery-security-support-05
>
>
>
> This begins a 3-week WG Last Call, ending on August 4th, 2021, for
> draft-ietf-lsr-pce-discovery-security-support. Please indicate your support
> or objection to this list before the end of the WG last call. The longer WG
> last call is to account for IETF week.
>
>
>
>
> https://datatracker.ietf.org/doc/draft-ietf-lsr-pce-discovery-security-support/
>
>
>
>
>
> Thanks,
>
> Acee
>
>
>
>
> _______________________________________________
> Lsr mailing list
> Lsr@ietf.org
> https://www.ietf.org/mailman/listinfo/lsr
>
-- 

<http://www.verizon.com/>

*Gyan Mishra*

*Network Solutions A**rchitect *

*Email gyan.s.mishra@verizon.com <gyan.s.mishra@verizon.com>*



*M 301 502-1347*