Re: [Pce] WG Last Call for IGP extension for PCEP security capability support in the PCE discovery - draft-ietf-lsr-pce-discovery-security-support-05

"Acee Lindem (acee)" <acee@cisco.com> Fri, 23 July 2021 13:22 UTC

From: "Acee Lindem (acee)" <acee@cisco.com>
To: "Ketan Talaulikar (ketant)" <ketant=40cisco.com@dmarc.ietf.org>, "lsr@ietf.org" <lsr@ietf.org>
CC: "draft-ietf-lsr-pce-discovery-security-support@ietf.org" <draft-ietf-lsr-pce-discovery-security-support@ietf.org>, "pce@ietf.org" <pce@ietf.org>
Date: Fri, 23 Jul 2021 13:22:11 +0000
Message-ID: <98817A40-CF34-49D4-B49C-38E586F17513@cisco.com>
References: <7CF74D7B-A6B8-4255-9493-30E8DA95C45D@cisco.com> <MW3PR11MB45705BAF545DF8220DEC32A2C1E59@MW3PR11MB4570.namprd11.prod.outlook.com>
In-Reply-To: <MW3PR11MB45705BAF545DF8220DEC32A2C1E59@MW3PR11MB4570.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pce/Db2ztXRBQWM-dBxgIyMh5Rwbc1w>

Hi Ketan,

From: "Ketan Talaulikar (ketant)" <ketant=40cisco.com@dmarc.ietf.org>
Date: Friday, July 23, 2021 at 9:10 AM
To: Acee Lindem <acee@cisco.com>, "lsr@ietf.org" <lsr@ietf.org>
Cc: "draft-ietf-lsr-pce-discovery-security-support@ietf.org" <draft-ietf-lsr-pce-discovery-security-support@ietf.org>, "pce@ietf.org" <pce@ietf.org>
Subject: RE: WG Last Call for IGP extension for PCEP security capability support in the PCE discovery - draft-ietf-lsr-pce-discovery-security-support-05

Hello All,

I have reviewed this draft and have the following comments for the authors to address and the WG to consider:


1)      Is there any precedent for the advertisement of auth keychain info (ID/name) in such a manner that is flooded across the IGP domain? When the actual keychain anyway needs to be configured on all PCCs what is really the value in their advertisement other than possibly exposure to attack? I hope the security directorate reviewer looks at this closely and we get some early feedback specifically on this aspect.

The key-chain mechanism was standardized in RFC 8177 and is referenced by all the routing protocol YANG models. While key-chains, as well as pre-shared keys, need to be configured, having multiple configured key-chains that are selectable via discovery is obviously more operationally secure than having a single one.

Thanks,
Acee


2)      In sec 3.2 and 3.3, new sub-TLVs are being introduced. Their ASCII art pictures represent the OSPF TLVs. The ISIS TLV structure is different. While this will be obvious to most in this WG, I would request this to be clarified – perhaps by introducing separate diagrams for both protocols or skipping the art altogether.

3)      RFC5088 applies to both OSPFv2 and OSPFv3. This is however not clear in the text of this document.

4)      Looks like RFC5088 asked for the PCE Capabilities Flags registry to be created as a top-level IANA OSPF registry - https://datatracker.ietf.org/doc/html/rfc5088#section-7.2 – so it should have been placed here: https://www.iana.org/assignments/ospf-parameters/ospf-parameters.xhtml. What seems to have happened is that it got created under OSPFv2 which is wrong - https://www.iana.org/assignments/ospfv2-parameters/ospfv2-parameters.xml#ospfv2-parameters-14. Since this draft updates RFC5088, it is necessary for this document to fix this error. I would support Les in that perhaps all of this (i.e. everything under/related to PCED TLV) ought to be moved under the IANA Common IGP registry here: https://www.iana.org/assignments/igp-parameters/igp-parameters.xhtml

5)      The document needs to be more specific and clear about which IANA registries are to be used to avoid errors that have happened in the past (see (3) above).

6)      Appendix A, I believe what the authors intended here was that whether to use MD5 auth or not was part of discovery but static configuration on the PCE and PCC? The keychain introduced in this document can also be used along with MD5. Honestly, I don’t see a strong reason to not include MD5 in the signalling except that it is deprecated (even if widely deployed). This document would not conflict or contradict with RFC5440 if it did include a bit for MD5 support as well. As a follow-on, perhaps this document should also update RFC5440 – specifically for the security section? I see RFC8253 introducing TLS that updates RFC5440 but nothing that introduces TCP-AO? In any case, these are aspects for PCE WG so I will leave those to the experts there.

Thanks,
Ketan

From: Lsr <lsr-bounces@ietf.org> On Behalf Of Acee Lindem (acee)
Sent: 21 July 2021 22:16
To: lsr@ietf.org
Cc: draft-ietf-lsr-pce-discovery-security-support@ietf.org
Subject: [Lsr] WG Last Call for IGP extension for PCEP security capability support in the PCE discovery - draft-ietf-lsr-pce-discovery-security-support-05

This begins a 3-week WG Last Call, ending on August 4th, 2021, for draft-ietf-lsr-pce-discovery-security-support. Please indicate your support or objection to this list before the end of the WG last call. The longer WG last call is to account for IETF week.

  https://datatracker.ietf.org/doc/draft-ietf-lsr-pce-discovery-security-support/


Thanks,
Acee
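Two points in the thread above are easier to see in bytes than in ASCII art: comment 2 (the OSPF and IS-IS sub-TLV framings differ, so one picture cannot serve both) and comment 1 (whatever is put in the PCED sub-TLVs is flooded to every router in the IGP domain, key-chain names included). The following Python is an added example written for this page; it is not code from the draft, from the thread, or from any IETF implementation. It assumes the OSPF framing of RFC 5088 (16-bit type, 16-bit length, value padded to 4 octets) and the IS-IS framing of RFC 5089 (8-bit type, 8-bit length, no padding); the sub-TLV type codes and the key-chain name and key ID are placeholders, not the code points or values the draft allocates.

```python
import struct

# Placeholder sub-TLV type codes, assumed for this illustration only.
# The real code points for the PCEP security capability sub-TLVs are
# allocated by IANA for the draft and are not stated in this thread.
SUBTLV_KEYCHAIN_NAME = 0xFE
SUBTLV_KEY_ID = 0xFD


def ospf_subtlv_encode(tlv_type, value):
    """OSPF framing (RFC 5088 style): 16-bit type, 16-bit length covering
    the value only, value zero-padded to a 4-octet boundary."""
    pad = (-len(value)) % 4
    return struct.pack("!HH", tlv_type, len(value)) + value + b"\x00" * pad


def ospf_subtlvs_decode(data):
    """Walk a buffer of OSPF sub-TLVs; returns [(type, value), ...]."""
    out, off = [], 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated OSPF sub-TLV header")
        tlv_type, length = struct.unpack_from("!HH", data, off)
        off += 4
        if off + length > len(data):
            raise ValueError("OSPF sub-TLV length exceeds buffer")
        out.append((tlv_type, data[off:off + length]))
        off += length + ((-length) % 4)  # skip the value and its padding
    return out


def isis_subtlv_encode(tlv_type, value):
    """IS-IS framing (RFC 5089 style): 8-bit type, 8-bit length, no padding."""
    if len(value) > 255:
        raise ValueError("IS-IS sub-TLV value exceeds 255 octets")
    return struct.pack("!BB", tlv_type, len(value)) + value


def isis_subtlvs_decode(data):
    """Walk a buffer of IS-IS sub-TLVs; returns [(type, value), ...]."""
    out, off = [], 0
    while off < len(data):
        if len(data) - off < 2:
            raise ValueError("truncated IS-IS sub-TLV header")
        tlv_type, length = struct.unpack_from("!BB", data, off)
        off += 2
        if off + length > len(data):
            raise ValueError("IS-IS sub-TLV length exceeds buffer")
        out.append((tlv_type, data[off:off + length]))
        off += length
    return out


def flooded_keychain_names(subtlvs):
    """Operator audit helper: every key-chain name carried in the decoded
    sub-TLVs, i.e. what becomes visible to each router in the flooding domain."""
    return [v.decode("ascii", errors="replace")
            for t, v in subtlvs if t == SUBTLV_KEYCHAIN_NAME]


# Constructed sample content: one key-chain name and one 16-bit key ID.
# Both values are illustrative and are not taken from the draft.
SAMPLE_SUBTLVS = [(SUBTLV_KEYCHAIN_NAME, b"pcekc1"), (SUBTLV_KEY_ID, b"\x00\x07")]


def build_ospf_pced_body():
    return b"".join(ospf_subtlv_encode(t, v) for t, v in SAMPLE_SUBTLVS)


def build_isis_pced_body():
    return b"".join(isis_subtlv_encode(t, v) for t, v in SAMPLE_SUBTLVS)


if __name__ == "__main__":
    ospf = build_ospf_pced_body()
    isis = build_isis_pced_body()
    print("OSPF body (%d octets): %s" % (len(ospf), ospf.hex()))
    print("IS-IS body (%d octets): %s" % (len(isis), isis.hex()))
    print("key-chain names visible to the whole flooding domain:",
          flooded_keychain_names(ospf_subtlvs_decode(ospf)))
```

The same two sub-TLVs occupy 20 octets under OSPF framing and 12 under IS-IS framing, and feeding the OSPF bytes to the IS-IS decoder fails on the first header, which is the confusion comment 2 asks the authors to remove by giving each protocol its own diagram. The audit helper shows, for a given advertisement, exactly which key-chain names leave the PCE in cleartext IGP flooding.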