IETF Logo Mail Archive

Re: [Pce] Shepherd review of draft-ietf-pce-pceps

Dhruv Dhody <dhruv.ietf@gmail.com> Tue, 28 March 2017 04:05 UTC

Return-Path: <dhruv.ietf@gmail.com>
X-Original-To: pce@ietfa.amsl.com
Delivered-To: pce@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B45A512922E; Mon, 27 Mar 2017 21:05:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.298
X-Spam-Level:
X-Spam-Status: No, score=-1.298 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_COMMENT_SAVED_URL=1.391, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_HTML_ATTACH=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JjFoeBcVWwxR; Mon, 27 Mar 2017 21:05:05 -0700 (PDT)
Received: from mail-qk0-x22f.google.com (mail-qk0-x22f.google.com [IPv6:2607:f8b0:400d:c09::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7DC18127B31; Mon, 27 Mar 2017 21:05:04 -0700 (PDT)
Received: by mail-qk0-x22f.google.com with SMTP id r142so27096322qke.2; Mon, 27 Mar 2017 21:05:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=ctvnBt5qhzxI4aQr9SieVGFw/j82dT1za4XnTeJ5nOE=; b=CBb/pn7aoRR3Q4JhwwVRCOUFNEXTyWQMaGq/Raicfq285ZuW/lgPQM2jmO0suhy1NR 4AWjap8NgbqMFks0VBypioCXuQCiqxqF/uZFJjDw0kD9InzpKorvf+e7ColBRvJxviGY lWtDgeZd5ib8uBkc5HQ0FP46zkRSnoC5j7ZNB/rOKDDIrXxcuM+tZzBaTqmQYdS2GCPT 9hZHGkC5HQNu83mWSrikq5epWH2Ga+hM/rv2WmFZ39eDFG7UWN3tVP48zqekH7dIQ8Nt yFBVyHnI1CrKoyC62wDs7lt3M72k7Ta0cgt1SBHfRG4/4GOCM/FTBcWA/zVn+e26rTMz Tc3w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=ctvnBt5qhzxI4aQr9SieVGFw/j82dT1za4XnTeJ5nOE=; b=g4Il1k5yyQd4pmGR3nyC0tchICSlAVm62ZNMSMtvDWvSH8Tz0SDTUs8ql0Zn8xaonI MlV1pWmOdiwOTdQQnZQZpnfXncra13FuuB7l8nYucOnASzZLXtj21jMjaKBPqKYDLs6c l+5Tl4Gd5Gb7OsYk0ut77gWzO+5kPrxcqVb3WfyZ/HjsJrOK4UeJIEwzRKHvADMZSHE9 pgPhoTgXwPSPQd1SX7VeqLoZIY4nGFJE/erdPZtRKMB7xw/N4JmX9TB2ybY9hJKJ6eIO Jgswxjxcb3Ae7SXmqu+aebIfYvOzNd+zURnuMOGn/QgWv6ruY/dEqQ4HnyWRcyIdwli9 qn6g==
X-Gm-Message-State: AFeK/H0bRRyGJD5zFEBJCTXkqZ13v5jwm2DYzdQe/emwz3+Wc/DoLECeJmJpbtPtPhsaH5V2sLOr+Jb0NsBdUQ==
X-Received: by 10.55.103.193 with SMTP id b184mr19689500qkc.264.1490673903405; Mon, 27 Mar 2017 21:05:03 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.200.53.152 with HTTP; Mon, 27 Mar 2017 21:05:02 -0700 (PDT)
In-Reply-To: <CADOd8-vJiCcaOjuYUhdvWsUw9QfcQqYpGH-W_BczeaGjoagBwg@mail.gmail.com>
References: <CADOd8-vJiCcaOjuYUhdvWsUw9QfcQqYpGH-W_BczeaGjoagBwg@mail.gmail.com>
From: Dhruv Dhody <dhruv.ietf@gmail.com>
Date: Mon, 27 Mar 2017 23:05:02 -0500
Message-ID: <CAB75xn4WVvOS7tDwiDRf5qhFC3oQMqBc+=yn2n0_B9kADESr6Q@mail.gmail.com>
To: Cyril Margaria <cyril.margaria@gmail.com>
Cc: draft-ietf-pce-pceps@ietf.org, "pce@ietf.org" <pce@ietf.org>, "dhruv.dhody@huawei.com" <dhruv.dhody@huawei.com>
Content-Type: multipart/mixed; boundary="94eb2c0578c07d4465054bc2906e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/pce/FvUVDBt18dvWGxuuf3Gfsfw1j7w>
Subject: Re: [Pce] Shepherd review of draft-ietf-pce-pceps
X-BeenThere: pce@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Path Computation Element <pce.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pce>, <mailto:pce-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pce/>
List-Post: <mailto:pce@ietf.org>
List-Help: <mailto:pce-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pce>, <mailto:pce-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Mar 2017 04:05:12 -0000

Hi Cyril,

Thanks for being our shepherd and providing review comments. Please see
inline...

On Mon, Mar 27, 2017 at 12:10 PM, Cyril Margaria <cyril.margaria@gmail.com>
wrote:

> Dear authors, PCE WG
>
> I am the shepherd for this document, Please find below my shepherd's
> review of the aforementioned I-D.
>
>
> * General
>
> The document does not need much work to to progress, they are mainly
> clarifications.
>
> * Detailed comments.
>
> Section 3.2
> --
> "Thus the PCEP session is secured via TLS from the
>    start before exchange of any other PCEP message including the Open
>    message."
>
> This sentence comes after the reference to discovery procedures while it
> refers to when the startTLS message is to be used.
> This could be rephrased.
>

​[Dhruv]: How about -

This message MUST be the first PCEP message
issued by the PCEP speaker, willing to use TLS. Note that, this includes the
open message




> --
> "Securing via TLS of an existing PCEP session is not
>    permitted, the session must be closed and re-established with TLS as
>    per the procedure described in this document"
>
>  Should the must be replaced by MUST?
>
>
>
​[Dhruv] Ack​



> --
> "If the PCEP speaker supports PCEPS but cannot establish a TLS
>    connection for some reason"
>
> I believe that in that case both speakers must support PCEPS in order for
> them to send the startTLS and start TLS negotiation. Its unclear when those
> errors can be sent, shouldn't they be sent after the TLS negotiations have
> taken place?
> This comment is repeated in the next sections/comments.
>

​[Dhruv]: Yes, this is after startTLS messages have been exchanged, and once
the PCEP speaker finds out that the TLS connection cannot be established.

We could reword this to -

After the exchange of startTLS messages, if the PCEP speaker cannot
establish a TLS connection
for some reason...


>
> Section 3.3.
>
> --
> "On receiving a StartTLS message from the PCEP
>    peer (i.e.  when the PCEP speaker has sent and received StartTLS
>    message) it is ready to start TLS negotiation and establishment and
>    move to steps described in Section 3.4."
>
> From section 3.2  a peer MAY also send Error-Type set to [TBA2 by IANA]
> (PCEP StartTLS failure) and Error-value 3 (not without TLS) or 4 (ok
> without TLS).
> At which point of the PCEP session are the PCErr sent? is it in step 3 of
>  section 3.4?
>
>
>
​[Dhruv]: Yes. It is the error handling part of step 3 IMHO. ​



> --
> "Once the TCP connection has been successfully established and the
>    StartTLS message sent, the sender MUST start a timer called
>    StartTLSWait timer, after the expiration of which, if no StartTLS
>    message has been received, it sends a PCErr message and releases the
>    TCP connection with Error-Type set to [TBA2 by IANA] and Error-value
>    set to 5 (no StartTLS message received before the expiration of the
>    StartTLSWait timer)."
>
> the following text would be more clear in my opinion
>
> ​​
> "Once the TCP connection has been successfully established and the
>    StartTLS message sent, the sender MUST start a timer called
>    StartTLSWait timer, after the expiration of which, if no StartTLS
>    message has been received, it MUST send a PCErr message and releases the
>    TCP connection with Error-Type set to [TBA2 by IANA] and Error-value
>    set to 5 (no StartTLS message received before the expiration of the
>    StartTLSWait timer)."
>

​[Dhruv]: Ack. ​



>
> Section 3.5
>
>
>
> --
> "PCEPS implementations SHOULD provide mechanisms for
>    associating peer identities with different levels of access and/or
>    authoritativeness, and they MUST provide a mechanism for establish a
>    default level for properly identified peers. "
>
> typo "
> ​​
> for establish" -> "for
> ​​
> establishing"
>
> "PCEPS implementations SHOULD provide mechanisms for
>    associating peer identities with different levels of access and/or
>    authoritativeness, and they MUST provide a mechanism for establishing a
>    default level for properly identified peers. "
>
>
​[Dhruv]: Ack. ​



> --
>
> " Implementations
>    that want to support a wide variety of trust models should expose as
>    many details of the presented certificate to the administrator as
>    possible so that the trust model can be implemented by the
>    administrator. "
>
> should -> SHOULD or it could be rephrased if its not the intent.
>
>
​​[Dhruv]: Ack. ​
​



> --
> "As a suggestion, at least the following parameters of
>    the X.509 certificate should be exposed:"
>
> it can be rephrased as
> "
> ​​
> At least the following parameters of
>    the X.509 certificate SHOULD be exposed:"
>
> or
>
> "its
> ​​
> RECOMMENDED that at least the following parameters of
>    the X.509 certificate are exposed:"
>
>
>
​​​[Dhruv]: Ack. ​​



> Section 3.6
> --
>
> Section 3.2
> ​​
> defines error-values for TLS negotiation failures, should they be used in
> that section? i.e the peer SHOULD send a PCErr and MUST terminate the
> session?
>
>
>
​[Dhruv]: Yes, updated the text to -

   In case the initial TLS negotiation or the peer identity check fails,
   according to the procedures listed in this document, the peer MUST
   send the PCErr message as per the Section 3.2 and then MUST terminate
   the session.



> Section 4.
>
> --
> I am not sure if the second and third paragraph are relevant for PCEPS
> session establishement. Could you indicate what is the relation between
> PCEPS and dns resolution?
>
>
​[Dhruv​]: If DNS is used to discover the PCE IP address, it can also
specify if the PCE supports TLS via the NAPTR records, you can find an
example of this in
https://tools.ietf.org/html/draft-wu-pce-dns-pce-discovery-09#section-6.2.1

Thus this is similar to learning the PCEPS capability via IGP.



>
> Section 6.1
>
> --
>
> Following rfc5226, please  clarify the request for new allocation and
> indicate which registry need to be updated, for instance:
>
>  IANA is requested to allocate new message types within the "PCEP
>  Messages" sub-registry of the PCEP Numbers registry, as follows:
>
>                  Value     Meaning
>          Reference
>                    TBA1      The Start TLS Message (StartTLS)         This
> document
>
> Section 6.2
>
> --
> same as section 6.1, a possible text can be:
>
> IANA is requested to allocate new Error Types and Error Values within
>    the " PCEP-ERROR Object Error Types and Values" sub-registry of the
>    PCEP Numbers registry, as follows:
>
>
>
>
​[Dhruv]: Ack​



> Section 8.2
>
> --
> should the YANG modules also be updated?
>
>
​[Dhruv]: How about - ​

​   An implementation SHOULD allow the operator to configure the PCEPS
   capability as well as various TLS related parameters, as well as view
   the current TLS status for a PCEP session.  To serve this purpose,
   the PCEP YANG module [I-D.ietf-pce-pcep-yang] can be extended to
   include TLS related configuration and state.​



​Thanks for your comments! ​I have attached the diff file.

Working XML:
https://github.com/dhruvdhody-huawei/ietf/blob/master/draft-ietf-pce-pceps-12.xml

​We can update a new version after a confirmation from you! ​

​Regards,
Dhruv​



>
> Thanks,
> Cyril
>

v2.23.0 | Report a Bug | By Email