[Pce] Eric Rescorla's No Objection on draft-ietf-pce-pceps-17: (with COMMENT)

[Eric Rescorla <ekr@rtfm.com>]

Eric Rescorla has entered the following ballot position for
draft-ietf-pce-pceps-17: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-pce-pceps/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

This document needs a significant editorial pass. I found a number of
writing errors, e.g., "Securing via TLS of an existing PCEP session is
not permitted,"

S 1.
   defining their application in depth.  Moreover, [RFC6952] remarks the
   importance of ensuring PCEP communication privacy, especially when

The term here is "confidentiality"

S 3.2.
The whole description of how you can race StartTLS iff you know you
are TLS only is really hard to understand until you get to the
diagrams. I would write something like:

   The PCC initiates the use of TLS by sending a StartTLS message
   The PCE agrees to the use of TLS by responding with its own
   StartTLS message. If the PCE is configured to only do TLS, it
   may send the StartTLS message immediately upon TCP connection
   establishment; otherwise it MUST wait for the PCC's first
   message to see whether it is an Open or StartTLS message.



S 3.4.
          +  Implementations SHOULD indicate their trusted CAs.  For TLS
             1.2, this is done using [RFC5246], Section 7.4.4,
             "certificate_authorities" (server side) and [RFC6066],
             Section 6 "Trusted CA Indication" (client side).

Do common stacks do this? I know NSS does not.


   To support TLS re-negotiation both peers MUST support the mechanism
   described in [RFC5746].  Any attempt to initiate a TLS handshake to
   establish new cryptographic parameters not aligned with [RFC5746]
   SHALL be considered a TLS negotiation failure.

Is there a reason to allow renegotiation at all?


S 3.5
   [I-D.ietf-pce-stateful-sync-optimizations] specify a Speaker Entity
   Identifier TLV (SPEAKER-ENTITY-ID), as an optional TLV that MAY be
   included in the OPEN Object.  It contains a unique identifier for the
   node that does not change during the lifetime of the PCEP speaker.
   An implementation would thus expose the speaker entity identifier as
   part of the X509v3 certificate, so that an implementation could use
   this identifier for the peer identification trust model.

This seems underspecified. Is there an OID assigned?


S 4.1.
   DANE [RFC6698] defines a secure method to associate the certificate
   that is obtained from a TLS server with a domain name using DNS,
   i.e., using the TLSA DNS resource record (RR) to associate a TLS
   server certificate or public key with the domain name where the
   record is found, thus forming a "TLSA certificate association".  The
   DNS information needs to be protected by DNS Security (DNSSEC).  A
   PCC willing to apply DANE to verify server identity MUST conform to
   the rules defined in section 4 of [RFC6698].  The server's domain
   name must be authorized separately, as TLSA does not provide any
   useful authorization guarantees.

This is also underspecified. Which DANE types are you suggesting you
use?


S  7.
   Some TLS ciphersuites only provide integrity validation of their
   payload, and provide no encryption.  This specification does not
   forbid the use of such ciphersuites, but administrators must weight
   carefully the risk of relevant internal data leakage that can occur
   in such a case, as explicitly stated by [RFC6952].

Why don't you forbid it?