IETF Logo Mail Archive

Re: [Pce] Secdir last call review of draft-ietf-lsr-pce-discovery-security-support-05

"Acee Lindem (acee)" <acee@cisco.com> Mon, 09 August 2021 17:01 UTC

Return-Path: <acee@cisco.com>
X-Original-To: expand-draft-ietf-lsr-pce-discovery-security-support.all@virtual.ietf.org
Delivered-To: pce@ietfa.amsl.com
Received: by ietfa.amsl.com (Postfix, from userid 65534) id D8A943A0B29; Mon, 9 Aug 2021 10:01:40 -0700 (PDT)
X-Original-To: xfilter-draft-ietf-lsr-pce-discovery-security-support.all@ietfa.amsl.com
Delivered-To: xfilter-draft-ietf-lsr-pce-discovery-security-support.all@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 21B8C3A0B22; Mon, 9 Aug 2021 10:01:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.599
X-Spam-Level:
X-Spam-Status: No, score=-9.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=cC1oMvlC; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=OBbEo5HB
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VHk7Wg3S6AiE; Mon, 9 Aug 2021 10:01:34 -0700 (PDT)
Received: from alln-iport-8.cisco.com (alln-iport-8.cisco.com [173.37.142.95]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D85213A0AAD; Mon, 9 Aug 2021 10:01:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=9102; q=dns/txt; s=iport; t=1628528494; x=1629738094; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=24F1BP89KiU2w5MhOV6U7wg4c66rjBas25HkmPkYW7g=; b=cC1oMvlCNHHn71wvIZgfXsrfVpcKOA94SehQBzyTMkJkMAStsekxCWZA VQuoL4ArV6PK/9Ib+0RrmIM4V3QfwdZ3fMqQkf2Gr3gOlWYwd0BM1fDtI 3MTpwvyK6xyJlj1apRm4iGWSoMWzpTRZ/qqY2xjc1r837zZJhpL744AEu A=;
X-IPAS-Result: A0AnAgArXhFhl5tdJa1aHgEBCxIMQIFOC4FTUX5aNzEChEWDSAOFOYhmA5o0gS6BJQNUCwEBAQ0BASoLDAQBAYRYAheCQgIlNAkOAQIEAQEBAQMCAwEBAQEFAQEFAQEBAgEGBBQBAQEBAQEBAYEIhWgNhkIBAQEBAwEBEBERDAEBJQQDCwELBAIBBgIRBAEBAQICIwMCAgIlCxQBCAgBAQQBDQUigk8BglUDLwEOjXSPNAGBOgKKH3qBMYEBggcBAQYEBIU4GII0AwaBECqCfIQPgmqDeiccgg2BFAEnDBCCYj6CYgEBAoFGGCaCcTaCLoJwWwYCMA8jBA0VIQ4CWyQZPQINBhgCDxQBBBGVNagiCoMomGyFXwUmg2WLYAOXJ5YPn2sCgiWDCQIEAgQFAg4BAQaBYDmBW3AVOyoBgj5QGQ6LR4JYDQwJg0+FFIVKcwILKwIGAQoBAQMJilABAQ
IronPort-PHdr: A9a23:Fffo5h2PSJXgQqq+smDPtVBlVkEcU/3cNQ8O4Z1hgLVLIeyv/JXna UrY4/glzFrERp7S5P8Mje3K+7vhVmoN7dfk0jgCfZVAWgVDhZAQmAotU8WEEkb8avXtan9yE MFLTlQw+Xa9PABcE9r/YFuHpHq04HYSFxzzOBAzKP7yH9vZjt+80Ka5/JiACzg=
IronPort-HdrOrdr: A9a23:ZGoRSKNT/i5y/MBcT5f255DYdb4zR+YMi2TDiHoRdfUFSKKlfp 6V88jzjSWE9wr4WBkb6Le90DHpewKeyXcH2/huAV7EZnilhILIFvAj0WKG+V3d8kLFh5VgPM tbAs1D4ZjLfCRHZKXBkUyF+rQbsaO6GcmT7I+0pRoAPGIaCZ2IrT0JdzpzeXcGIjWucKBJbK Z0kfA33gZIF05nCviTNz0gZazuttfLnJXpbVotHBg88jSDijuu9frTDwWY9g12aUIK/Z4StU z+1yDp7KSqtP+2jjXG0XXI0phQkNz9jvNeGc23jNQPIDmEsHfuWG0hYczFgNkGmpD21L8Yqq iWn/7mBbUo15rlRBDtnfIq4Xi87N9h0Q6/9bbSuwqTnSWwfkNLNyMGv/MHTvMcgHBQ7e2VF8 lwrjykXtNsfGH9dG6W3am6azh60kWzunYsiugVkjhWVpYfcqZYqcgF8FpSC4poJlO01GkLKp giMCjn3ocbTbpaVQGRgkB/hNi3GngjFBaPRUYP/sSTzjhNhXh8i08V3tYWkHsM/I80D8As3Z WEDo140LVVCsMGZ6N0A+kMBcOxF2zWWBrJdGafO07uGq0LM2/E75T3/LI27ue3f4Fg9up9pL 3RFFdD8WIicUPnDsODmJVN7xDWWW24GS/gz8lPjqIJ8IEUhICbehFrbWpe5fdIj89vdvEzas zDcK6+WcWTWFcGMbw5qDHDZw==
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.84,308,1620691200"; d="scan'208";a="753439879"
Received: from rcdn-core-4.cisco.com ([173.37.93.155]) by alln-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 09 Aug 2021 17:01:32 +0000
Received: from mail.cisco.com (xbe-rcd-003.cisco.com [173.37.102.18]) by rcdn-core-4.cisco.com (8.15.2/8.15.2) with ESMTPS id 179H1WZq001384 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=OK); Mon, 9 Aug 2021 17:01:32 GMT
Received: from xfe-rtp-003.cisco.com (64.101.210.233) by xbe-rcd-003.cisco.com (173.37.102.18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.15; Mon, 9 Aug 2021 12:01:31 -0500
Received: from xfe-rtp-002.cisco.com (64.101.210.232) by xfe-rtp-003.cisco.com (64.101.210.233) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.15; Mon, 9 Aug 2021 13:01:30 -0400
Received: from NAM11-DM6-obe.outbound.protection.outlook.com (64.101.32.56) by xfe-rtp-002.cisco.com (64.101.210.232) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.15 via Frontend Transport; Mon, 9 Aug 2021 13:01:30 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=XaFf1k5MG3UJVE0o3R+SbZrvePluNhPzLl9k0Y3ssHe8uo9GEE+OLEY56479CLsItN0isvhOz3xhDrNgoXgAG63joEeafTCYLyktZ8O/eLTSTrkGhDlwmcrMxNksMcM/EhKm/IgbR2pssjz/XOY/YpxQzpDvZeaEvJ1VFZ4+d7TCQUQSH7SF6layqmizBJd4JidmhGS6VjjDF8PnyN5htp+3T6WiAjjw+Lojougt9chcVyL5H5iu+FLsE9pQT+0r5Q9DKnzMbEkaCkb5upVfBKko0lXEMWYVapUrbxrGKHDDO+8xSF3Db2uqKtDrocukiYsy7ozaJ8bAY3sO2lvgWA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=24F1BP89KiU2w5MhOV6U7wg4c66rjBas25HkmPkYW7g=; b=bJVBA+EIUQ4MoElUZvKi3Q79riks5HHxkHsSY6zA+iNIBnR4Szfma0+KBzW16tsuLgC0aMWweHAry23mP2lfXg0Q7BOVWJ+g16egUzD2eyrVWJh1Osd8eAR+PJOkQrM7CUlxOcNXcjSPMgJvvFBtW5VlvdGGIc+eotoA1tbanx2hc3XfKOKXrG5kCvhs9sEPJS0U9bIfNFj2d2gd8KCUVLSqoLOJiv/7h36i3flWkf+TdNNRpMTERc/ikKaNnFfsLgj8B3Fd5+zaSC60YSC94NjJsoLIAAWGVGcFWV8uhndG0vtL9GqbuFrkOxrTgoxnMDNkUfaaxxXaVV50zrN98g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=24F1BP89KiU2w5MhOV6U7wg4c66rjBas25HkmPkYW7g=; b=OBbEo5HBEA27SsQBHfpY6ya21bw0G8TCXDmliLPr3TXr/EEflE10LsCuM0jzSRmZlFWNUB1Em60m2e8afSm4wiR7MqzksMGfm49ejy96dbPURb8cnb8s8QP3TZZ3CHkJ4L2pnEmxMsdkDO0WOBieGkZMjlHktxhSYQjRB9mrG8U=
Received: from BYAPR11MB2887.namprd11.prod.outlook.com (2603:10b6:a03:89::27) by SJ0PR11MB5056.namprd11.prod.outlook.com (2603:10b6:a03:2d5::6) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4394.17; Mon, 9 Aug 2021 17:01:27 +0000
Received: from BYAPR11MB2887.namprd11.prod.outlook.com ([fe80::a19c:e0ca:19d9:19e2]) by BYAPR11MB2887.namprd11.prod.outlook.com ([fe80::a19c:e0ca:19d9:19e2%3]) with mapi id 15.20.4394.022; Mon, 9 Aug 2021 17:01:27 +0000
From: "Acee Lindem (acee)" <acee@cisco.com>
To: "Les Ginsberg (ginsberg)" <ginsberg@cisco.com>, Yaron Sheffer <yaronf.ietf@gmail.com>, Qin Wu <bill.wu@huawei.com>, "secdir@ietf.org" <secdir@ietf.org>
CC: "draft-ietf-lsr-pce-discovery-security-support.all@ietf.org" <draft-ietf-lsr-pce-discovery-security-support.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "lsr@ietf.org" <lsr@ietf.org>
Thread-Topic: Secdir last call review of draft-ietf-lsr-pce-discovery-security-support-05
Thread-Index: AdeNHypPK1Aju325Q+6DWq9xSrH09wABXpCAAANbtfD//9krAA==
Date: Mon, 09 Aug 2021 17:01:27 +0000
Message-ID: <80F36E66-0599-429B-95BF-2F204397BF19@cisco.com>
References: <a54b52bd71be4f8380f5288197c683bb@huawei.com> <0D7D6324-9F23-4E67-B66B-D0A7DD640035@gmail.com> <BY5PR11MB4337CA31809B87189E5B39BBC1F69@BY5PR11MB4337.namprd11.prod.outlook.com>
In-Reply-To: <BY5PR11MB4337CA31809B87189E5B39BBC1F69@BY5PR11MB4337.namprd11.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.51.21071101
authentication-results: cisco.com; dkim=none (message not signed) header.d=none;cisco.com; dmarc=none action=none header.from=cisco.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 252b829d-308f-4360-3011-08d95b5753e9
x-ms-traffictypediagnostic: SJ0PR11MB5056:
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <SJ0PR11MB50563A9411BCF0F159CCDE5BC2F69@SJ0PR11MB5056.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: Ig/C5vU5OwrXcjkzorbQicHny2ySO0e06YX7rMNJkHX/aBqPpsFOVDlAgfDhsdQzL2/6yNntvWTtYY9pL+qb0L/dHGJPrNdEcHOHz+xpwLqL7TmnYDBTeU6tj6Ij1dOO6ppu8/uX65kC6yz89f1TDexDA1xkOvHI7rtQpziHzZ6xEMvPqjHYX3xFn2WXeVu7FyvQI67JfI6+MOy1KusNeduPQH2hwNf9w5eyyodUYGni5n2sCXq8rVh+DO1b/96kJHUpcAPEfZlyUQ7tMzEXXN99+valLJs3h0yIyaFrZRXzvROfAW1LsP7nIO6gDxWSCUKYgILzhrlqZC3yiHifcitGVSANpiBFRPNHthpt60Gi2H0Q2SEg5gDR5lHF/EzEHqFlhB9E5lNnokyi9orKeHy7cM9kIeTgXGFl1KNz3uY6oe+eD41OFNqKL3ihg4sZju/mAIwxPcsf8vXTSYPFfM42rguwCD9Uj2LlEVP0Wm8s93vhLXtH9h8YgF0NBA7faIM0QAXTX2yS4ROmAdCbTuBTQDLaVFh6dxlq7P1eDFDazaWcSsP/ui5p2kFgHzfPwzY6V0QvodoF2K8jOGmOhBLUzFE0xbqwR+DeZxYAqcOMM7xIqMY2Fiy75pj6lA8WI0z+xKG/2phgRt456elYjxxv3GvWRkE9di645D8GvbbtUCX9O0Ye2S4LvCYPKROgwng0bUsdR+mYs2Mi1gy7Q6AMfkTPQ+/R1oQb9CYpwiCtuMIW59ei9LtCKOY5k2kbKM560s3ixeoQbCpaloCSXfg7c9FO3Y31a1S3BkM8Uu5jAnF0aI5vRhAEjdoF4emSDFDyV2EEkY+rzEDBujT/Zzoa5FV8EgXTeLxrKBgpbOo=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BYAPR11MB2887.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(366004)(33656002)(71200400001)(6512007)(186003)(76116006)(6486002)(8936002)(8676002)(86362001)(53546011)(54906003)(110136005)(91956017)(966005)(83380400001)(6506007)(4326008)(2906002)(508600001)(15650500001)(26005)(316002)(2616005)(66556008)(5660300002)(38070700005)(64756008)(36756003)(122000001)(66946007)(66476007)(66446008)(38100700002)(45980500001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: HcG8jk6786e0NBTETm4ZrKgeH7gw6fh2Pky6IX1ZbxF5D2uiDBV1IOsviWiUW+gDjSmAibeeb10qnSs6NXfor1ftKFEyamWn111cosZP5x201lMf/t5jRKA6w/81mZnObpzJ9RFaBXdwfYd98Um73+F46cZa5NRhD6DXW4i7zxeIhqZqiX40q9ufVU333kaWrEyXVxgOo/3dZrn4fxs3VXlViVwoDrDTIQdHPd/ALjaI5mwDV1VOydmBej6F4BQEuXf6fI6li4b09aIMTHijoF5f8gKcYV29q/Uor9LlKtrNKENe1T3ZUSzIPW8CriCKJfdvKNueesudesX86al9Akio4Thl2a5DIHNKYkuE2549cw55E7sGQPcVBoExHO+kJOMcXoxAxZIy0EvAp6kzAbWJ7K8svHX/VKC6977dnGTrarLohL25OGG4+gf7870RqWdTsswAXY6RxK5ZS36XrRhVPyPC4KEluIknLFk06A3LoV373vM97T+fi82lTZHznR+tk2ZWfKehK/UHsPiyjs8xVVl8QC4nwqA2KX5wgWojpbdFhJ2ovEdxBegPgAPkUk8BQqN0i/ZIxY1eDrbeEZnhKlmw/VIf8NdLmFe8dqCEWYkT1JjLAywbx0bgvMFA2DkNrL1zzorAbjz/GTeQbE0JtilhgHzCklJSTAH1nhgp3fO6MO8fwt4h168UGYMO3Srb+JeZojRRs57nMODZ5UzzP2Jg8TvQYyum5sUBtrUtew24C0OJw5HtS0EvShONBvsZK2eIz5ANk3vWzBU4usvD6fYF012mHYyx4hSseIsdnjSzG9e9yGdWZKRc7yQbA5r9wIOPAgPmpPqr6eGxgKiWp1l4bVwtRPiyRf8glnNr2QSyvlVW30DzzJskij8G2suR1SbC9UdEK8fHs9yebT6dBA3pb/CHfQRTLvDRHDxv/Qk6Uw3SaGO9lWNMvurRpPTSK1umHecE7or7/bs4s5zm3ADTiwIIyMwcvPPNaP23bIF3VcOyqOao74gbJgGDqsua458hO8R3iUgFijqY0TYmeoNSltSZTCoQRybNZnuI6wUlvQveWB3nR4mU83wo1vIgo9xRz1NF+41eWKkCLCuysCo8xYGRgIwoRX5gPZNGyUpwMcXVXoeWwaKHMDHM2xii0iZmBw3rrp1NcXva616XAuMQ9FMeCTGB9Q+k79+mYU8lDBwlELT6E2T6f+MKzN3kyhjlfboEtikbhP3F7a59BWMFaaSj4mbzY8azALSp6zZrTVQvjD9bx7kxRUCOOhPN4yl7EIwsIqqm8PJu1feAsJchm5krS3fhYPJfVscoUYIyIeAV8NKh7GNnnJX2
Content-Type: text/plain; charset="utf-8"
Content-ID: <3AD2C8D8B1E3B44E9CD5F5310DE709E2@namprd11.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BYAPR11MB2887.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 252b829d-308f-4360-3011-08d95b5753e9
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Aug 2021 17:01:27.5520 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: QyQB2ETFDvA7oQBRqRPQF9i1UaxOmF34bwqEbdQAVDr7hBPB3a1ccMfYNXWoeDVu
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SJ0PR11MB5056
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.18, xbe-rcd-003.cisco.com
X-Outbound-Node: rcdn-core-4.cisco.com
Resent-From: alias-bounces@ietf.org
Resent-To: maqiufang1@huawei.com, acee@cisco.com, jgs@juniper.net, bill.wu@huawei.com, aretana.ietf@gmail.com, diego.r.lopez@telefonica.com, dhruv.ietf@gmail.com, lsr@ietf.org, martin.vigoureux@nokia.com, pce@ietf.org, chopps@chopps.org, daniel@olddog.co.uk, yingzhen.ietf@gmail.com
Resent-Message-Id: <20210809170140.D8A943A0B29@ietfa.amsl.com>
Resent-Date: Mon, 09 Aug 2021 10:01:40 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/pce/N79WT14J8CZ2qzHo_8D6FS7-ptI>
Subject: Re: [Pce] Secdir last call review of draft-ietf-lsr-pce-discovery-security-support-05
X-BeenThere: pce@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Path Computation Element <pce.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pce>, <mailto:pce-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pce/>
List-Post: <mailto:pce@ietf.org>
List-Help: <mailto:pce-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pce>, <mailto:pce-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Aug 2021 17:01:41 -0000

Agree with Les.
Thanks,
Acee

On 8/9/21, 11:36 AM, "Les Ginsberg (ginsberg)" <ginsberg@cisco.com> wrote:

    Yaron/Qin -

    For IS-IS security please also see RFC 5310.
    For OSPF security please see RFC 5709.

    Regarding the debate about MUST vs SHOULD, as I see it advertisement of this information is an option. The IGP might not have access to this information in a given implementation/deployment - and I can easily imagine that some customers might prefer NOT to advertise this information in an IGP even if it were available.

    It is useful to check the wording used in https://www.rfc-editor.org/rfc/rfc5089.html#section-4 . There, those sub-TLVs which are necessary for the PCED sub-TLV to be useful at all are required - but other sub-TLVs are optional. I think these new sub-TLVs fall into the latter category.

       Les

    > -----Original Message-----
    > From: Lsr <lsr-bounces@ietf.org> On Behalf Of Yaron Sheffer
    > Sent: Monday, August 9, 2021 6:44 AM
    > To: Qin Wu <bill.wu@huawei.com>; secdir@ietf.org
    > Cc: draft-ietf-lsr-pce-discovery-security-support.all@ietf.org; last-
    > call@ietf.org; lsr@ietf.org
    > Subject: Re: [Lsr] Secdir last call review of draft-ietf-lsr-pce-discovery-
    > security-support-05
    > 
    > Hi Qin,
    > 
    > Thank you for your response.
    > 
    > * RFC 3567 (for IS-IS) is obsoleted by RFC 5304. Unfortunately RFC 5304 still
    > uses HMAC-MD5, which would be considered insecure nowadays.
    > * RFC 2154 is very old and Experimental (and only supports RSA-MD5
    > signatures). I'm not an OSPF expert by any means, but I'm willing to bet that
    > there are no production implementations of this RFC. (I'm willing to be
    > proven wrong). Is there another RFC that defines a protection mechanism
    > for OSPF?
    > 
    > All in all, there appear to be no good options for the IGP.
    > 
    > To your last point, when I mentioned decoupling the mechanisms, I was
    > suggesting to use the extension you define even if the IGP *cannot* be
    > secured. If you think this is reasonable, please add such text to the Security
    > Considerations.
    > 
    > Thanks,
    > 	Yaron
    > 
    > On 8/9/21, 16:09, "Qin Wu" <bill.wu@huawei.com> wrote:
    > 
    >     Thanks Yaron for valuable comments, please see my reply inline below.
    >     -----邮件原件-----
    >     >发件人: Yaron Sheffer via Datatracker [mailto:noreply@ietf.org]
    >     >发送时间: 2021年8月6日 3:25
    >     >收件人: secdir@ietf.org
    >     >抄送: draft-ietf-lsr-pce-discovery-security-support.all@ietf.org; last-
    > call@ietf.org; lsr@ietf.org
    >     >主题: Secdir last call review of draft-ietf-lsr-pce-discovery-security-
    > support-05
    > 
    >     >Reviewer: Yaron Sheffer
    >     >Review result: Not Ready
    > 
    >     >This document defines a mechanism (a TLV) to advertise the PCE Protocol
    > security required (use of TCP-AO and its key ID, or alternatively use of TLS)
    > within the routing protocol being used.
    > 
    >     >* Sec. 3.1: I don't understand why "SHOULD advertise" and not MUST.
    > Especially given the strict client behavior defined later.
    >     [Qin]: I believe "SHOULD advertise" is consistent with client behavior
    > defined later, i.e., we apply SHOULD NOT language to the client behavior.
    >     I am not sure we should change it into strong language with MUST. Since if
    > IGP advertisement doesn't include TCP-AO
    >      support flag bit or TLS support flag bit, NMS may fall back to configure both
    > PCC and PCE server to support TCP-AO or TLS. That's one of reason I think
    > why we choose to use SHOULD language.
    > 
    >     >* Sec. 3.1: should we also say something about the case where both
    > methods are advertised, and whether we recommend for the client to use
    > one of them over the other?
    > 
    >     [Qin]: It is up to local policy, which has bee clarified in the end of section
    > 3.1. Hope this clarify.
    > 
    >     >* Sec. 4: typo (appears twice) - "to be carried in the PCED TLV of the for
    > use".
    > 
    >     [Qin]:Thanks, have fixed them in the local copy.
    > 
    >     >* Sec. 7: this phrase appears to be essential to security of this mechanism:
    > "it MUST be insured that the IGP is protected for authentication and integrity
    > of the PCED TLV". I would expect more guidance: how can this property be
    > ensured in the relevant IGPs?
    >     [Qin]:I think mechanism defined in [RFC3567] and [RFC2154] can be used to
    > ensure authenticity and integrity of OSPF LSAs or ISIS LSPs and their TLVs.
    > Here is the proposed changes:
    >     OLD TEXT:
    >     "
    >        Thus before advertisement of
    >        the PCE security parameters, it MUST be insured that the IGP is
    >        protected for authentication and integrity of the PCED TLV if the
    >        mechanism described in this document is used.
    >     "
    >     NEW TEXT:
    >     "
    >        Thus before advertisement of
    >        the PCE security parameters, it MUST be insured that the IGP is
    >        protected for authentication and integrity of the PCED TLV with
    > mechanisms defined in [RFC3567][RFC2154] if the
    >        mechanism described in this document is used.
    >     "
    >     >* Also, a possibly unintended consequence of this requirement is that if
    > the IGP cannot be protected in a particular deployment/product, this
    > mechanism would not be used. Please consider if this is likely to happen and
    > whether we want to forego PCEP transport >security in such cases. My gut
    > feel (not based on experience in such networks) is that the threat models
    > are different enough that we should decouple the security of IGP from that
    > of PCEP.
    > 
    >     [Qin] I agree IGP security should be separated from PCEP security. IGP
    > extension defined in this document is used by the PCC to select PCE server
    > with appropriate security mechanism. On the other hand, Operator can
    > either use IGP advertisement for PCEP security capability or rely on local
    > policy to select PCE. If operator feels IGP advertisement is not secure, he can
    > fall back to local policy or rely on manual configuration. Hope this clarifies.
    > 
    > 
    > 
    > _______________________________________________
    > Lsr mailing list
    > Lsr@ietf.org
    > https://www.ietf.org/mailman/listinfo/lsr

v2.23.0 | Report a Bug | By Email