[Pce] Eric Rescorla's Discuss on draft-ietf-pce-pceps-15: (with DISCUSS and COMMENT)
Eric Rescorla <ekr@rtfm.com> Tue, 01 August 2017 16:38 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: pce@ietf.org
Delivered-To: pce@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 6CF03131E96; Tue, 1 Aug 2017 09:38:47 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Eric Rescorla <ekr@rtfm.com>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-pce-pceps@ietf.org, Cyril Margaria <cmargaria@juniper.net>, pce-chairs@ietf.org, cmargaria@juniper.net, pce@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.58.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <150160552743.9608.12510518895697614960.idtracker@ietfa.amsl.com>
Date: Tue, 01 Aug 2017 09:38:47 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/pce/Rg_C5Sb4ZRfSdwX1bTj3MezJcTM>
Subject: [Pce] Eric Rescorla's Discuss on draft-ietf-pce-pceps-15: (with DISCUSS and COMMENT)
X-BeenThere: pce@ietf.org
X-Mailman-Version: 2.1.22
List-Id: Path Computation Element <pce.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pce>, <mailto:pce-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pce/>
List-Post: <mailto:pce@ietf.org>
List-Help: <mailto:pce-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pce>, <mailto:pce-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Aug 2017 16:38:47 -0000
Eric Rescorla has entered the following ballot position for draft-ietf-pce-pceps-15: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-pce-pceps/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- 1. This needs a cite to RFC 6125 to define how to do name validation. 2. You require TLS_RSA_WITH_AES_128_GCM_SHA256, but this is not consistent with modern recommendations, which are for algorithms that provide forward secrecy. You should be recommending TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 with P-256, which is consistent with the recommendations for TLS 1.3 (and UTA, IIRC). 3, It's clear to me how authentication of the PCE works in that the PCC connects to it using a domain name or IP address and therefore can check the PCC's certificate against that, but it's not clear to me what the PCE does when the client connects? Is it supposed to have a list of valid peers? 4. The error reporting mechanism you describe in S 3.2 is unusual: After the exchange of StartTLS messages, if a PCEP speaker cannot establish a TLS connection for some reason (e.g. the required mechanisms for certificate revocation checking are not available), it MUST return a PCErr message (in clear) with Error-Type set to [TBA2 by IANA] (PCEP StartTLS failure) and Error-value set to: I am not aware of any other protocol that does this, and it's a bit problematic because you either need to (a) require that you always send a TLS alert so that the receiver knows that the next byte is a PCE message or (b) specify some mechanism for demuxing PCE and TLS. Even in the former category, many TLS stacks are greedy about their IO, so they will read the alert + the PCE message and then discard the message. Instead you should either: (a) specify that you always send TLS alerts and don't send PCE errors (TLS alerts are pretty rich) (b) send any post-handshake alerts over the TLS connection. Failing that, you need to provide detailed instructions about how to make this work. 5. It seems like it would be a good idea to specify a pinning mechanism so you could say "always do TLS in future". Is that something that was discussed? 6. * TLS with X.509 certificates using certificate fingerprints: Implementations MUST allow the configuration of a list of trusted certificates, identified via fingerprint of the Distinguished Encoding Rules (DER) encoded certificate octets. Implementations MUST support SHA-256 as defined by [SHS] as the hash algorithm for the fingerprint. What does "trusted" mean here? I think it means "one I would accept as a counterparty" rather than "can sign other certs". In any case, this must be clear. A bunch of other stuff is underspecified (see below). ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- This document needs a significant editorial pass. I found a number of writing errors, e.g., "Securing via TLS of an existing PCEP session is not permitted," S 1. defining their application in depth. Moreover, [RFC6952] remarks the importance of ensuring PCEP communication privacy, especially when The term here is "confidentiality" S 3.2. The whole description of how you can race StartTLS iff you know you are TLS only is really hard to understand until you get to the diagrams. I would write something like: The PCC initiates the use of TLS by sending a StartTLS message The PCE agrees to the use of TLS by responding with its own StartTLS message. If the PCE is configured to only do TLS, it may send the StartTLS message immediately upon TCP connection establishment; otherwise it MUST wait for the PCC's first message to see whether it is an Open or StartTLS message. S 3.4. + Implementations SHOULD indicate their trusted CAs. For TLS 1.2, this is done using [RFC5246], Section 7.4.4, "certificate_authorities" (server side) and [RFC6066], Section 6 "Trusted CA Indication" (client side). Do common stacks do this? I know NSS does not. To support TLS re-negotiation both peers MUST support the mechanism described in [RFC5746]. Any attempt to initiate a TLS handshake to establish new cryptographic parameters not aligned with [RFC5746] SHALL be considered a TLS negotiation failure. Is there a reason to allow renegotiation at all? S 3.5 [I-D.ietf-pce-stateful-sync-optimizations] specify a Speaker Entity Identifier TLV (SPEAKER-ENTITY-ID), as an optional TLV that MAY be included in the OPEN Object. It contains a unique identifier for the node that does not change during the lifetime of the PCEP speaker. An implementation would thus expose the speaker entity identifier as part of the X509v3 certificate, so that an implementation could use this identifier for the peer identification trust model. This seems underspecified. Is there an OID assigned? S 4.1. DANE [RFC6698] defines a secure method to associate the certificate that is obtained from a TLS server with a domain name using DNS, i.e., using the TLSA DNS resource record (RR) to associate a TLS server certificate or public key with the domain name where the record is found, thus forming a "TLSA certificate association". The DNS information needs to be protected by DNS Security (DNSSEC). A PCC willing to apply DANE to verify server identity MUST conform to the rules defined in section 4 of [RFC6698]. The server's domain name must be authorized separately, as TLSA does not provide any useful authorization guarantees. This is also underspecified. Which DANE types are you suggesting you use? S 7. Some TLS ciphersuites only provide integrity validation of their payload, and provide no encryption. This specification does not forbid the use of such ciphersuites, but administrators must weight carefully the risk of relevant internal data leakage that can occur in such a case, as explicitly stated by [RFC6952]. Why don't you forbid it?
- [Pce] Eric Rescorla's Discuss on draft-ietf-pce-p… Eric Rescorla
- Re: [Pce] Eric Rescorla's Discuss on draft-ietf-p… Dhruv Dhody
- Re: [Pce] Eric Rescorla's Discuss on draft-ietf-p… Dhruv Dhody