Re: [Pce] Alexey Melnikov's Discuss on draft-ietf-pce-pceps-15: (with DISCUSS and COMMENT)
Dhruv Dhody <dhruv.dhody@huawei.com> Tue, 08 August 2017 13:40 UTC
Return-Path: <dhruv.dhody@huawei.com>
X-Original-To: pce@ietfa.amsl.com
Delivered-To: pce@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E90941324C5; Tue, 8 Aug 2017 06:40:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.219
X-Spam-Level:
X-Spam-Status: No, score=-4.219 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NKu3FPfFK5pZ; Tue, 8 Aug 2017 06:40:50 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 97A661324C1; Tue, 8 Aug 2017 06:40:48 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml702-cah.china.huawei.com) ([172.18.7.190]) by lhrrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id DME86865; Tue, 08 Aug 2017 13:40:46 +0000 (GMT)
Received: from BLREML406-HUB.china.huawei.com (10.20.4.43) by lhreml702-cah.china.huawei.com (10.201.108.43) with Microsoft SMTP Server (TLS) id 14.3.301.0; Tue, 8 Aug 2017 14:40:44 +0100
Received: from BLREML501-MBB.china.huawei.com ([10.20.5.200]) by BLREML406-HUB.china.huawei.com ([10.20.4.43]) with mapi id 14.03.0301.000; Tue, 8 Aug 2017 19:10:34 +0530
From: Dhruv Dhody <dhruv.dhody@huawei.com>
To: Eric Rescorla <ekr@rtfm.com>
CC: Alexey Melnikov <aamelnikov@fastmail.fm>, "draft-ietf-pce-pceps@ietf.org" <draft-ietf-pce-pceps@ietf.org>, "pce@ietf.org" <pce@ietf.org>, The IESG <iesg@ietf.org>, "pce-chairs@ietf.org" <pce-chairs@ietf.org>, "cmargaria@juniper.net" <cmargaria@juniper.net>
Thread-Topic: [Pce] Alexey Melnikov's Discuss on draft-ietf-pce-pceps-15: (with DISCUSS and COMMENT)
Thread-Index: AQHTDEAWa0wCnLOXH0eQPSyn6ZYwFaJyejWw///Q9QCAAYO08IAB3NgAgANLs0D//7ZbAIABnrxA///IBIAADExgAA==
Date: Tue, 08 Aug 2017 13:40:33 +0000
Message-ID: <23CE718903A838468A8B325B80962F9B8CB99D93@blreml501-mbb>
References: <150175472723.9824.8664411936101979517.idtracker@ietfa.amsl.com> <23CE718903A838468A8B325B80962F9B8CB9867E@blreml501-mbb> <1501768430.1127539.1062021760.5848DD02@webmail.messagingengine.com> <23CE718903A838468A8B325B80962F9B8CB98DC9@blreml501-mbb> <CABcZeBOE_3QggT0PiojJOCR=mYnPN1_B=1efBLvMuU5ukG9wDg@mail.gmail.com> <23CE718903A838468A8B325B80962F9B8CB99517@blreml501-mbb> <CABcZeBOCnEi4JS+NQ9NSjxf_1DEJEyOwaOSHPaMG-+=FmBn0=A@mail.gmail.com> <23CE718903A838468A8B325B80962F9B8CB99B99@blreml501-mbb> <CABcZeBO4bpFv7rHd-OsaxJ59gc=ke_qmJXOrp0aCo-tZqMZxZw@mail.gmail.com>
In-Reply-To: <CABcZeBO4bpFv7rHd-OsaxJ59gc=ke_qmJXOrp0aCo-tZqMZxZw@mail.gmail.com>
Accept-Language: en-GB, zh-CN, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.18.78.239]
Content-Type: multipart/alternative; boundary="_000_23CE718903A838468A8B325B80962F9B8CB99D93blreml501mbb_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A020205.5989BF5F.0013, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=0.0.0.0, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: 2584350350601a73558ae0ccd163daa1
Archived-At: <https://mailarchive.ietf.org/arch/msg/pce/RihqeFyGcSp02JR3riq5x-lf7AE>
Subject: Re: [Pce] Alexey Melnikov's Discuss on draft-ietf-pce-pceps-15: (with DISCUSS and COMMENT)
X-BeenThere: pce@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Path Computation Element <pce.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pce>, <mailto:pce-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pce/>
List-Post: <mailto:pce@ietf.org>
List-Help: <mailto:pce-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pce>, <mailto:pce-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Aug 2017 13:40:54 -0000
Hi Eric, From: Eric Rescorla [mailto:ekr@rtfm.com] Sent: 08 August 2017 18:18 To: Dhruv Dhody <dhruv.dhody@huawei.com> Cc: Alexey Melnikov <aamelnikov@fastmail.fm>; draft-ietf-pce-pceps@ietf.org; pce@ietf.org; The IESG <iesg@ietf.org>; pce-chairs@ietf.org; cmargaria@juniper.net Subject: Re: [Pce] Alexey Melnikov's Discuss on draft-ietf-pce-pceps-15: (with DISCUSS and COMMENT) On Tue, Aug 8, 2017 at 4:01 AM, Dhruv Dhody <dhruv.dhody@huawei.com<mailto:dhruv.dhody@huawei.com>> wrote: Hi Eric, From: Eric Rescorla [mailto:ekr@rtfm.com<mailto:ekr@rtfm.com>] Sent: 07 August 2017 20:54 To: Dhruv Dhody <dhruv.dhody@huawei.com<mailto:dhruv.dhody@huawei.com>> Cc: Alexey Melnikov <aamelnikov@fastmail.fm<mailto:aamelnikov@fastmail.fm>>; draft-ietf-pce-pceps@ietf.org<mailto:draft-ietf-pce-pceps@ietf.org>; pce@ietf.org<mailto:pce@ietf.org>; The IESG <iesg@ietf.org<mailto:iesg@ietf.org>>; pce-chairs@ietf.org<mailto:pce-chairs@ietf.org>; cmargaria@juniper.net<mailto:cmargaria@juniper.net> Subject: Re: [Pce] Alexey Melnikov's Discuss on draft-ietf-pce-pceps-15: (with DISCUSS and COMMENT) On Mon, Aug 7, 2017 at 7:41 AM, Dhruv Dhody <dhruv.dhody@huawei.com<mailto:dhruv.dhody@huawei.com>> wrote: Hi Eric, From: Eric Rescorla [mailto:ekr@rtfm.com<mailto:ekr@rtfm.com>] Sent: 05 August 2017 22:58 To: Dhruv Dhody <dhruv.dhody@huawei.com<mailto:dhruv.dhody@huawei.com>> Cc: Alexey Melnikov <aamelnikov@fastmail.fm<mailto:aamelnikov@fastmail.fm>>; The IESG <iesg@ietf.org<mailto:iesg@ietf.org>>; cmargaria@juniper.net<mailto:cmargaria@juniper.net>; draft-ietf-pce-pceps@ietf.org<mailto:draft-ietf-pce-pceps@ietf.org>; pce@ietf.org<mailto:pce@ietf.org>; pce-chairs@ietf.org<mailto:pce-chairs@ietf.org> Subject: Re: [Pce] Alexey Melnikov's Discuss on draft-ietf-pce-pceps-15: (with DISCUSS and COMMENT) On Fri, Aug 4, 2017 at 11:41 AM, Dhruv Dhody <dhruv.dhody@huawei.com<mailto:dhruv.dhody@huawei.com>> wrote: Hi Alexey, > -----Original Message----- > From: Alexey Melnikov [mailto:aamelnikov@fastmail.fm<mailto:aamelnikov@fastmail.fm>] > Sent: 03 August 2017 19:24 > To: Dhruv Dhody <dhruv.dhody@huawei.com<mailto:dhruv.dhody@huawei.com>>; The IESG <iesg@ietf.org<mailto:iesg@ietf.org>> > Cc: cmargaria@juniper.net<mailto:cmargaria@juniper.net>; draft-ietf-pce-pceps@ietf.org<mailto:draft-ietf-pce-pceps@ietf.org>; pce@ietf.org<mailto:pce@ietf.org>; > pce-chairs@ietf.org<mailto:pce-chairs@ietf.org> > Subject: Re: [Pce] Alexey Melnikov's Discuss on draft-ietf-pce-pceps-15: > (with DISCUSS and COMMENT) > > Hi, > > On Thu, Aug 3, 2017, at 02:36 PM, Dhruv Dhody wrote: > > Hi Alexey, > > > > Thanks for your comments, see inline... > > > > > -----Original Message----- > > > From: Pce [mailto:pce-bounces@ietf.org<mailto:pce-bounces@ietf.org>] On Behalf Of Alexey Melnikov > > > Sent: 03 August 2017 15:35 > > > To: The IESG <iesg@ietf.org<mailto:iesg@ietf.org>> > > > Cc: cmargaria@juniper.net<mailto:cmargaria@juniper.net>; draft-ietf-pce-pceps@ietf.org<mailto:draft-ietf-pce-pceps@ietf.org>; > > > pce@ietf.org<mailto:pce@ietf.org>; pce-chairs@ietf.org<mailto:pce-chairs@ietf.org> > > > Subject: [Pce] Alexey Melnikov's Discuss on draft-ietf-pce-pceps-15: > > > (with DISCUSS and COMMENT) > > > > > > Alexey Melnikov has entered the following ballot position for > > > draft-ietf-pce-pceps-15: Discuss > > > -------------------------------------------------------------------- > > > -- > > > DISCUSS: > > > -------------------------------------------------------------------- > > > -- > > > > > > I am very glad to see this document and I will be switching to "Yes" > > > once we discuss the following issues: > > > > > > 1) > > > +-+-+ +-+-+ > > > |PCC| |PCE| > > > +-+-+ +-+-+ > > > | | > > > | StartTLS | > > > | msg | > > > |------- | > > > | \ StartTLS | > > > | \ msg | > > > | \ ---------| > > > | \/ | > > > | /\ | > > > | / -------->| > > > | / | > > > |<------ | > > > |:::::::::TLS:::::::::| TLS Establishment > > > |:::::Establishment:::| Failure > > > | | > > > |<--------------------| Send Error-Type TBA2 > > > | PCErr | Error-Value 3/4 > > > | | > > > > > > Figure 2: Both PCEP Speaker supports PCEPS (strict), but cannot > > > establish TLS > > > > > > Firstly, I think you also need to demonstrate a case when the server > > > end of TLS is refusing to startTLS before trying TLS negotiation > > > (e.g. if it doesn't have certificate configured). In this case you > > > need to send PCErr in the clear. I think earlier text suggest that > this case is possible. > > > > > [[Dhruv Dhody]] No, the only error to StartTLS is by an implementation > > that does not understand the message. > > In case certificate is not configured we would start TLS negotiation, > > which would fail. > > I think you should clarify this. > > I have implemented StartTLS in both IMAP and LDAP and this is not > necessarily how it works there: before TLS negotiation starts it is > possible for the server end to reject negotiation in cleartext. > [[Dhruv Dhody]] Error can be added here, More on this, see reply below. > > > Secondly, does the case depicted on this picture mean that TLS was > > > negotiated successfully, but TLS identities were not successfully > verified? > > > (I.e. the PCErr is sent over the TLS layer). If TLS failed to > > > negotiate, you don't have a channel to send data on, as the other > > > end will get confused. I think you just have to close connection in > such case. > > > > > [[Dhruv Dhody]] No, the PCErr is sent in clear over the TCP connection > > (underlying transport). > > EKR also made a similar point. I updated the text to include this - > > > > Note that, the PCEP implementation MUST send the PCErr message once > > the TLS connection has been closed i.e. the TLS close_notify > > [RFC5246] has been received from the peer. As per [RFC5246], if the > > data may be carried over the underlying transport after the TLS > > connection is closed, the TLS implementation must receive the > > responding close_notify alert before indicating to the application > > layer that the TLS connection has ended. > > Hmm, I am not sure this will ever work. I know that implementations of TLS > in other protocols I worked on can't read any cleartext TCP data after TLS > has failed. > [[Dhruv Dhody]] One way to resolve this issue would be we move these errors from after TLS negotiation to before it, so that they become the response to StartTLS as suggested by your previous comment. We would not be sending error in clear text in case of TLS negotiation failure. So basically the change would look something like - OLD: After the exchange of StartTLS messages, if a PCEP speaker cannot establish a TLS connection for some reason (e.g. the required mechanisms for certificate revocation checking are not available), it MUST return a PCErr message (in clear) with Error-Type set to [TBA2 by IANA] (PCEP StartTLS failure) and Error-value set to: o 3 (not without TLS) if it is not willing to exchange PCEP messages without the solicited TLS connection, and it MUST close the TCP session. o 4 (ok without TLS) if it is willing to exchange PCEP messages without the solicited TLS connection, and it MUST close the TCP session. The receiver MAY choose to attempt to re-establish the PCEP session without TLS next. The attempt to re-establish the PCEP session without TLS SHOULD be limited to only once. NEW: If a PCEP speaker that is unwilling or unable to negotiate TLS receives a StartTLS messages, it MUST return a PCErr message (in clear) with Error-Type set to [TBA2 by IANA] (PCEP StartTLS failure) and Error-value set to: o 3 (not without TLS) if it is not willing to exchange PCEP messages without the solicited TLS connection, and it MUST close the TCP session. o 4 (ok without TLS) if it is willing to exchange PCEP messages without the solicited TLS connection, and it MUST close the TCP session. The receiver MAY choose to attempt to re-establish the PCEP session without TLS next. The attempt to re-establish the PCEP session without TLS SHOULD be limited to only once. After the exchange of StartTLS messages, if the TLS negotiation fails for some reason (e.g. the required mechanisms for certificate revocation checking are not available), both peers SHOULD immediately close the connection. Since the initiator has no way to know if the peer is willing to accept PCEP connection without TLS, based on the local policy, it MAY attempt to re-establish the PCEP session without TLS. The attempt to re-establish the PCEP session without TLS SHOULD be limited to only once. This will technically work, but is there a reason you don't specify a parameter to STARTTLS which expresses your policy? -Ekr [[[Dhruv Dhody]]] It could be done that way as well, but at this late stage we should avoid making a change that would require adding a new PCEP object. As there is no way to add this in current StartTLS message encoding. This is still an I-D, right? Are there any fielded implementations? -Ekr [[Dhruv Dhody]] There are implementations, not sure if they qualify as “fielded”. Do you feel strongly about making the change? It seems like it would clean up a number of confusing issues in your draft, so I'd like to understand why the WG didn't do it. -Ekr [[[Dhruv Dhody]]] Well to be frank, since it was not proposed, WG did not consider it :) As an author, while referencing StartTLS work in other protocols we did not see such a consideration either, and we ended up with the PCEP error mechanism to convey the information. While the requested change may simplify a few things, but it would also require adding a new section for a new PCEP object - StartTLS object (as unfortunately there is no way to carry the information in the current message/objects). As an editor I am shying away from making a change if the benefit is not big (maybe my biased view) but as an AD if you feel this is required, we would make the change. Thanks for your continued discussion. Regards, Dhruv Regards, Dhruv Regards, Dhruv Working version: https://github.com/dhruvdhody-huawei/ietf/blob/master/draft-ietf-pce-pceps-16.txt Diff: https://tools.ietf.org/rfcdiff?url1=draft-ietf-pce-pceps-15&url2=https://raw.githubusercontent.com/dhruvdhody-huawei/ietf/master/draft-ietf-pce-pceps-16.txt Regards, Dhruv > > > So maybe you need 3 figures describing the above 3 cases.
- [Pce] Alexey Melnikov's Discuss on draft-ietf-pce… Alexey Melnikov
- Re: [Pce] Alexey Melnikov's Discuss on draft-ietf… Dhruv Dhody
- Re: [Pce] Alexey Melnikov's Discuss on draft-ietf… Alexey Melnikov
- Re: [Pce] Alexey Melnikov's Discuss on draft-ietf… Dhruv Dhody
- Re: [Pce] Alexey Melnikov's Discuss on draft-ietf… Eric Rescorla
- Re: [Pce] Alexey Melnikov's Discuss on draft-ietf… Dhruv Dhody
- Re: [Pce] Alexey Melnikov's Discuss on draft-ietf… Eric Rescorla
- Re: [Pce] Alexey Melnikov's Discuss on draft-ietf… Dhruv Dhody
- Re: [Pce] Alexey Melnikov's Discuss on draft-ietf… Eric Rescorla
- Re: [Pce] Alexey Melnikov's Discuss on draft-ietf… Dhruv Dhody