Re: [Pce] Eric Rescorla's Discuss on draft-ietf-pce-rfc6006bis-03: (with DISCUSS)
Dhruv Dhody <dhruv.dhody@huawei.com> Thu, 31 August 2017 06:37 UTC
Return-Path: <dhruv.dhody@huawei.com>
X-Original-To: pce@ietfa.amsl.com
Delivered-To: pce@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD44A1321AE; Wed, 30 Aug 2017 23:37:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.22
X-Spam-Level:
X-Spam-Status: No, score=-4.22 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ri3nnRStWemq; Wed, 30 Aug 2017 23:37:15 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 76BA613218F; Wed, 30 Aug 2017 23:37:14 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml704-cah.china.huawei.com) ([172.18.7.190]) by lhrrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id DNQ55355; Thu, 31 Aug 2017 06:37:12 +0000 (GMT)
Received: from BLREML701-CAH.china.huawei.com (10.20.4.170) by lhreml704-cah.china.huawei.com (10.201.108.45) with Microsoft SMTP Server (TLS) id 14.3.301.0; Thu, 31 Aug 2017 07:37:11 +0100
Received: from BLREML501-MBX.china.huawei.com ([10.20.5.198]) by blreml701-cah.china.huawei.com ([::1]) with mapi id 14.03.0301.000; Thu, 31 Aug 2017 12:06:58 +0530
From: Dhruv Dhody <dhruv.dhody@huawei.com>
To: Eric Rescorla <ekr@rtfm.com>, The IESG <iesg@ietf.org>
CC: "draft-ietf-pce-rfc6006bis@ietf.org" <draft-ietf-pce-rfc6006bis@ietf.org>, "pce@ietf.org" <pce@ietf.org>, "pce-chairs@ietf.org" <pce-chairs@ietf.org>
Thread-Topic: [Pce] Eric Rescorla's Discuss on draft-ietf-pce-rfc6006bis-03: (with DISCUSS)
Thread-Index: AQHTIemYlPnoklGpikO+FkbXiWyMaaKd+HEQ
Date: Thu, 31 Aug 2017 06:36:58 +0000
Message-ID: <23CE718903A838468A8B325B80962F9B8CBBD650@blreml501-mbx>
References: <150413650442.16888.3965748412519528441.idtracker@ietfa.amsl.com>
In-Reply-To: <150413650442.16888.3965748412519528441.idtracker@ietfa.amsl.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.18.149.39]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A020206.59A7AE99.002D, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=0.0.0.0, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: 2509447d0b6db33b0adad349c116f733
Archived-At: <https://mailarchive.ietf.org/arch/msg/pce/YHZzzp8W19WP_KNV-9b3FyUYR1E>
Subject: Re: [Pce] Eric Rescorla's Discuss on draft-ietf-pce-rfc6006bis-03: (with DISCUSS)
X-BeenThere: pce@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Path Computation Element <pce.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pce>, <mailto:pce-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pce/>
List-Post: <mailto:pce@ietf.org>
List-Help: <mailto:pce-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pce>, <mailto:pce-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Aug 2017 06:37:18 -0000
Hi Eric, > -----Original Message----- > From: Pce [mailto:pce-bounces@ietf.org] On Behalf Of Eric Rescorla > Sent: 31 August 2017 05:12 > To: The IESG <iesg@ietf.org> > Cc: draft-ietf-pce-rfc6006bis@ietf.org; pce@ietf.org; pce-chairs@ietf.org > Subject: [Pce] Eric Rescorla's Discuss on draft-ietf-pce-rfc6006bis-03: > (with DISCUSS) > > Eric Rescorla has entered the following ballot position for > draft-ietf-pce-rfc6006bis-03: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-pce-rfc6006bis/ > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > The Security Considerations is worrisome, as it points to RFC 5440; > Section 10.2, which basically recommends TCP-MD5: > > At the time of writing, TCP-MD5 [RFC2385] is the only available > security mechanism for securing the TCP connections that underly PCEP > sessions. > > As explained in [RFC2385], the use of MD5 faces some limitations and > does not provide as high a level of security as was once believed. A > PCEP implementation supporting TCP-MD5 SHOULD be designed so that > stronger security keying techniques or algorithms that may be > specified for TCP can be easily integrated in future releases. > > The TCP Authentication Option [TCP-AUTH] (TCP-AO) specifies new > security procedures for TCP, but is not yet complete. Since it is > believed that [TCP-AUTH] will offer significantly improved security > for applications using TCP, implementers should expect to update > their implementation as soon as the TCP Authentication Option is > published as an RFC. > > Implementations MUST support TCP-MD5 and should make the security > function available as a configuration option. > > TCP-AO has now been published as an RFC for quite some time, so it's > probably not really appropriate to just point to a document which > recommends TCP-MD5. > [[Dhruv Dhody]] Let me know if this change is okay - OLD: 5. Security Considerations As described in [RFC5862], P2MP path computation requests are more CPU-intensive and also utilize more link bandwidth. In the event of an unauthorized P2MP path computation request, or a denial of service attack, the subsequent PCEP requests and processing may be disruptive to the network. Consequently, it is important that implementations conform to the relevant security requirements of [RFC5440] that specifically help to minimize or negate unauthorized P2MP path computation requests and denial of service attacks. These mechanisms include: o Securing the PCEP session requests and responses using TCP security techniques (Section 10.2 of [RFC5440]). o Authenticating the PCEP requests and responses to ensure the message is intact and sent from an authorized node (Section 10.3 of [RFC5440]). o Providing policy control by explicitly defining which PCCs, via IP access-lists, are allowed to send P2MP path requests to the PCE (Section 10.6 of [RFC5440]). PCEP operates over TCP, so it is also important to secure the PCE and PCC against TCP denial of service attacks. Section 10.7.1 of [RFC5440] outlines a number of mechanisms for minimizing the risk of TCP based denial of service attacks against PCEs and PCCs. PCEP implementations SHOULD consider the additional security provided by Transport Layer Security (TLS) [I-D.ietf-pce-pceps]. NEW: 5. Security Considerations As described in [RFC5862], P2MP path computation requests are more CPU-intensive and also utilize more link bandwidth. In the event of an unauthorized P2MP path computation request, or a denial of service attack, the subsequent PCEP requests and processing may be disruptive to the network. Consequently, it is important that implementations conform to the relevant security requirements that specifically help to minimize or negate unauthorized P2MP path computation requests and denial of service attacks. These mechanisms include: o Securing the PCEP session requests and responses using TCP security techniques such as TCP Authentication Option (TCP-AO) [RFC5925] or using Transport Layer Security (TLS) [I-D.ietf-pce- pceps], as per the recommendations and best current practices in [RFC7525]. o Authenticating the PCEP requests and responses to ensure the message is intact and sent from an authorized node using TCP-AO or TLS. o Providing policy control by explicitly defining which PCCs, via IP access-lists, are allowed to send P2MP path requests to the PCE (Section 10.6 of [RFC5440]). PCEP operates over TCP, so it is also important to secure the PCE and PCC against TCP denial of service attacks. Section 10.7.1 of [RFC5440] outlines a number of mechanisms for minimizing the risk of TCP based denial of service attacks against PCEs and PCCs. END Thanks, Dhruv > > > > _______________________________________________ > Pce mailing list > Pce@ietf.org > https://www.ietf.org/mailman/listinfo/pce
- [Pce] Eric Rescorla's Discuss on draft-ietf-pce-r… Eric Rescorla
- Re: [Pce] Eric Rescorla's Discuss on draft-ietf-p… Dhruv Dhody
- Re: [Pce] Eric Rescorla's Discuss on draft-ietf-p… Eric Rescorla
- Re: [Pce] Eric Rescorla's Discuss on draft-ietf-p… Dhruv Dhody