Re: [Pce] Ben Campbell's Discuss on draft-ietf-pce-pceps-15: (with DISCUSS and COMMENT)
Dhruv Dhody <dhruv.dhody@huawei.com> Thu, 03 August 2017 13:36 UTC
Return-Path: <dhruv.dhody@huawei.com>
X-Original-To: pce@ietfa.amsl.com
Delivered-To: pce@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9ADC5132020; Thu, 3 Aug 2017 06:36:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.222
X-Spam-Level:
X-Spam-Status: No, score=-4.222 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e8VEcrVZU5T3; Thu, 3 Aug 2017 06:36:01 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC72D132037; Thu, 3 Aug 2017 06:35:42 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml707-cah.china.huawei.com) ([172.18.7.190]) by lhrrg01-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id DSQ66114; Thu, 03 Aug 2017 13:35:40 +0000 (GMT)
Received: from BLREML405-HUB.china.huawei.com (10.20.4.41) by lhreml707-cah.china.huawei.com (10.201.108.48) with Microsoft SMTP Server (TLS) id 14.3.301.0; Thu, 3 Aug 2017 14:35:39 +0100
Received: from BLREML501-MBB.china.huawei.com ([10.20.5.200]) by BLREML405-HUB.china.huawei.com ([10.20.4.41]) with mapi id 14.03.0301.000; Thu, 3 Aug 2017 19:05:30 +0530
From: Dhruv Dhody <dhruv.dhody@huawei.com>
To: 'Ben Campbell' <ben@nostrum.com>, The IESG <iesg@ietf.org>
CC: "cmargaria@juniper.net" <cmargaria@juniper.net>, "draft-ietf-pce-pceps@ietf.org" <draft-ietf-pce-pceps@ietf.org>, "pce@ietf.org" <pce@ietf.org>, "pce-chairs@ietf.org" <pce-chairs@ietf.org>
Thread-Topic: [Pce] Ben Campbell's Discuss on draft-ietf-pce-pceps-15: (with DISCUSS and COMMENT)
Thread-Index: AQHTC+GeKMusC97gUUWSIE/gjuf8xaJyV6tg
Date: Thu, 03 Aug 2017 13:35:30 +0000
Message-ID: <23CE718903A838468A8B325B80962F9B8CB98665@blreml501-mbb>
References: <150171415228.5759.6042228213633458080.idtracker@ietfa.amsl.com>
In-Reply-To: <150171415228.5759.6042228213633458080.idtracker@ietfa.amsl.com>
Accept-Language: en-GB, zh-CN, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.18.79.10]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A090205.598326AD.00A0, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=0.0.0.0, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: 8e93995a2716fdc84cdb4652f3e38ce5
Archived-At: <https://mailarchive.ietf.org/arch/msg/pce/_BRV9Uu2MVfVDGiHYSHCYfktTJ8>
Subject: Re: [Pce] Ben Campbell's Discuss on draft-ietf-pce-pceps-15: (with DISCUSS and COMMENT)
X-BeenThere: pce@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Path Computation Element <pce.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pce>, <mailto:pce-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pce/>
List-Post: <mailto:pce@ietf.org>
List-Help: <mailto:pce-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pce>, <mailto:pce-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Aug 2017 13:36:04 -0000
Hi Ben, Thanks for your review. See inline.. > -----Original Message----- > From: Pce [mailto:pce-bounces@ietf.org] On Behalf Of Ben Campbell > Sent: 03 August 2017 04:19 > To: The IESG <iesg@ietf.org> > Cc: cmargaria@juniper.net; draft-ietf-pce-pceps@ietf.org; pce@ietf.org; > pce-chairs@ietf.org > Subject: [Pce] Ben Campbell's Discuss on draft-ietf-pce-pceps-15: (with > DISCUSS and COMMENT) > > Ben Campbell has entered the following ballot position for > draft-ietf-pce-pceps-15: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-pce-pceps/ > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > -3.4, step 2: "Peer validation always SHOULD include a check on whether > the locally configured expected DNS name or IP address of > the peer that is contacted matches its presented > certificate." > > Why is that not a MUST? As it is, this need to at least discuss the risks > involved if you don't check the identity of the peer cert (here or in the > security considerations.) > [[Dhruv Dhody]] Reworded to say - + Implementations MUST follow the rules and guidelines for peer validation as defined in [RFC6125]. If an expected DNS name or IP address for the peer is configured, then the implementations MUST check them against the values in the presented certificate. > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Substantive: > > - I share Warren's question about why you chose STARTTLS over a dedicated > port, especially since the 2nd to last paragraph in 3.2 goes out of its > way to mention that. What were the tradeoffs involved that made adding the > additional protocol machinery more attractive than allocating a port > number? > [[Dhruv Dhody]] I have added this text - This document uses the standard StartTLS procedure in PCEP, instead of using a different port for the secured session. This is done to avoid requesting allocation of another port number for the PCEPS. The StartTLS procedure makes more efficient use of scarce port numbers and allow simpler configuration of PCEP. > - 3.2: "Implementations MUST support SHA-256 as defined by [SHS] as > the hash algorithm for the fingerprint." > Do you really intend "MUST support" (meaning you have to be able to handle > sha-256, but could allow other hashes) vs "MUST use"? > [[Dhruv Dhody]] Yes, additional hash algorithm MAY also be supported/used. > - 3.5: "Implementations > that want to support a wide variety of trust models SHOULD expose as > many details of the presented certificate to the administrator as > possible > so that the trust model can be implemented by the administrator." > "as much as possible" is pretty vague for the a 2119 SHOULD. Since the > following sentences also include a SHOULD along with considerably more > detail, I suggest dropping the SHOULD in this sentence, and leaving the > one in the following sentence. > [[Dhruv Dhody]] Ack. > - 3.6: Is the exponential backoff requirement part of the procedures in > 5440? > The wording suggests that it is not. If so, it needs elaboration here. > [[Dhruv Dhody]] It is part of RFC5440, text updated to - The initiator SHOULD follow the procedure listed in [RFC5440] to retry session setup as per the exponential back-off session establishment retry procedure. > Editorial: > > - 3.2, paragraph 8: s/"... PCE MUST responds with..."/ "...PCE MUST > respond with..." > [[Dhruv Dhody]] Ack > - 3.4 : "Negotiation of mutual authentication is REQUIRED." > Does that mean that the peers must elect to use mutual authentication, or > that if they want to use it, they must agree to do so? (The pattern > persists throughout the section, but the meaning seems more obvious for > some of the > others.) > [[Dhruv Dhody]] I am also not sure, this was added keeping RFC6614 as our reference. Since TLS supports multiple authentication mode, this might be a say mutual as well as server-only authentication should be supported. But not sure about the word negotiation here. I think we can remove this statement, will do so once you confirm. > -3.5, 2nd to last paragraph: Please don't use 2119 keywords to describe > pre-existing or external requirements. They should be reserved for the > authoritative specification of a given requirement. > [[Dhruv Dhody]] Ack. Updated. > -5, 2nd paragraph: The first sentence does not make sense. > [[Dhruv Dhody]] Ack. Updated. Regards, Dhruv > > _______________________________________________ > Pce mailing list > Pce@ietf.org > https://www.ietf.org/mailman/listinfo/pce
- [Pce] Ben Campbell's Discuss on draft-ietf-pce-pc… Ben Campbell
- Re: [Pce] Ben Campbell's Discuss on draft-ietf-pc… Dhruv Dhody
- Re: [Pce] Ben Campbell's Discuss on draft-ietf-pc… Ben Campbell
- Re: [Pce] Ben Campbell's Discuss on draft-ietf-pc… Dhruv Dhody
- Re: [Pce] Ben Campbell's Discuss on draft-ietf-pc… Ben Campbell
- Re: [Pce] Ben Campbell's Discuss on draft-ietf-pc… Dhruv Dhody
- Re: [Pce] Ben Campbell's Discuss on draft-ietf-pc… Ben Campbell