[Pce] Secdir last call review of draft-ietf-pce-association-diversity-10

Rifaat Shekh-Yusef via Datatracker <noreply@ietf.org> Sun, 13 October 2019 11:53 UTC

From: Rifaat Shekh-Yusef via Datatracker <noreply@ietf.org>
To: <secdir@ietf.org>
Cc: pce@ietf.org, ietf@ietf.org, draft-ietf-pce-association-diversity.all@ietf.org
Reply-To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Message-ID: <157096761403.20776.1628036131569931986@ietfa.amsl.com>
Date: Sun, 13 Oct 2019 04:53:34 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/pce/a5zKV_RPBLYow0zR3UmKAjYxuf8>
Subject: [Pce] Secdir last call review of draft-ietf-pce-association-diversity-10

Reviewer: Rifaat Shekh-Yusef
Review result: Ready

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

The summary of the review is Ready.

This document adds a new extension to the PCEP protocol to allow a PCC
to request the PCE to make sure that an LSP belongs to a disjoint group.

The PCEP is an existing protocol with well-defined security properties, 
and this document builds on that. The security section discusses the 
consequences if this new mechanism is abused and the attacker is able 
to inject a fake LSP into a disjoint group. The security section also 
discusses the potential leak of non-sensitive information and the fact 
that this new mechanism could make it easier for the attacker to obtain
this information if the protocol is not secured properly.

The document thus recommends the use of TLS to secure the interface between
the PCC and the PCE to address the above potential issues.