IETF Logo Mail Archive

Re: [Pce] PCE WG Last Call - draft-ietf-pce-pceps-04

t.petch <ietfc@btconnect.com> Sat, 14 November 2015 12:49 UTC

Return-Path: <ietfc@btconnect.com>
X-Original-To: pce@ietfa.amsl.com
Delivered-To: pce@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 156881B68DB for <pce@ietfa.amsl.com>; Sat, 14 Nov 2015 04:49:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.799
X-Spam-Level:
X-Spam-Status: No, score=0.799 tagged_above=-999 required=5 tests=[BAYES_50=0.8, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3UoOE3UbyeHR for <pce@ietfa.amsl.com>; Sat, 14 Nov 2015 04:49:32 -0800 (PST)
Received: from emea01-am1-obe.outbound.protection.outlook.com (mail-am1on0791.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe00::791]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 185161B68D7 for <pce@ietf.org>; Sat, 14 Nov 2015 04:49:30 -0800 (PST)
Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=ietfc@btconnect.com;
Received: from pc6 (86.185.87.133) by AMSPR07MB049.eurprd07.prod.outlook.com (10.242.81.11) with Microsoft SMTP Server (TLS) id 15.1.325.17; Sat, 14 Nov 2015 12:49:12 +0000
Message-ID: <01ea01d11eda$b1243920$4001a8c0@gateway.2wire.net>
From: "t.petch" <ietfc@btconnect.com>
To: DIEGO LOPEZ GARCIA <diego.r.lopez@telefonica.com>, pce@ietf.org
References: <23CE718903A838468A8B325B80962F9B8C435C02@BLREML509-MBX.china.huawei.com> <00bb01d1172a$1fcc4100$4001a8c0@gateway.2wire.net> <B46D90DD-D634-4832-90F5-1A9DC1E45760@telefonica.com>
Date: Sat, 14 Nov 2015 12:47:49 +0000
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Originating-IP: [86.185.87.133]
X-ClientProxiedBy: DB3PR05CA0014.eurprd05.prod.outlook.com (25.160.41.142) To AMSPR07MB049.eurprd07.prod.outlook.com (10.242.81.11)
X-Microsoft-Exchange-Diagnostics: 1; AMSPR07MB049; 2:qyBd1yKMFtqmBsoQ6xvKKu2WdJm8TLgP6uJ6IU5Xof4JgGgT32BG2c1PFN2BK514E5RM4Qo5nbW69oJknZPXlWPZ0C4l9ou7/OJToFsgEuf5JBukjgbzINT7cjkVUPPwH9UI3YYztG6NYBADXiIdL/uf/ykqXSPcpog0s7Te3Wk=; 3:L0DIYmQL62fqhz2YBv9VBCcEX/G8W4FGe7/ZPDgBV2CQ2wAjDT66S/cL2DKdIRiK/fOc9hUKNCzMMp5Z5A8IX71Zuoo+zXt3L+wMa/qMTSLDoZ4lr3jK6kMbs/rC91mvOYE3LNTiY6QK4Ft+LJz69g==; 25:SQ43hep/3ahmA2Jf5caoMyGoE7AmdQRz8O/KDhpnFgl5XukJLW5jQwUMOGPWlW7XZ6QyUbgrpU3PMK4BDggS82PuuGmZ4RTgNp2iesJz3Zgs6wlS4Pa5rVtejDrBFsd9IbNNWpYAtqpQDMXv1dgY92FxYCJ7jc0/MTPyGWdBbShFarlXwzAjLqKNUie+w0pfxPnuLcmK6Fnpa33YJmcBaoesTIgxgBa8EH8IRYHqysG2bFFR2R3SK9trSqB6/QQ95s/vtFDBYC90jXVl24v1gg==
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:AMSPR07MB049;
X-Microsoft-Antispam-PRVS: <AMSPR07MB0498719273476791DF78BCDA0100@AMSPR07MB049.eurprd07.prod.outlook.com>
X-Exchange-Antispam-Report-Test: UriScan:(178726229863574)(40392960112811);
X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(601004)(2401047)(520078)(5005006)(8121501046)(10201501046)(3002001); SRVR:AMSPR07MB049; BCL:0; PCL:0; RULEID:; SRVR:AMSPR07MB049;
X-Microsoft-Exchange-Diagnostics: 1; AMSPR07MB049; 4:CtrNZYBDTbxpEDYq7BHKjaj4czxbXncvACDtPg22SGZxYpQyA/ttRwm0wKbuH8m7mkg1aZd6a0NR2zfn5Q+NRutMLlYIowRuLMSJ5Y1E7eDCAFF38PJrAdK0XyXe3+0ujMjEcGWMCslJTUcJ8dskLvmI+0s2oGzHj0tbRZmUfUhA9YYZytyR0Ad6PLdAjXYtYZ0adik+jfKfGNZxwjnz53o4qxDWJF+u+c0EaxDDjrise87iaeNWvjKiQePtLaG+LBnnvAOHJ+OnI3phdMnt9fKan4pd+psjkBBgakNJ71/hznYxsEsCEWwhZ87zwJvxJPalWSD5/+9VurgZfND0lkQpGDNq8ImlZoP1lXryGmzPQoiOm4PmnOSZ+fXK2tC4
X-Forefront-PRVS: 07607ED19A
X-Forefront-Antispam-Report: SFV:NSPM; SFS:(10019020)(6009001)(377454003)(25724002)(199003)(51914003)(189002)(24454002)(40134004)(252514010)(13464003)(10750500004)(551544002)(101416001)(5008740100001)(50986999)(44736004)(106356001)(50226001)(15975445007)(81686999)(62236002)(189998001)(81156007)(586003)(5001960100002)(19580405001)(1456003)(5001770100001)(97736004)(44716002)(19580395003)(107886002)(5007970100001)(122386002)(33646002)(87976001)(5004730100002)(10000500002)(105586002)(77096005)(92566002)(1556002)(76176999)(84392001)(47776003)(230783001)(116806002)(14496001)(50466002)(40100003)(81816999)(61296003)(42186005)(23676002)(86362001)(66066001)(74416001)(7726001); DIR:OUT; SFP:1102; SCL:1; SRVR:AMSPR07MB049; H:pc6; FPR:; SPF:None; PTR:InfoNoRecords; A:0; MX:1; LANG:en;
Received-SPF: None (protection.outlook.com: btconnect.com does not designate permitted sender hosts)
X-Microsoft-Exchange-Diagnostics: 1;AMSPR07MB049;23:et6FMNotm6K9aAlrP0TtySDCssi0ZFaDI/wWQgi20trgARy4YwgI1WjazAvrcku8+bicegxaB/ZXp7ksrwUdInMdHCm1jcL1TXT/ijQj04Hk4mG2xmdCvr/xzJNQSoTqWGWDY7QhuhaXzrnqh/n7upQnOIcrjUnyGGF1UxpVFXF3QI2hLWPaDpoVGXFLjOz/cLOrcVMB4c/WFmfXRWIea68Klb7Pgd9W6bhCpMDvwxYvUR7jx0DZeqir6N6/bwI1gVYoFUdMIxBnsSrbKgP81TfCrDmRmyEUxzMcYO+LK3c/46TKI3POPtR7pOt0K5Lf2lCmP7wybNXJ64/hdMFZzy37pJEnIwBG6asXjsyerTXtrqrrscqoZUHikZ0j+PsDDRj5ItxOCjVxWKAnerOU5D9Rw662NQMihOrX4xOUV0pYJsjHboXSdDsYU/Axu+y0f3cagrRZfKthofyFYbBB1qTpXXl+bVbj9pUcVpZHLYwWTAGkSR64ylh5emq4Erxf7ikyDNkpWfhfhPJ3lWi4I/1KOK2b11AOr5PlIgCZjcOhcnkOpjoeDvqjNT604+9BViNhlzxY3B03pSnRFQPiwQsYSrmlVOMeQg5EV5xj8oOF7Gpym906ofp/11tfJoydZ89zIYE/k9A+pMncZ0c1sIwY9Hoz/QypdSSWzRa+tW83YkTGAJRH6ldCYN62vQeJTU7GCjJaXVbcCbkgl5MbDDYqCLgsdGglUwrBJR+RY1lg1UWEN3fXoenV+ASgBr1GdJL5ji5fdgBTYd8qjMH2XPV0E11J1JWcHaI4yJ+5Swri4WYi0byxkEeq44mHHw66IbYNu0KkAPIYqMCEYDh+xPm4WM2itKVVw4TT53qYo8+tvdnd2xT/zOcyDtI+ysIFPFuKTTQuaHOb2mbSG5y0Z2hGfh7fl5XyrzN9h6DMuQRyFlb6UwSLu+5Zk+mNtbuRf6d3dMTim3xGtA8DIjdyLTbeE9aOo7R/ac2ZJzzaE9LKwK3/6E/9hLxgQ4A646dewR1UebPbPsdt5G8lkLRENcWA71a/ZyYAiRt5GTPt7wPMQ4iWosxk4+XA95hRZlS7sFSZPo63RSbMhgaPASlw9xpCFmBVsnIwI6OYugyUumr3OsQRslTEdnebcK3CZevezHO6p7eUZ+oY3aRnDuK2JUmstC/Z11Sgi9shS1jxdjsIcD/RH/e3H8DGr6r2/5SStjhyHDW7ZmqSjumvKZsmKV8nx1l6EhGGl5Bt8trPQdLjfsYq8tLc7cou8obrZ5DqowrupQsZqYmLngYXb+thPPZCgiwfaSY+VonIT11eX2EsA+qVQ9bzE39ydW11cA5Fa5lOPV6depGKPqrJC1zDpZEnBQdWnfOwrm1ZQbtkHYEP4DVHAhS2jSSSdKkBGSI1I5nQS27kZor71ZkJdK4a2fS96uBN4q9PSehBnZK53N5yQ7VDiJzZ7h6hBVC5AWFFHe3yLcvT/9wwZhLLkTQcJA==
X-Microsoft-Exchange-Diagnostics: 1; AMSPR07MB049; 5:XkXg1X1/p352ms2Z/rBZnpF5/04jl4cU2PubOtElcPRoTjDxmISXtG15tvqR7o+rq4uz6tOTGfX4Ghmk2vuwexO80oU8zOlGOtNnVu5d3wuExYmv6p1MkUuYzmwZFOX/guimIlRc14NyvU8Tcdfnyg==; 24:UcKYEGMUQuqH5GPQK5rFbhBTWE+6KGDWTOju0Jq+urCAk5xAFvXrLegBP3/RnNTy/I2D3nzGoYxPTGP3CTpHxS3Sz6wUV4FvAUE4Y7/o76c=; 20:KR8heIC4KqcXSC+p788qpKNQjwbtPZ82vI0lsZ5OSHGmrw6ZwbYQNjjzjBp5B2K7E95agG/eQNKBTkitwBClGQ==
SpamDiagnosticOutput: 1:23
SpamDiagnosticMetadata: NSPM
X-OriginatorOrg: btconnect.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 14 Nov 2015 12:49:12.8604 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AMSPR07MB049
Archived-At: <http://mailarchive.ietf.org/arch/msg/pce/a6hQPVV1ktsLTkyoR6dHo4bFGbg>
Subject: Re: [Pce] PCE WG Last Call - draft-ietf-pce-pceps-04
X-BeenThere: pce@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Path Computation Element <pce.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pce>, <mailto:pce-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pce/>
List-Post: <mailto:pce@ietf.org>
List-Help: <mailto:pce-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pce>, <mailto:pce-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Nov 2015 12:49:36 -0000

Picking up on the one point about the asymmetry of TLS, I agree that the
crypto is symmetric once the master key has been created.  The weakness
is the underlying assumption, at least when SSL started, that there is a
human sitting at the client end who can respond to messages about the
certificate being invalid (something my MUA offers me at least once a
day for the past week, for reasons I cannot divine) or any other hiccup
in the process prior to the establishment of the master key  You can
argue that almost all users haven't a clue about certificates and almost
all systems are configured by default to suppress any such messages, but
the technology is there for those who want adequate security, at least
when there is a human at the TLS client.

What I worry about with such as PCE is getting an adequate check of the
authentication, with a focus on how to validate certificates.  As I said
before, I have been involved with this with I-Ds on SNMP and Netconf and
have seen much arise, even at the IESG stage, with some comments that to
me seem misplaced; but as they are DISCUSS, they have to be taken
seriously.

So I value the early intervention of the Security Directorate to try and
fix such issues sooner, and so cheaper, rather than later.

Tom Petch

----- Original Message -----
From: "DIEGO LOPEZ GARCIA" <diego.r.lopez@telefonica.com>
To: <pce@ietf.org>
Sent: Monday, November 09, 2015 8:23 AM
Subject: Re: [Pce] PCE WG Last Call - draft-ietf-pce-pceps-04


> Hi Tom,
>
> Thanks for the review. We will update the draft text addressing your
comments and those we received form Cyril. Some notes inline below
>
> On 4 Nov 2015, at 19:55 , t.p.
<daedulus@btconnect.com<mailto:daedulus@btconnect.com>> wrote:
>
> s.3 At first, I was unsure whether or not both parties sent a
StartTLS.
> "The StartTLS message is a PCEP message sent by a PCC to a PCE and by
>   a PCE to a PCC " suggests both
> "Once the TCP connection has been successfully established, the first
>   message sent by the PCC to the PCE or  by the PCE to the PCC MUST be
> a
>   StartTLS message " suggests only one.
> Section 3.3 makes it clearer that both send it.  This is fine but I am
> unaware of any other protocol where this happens so I would suggest
> /or/and/ in that second sentence and expanding the earlier sentence
> OLD
>   2.  Initiating the TLS Procedures by the StartTLS message.
> NEW
>   2.  Initiating the TLS Procedures by the StartTLS message from PCE
to
> PCC and from PCC to PCE.
>
> DRL> You are right in the ambiguity and we will correct it as you
suggest.
>
> I focus on this because I was also looking to see which became TLS
> Client.  TLS is asymmetric, designed to authenticate a (HTTP) server
to
> a client.  Netconf (and SNMP), which I know better, struggled with
this
> because the key for Netconf is to authenticate the client to the
server,
> which TLS does not do so well. Posts on the TLS list suggest that
there
> are very few implementations of TLS client authentication, rather
> something else is done once the secure channel has been established.
>
> DRL> I’d not say there are few implementations, but that client
authentication is not commonly employed, especially in the web
environment where other mechanisms are preferred, like using a TLS
connection based on server authentication to retrieve password
credentials from the user… As far as I can tell, TLS is only asymmetric
in this requirement for authentication of both peers, as the crypto
exchanges become essentially equal if client authentication is required.
>
> So, do you care who is TLS client and who TLS server?  It will be
> interesting to see a security review of this.
>
> DRL> What we had in mind was that the natural approach taking into
account the structure of PCEP was to have the PCC peer acting as client
and the PCE acting as server. We’ll include a requirement in section 3.2
on this.  I do not see any security issue here, but we could certainly
request the UTA WG to make a review. I’d say this completely falls under
their area of interest.
>
> In passing, RFC7465 prohibits RC4 with TLS so I would think it
unlikely
> that
> "SHOULD support  TLS_RSA_WITH_RC4_128_SHA"  will be acceptable.
>
> DRL> Good catch. It will ve deleted in the coming version.
>
> Be goode,
>
> --
> "Esta vez no fallaremos, Doctor Infierno"
>
> Dr Diego R. Lopez
> Telefonica I+D
> http://people.tid.es/diego.lopez/
>
> e-mail: diego.r.lopez@telefonica.com
> Tel:    +34 913 129 041
> Mobile: +34 682 051 091
> ----------------------------------
>
>
> ________________________________
>
> Este mensaje y sus adjuntos se dirigen exclusivamente a su
destinatario, puede contener información privilegiada o confidencial y
es para uso exclusivo de la persona o entidad de destino. Si no es
usted. el destinatario indicado, queda notificado de que la lectura,
utilización, divulgación y/o copia sin autorización puede estar
prohibida en virtud de la legislación vigente. Si ha recibido este
mensaje por error, le rogamos que nos lo comunique inmediatamente por
esta misma vía y proceda a su destrucción.
>
> The information contained in this transmission is privileged and
confidential information intended only for the use of the individual or
entity named above. If the reader of this message is not the intended
recipient, you are hereby notified that any dissemination, distribution
or copying of this communication is strictly prohibited. If you have
received this transmission in error, do not read it. Please immediately
reply to the sender that you have received this communication in error
and then delete it.
>
> Esta mensagem e seus anexos se dirigem exclusivamente ao seu
destinatário, pode conter informação privilegiada ou confidencial e é
para uso exclusivo da pessoa ou entidade de destino. Se não é vossa
senhoria o destinatário indicado, fica notificado de que a leitura,
utilização, divulgação e/ou cópia sem autorização pode estar proibida em
virtude da legislação vigente. Se recebeu esta mensagem por erro,
rogamos-lhe que nos o comunique imediatamente por esta mesma via e
proceda a sua destruição
>

v2.23.0 | Report a Bug | By Email