Re: [Pce] WG Last Call for IGP extension for PCEP security capability support in the PCE discovery - draft-ietf-lsr-pce-discovery-security-support-05

"Acee Lindem (acee)" <acee@cisco.com> Fri, 23 July 2021 16:54 UTC

From: "Acee Lindem (acee)" <acee@cisco.com>
To: "Ketan Talaulikar (ketant)" <ketant=40cisco.com@dmarc.ietf.org>, "lsr@ietf.org" <lsr@ietf.org>
CC: "draft-ietf-lsr-pce-discovery-security-support@ietf.org" <draft-ietf-lsr-pce-discovery-security-support@ietf.org>, "pce@ietf.org" <pce@ietf.org>
Date: Fri, 23 Jul 2021 16:53:50 +0000
Message-ID: <1553E8EA-CA94-47DB-984E-5D4AF89EDED2@cisco.com>
References: <7CF74D7B-A6B8-4255-9493-30E8DA95C45D@cisco.com> <MW3PR11MB45705BAF545DF8220DEC32A2C1E59@MW3PR11MB4570.namprd11.prod.outlook.com> <98817A40-CF34-49D4-B49C-38E586F17513@cisco.com> <MW3PR11MB457090D0D06B684C596D4F3DC1E59@MW3PR11MB4570.namprd11.prod.outlook.com>
In-Reply-To: <MW3PR11MB457090D0D06B684C596D4F3DC1E59@MW3PR11MB4570.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pce/m59wnhH2KdQA_wbbXS4C4b106xo>
Subject: Re: [Pce] WG Last Call for IGP extension for PCEP security capability support in the PCE discovery - draft-ietf-lsr-pce-discovery-security-support-05
List-Id: Path Computation Element <pce.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pce/>

Hi Ketan,

From: "Ketan Talaulikar (ketant)" <ketant=40cisco.com@dmarc.ietf.org>
Date: Friday, July 23, 2021 at 11:20 AM
To: Acee Lindem <acee@cisco.com>, "lsr@ietf.org" <lsr@ietf.org>
Cc: "draft-ietf-lsr-pce-discovery-security-support@ietf.org" <draft-ietf-lsr-pce-discovery-security-support@ietf.org>, "pce@ietf.org" <pce@ietf.org>
Subject: RE: WG Last Call for IGP extension for PCEP security capability support in the PCE discovery - draft-ietf-lsr-pce-discovery-security-support-05

Hi Acee,

Agree about the keychain provisioning part.

The distribution via IGP for the key selections and the handling of the same in PCEP sounded new to me. Is there any precedent for this? How does it all work actually and what is needed on the PCE and PCC to handle the change/transitions – this is all missing – probably needs a PCEP spec? This is many PCCs trying to connect to a PCE. I was trying to understand this better and how all that weighs against a potential for attack/disruption by someone doing a M-i-M or replay attack.

Roll-over of keys with key-chains is well-understood.

https://datatracker.ietf.org/doc/html/rfc8177#section-2.2

As is TCP-AO and TLS authentication. The only further specification required would be the configuration in the PCE YANG model(s).

Thanks,
Acee

Just some questions … as this seemed something new to me and the spec does not provide any pointers.

Thanks,
Ketan

From: Acee Lindem (acee) <acee=40cisco.com@dmarc.ietf.org>
Sent: 23 July 2021 18:52
To: Ketan Talaulikar (ketant) <ketant@cisco.com>; lsr@ietf.org
Cc: draft-ietf-lsr-pce-discovery-security-support@ietf.org; pce@ietf.org
Subject: Re: WG Last Call for IGP extension for PCEP security capability support in the PCE discovery - draft-ietf-lsr-pce-discovery-security-support-05

Hi Ketan,

From: "Ketan Talaulikar (ketant)" <ketant=40cisco.com@dmarc.ietf.org>
Date: Friday, July 23, 2021 at 9:10 AM
To: Acee Lindem <acee@cisco.com>, "lsr@ietf.org" <lsr@ietf.org>
Cc: "draft-ietf-lsr-pce-discovery-security-support@ietf.org" <draft-ietf-lsr-pce-discovery-security-support@ietf.org>, "pce@ietf.org" <pce@ietf.org>
Subject: RE: WG Last Call for IGP extension for PCEP security capability support in the PCE discovery - draft-ietf-lsr-pce-discovery-security-support-05

Hello All,

I have reviewed this draft and have the following comments for the authors to address and the WG to consider:


1)      Is there any precedent for the advertisement of auth keychain info (ID/name) in such a manner that is flooded across the IGP domain? When the actual keychain anyway needs to be configured on all PCCs what is really the value in their advertisement other than possibly exposure to attack? I hope the security directorate reviewer looks at this closely and we get some early feedback specifically on this aspect.

The key-chain mechanism was standardized in RFC 8177 and is referenced by all the routing protocol YANG models. While key-chains, as well as pre-shared keys, need to be configured, having multiple configured key-chains that are selectable via discovery is obviously more operationally secure than having a single one.

Thanks,
Acee


2)      In sec 3.2 and 3.3, new sub-TLVs are being introduced. Their ASCII art pictures represent the OSPF TLVs. The ISIS TLV structure is different. While this will be obvious to most in this WG, I would request this to be clarified – perhaps by introducing separate diagrams for both protocols or skipping the art altogether.

3)      RFC5088 applies to both OSPFv2 and OSPFv3. This is however not clear in the text of this document.

4)      Looks like RFC5088 asked for the PCE Capabilities Flags registry to be created as a top-level IANA OSPF registry - https://datatracker.ietf.org/doc/html/rfc5088#section-7.2 – so it should have been placed here : https://www.iana.org/assignments/ospf-parameters/ospf-parameters.xhtml. What seems to have happened is that it got created under OSPFv2 which is wrong - https://www.iana.org/assignments/ospfv2-parameters/ospfv2-parameters.xml#ospfv2-parameters-14. Since this draft updates RFC5088, it is necessary for this document to fix this error. I would support Les in that perhaps all of this (i.e. everything under/related to PCED TLV) ought to be moved under the IANA Common IGP registry here : https://www.iana.org/assignments/igp-parameters/igp-parameters.xhtml

5)      The document needs to be more specific and clear about which IANA registries are to be used to avoid errors that have happened in the past (see (3) above).

6)      Appendix A, I believe what the authors intended here was that whether to use MD5 auth or not was part of discovery but static configuration on the PCE and PCC? The keychain introduced in this document can also be used along with MD5. Honestly, I don’t see a strong reason to not include MD5 in the signalling except that it is deprecated (even if widely deployed). This document would not conflict or contradict with RFC5440 if it did include a bit for MD5 support as well. As a follow-on, perhaps this document should also update RFC5440 – specifically for the security section? I see RFC8253 introducing TLS that updates RFC5440 but nothing that introduces TCP-AO? In any case, these are aspects for PCE WG so I will leave those to the experts there.

Thanks,
Ketan

From: Lsr <lsr-bounces@ietf.org> On Behalf Of Acee Lindem (acee)
Sent: 21 July 2021 22:16
To: lsr@ietf.org
Cc: draft-ietf-lsr-pce-discovery-security-support@ietf.org
Subject: [Lsr] WG Last Call for IGP extension for PCEP security capability support in the PCE discovery - draft-ietf-lsr-pce-discovery-security-support-05

This begins a 3-week WG Last Call, ending on August 4th, 2021, for draft-ietf-lsr-pce-discovery-security-support. Please indicate your support or objection to this list before the end of the WG last call. The longer WG last call is to account for IETF week.

  https://datatracker.ietf.org/doc/draft-ietf-lsr-pce-discovery-security-support/


Thanks,
Acee
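
The thread points to key-chain rollover (RFC 8177) as the mechanism behind the advertised key-chain name. The sketch below is an added example, not code from the thread, the draft or the RFC: it models a two-key chain and counts how many messages a peer with a skewed clock would reject around the rollover instant, with and without overlapping accept lifetimes. The field names, dates, the one-minute sampling and the "newest valid key wins" tie-break are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Key:
    key_id: int
    send_from: datetime     # start of send lifetime (inclusive)
    send_until: datetime    # end of send lifetime (exclusive)
    accept_from: datetime   # start of accept lifetime (inclusive)
    accept_until: datetime  # end of accept lifetime (exclusive)


# Constructed sample dates; key 1 hands over to key 2 at ROLLOVER.
START = datetime(2021, 7, 1, tzinfo=timezone.utc)
ROLLOVER = datetime(2021, 8, 1, tzinfo=timezone.utc)
END = datetime(2021, 9, 1, tzinfo=timezone.utc)


def build_chain(overlap):
    """Two-key chain whose accept lifetimes extend `overlap` past the send lifetimes."""
    return [
        Key(1, START, ROLLOVER, START - overlap, ROLLOVER + overlap),
        Key(2, ROLLOVER, END, ROLLOVER - overlap, END + overlap),
    ]


def send_key(chain, now):
    """Key used for outgoing messages at `now`, or None if no key is valid."""
    valid = [k for k in chain if k.send_from <= now < k.send_until]
    # Assumption: if several keys are valid for sending, use the newest one.
    return max(valid, key=lambda k: k.send_from, default=None)


def accepts(chain, key_id, now):
    """True if the receiver's copy of the chain accepts `key_id` at its local time."""
    return any(
        k.key_id == key_id and k.accept_from <= now < k.accept_until
        for k in chain
    )


def failures_around_rollover(chain, receiver_skew,
                             window=timedelta(minutes=30),
                             step=timedelta(minutes=1)):
    """Count sampled send instants near ROLLOVER that the skewed receiver rejects."""
    rejected = 0
    t = ROLLOVER - window
    while t < ROLLOVER + window:
        key = send_key(chain, t)
        if key is None or not accepts(chain, key.key_id, t + receiver_skew):
            rejected += 1
        t += step
    return rejected


if __name__ == "__main__":
    for overlap_min in (0, 10):
        chain = build_chain(timedelta(minutes=overlap_min))
        for skew_min in (-5, 5, 15):
            n = failures_around_rollover(chain, timedelta(minutes=skew_min))
            print(f"overlap={overlap_min:>2}m skew={skew_min:>3}m rejected={n}")
```

With no overlap, any clock skew produces a window of rejected messages at the rollover; an accept overlap larger than the skew removes it.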