Re: [Pce] Ben Campbell's Discuss on draft-ietf-pce-pceps-15: (with DISCUSS and COMMENT)
Dhruv Dhody <dhruv.dhody@huawei.com> Fri, 04 August 2017 18:40 UTC
Return-Path: <dhruv.dhody@huawei.com>
X-Original-To: pce@ietfa.amsl.com
Delivered-To: pce@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E62A13217B; Fri, 4 Aug 2017 11:40:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level:
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y5EDxqScetS5; Fri, 4 Aug 2017 11:40:48 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2081B13207A; Fri, 4 Aug 2017 11:40:46 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml704-cah.china.huawei.com) ([172.18.7.190]) by lhrrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id DLY50725; Fri, 04 Aug 2017 18:40:44 +0000 (GMT)
Received: from BLREML703-CAH.china.huawei.com (10.20.4.172) by lhreml704-cah.china.huawei.com (10.201.108.45) with Microsoft SMTP Server (TLS) id 14.3.301.0; Fri, 4 Aug 2017 19:40:43 +0100
Received: from BLREML501-MBB.china.huawei.com ([10.20.5.200]) by blreml703-cah.china.huawei.com ([::1]) with mapi id 14.03.0301.000; Sat, 5 Aug 2017 00:10:34 +0530
From: Dhruv Dhody <dhruv.dhody@huawei.com>
To: 'Ben Campbell' <ben@nostrum.com>
CC: The IESG <iesg@ietf.org>, "cmargaria@juniper.net" <cmargaria@juniper.net>, "draft-ietf-pce-pceps@ietf.org" <draft-ietf-pce-pceps@ietf.org>, "pce@ietf.org" <pce@ietf.org>, "pce-chairs@ietf.org" <pce-chairs@ietf.org>
Thread-Topic: [Pce] Ben Campbell's Discuss on draft-ietf-pce-pceps-15: (with DISCUSS and COMMENT)
Thread-Index: AQHTC+GeKMusC97gUUWSIE/gjuf8xaJyV6tggAAOMQCAAVcKwA==
Date: Fri, 04 Aug 2017 18:40:34 +0000
Message-ID: <23CE718903A838468A8B325B80962F9B8CB98DB2@blreml501-mbb>
References: <150171415228.5759.6042228213633458080.idtracker@ietfa.amsl.com> <23CE718903A838468A8B325B80962F9B8CB98665@blreml501-mbb> <E0C89DDB-F358-427F-92FC-F33C35012A0B@nostrum.com>
In-Reply-To: <E0C89DDB-F358-427F-92FC-F33C35012A0B@nostrum.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.18.77.87]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A020202.5984BFAD.00C9, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=0.0.0.0, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: 634ee1c563fa61fdb532b74f425c49a0
Archived-At: <https://mailarchive.ietf.org/arch/msg/pce/n0ZvoMWUzaD-wk2j07As6G8WZt8>
Subject: Re: [Pce] Ben Campbell's Discuss on draft-ietf-pce-pceps-15: (with DISCUSS and COMMENT)
X-BeenThere: pce@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Path Computation Element <pce.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pce>, <mailto:pce-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pce/>
List-Post: <mailto:pce@ietf.org>
List-Help: <mailto:pce-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pce>, <mailto:pce-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Aug 2017 18:40:50 -0000
Hi Ben, Please see inline... > -----Original Message----- > From: Ben Campbell [mailto:ben@nostrum.com] > Sent: 03 August 2017 20:57 > To: Dhruv Dhody <dhruv.dhody@huawei.com> > Cc: The IESG <iesg@ietf.org>; cmargaria@juniper.net; draft-ietf-pce- > pceps@ietf.org; pce@ietf.org; pce-chairs@ietf.org > Subject: Re: [Pce] Ben Campbell's Discuss on draft-ietf-pce-pceps-15: > (with DISCUSS and COMMENT) (snip) > >> > >> --------------------------------------------------------------------- > >> - > >> COMMENT: > >> --------------------------------------------------------------------- > >> - > >> > >> Substantive: > >> > >> - I share Warren's question about why you chose STARTTLS over a > >> dedicated port, especially since the 2nd to last paragraph in 3.2 > >> goes out of its way to mention that. What were the tradeoffs involved > >> that made adding the additional protocol machinery more attractive > >> than allocating a port number? > >> > > [[Dhruv Dhody]] I have added this text - > > > > This document uses the standard StartTLS procedure in PCEP, instead > > of using a different port for the secured session. This is done to > > avoid requesting allocation of another port number for the PCEPS. > > The StartTLS procedure makes more efficient use of scarce port > > numbers and allow simpler configuration of PCEP. > > That’s helpful, but it only shows the benefits side of the tradeoff. I > assume people thought the additional protocol complexity was a reasonable > cost to bear? > [[Dhruv Dhody]] There was substantive discussion on the mailing list regarding this, as our original proposal requested a new port and we were advised to use StartTLS instead after discussion with transport/security folks. See https://www.ietf.org/mail-archive/web/pce/current/msg03540.html. > > > > >> - 3.2: "Implementations MUST support SHA-256 as defined by [SHS] as > >> the hash algorithm for the fingerprint." > >> Do you really intend "MUST support" (meaning you have to be able to > >> handle sha-256, but could allow other hashes) vs "MUST use"? > >> > > [[Dhruv Dhody]] Yes, additional hash algorithm MAY also be > supported/used. > > > > Is there an expectation people will use multiple hash algorithms side-by- > side? Or is this for purposes of hash agility? > [[Dhruv Dhody]] SHA-256 is the current mandatory hash, others might become usable and useful as the technology evolves. Do you have any suggested change in mind? I see RFC6614 use similar language "Implementations MUST support SHA-1 as the hash algorithm for the fingerprint...." (snip) > >> - 3.4 : "Negotiation of mutual authentication is REQUIRED." > >> Does that mean that the peers must elect to use mutual > >> authentication, or that if they want to use it, they must agree to do > >> so? (The pattern persists throughout the section, but the meaning > >> seems more obvious for some of the > >> others.) > >> > > [[Dhruv Dhody]] I am also not sure, this was added keeping RFC6614 as > our reference. > > Since TLS supports multiple authentication mode, this might be a say > > mutual as well as server-only authentication should be supported. But > > not sure about the word negotiation here. I think we can remove this > > statement, will do so once you confirm. he > > The important thing is that the intent of the WG is clear. Do you mean to > say that the working group intended to allow both server-only and mutual > authentication, or do you mean to say the working group did not think > about it? > [[Dhruv Dhody]] On further discussion with my co-authors, we feel we should remove the statement. The previous statement in the draft about mutual authentication is enough and mutual authentication should be the standard. Regards, Dhruv > […] > Thanks! > > Ben.
- [Pce] Ben Campbell's Discuss on draft-ietf-pce-pc… Ben Campbell
- Re: [Pce] Ben Campbell's Discuss on draft-ietf-pc… Dhruv Dhody
- Re: [Pce] Ben Campbell's Discuss on draft-ietf-pc… Ben Campbell
- Re: [Pce] Ben Campbell's Discuss on draft-ietf-pc… Dhruv Dhody
- Re: [Pce] Ben Campbell's Discuss on draft-ietf-pc… Ben Campbell
- Re: [Pce] Ben Campbell's Discuss on draft-ietf-pc… Dhruv Dhody
- Re: [Pce] Ben Campbell's Discuss on draft-ietf-pc… Ben Campbell