Re: [Pce] WG Last Call for draft-ietf-pce-pcep-yang-19
Dhruv Dhody <dhruv.ietf@gmail.com> Fri, 07 October 2022 09:45 UTC
From: Dhruv Dhody <dhruv.ietf@gmail.com>
Date: Fri, 07 Oct 2022 15:15:07 +0530
Message-ID: <CAB75xn4-v_qfQK1h6u+YxW=2gGZiEngRNkqG+GhyvNduwV03cg@mail.gmail.com>
To: tom petch <ietfc@btconnect.com>
Cc: "julien.meuric@orange.com" <julien.meuric@orange.com>, "pce@ietf.org" <pce@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pce/oLv0-KQHLDPbVwOMUfn_STgiSj0>
Hi Tom, WG,

I was about to send a note to the WG but you beat me to it. You made a valid point regarding TLS 1.3. But I suggest a different approach.

RFC 8253 states that TLS v1.2 or "later" is supported for PCEP. IMHO, a draft fixing the issues with TLS 1.3 for PCEPS is a much better idea than saying no TLS 1.3. Sean, Russ and I published https://www.ietf.org/id/draft-dhody-pce-pceps-tls13-00.html. Note that a similar effort is also being made in the NetConf WG.

Coming to the PCEP-YANG, I plan to add a section in the draft that would talk about how to enable TLS 1.2 and TLS 1.3 for PCEP.

Thoughts?

Thanks!
Dhruv (co-author hat on, co-chair hat off)

On Fri, Oct 7, 2022 at 2:25 PM tom petch <ietfc@btconnect.com> wrote:

> From: Pce <pce-bounces@ietf.org> on behalf of tom petch <ietfc@btconnect.com>
> Sent: 03 October 2022 11:02
>
> From: Pce <pce-bounces@ietf.org> on behalf of julien.meuric@orange.com <julien.meuric@orange.com>
> Sent: 26 September 2022 14:01
>
> Hi PCE WG,
>
> This message starts a 2-week WG Last Call for draft-ietf-pce-pcep-yang-19. Please review and share any feedback using the PCE mailing list.
> This WGLC will end on Tuesday October 11.
>
> <tp>
> There are several little problems with this I-D, which I will post in due course, but one big one that I think needs outside assistance and will take time to resolve, namely the lack of security.
>
> This imports netconf-tls groupings and the netconf I-D says basically security is nothing to do with us, that is up to the user of the grouping. It recommends TLS1.3 and says TLS1.2 is obsolete and not recommended.
>
> Trouble is, for most users TLS1.3 is not recommended because it is insecure because it introduces new features which are fine for web access and dangerous for almost all other cases (e.g. early data). There are a number of IETF documents looking at this and nailing down all the things you must not do with TLS1.3 in an operational environment (which is what most of the IETF is about). RFC9190 section 2 is an example of what I mean but from tracking the evolution of that RFC I suspect that that got watered down by the supporters of TLS1.3.
>
> This I-D needs the equivalent (or else a MUST NOT for TLS1.3!). Many of those involved with security in the IETF will not understand the issue, how dangerous TLS1.3 is for anything other than web access.
>
> <tp2>
> I note the submission of draft-dhody ... TLS13.
>
> I wonder what that plan is; for pcep-yang to ban TLS1.3 and have a reference to this I-D? or what?
>
> I think that PSK needs more treatment. My take is that RFC8446 bans PSK except when used for resumption where a session has been set up using certificates. I see two documents addressing this issue, 9257 and 9258, but I have yet to read them.
>
> Tom Petch
>
> Tom Petch
>
> Thanks,
>
> Julien
>
> _______________________________________________
> Pce mailing list
> Pce@ietf.org
> https://www.ietf.org/mailman/listinfo/pce