Re: [Pce] WG Last Call for draft-ietf-pce-pcep-yang-19

Dhruv Dhody <dhruv.ietf@gmail.com> Fri, 07 October 2022 09:45 UTC

References: <0d3e71b7-738b-a5f6-852d-0e46f24129f5@orange.com> <AM7PR07MB6248F14E883EDC71E5F85EDAA05B9@AM7PR07MB6248.eurprd07.prod.outlook.com> <AM7PR07MB6248A61A222C94766BBD0853A05F9@AM7PR07MB6248.eurprd07.prod.outlook.com>
In-Reply-To: <AM7PR07MB6248A61A222C94766BBD0853A05F9@AM7PR07MB6248.eurprd07.prod.outlook.com>
From: Dhruv Dhody <dhruv.ietf@gmail.com>
Date: Fri, 07 Oct 2022 15:15:07 +0530
Message-ID: <CAB75xn4-v_qfQK1h6u+YxW=2gGZiEngRNkqG+GhyvNduwV03cg@mail.gmail.com>
To: tom petch <ietfc@btconnect.com>
Cc: "julien.meuric@orange.com" <julien.meuric@orange.com>, "pce@ietf.org" <pce@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pce/oLv0-KQHLDPbVwOMUfn_STgiSj0>

Hi Tom, WG,

I was about to send a note to the WG but you beat me to it. You made a
valid point regarding TLS 1.3. But I suggest a different approach.

RFC 8253 states that TLS v1.2 or "later" is supported for PCEP. IMHO, a
draft fixing the issues with TLS 1.3 for PCEPS is a much better idea than
saying no TLS 1.3. Sean, Russ and I published -
https://www.ietf.org/id/draft-dhody-pce-pceps-tls13-00.html. Note that a
similar effort is also being made in NetConf WG.

Coming to the PCEP-YANG, I plan to add a section in the draft that would
talk about how to enable TLS 1.2 and TLS 1.3 for PCEP. Thoughts?

Thanks!
Dhruv (co-author hat on, co-chair hat off)

On Fri, Oct 7, 2022 at 2:25 PM tom petch <ietfc@btconnect.com> wrote:

> From: Pce <pce-bounces@ietf.org> on behalf of tom petch <
> ietfc@btconnect.com>
> Sent: 03 October 2022 11:02
>
> From: Pce <pce-bounces@ietf.org> on behalf of julien.meuric@orange.com <
> julien.meuric@orange.com>
> Sent: 26 September 2022 14:01
>
> Hi PCE WG,
>
> This message starts a 2-week WG Last Call for
> draft-ietf-pce-pcep-yang-19. Please review and share any feedback using
> the PCE mailing list.
> This WGLC will end on Tuesday October 11.
>
> <tp>
> There are several little problems with this I-D, which I will post in due
> course, but one big one that I think needs outside assistance and will take
> time to resolve, namely the lack of security.
>
> This imports netconf-tls groupings and the netconf I-D says basically
> security is nothing to do with us, that is up to the user of the grouping.
> It recommends TLS1.3 and says TLS1.2 is obsolete and not recommended.
>
> Trouble is, for most users TLS1.3 is not recommended because it is
> insecure because it introduces new features which are fine for web access
> and dangerous for almost all other cases (eg early data).  There are a number
> of IETF documents looking at this and nailing down all the things you must
> not do with TLS1.3 in an operational environment (which is what most of the
> IETF is about).  RFC9190 section 2 is an example of what I mean but from
> tracking the evolution of that RFC I suspect that that got watered down by
> the supporters of TLS1.3.
>
> This I-D needs the equivalent (or else a MUST NOT for TLS1.3!).  Many of
> those involved with security in the IETF will not understand the issue, how
> dangerous TLS1.3 is for anything other than web access.
>
> <tp2>
> I note the submission of draft-dhody ... TLS13.
>
> I wonder what that plan is; for pcep-yang to ban TLS1.3 and have a
> reference to this I-D? or what?
>
> I think that PSK needs more treatment.  My take is that RFC8446 bans PSK
> except when used for resumption where a session has been set up using
> certificates.  I see two documents addressing this issue, - 9257, 9258 -
> but I have yet to read them.
>
> Tom Petch
>
>
> Tom Petch
>
> Thanks,
>
> Julien
>
>
>
> _______________________________________________
> Pce mailing list
> Pce@ietf.org
> https://www.ietf.org/mailman/listinfo/pce
>
>
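As an added illustration of the two points raised in this thread (Tom's concern that TLS 1.3 early data and PSK use must be nailed down for PCEPS, and Dhruv's plan for a section on enabling TLS 1.2 and TLS 1.3 for PCEP), the Go program below is not code from the thread, the draft, or any PCEP implementation. It configures a PCE-side TLS listener and a PCC-side client the way a TLS 1.3 profile for PCEPS would require: TLS 1.3 only, mutual certificate authentication, and no session tickets, so a resumption PSK is never issued and therefore 0-RTT early data can never be sent (RFC 8446 ties early data to a PSK). Go's crypto/tls does not implement early data over TCP at all, so refusing tickets and rejecting resumed sessions is the handle a Go implementation has; with OpenSSL the equivalent server-side setting is to leave the maximum early data at its default of 0 (SSL_CTX_set_max_early_data). The peer names pce.example.net and pcc.example.net and the self-signed certificates are assumptions so the example runs offline; a deployment would use operator-issued certificates. A second scenario shows a PCC that only offers TLS 1.2 being refused, which is what a TLS 1.3-only profile implies for a legacy peer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Peer is what the PCE side observed once the handshake completed.
type Peer struct {
	Version   uint16 // negotiated version; 0x0304 is TLS 1.3
	DidResume bool   // true if a resumption PSK, not a full handshake, authenticated the peer
	PeerCN    string // CommonName of the verified PCC certificate
}

// selfSignedCert mints a throwaway certificate for one peer so the example runs
// offline. The names pce.example.net / pcc.example.net are assumed stand-ins for
// certificates issued by the operator's real PKI.
func selfSignedCert(cn string) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return tls.Certificate{}, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, IsCA: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return tls.Certificate{}, nil, err }
	leaf, err := x509.ParseCertificate(der)
	if err != nil { return tls.Certificate{}, nil, err }
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// pcepsConfigs builds the PCE (server) and PCC (client) configurations: TLS 1.3
// only, mutual certificate authentication, and no session tickets, so no
// resumption PSK ever exists and 0-RTT early data can never be offered.
func pcepsConfigs() (server, client *tls.Config, err error) {
	pceCert, pcePool, err := selfSignedCert("pce.example.net")
	if err != nil { return nil, nil, err }
	pccCert, pccPool, err := selfSignedCert("pcc.example.net")
	if err != nil { return nil, nil, err }
	server = &tls.Config{
		MinVersion:             tls.VersionTLS13,
		Certificates:           []tls.Certificate{pceCert},
		ClientAuth:             tls.RequireAndVerifyClientCert,
		ClientCAs:              pccPool,
		SessionTicketsDisabled: true, // no NewSessionTicket => no PSK to resume with or to send 0-RTT under
		// Defence in depth: refuse anything that is not a full TLS 1.3 handshake.
		VerifyConnection: func(cs tls.ConnectionState) error {
			if cs.Version != tls.VersionTLS13 { return errors.New("pceps: TLS 1.3 required") }
			if cs.DidResume { return errors.New("pceps: PSK resumption not permitted") }
			return nil
		},
	}
	client = &tls.Config{
		MinVersion: tls.VersionTLS13, ServerName: "pce.example.net",
		RootCAs: pcePool, Certificates: []tls.Certificate{pccCert},
	}
	return server, client, nil
}

// handshake runs one handshake over a loopback TCP socket and reports what the
// PCE side saw; a failure on either side comes back as an error.
func handshake(server, client *tls.Config) (*Peer, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil { return nil, err }
	defer ln.Close()
	type outcome struct { cs tls.ConnectionState; err error }
	done := make(chan outcome, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil { done <- outcome{err: err}; return }
		defer raw.Close()
		raw.SetDeadline(time.Now().Add(5 * time.Second))
		conn := tls.Server(raw, server)
		if err := conn.Handshake(); err != nil { done <- outcome{err: err}; return }
		done <- outcome{cs: conn.ConnectionState()}
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil { return nil, err }
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	cliErr := tls.Client(raw, client).Handshake()
	o := <-done
	if o.err != nil { return nil, o.err }
	if cliErr != nil { return nil, cliErr }
	return &Peer{Version: o.cs.Version, DidResume: o.cs.DidResume,
		PeerCN: o.cs.PeerCertificates[0].Subject.CommonName}, nil
}

// conformingPCC: full TLS 1.3 handshake with a verified PCC certificate.
func conformingPCC() (*Peer, error) {
	server, client, err := pcepsConfigs()
	if err != nil { return nil, err }
	return handshake(server, client)
}

// legacyPCCRejected: a PCC that only offers TLS 1.2 must be refused by the PCE.
func legacyPCCRejected() error {
	server, client, err := pcepsConfigs()
	if err != nil { return err }
	client.MinVersion, client.MaxVersion = tls.VersionTLS12, tls.VersionTLS12
	_, err = handshake(server, client)
	return err // non-nil: the PCE aborts the handshake at the ClientHello
}

func main() {
	p, err := conformingPCC()
	if err != nil { fmt.Println("conforming PCC:", err); return }
	fmt.Printf("conforming PCC: version=%#x resumed=%v peer=%s\n", p.Version, p.DidResume, p.PeerCN)
	fmt.Println("TLS 1.2-only PCC rejected:", legacyPCCRejected())
}
```

Run it with "go run" on a host that permits loopback sockets. The VerifyConnection callback is deliberately redundant with SessionTicketsDisabled and MinVersion: it makes the policy visible in one place and keeps holding if someone later re-enables tickets or lowers the minimum version in the same config.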