Re: [Pce] PCE WG Last Call - draft-ietf-pce-pceps-04

DIEGO LOPEZ GARCIA <diego.r.lopez@telefonica.com> Mon, 09 November 2015 08:23 UTC


Hi Tom,

Thanks for the review. We will update the draft text addressing your comments and those we received from Cyril. Some notes inline below.

On 4 Nov 2015, at 19:55 , t.p. <daedulus@btconnect.com> wrote:

s.3 At first, I was unsure whether or not both parties sent a StartTLS.
"The StartTLS message is a PCEP message sent by a PCC to a PCE and by
  a PCE to a PCC " suggests both
"Once the TCP connection has been successfully established, the first
  message sent by the PCC to the PCE or by the PCE to the PCC MUST be a
  StartTLS message " suggests only one.
Section 3.3 makes it clearer that both send it.  This is fine but I am
unaware of any other protocol where this happens so I would suggest
/or/and/ in that second sentence and expanding the earlier sentence
OLD
  2.  Initiating the TLS Procedures by the StartTLS message.
NEW
  2.  Initiating the TLS Procedures by the StartTLS message from PCE to
      PCC and from PCC to PCE.

DRL> You are right in the ambiguity and we will correct it as you suggest.

I focus on this because I was also looking to see which became TLS
Client.  TLS is asymmetric, designed to authenticate a (HTTP) server to
a client.  Netconf (and SNMP), which I know better, struggled with this
because the key for Netconf is to authenticate the client to the server,
which TLS does not do so well. Posts on the TLS list suggest that there
are very few implementations of TLS client authentication, rather
something else is done once the secure channel has been established.

DRL> I’d not say there are few implementations, but that client authentication is not commonly employed, especially in the web environment where other mechanisms are preferred, like using a TLS connection based on server authentication to retrieve password credentials from the user… As far as I can tell, TLS is only asymmetric in this requirement for authentication of both peers, as the crypto exchanges become essentially equal if client authentication is required.

So, do you care who is TLS client and who TLS server?  It will be
interesting to see a security review of this.

DRL> What we had in mind was that the natural approach taking into account the structure of PCEP was to have the PCC peer acting as client and the PCE acting as server. We’ll include a requirement in section 3.2 on this.  I do not see any security issue here, but we could certainly request the UTA WG to make a review. I’d say this completely falls under their area of interest.

In passing, RFC7465 prohibits RC4 with TLS so I would think it unlikely
that
"SHOULD support  TLS_RSA_WITH_RC4_128_SHA"  will be acceptable.

DRL> Good catch. It will be deleted in the coming version.

Be goode,

--
"This time we will not fail, Doctor Infierno"

Dr Diego R. Lopez
Telefonica I+D
http://people.tid.es/diego.lopez/

e-mail: diego.r.lopez@telefonica.com
Tel:    +34 913 129 041
Mobile: +34 682 051 091
----------------------------------
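Added illustration, not part of this thread or of the PCEPS draft, of the two points settled above using Python's ssl module: the PCC takes the TLS client role and the PCE the TLS server role that demands a client certificate (mutual authentication), and RC4 suites are excluded as RFC 7465 requires. The certificate and CA file paths are hypothetical placeholders and the suite list is a constructed sample.

```python
import ssl

# Suite names quoted in the review above; constructed sample, not the draft's
# full table. TLS_RSA_WITH_RC4_128_SHA is the one the review asks to drop.
DRAFT_SUITES = [
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
]

# OpenSSL cipher string used by both peers: excludes RC4 (RFC 7465),
# anonymous suites and MD5, so no prohibited suite can be negotiated.
PCEPS_CIPHERS = "HIGH:!aNULL:!RC4:!MD5"


def rfc7465_violations(suites):
    """Return the suites RFC 7465 forbids (any RC4 suite) from a name list."""
    return [s for s in suites if "RC4" in s.upper()]


def pce_server_context(cert_file=None, key_file=None, ca_file=None):
    """TLS server role for the PCE. Paths are hypothetical placeholders;
    with no paths given the context is built without credentials."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED  # demand and verify the PCC's cert
    ctx.set_ciphers(PCEPS_CIPHERS)
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    return ctx


def pcc_client_context(cert_file=None, key_file=None, ca_file=None):
    """TLS client role for the PCC: verifies the PCE and presents its own cert."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.set_ciphers(PCEPS_CIPHERS)
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    return ctx


def requires_peer_cert(ctx):
    """True when the context rejects a peer that presents no certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED


def negotiable_rc4(ctx):
    """Names of RC4 suites the context could still offer; must be empty."""
    return [c["name"] for c in ctx.get_ciphers() if "RC4" in c["name"]]
```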

