IETF Logo Mail Archive

Re: [Pce] Use of TCP AO and TLS in PCEP

Joe Touch <touch@isi.edu> Thu, 06 February 2014 21:42 UTC

Return-Path: <touch@isi.edu>
X-Original-To: pce@ietfa.amsl.com
Delivered-To: pce@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9223F1A015B for <pce@ietfa.amsl.com>; Thu, 6 Feb 2014 13:42:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.735
X-Spam-Level:
X-Spam-Status: No, score=-4.735 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.535] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D7K4OK4d9ePX for <pce@ietfa.amsl.com>; Thu, 6 Feb 2014 13:42:28 -0800 (PST)
Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) by ietfa.amsl.com (Postfix) with ESMTP id E48081A0133 for <pce@ietf.org>; Thu, 6 Feb 2014 13:42:27 -0800 (PST)
Received: from [128.9.160.166] (abc.isi.edu [128.9.160.166]) (authenticated bits=0) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id s16Lfr17007417 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Thu, 6 Feb 2014 13:41:54 -0800 (PST)
Message-ID: <52F401A1.7040209@isi.edu>
Date: Thu, 06 Feb 2014 13:41:53 -0800
From: Joe Touch <touch@isi.edu>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: "Diego R. Lopez" <diego@tid.es>, Farrel Adrian <adrian@olddog.co.uk>
References: <07b801cf1534$bec46b60$3c4d4220$@olddog.co.uk> <4698EB6C-9BEC-4E76-8291-FBCA51753950@tid.es>
In-Reply-To: <4698EB6C-9BEC-4E76-8291-FBCA51753950@tid.es>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
X-Mailman-Approved-At: Fri, 07 Feb 2014 01:26:49 -0800
Cc: "pce@ietf.org" <pce@ietf.org>
Subject: Re: [Pce] Use of TCP AO and TLS in PCEP
X-BeenThere: pce@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Path Computation Element <pce.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pce>, <mailto:pce-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pce/>
List-Post: <mailto:pce@ietf.org>
List-Help: <mailto:pce-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pce>, <mailto:pce-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Feb 2014 21:42:29 -0000

Hi, Diego,

Some responses below to some specific points:

On 2/6/2014 12:44 AM, Diego R. Lopez wrote:
> Hi Adrian, Joe,
>
> Thanks for the review. It will really help in putting the draft in a
better shape. We are preparing a new version and the replies below will
be reflected there.
...
>>>> 2.1.  TCP ports
>>>>
>>>>    The default destination port number for PCEPS is TCP/XXXX.
>>>>
>>>>    NOTE: This port has to be agreed and registered as PCEPS with IANA.
>>>
>>> PCEP already is assigned to port 4189. RFC5440 already permits PCEP
>>> connections to use either TCP MD5 or TCP-AO, but at the time of that
>>> document there was no TCP-AO to reference.
>>>
>>> As a result it should be trivial for a PCEP server to differentiate pcep
>>> vs. pceps connections:
>>>
>>>       MD5 must be pcep, and already don't use TLS
>>>
>>>       TCP-AO must be pceps, and thus must include TLS
>>>
>>>       connections using neither MD5 nor TCP-AO must be pceps,
>>>       and thus must include TLS
>>>
>>> I don't see a rationale for needing a separate port.
>
> The rationale is the common practice derived from the TLS layered
> approach, so a client knows how and when require the server to start a
> TLS connection, and the server knows in advance what the client is
> requiring and match it against its policy.

That is common when there is no other way to determine whether a 
connection uses TLS or not (and even then is at best a performance 
optimization).

> The use of TCP protection must be orthogonal to the use of TLS, so it
> can not be used for the server making a guess of the protocol
> security encapsulation.

TCP protection isn't orthogonal to TLS for pcep as currently specified; 
see the table above. The only connections that can use TLS would be 
those that do not use TCP MD5 (see the list of cases above).

> Either we have a protocol-specific mechanism (a-la-STARTTLS) or we
> usea specific port.
...

For every connection, you already know the mode before the connection 
starts. If the connection is configured to require TCP MD5, then there 
is no TLS. If not, then there must be TLS.

There are no protocol changes required to make this happen; you just 
need to use the information you already have.

...
>>>> 4.  Backward Compatibility
>>>>
>>>>    Since the procedure described in this document describes a security
>>>>    container for the transport of PCEP requests and replies carried on a
>>>>    newly allocated TCP port there will be no impact on the base PCEP
>>>>    and/or any further extensions.
>>>
>>> See my comment above; I agree, but not because a new port is needed.
>
> As said above, not using a different port would translate in
> requiring an additional protocol element, so clients could express
> their request to start a TLS connection.

That information isn't needed; you already have to know in advance 
whether you require them to use TCP MD5 or not. That's enough 
information to know whether it's TLS or not too.

Joe

v2.23.0 | Report a Bug | By Email