Re: [Pce] Ben Campbell's Discuss on draft-ietf-pce-pceps-15: (with DISCUSS and COMMENT)
Ben Campbell <ben@nostrum.com> Mon, 07 August 2017 21:38 UTC
Return-Path: <ben@nostrum.com>
X-Original-To: pce@ietfa.amsl.com
Delivered-To: pce@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C41012009C; Mon, 7 Aug 2017 14:38:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.88
X-Spam-Level:
X-Spam-Status: No, score=-1.88 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0Fnh6n9P3dmh; Mon, 7 Aug 2017 14:38:09 -0700 (PDT)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8744B124BE8; Mon, 7 Aug 2017 14:38:09 -0700 (PDT)
Received: from [10.0.1.63] (cpe-66-25-7-22.tx.res.rr.com [66.25.7.22]) (authenticated bits=0) by nostrum.com (8.15.2/8.15.2) with ESMTPSA id v77Lc4sE034742 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Mon, 7 Aug 2017 16:38:05 -0500 (CDT) (envelope-from ben@nostrum.com)
X-Authentication-Warning: raven.nostrum.com: Host cpe-66-25-7-22.tx.res.rr.com [66.25.7.22] claimed to be [10.0.1.63]
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Ben Campbell <ben@nostrum.com>
In-Reply-To: <23CE718903A838468A8B325B80962F9B8CB98DB2@blreml501-mbb>
Date: Mon, 07 Aug 2017 16:38:04 -0500
Cc: "cmargaria@juniper.net" <cmargaria@juniper.net>, "draft-ietf-pce-pceps@ietf.org" <draft-ietf-pce-pceps@ietf.org>, "pce@ietf.org" <pce@ietf.org>, The IESG <iesg@ietf.org>, "pce-chairs@ietf.org" <pce-chairs@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <47928D93-5F37-40A0-A502-F55DC3A2F92A@nostrum.com>
References: <150171415228.5759.6042228213633458080.idtracker@ietfa.amsl.com> <23CE718903A838468A8B325B80962F9B8CB98665@blreml501-mbb> <E0C89DDB-F358-427F-92FC-F33C35012A0B@nostrum.com> <23CE718903A838468A8B325B80962F9B8CB98DB2@blreml501-mbb>
To: Dhruv Dhody <dhruv.dhody@huawei.com>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/pce/tfrgJrjLv4xjJgcXJ6vQKvdSqFo>
Subject: Re: [Pce] Ben Campbell's Discuss on draft-ietf-pce-pceps-15: (with DISCUSS and COMMENT)
X-BeenThere: pce@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Path Computation Element <pce.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pce>, <mailto:pce-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pce/>
List-Post: <mailto:pce@ietf.org>
List-Help: <mailto:pce-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pce>, <mailto:pce-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Aug 2017 21:38:12 -0000
Hi, also inline: Thanks! Ben. > On Aug 4, 2017, at 1:40 PM, Dhruv Dhody <dhruv.dhody@huawei.com> wrote: > > Hi Ben, > > Please see inline... > >> -----Original Message----- >> From: Ben Campbell [mailto:ben@nostrum.com] >> Sent: 03 August 2017 20:57 >> To: Dhruv Dhody <dhruv.dhody@huawei.com> >> Cc: The IESG <iesg@ietf.org>; cmargaria@juniper.net; draft-ietf-pce- >> pceps@ietf.org; pce@ietf.org; pce-chairs@ietf.org >> Subject: Re: [Pce] Ben Campbell's Discuss on draft-ietf-pce-pceps-15: >> (with DISCUSS and COMMENT) > > (snip) > >>>> >>>> --------------------------------------------------------------------- >>>> - >>>> COMMENT: >>>> --------------------------------------------------------------------- >>>> - >>>> >>>> Substantive: >>>> >>>> - I share Warren's question about why you chose STARTTLS over a >>>> dedicated port, especially since the 2nd to last paragraph in 3.2 >>>> goes out of its way to mention that. What were the tradeoffs involved >>>> that made adding the additional protocol machinery more attractive >>>> than allocating a port number? >>>> >>> [[Dhruv Dhody]] I have added this text - >>> >>> This document uses the standard StartTLS procedure in PCEP, instead >>> of using a different port for the secured session. This is done to >>> avoid requesting allocation of another port number for the PCEPS. >>> The StartTLS procedure makes more efficient use of scarce port >>> numbers and allow simpler configuration of PCEP. >> >> That’s helpful, but it only shows the benefits side of the tradeoff. I >> assume people thought the additional protocol complexity was a reasonable >> cost to bear? >> > [[Dhruv Dhody]] There was substantive discussion on the mailing list regarding this, as our original proposal requested a new port and we were advised to use StartTLS instead after discussion with transport/security folks. See https://www.ietf.org/mail-archive/web/pce/current/msg03540.html. Okay, good enough. > > >> >>> >>>> - 3.2: "Implementations MUST support SHA-256 as defined by [SHS] as >>>> the hash algorithm for the fingerprint." >>>> Do you really intend "MUST support" (meaning you have to be able to >>>> handle sha-256, but could allow other hashes) vs "MUST use"? >>>> >>> [[Dhruv Dhody]] Yes, additional hash algorithm MAY also be >> supported/used. >>> >> >> Is there an expectation people will use multiple hash algorithms side-by- >> side? Or is this for purposes of hash agility? >> > [[Dhruv Dhody]] SHA-256 is the current mandatory hash, others might become usable and useful as the technology evolves. Do you have any suggested change in mind? > I see RFC6614 use similar language "Implementations MUST support SHA-1 as the hash algorithm for the fingerprint…." I guess my question is whether the intent is for implementations to be able to pick any hash they want, as long as SHA-256 is an option, or do you expect everyone to use SHA-256 unless that is replaced at some point due to security concerns. If the former, “MUST support…” makes sense. If the latter, something like “MUST (or SHOULD) use…” with a caveat that future specs might update this if SHA-256 is proven unsafe at some point in the future. My real concern here is interoperability—if an implementation chooses a hash other than SHA-256, how does the peer know what hash to use? > > (snip) > >>>> - 3.4 : "Negotiation of mutual authentication is REQUIRED." >>>> Does that mean that the peers must elect to use mutual >>>> authentication, or that if they want to use it, they must agree to do >>>> so? (The pattern persists throughout the section, but the meaning >>>> seems more obvious for some of the >>>> others.) >>>> >>> [[Dhruv Dhody]] I am also not sure, this was added keeping RFC6614 as >> our reference. >>> Since TLS supports multiple authentication mode, this might be a say >>> mutual as well as server-only authentication should be supported. But >>> not sure about the word negotiation here. I think we can remove this >>> statement, will do so once you confirm. he >> >> The important thing is that the intent of the WG is clear. Do you mean to >> say that the working group intended to allow both server-only and mutual >> authentication, or do you mean to say the working group did not think >> about it? >> > [[Dhruv Dhody]] On further discussion with my co-authors, we feel we should remove the statement. The previous statement in the draft about mutual authentication is enough and mutual authentication should be the standard. Okay. > > Regards, > Dhruv > >> […] >> Thanks! >> >> Ben.
- [Pce] Ben Campbell's Discuss on draft-ietf-pce-pc… Ben Campbell
- Re: [Pce] Ben Campbell's Discuss on draft-ietf-pc… Dhruv Dhody
- Re: [Pce] Ben Campbell's Discuss on draft-ietf-pc… Ben Campbell
- Re: [Pce] Ben Campbell's Discuss on draft-ietf-pc… Dhruv Dhody
- Re: [Pce] Ben Campbell's Discuss on draft-ietf-pc… Ben Campbell
- Re: [Pce] Ben Campbell's Discuss on draft-ietf-pc… Dhruv Dhody
- Re: [Pce] Ben Campbell's Discuss on draft-ietf-pc… Ben Campbell