Re: [Pce] Review of draft-ietf-pce-lsp-control-request-07
Mahend Negi <mahend.ietf@gmail.com> Sun, 25 August 2019 17:13 UTC
Return-Path: <mahend.ietf@gmail.com>
X-Original-To: pce@ietfa.amsl.com
Delivered-To: pce@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 690921200E6; Sun, 25 Aug 2019 10:13:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zMiOHXO9nuJ9; Sun, 25 Aug 2019 10:13:04 -0700 (PDT)
Received: from mail-ot1-x329.google.com (mail-ot1-x329.google.com [IPv6:2607:f8b0:4864:20::329]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A70D5120033; Sun, 25 Aug 2019 10:13:04 -0700 (PDT)
Received: by mail-ot1-x329.google.com with SMTP id c7so13144324otp.1; Sun, 25 Aug 2019 10:13:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=KAusff8vHKIEeCdG/1h5pOk4eAy5zYUDqsWsYb5I8uA=; b=HAB0zL0LecyDPfH5EMVALeLms0SN9pAvo6ZzA/akKVyYJ42dWv3sc9HBFMMk5ZNCFh ocF/uCW8lVnk6IhOLMNMD9pt2jDkezl8pnLL0YT+JgzkCew2Rc9y2Dp06QWH6O0VTPGH c6qmlSKk5L707CIV9wL2WNNWaU83PzuC6ZGzw35QX/xy9r5Uv+rjZMrydSzucli3Dw5k tq9o2DUS5kUhT3MRWu17mxL7bL2zD7KXNt0m+vYh51wlWBDjEzxThJZBKxyQzZo3I0PS zxtUPbgbervPFxN4ztOqfEpa8EoahyrGrRlVeR7jSNwrylPNoCdaT8jSrmpqzyTEGMHG lqGQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=KAusff8vHKIEeCdG/1h5pOk4eAy5zYUDqsWsYb5I8uA=; b=K65Pa7Gp9b1OKT2kRjUnJPQCwCLbr+XwBHirZCP6/tUvARrpVBFZCQBmu8WKtwRgsd QZCA5D1XKdDw5CRtc3lZs/mDlShqFUakKhD1LDq0lgY4TVW6OMIolHHQPc6z6YBOKTo4 TkkGqAJ54pmQt6OdhNVOSkyBy8AysckGCwvM1EsHWo4hb/mp40s+BbqaKVMBzq6XDF2K Buc1T1zsEh1tNM0vpZxXiNZOAzZF6+QjoYG0bNjbh4XW/L78Upa+xy/zCSymuK4d4kOZ JztDpTvEUxAkVzTb7yxDv7G1XwB1Avzs6liXKH5cw3NbryNTqhSgDzqn1xuYRQUVp1Ok 3CAw==
X-Gm-Message-State: APjAAAVV2ZRxFHtLsy3AHRDf/fZJf8TWQqWl0gJN5WGsIQVLCas8tDs3 BcfeOzAjjHCU1UUecHHu/Hl28YmZjgO3hD5yDTA=
X-Google-Smtp-Source: APXvYqw2P3F4KF99EyH83+ArR+UuPctnf6d6tFeh3wwAweWJISB+gPvOUdvNNronagUCAWfP6n0H3rOgS/TfHCBw04U=
X-Received: by 2002:a9d:61c3:: with SMTP id h3mr12530388otk.39.1566753183983; Sun, 25 Aug 2019 10:13:03 -0700 (PDT)
MIME-Version: 1.0
References: <CAChzXmauwuia34m8wVM4T8+_hB6dOWOsXdjB9E1HUc7H+GKc2g@mail.gmail.com> <CAB75xn6ULjr9qybLx696+_SBxhLmV37hFXuYbMKhFTBS8iYrvw@mail.gmail.com>
In-Reply-To: <CAB75xn6ULjr9qybLx696+_SBxhLmV37hFXuYbMKhFTBS8iYrvw@mail.gmail.com>
From: Mahend Negi <mahend.ietf@gmail.com>
Date: Sun, 25 Aug 2019 22:42:53 +0530
Message-ID: <CAM5Nu_x0DDPLEEOUqArKkE6PCauk1=13Mi0bt-KXDVstsdRyxg@mail.gmail.com>
To: shawn.emery@gmail.com, semery@uccs.edu
Cc: secdir <secdir@ietf.org>, draft-ietf-pce-lsp-control-request.all@ietf.org, pce@ietf.org, Dhruv Dhody <dhruv.ietf@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000fb6a880590f4260c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/pce/vjaxUko8v83TTntgufwhyv4Vxsk>
Subject: Re: [Pce] Review of draft-ietf-pce-lsp-control-request-07
X-BeenThere: pce@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Path Computation Element <pce.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pce>, <mailto:pce-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pce/>
List-Post: <mailto:pce@ietf.org>
List-Help: <mailto:pce-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pce>, <mailto:pce-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 25 Aug 2019 17:13:07 -0000
Hi Shawn/Dhruv, Thanks for the review and clarifications, we have fixed all the editorial comments in new version. New Version: https://tools.ietf.org/html/draft-ietf-pce-lsp-control-request-08 Version Diff: https://www.ietf.org/rfcdiff?url2=draft-ietf-pce-lsp-control-request-08 Regards, Mahendra On Tue, Aug 20, 2019 at 11:14 AM Dhruv Dhody <dhruv.ietf@gmail.com> wrote: > Hi Shawn, > > <adding WG> > > Thanks for your security review and comments. > > On Mon, Aug 19, 2019 at 6:17 AM Shawn Emery <shawn.emery@gmail.com> wrote: > > > > Reviewer: Shawn M. Emery > > Review result: Ready > > > > I have reviewed this document as part of the security directorate's > > ongoing effort to review all IETF documents being processed by the IESG. > > These comments were written primarily for the benefit of the security > > area directors. Document editors and WG chairs should treat these > > comments just like any other last call comments. > > > > This draft specifies an extension to the Path Computation Element > communication > > Protocol (PCE) that allows a PCE to request control of Label Switched > Paths (LSPs). > > > > The security considerations section does exist and discusses a new DoS > vector > > that this draft creates. The attack involves sending control requests > for delegate > > control of all of its LSPs to the Path Computation Client (PCC). The > proposed > > solution is to set a threshold rate of the delegation requests for the > PCC per PCE. > > I agree with the proposed solution, though I don't know if guidance can > be provided > > on what these thresholds would be per environment. > > > > As you noted the document does not provide default for the threshold > as it dependent on the deployment/environment. The same is true for > RFC 8231. > > > The section goes on to refer to RFC 8231 to justify that the PCP > extension should > > be deployed with authenticated and encrypted sessions in TLS using RFC > 8253. > > I agree with this prescription as well else an attacker would now be > able to take > > control over all local LSPs with this extension. I think that this > should at least be > > stated if an attacker is able to compromise a PCE. > > > > The security consideration includes "...either by spoofing messages or > by compromising the PCE itself". > > > General comments: > > > > None. > > > > Editorial comments: > > > > s/sends PCRpt/sends a PCRpt/ > > s/also specify/also specifies/ > > s/all its/all of its/ > > s/If threshold/If the threshold/ > > s/explicitly set aside/explicitly excluded/ > > > > Thanks for these, request authors to handle them. > > Thanks! > Dhruv > > > Shawn. > > -- >
- Re: [Pce] Review of draft-ietf-pce-lsp-control-re… Dhruv Dhody
- Re: [Pce] Review of draft-ietf-pce-lsp-control-re… Mahend Negi
- Re: [Pce] Review of draft-ietf-pce-lsp-control-re… Shawn Emery