Re: [Pce] Roman Danyliw's Discuss on draft-ietf-pce-stateful-hpce-13: (with DISCUSS and COMMENT)
Roman Danyliw <rdd@cert.org> Tue, 15 October 2019 22:25 UTC
Return-Path: <rdd@cert.org>
X-Original-To: pce@ietfa.amsl.com
Delivered-To: pce@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EBD1512080A; Tue, 15 Oct 2019 15:25:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZvXmYIhApYxs; Tue, 15 Oct 2019 15:25:51 -0700 (PDT)
Received: from taper.sei.cmu.edu (taper.sei.cmu.edu [147.72.252.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 893BD1200F7; Tue, 15 Oct 2019 15:25:51 -0700 (PDT)
Received: from delp.sei.cmu.edu (delp.sei.cmu.edu [10.64.21.31]) by taper.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id x9FMPoS5026070; Tue, 15 Oct 2019 18:25:50 -0400
DKIM-Filter: OpenDKIM Filter v2.11.0 taper.sei.cmu.edu x9FMPoS5026070
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1571178350; bh=+3hqXUS11WVthtasJw81GHl4dcHQsnZcA+QL2iR7WzU=; h=From:To:CC:Subject:Date:References:In-Reply-To:From; b=rZYgLfY4lY0wKaSoX6+dvKX8BSB3vnspqGFIf6JSsBpcPyL9L6HrIJZQiK+rH9Bjo hI2q3rAPOwSspWDdnz3b67ABdR5n/h+OkYNGUqzsgz82FEkOv5yH1X8lFj+J7l4jnp 4sfT6S1ZhGgw4ShLcV1s5umjldRp62lj9hf80Qnc=
Received: from CASCADE.ad.sei.cmu.edu (cascade.ad.sei.cmu.edu [10.64.28.248]) by delp.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id x9FMPUjm036416; Tue, 15 Oct 2019 18:25:30 -0400
Received: from MARATHON.ad.sei.cmu.edu ([10.64.28.250]) by CASCADE.ad.sei.cmu.edu ([10.64.28.248]) with mapi id 14.03.0468.000; Tue, 15 Oct 2019 18:25:30 -0400
From: Roman Danyliw <rdd@cert.org>
To: Dhruv Dhody <dhruv.ietf@gmail.com>
CC: The IESG <iesg@ietf.org>, "draft-ietf-pce-stateful-hpce@ietf.org" <draft-ietf-pce-stateful-hpce@ietf.org>, Adrian Farrel <adrian@olddog.co.uk>, pce-chairs <pce-chairs@ietf.org>, "pce@ietf.org" <pce@ietf.org>
Thread-Topic: Roman Danyliw's Discuss on draft-ietf-pce-stateful-hpce-13: (with DISCUSS and COMMENT)
Thread-Index: AQHVbiuII21UIjGvb0mDsawT8qEFbqc7KQyAgCFIu1A=
Date: Tue, 15 Oct 2019 22:25:29 +0000
Message-ID: <359EC4B99E040048A7131E0F4E113AFC01B3489AF0@marathon>
References: <156881612137.4479.15191325652251719065.idtracker@ietfa.amsl.com> <CAB75xn7ffQRzKdiHf3U5asnFuOenBQoeHT-ER1Bdd=zeieiXtQ@mail.gmail.com>
In-Reply-To: <CAB75xn7ffQRzKdiHf3U5asnFuOenBQoeHT-ER1Bdd=zeieiXtQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.64.22.6]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/pce/yf1rDh_8CQISn5SbFFXPPxxd45o>
Subject: Re: [Pce] Roman Danyliw's Discuss on draft-ietf-pce-stateful-hpce-13: (with DISCUSS and COMMENT)
X-BeenThere: pce@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Path Computation Element <pce.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pce>, <mailto:pce-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pce/>
List-Post: <mailto:pce@ietf.org>
List-Help: <mailto:pce-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pce>, <mailto:pce-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Oct 2019 22:25:55 -0000
Hello Dhruv! -14 addresses my concerns. Thank you for making these edits. > -----Original Message----- > From: Dhruv Dhody [mailto:dhruv.ietf@gmail.com] > Sent: Tuesday, September 24, 2019 10:06 AM > To: Roman Danyliw <rdd@cert.org> > Cc: The IESG <iesg@ietf.org>; draft-ietf-pce-stateful-hpce@ietf.org; Adrian > Farrel <adrian@olddog.co.uk>; pce-chairs <pce-chairs@ietf.org>; > pce@ietf.org > Subject: Re: Roman Danyliw's Discuss on draft-ietf-pce-stateful-hpce-13: > (with DISCUSS and COMMENT) > > Hi Roman, > > Thanks for your review. > > On Wed, Sep 18, 2019 at 7:45 PM Roman Danyliw via Datatracker > <noreply@ietf.org> wrote: > > > > Roman Danyliw has entered the following ballot position for > > draft-ietf-pce-stateful-hpce-13: Discuss > > > > When responding, please keep the subject line intact and reply to all > > email addresses included in the To and CC lines. (Feel free to cut > > this introductory paragraph, however.) > > > > > > Please refer to > > https://www.ietf.org/iesg/statement/discuss-criteria.html > > for more information about IESG DISCUSS and COMMENT positions. > > > > > > The document, along with other ballot positions, can be found here: > > https://datatracker.ietf.org/doc/draft-ietf-pce-stateful-hpce/ > > > > > > > > ---------------------------------------------------------------------- > > DISCUSS: > > ---------------------------------------------------------------------- > > > > ** Section 4. Per “The security considerations listed in [RFC8231], > > [RFC6805] and [RFC5440] apply to this document as well. As per > > [RFC6805], it is expected that the parent PCE will require all child > > PCEs to use full security when communicating with the parent.”, the > > references make sense, thanks for making them. My concern is in the > > definition of “use full security”. I can see those words come from > > RFC6805, however, I can't find where that set of practices is defined. Can > this please be clarified. > > > > How about we update to "..full security (i.e. the highest security mechanism > available for PCEP)"? The -14 text addresses my concerns. Thank you. > > > > ---------------------------------------------------------------------- > > COMMENT: > > ---------------------------------------------------------------------- > > > > ** Section 4. Per the recommendation to use TLS _or_ TCP-AO. > > -- I take the point from the SECDIR (thanks Stephen Farrell) about the > > (lack > > of) deployment of AO. My caution would be that TLS and TCP-AO provide > > different security mechanism and therefore imbue different security > > properties and this should be noted. (i.e., this isn’t a choice > > between like options) > > > > How about I make at "..and/or.."? RFC8253 encourages the use of TCP-AO > alongside TLS. This could do the trick of removing the sense of choice > without adding more text. > > > -- As an editorial nit, it would be worth saying that guidance for > > implementing using TLS with PCEP can be found in RFC8232. > > > > You mean RFC 8253 right? Updated text - Oops. Yes, RFC8253. > Thus it is RECOMMENDED to secure the PCEP session (between the P-PCE > and the C-PCE) using Transport Layer Security (TLS) [RFC8446] (per > the recommendations and best current practices in [RFC7525]) and/or > TCP Authentication Option (TCP-AO) [RFC5925]. The guidance for > implementing PCEP with TLS can be found in [RFC8253]. > > > ** Editorial Nits: > > Title. Is the period at the end of the title necessary? > > > > > > Removed. Regards, Roman > Thanks! > Dhruv
- [Pce] Roman Danyliw's Discuss on draft-ietf-pce-s… Roman Danyliw via Datatracker
- Re: [Pce] Roman Danyliw's Discuss on draft-ietf-p… Dhruv Dhody
- Re: [Pce] Roman Danyliw's Discuss on draft-ietf-p… Roman Danyliw