Re: [Pce] Roman Danyliw's Discuss on draft-ietf-pce-stateful-hpce-13: (with DISCUSS and COMMENT)

Roman Danyliw <rdd@cert.org> Tue, 15 October 2019 22:25 UTC

Return-Path: <rdd@cert.org>
X-Original-To: pce@ietfa.amsl.com
Delivered-To: pce@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EBD1512080A; Tue, 15 Oct 2019 15:25:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZvXmYIhApYxs; Tue, 15 Oct 2019 15:25:51 -0700 (PDT)
Received: from taper.sei.cmu.edu (taper.sei.cmu.edu [147.72.252.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 893BD1200F7; Tue, 15 Oct 2019 15:25:51 -0700 (PDT)
Received: from delp.sei.cmu.edu (delp.sei.cmu.edu [10.64.21.31]) by taper.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id x9FMPoS5026070; Tue, 15 Oct 2019 18:25:50 -0400
DKIM-Filter: OpenDKIM Filter v2.11.0 taper.sei.cmu.edu x9FMPoS5026070
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1571178350; bh=+3hqXUS11WVthtasJw81GHl4dcHQsnZcA+QL2iR7WzU=; h=From:To:CC:Subject:Date:References:In-Reply-To:From; b=rZYgLfY4lY0wKaSoX6+dvKX8BSB3vnspqGFIf6JSsBpcPyL9L6HrIJZQiK+rH9Bjo hI2q3rAPOwSspWDdnz3b67ABdR5n/h+OkYNGUqzsgz82FEkOv5yH1X8lFj+J7l4jnp 4sfT6S1ZhGgw4ShLcV1s5umjldRp62lj9hf80Qnc=
Received: from CASCADE.ad.sei.cmu.edu (cascade.ad.sei.cmu.edu [10.64.28.248]) by delp.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id x9FMPUjm036416; Tue, 15 Oct 2019 18:25:30 -0400
Received: from MARATHON.ad.sei.cmu.edu ([10.64.28.250]) by CASCADE.ad.sei.cmu.edu ([10.64.28.248]) with mapi id 14.03.0468.000; Tue, 15 Oct 2019 18:25:30 -0400
From: Roman Danyliw <rdd@cert.org>
To: Dhruv Dhody <dhruv.ietf@gmail.com>
CC: The IESG <iesg@ietf.org>, "draft-ietf-pce-stateful-hpce@ietf.org" <draft-ietf-pce-stateful-hpce@ietf.org>, Adrian Farrel <adrian@olddog.co.uk>, pce-chairs <pce-chairs@ietf.org>, "pce@ietf.org" <pce@ietf.org>
Thread-Topic: Roman Danyliw's Discuss on draft-ietf-pce-stateful-hpce-13: (with DISCUSS and COMMENT)
Thread-Index: AQHVbiuII21UIjGvb0mDsawT8qEFbqc7KQyAgCFIu1A=
Date: Tue, 15 Oct 2019 22:25:29 +0000
Message-ID: <359EC4B99E040048A7131E0F4E113AFC01B3489AF0@marathon>
References: <156881612137.4479.15191325652251719065.idtracker@ietfa.amsl.com> <CAB75xn7ffQRzKdiHf3U5asnFuOenBQoeHT-ER1Bdd=zeieiXtQ@mail.gmail.com>
In-Reply-To: <CAB75xn7ffQRzKdiHf3U5asnFuOenBQoeHT-ER1Bdd=zeieiXtQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.64.22.6]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/pce/yf1rDh_8CQISn5SbFFXPPxxd45o>
Subject: Re: [Pce] Roman Danyliw's Discuss on draft-ietf-pce-stateful-hpce-13: (with DISCUSS and COMMENT)
X-BeenThere: pce@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Path Computation Element <pce.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pce>, <mailto:pce-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pce/>
List-Post: <mailto:pce@ietf.org>
List-Help: <mailto:pce-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pce>, <mailto:pce-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Oct 2019 22:25:55 -0000

Hello Dhruv!

-14 addresses my concerns.  Thank you for making these edits.

> -----Original Message-----
> From: Dhruv Dhody [mailto:dhruv.ietf@gmail.com]
> Sent: Tuesday, September 24, 2019 10:06 AM
> To: Roman Danyliw <rdd@cert.org>
> Cc: The IESG <iesg@ietf.org>rg>; draft-ietf-pce-stateful-hpce@ietf.org; Adrian
> Farrel <adrian@olddog.co.uk>uk>; pce-chairs <pce-chairs@ietf.org>rg>;
> pce@ietf.org
> Subject: Re: Roman Danyliw's Discuss on draft-ietf-pce-stateful-hpce-13:
> (with DISCUSS and COMMENT)
> 
> Hi Roman,
> 
> Thanks for your review.
> 
> On Wed, Sep 18, 2019 at 7:45 PM Roman Danyliw via Datatracker
> <noreply@ietf.org> wrote:
> >
> > Roman Danyliw has entered the following ballot position for
> > draft-ietf-pce-stateful-hpce-13: Discuss
> >
> > When responding, please keep the subject line intact and reply to all
> > email addresses included in the To and CC lines. (Feel free to cut
> > this introductory paragraph, however.)
> >
> >
> > Please refer to
> > https://www.ietf.org/iesg/statement/discuss-criteria.html
> > for more information about IESG DISCUSS and COMMENT positions.
> >
> >
> > The document, along with other ballot positions, can be found here:
> > https://datatracker.ietf.org/doc/draft-ietf-pce-stateful-hpce/
> >
> >
> >
> > ----------------------------------------------------------------------
> > DISCUSS:
> > ----------------------------------------------------------------------
> >
> > ** Section 4.  Per “The security considerations listed in [RFC8231],
> > [RFC6805] and [RFC5440] apply to this document as well. As per
> > [RFC6805], it is expected that the parent PCE will require all child
> > PCEs to use full security when communicating with the parent.”, the
> > references make sense, thanks for making them.  My concern is in the
> > definition of “use full security”.  I can see those words come from
> > RFC6805, however, I can't find where that set of practices is defined.  Can
> this please be clarified.
> >
> 
> How about we update to "..full security (i.e. the highest security mechanism
> available for PCEP)"?

The -14 text addresses my concerns.  Thank you.

> >
> > ----------------------------------------------------------------------
> > COMMENT:
> > ----------------------------------------------------------------------
> >
> > ** Section 4.  Per the recommendation to use TLS _or_ TCP-AO.
> > -- I take the point from the SECDIR (thanks Stephen Farrell) about the
> > (lack
> > of) deployment of AO.  My caution would be that TLS and TCP-AO provide
> > different security mechanism and therefore imbue different security
> > properties and this should be noted. (i.e., this isn’t a choice
> > between like options)
> >
> 
> How about I make at "..and/or.."? RFC8253 encourages the use of TCP-AO
> alongside TLS. This could do the trick of removing the sense of choice
> without adding more text.
> 
> > -- As an editorial nit, it would be worth saying that guidance for
> > implementing using TLS with PCEP can be found in RFC8232.
> >
> 
> You mean RFC 8253 right? Updated text -

Oops. Yes, RFC8253.

>    Thus it is RECOMMENDED to secure the PCEP session (between the P-PCE
>    and the C-PCE) using Transport Layer Security (TLS) [RFC8446] (per
>    the recommendations and best current practices in [RFC7525]) and/or
>    TCP Authentication Option (TCP-AO) [RFC5925]. The guidance for
>    implementing PCEP with TLS can be found in [RFC8253].
> 
> > ** Editorial Nits:
> > Title.  Is the period at the end of the title necessary?
> >
> >
> 
> Removed.

Regards,
Roman

> Thanks!
> Dhruv