[secdir] Secdir last call review of draft-ietf-pce-pcep-stateful-pce-gmpls-21

Ivaylo Petrov via Datatracker <noreply@ietf.org> Tue, 30 May 2023 20:19 UTC

Return-Path: <noreply@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 575BDC1519BF; Tue, 30 May 2023 13:19:42 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Ivaylo Petrov via Datatracker <noreply@ietf.org>
To: secdir@ietf.org
Cc: draft-ietf-pce-pcep-stateful-pce-gmpls.all@ietf.org, last-call@ietf.org, pce@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 10.4.1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <168547798234.6588.7343048372645711779@ietfa.amsl.com>
Reply-To: Ivaylo Petrov <ivaylo@ackl.io>
Date: Tue, 30 May 2023 13:19:42 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/6wSUeRs4U0XNEu3qDyyF7NjHyrg>
Subject: [secdir] Secdir last call review of draft-ietf-pce-pcep-stateful-pce-gmpls-21
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.39
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 May 2023 20:19:42 -0000

Reviewer: Ivaylo Petrov
Review result: Has Nits

Reviewer: Ivaylo Petrov
Review result: Has Nits

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.

For context, I don't have prior experience with PCEP. From my reading of
the document, the extensions added to enable the usage of a stateful PCE
capability in GMPLS-controlled networks did not add new attack surfaces
and all relevant security considerations were provided.


- Sec 7.3, the first sentence reads confusing to me. Please consider
reformulating it. - Sec 11

   > The secure transport of PCEP specified in [RFC8253]
   > allows the usage of Transport Layer Security (TLS).  The same can
   > also be used by the PCEP extension defined in this document.

  this leaves the feeling that the use of TLS is optional, while I believe the
  intention here is to say that it's recommended and RFC8253 provides more
  details of how to implement that. Please reformulate this.