[secdir] Secdir last call review of draft-ietf-pce-pcep-extension-for-pce-controller-10

Yaron Sheffer via Datatracker <noreply@ietf.org> Sat, 06 February 2021 19:34 UTC

Return-Path: <noreply@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 38ADA3AD2CE; Sat, 6 Feb 2021 11:34:44 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Yaron Sheffer via Datatracker <noreply@ietf.org>
To: secdir@ietf.org
Cc: draft-ietf-pce-pcep-extension-for-pce-controller.all@ietf.org, last-call@ietf.org, pce@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 7.25.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <161264008418.17090.9500210699717988432@ietfa.amsl.com>
Reply-To: Yaron Sheffer <yaronf.ietf@gmail.com>
Date: Sat, 06 Feb 2021 11:34:44 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/HwOlHVfUaxXV-by1zubTTxLl_Fw>
Subject: [secdir] Secdir last call review of draft-ietf-pce-pcep-extension-for-pce-controller-10
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 06 Feb 2021 19:34:44 -0000

Reviewer: Yaron Sheffer
Review result: Not Ready

This document defines PCEP extensions for the RFC 8283 architecture, where the
PCE acts as a central controller in an SDN. The document is focused on specific
use cases, referred to as "basic PCECC mode".

Let me state up front that I am not familiar with the PCE architecture other
than what I read up in order to review this document. Having said that, I
suspect that there would be significant value in a security analysis of the
architecture defined here. Having each connection "authenticated and encrypted"
is table stakes nowadays, but is it really enough for very large SDN
deployments that require this level of protocol sophistication?

Details

9.1: "authenticated and encrypted" TLS sessions are typically only
authenticated by the server. Please point out explicitly that mutual
authentication is required. Also, is there no authorization? I would assume a
peer PCE Controller is allowed to do different things than a PCC. Are all PCCs
allowed to issue the same commands/queries, targeted at the same resources?

- RFC 8283 which defines the architecture that is implemented by this draft
says:

[The] security implications of SDN have not been fully discussed or described. 
Therefore, protocol and applicability work-around solutions for this
architecture must take proper account of these concerns.

It is expected that each new document that is produced for a specific use case
will also include considerations of the security impacts of the use of a
PCE-based central controller on the network type and services being managed.

I don't think that the current document addresses this challenge.

In general, this looks like a very monolithic architecture, where everybody
trusts everybody else once they've been authenticated. Although Sec. 9.1
discusses the case of a malicious PCE (which would be rather catastrophic), I
would encourage the authors to consider whether a malicious PCC can also
disrupt the PCE's operations and cause "major impact to the network".