[secdir] Secdir last call review of draft-ietf-pce-stateful-hpce-11
Stephen Farrell via Datatracker <noreply@ietf.org> Tue, 27 August 2019 22:32 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 62AE91207FE; Tue, 27 Aug 2019 15:32:15 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Stephen Farrell via Datatracker <noreply@ietf.org>
To: secdir@ietf.org
Cc: pce@ietf.org, ietf@ietf.org, draft-ietf-pce-stateful-hpce.all@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.100.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Message-ID: <156694513536.5875.13874927498225306603@ietfa.amsl.com>
Date: Tue, 27 Aug 2019 15:32:15 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/J56ngChyqmcSAg51Ve9hWRoU7wc>
Subject: [secdir] Secdir last call review of draft-ietf-pce-stateful-hpce-11
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Aug 2019 22:32:16 -0000
Reviewer: Stephen Farrell Review result: Has Nits Hiya, This draft doesn't define new protocol but rather describes a way to use existing PCE stuff in what I guess is a new way. The nit I see is the usual, presumably fictional, reference to TCP-AO. I mean, if nobody actually does that, why bother? Esp. if you have a TLS option that's (I hope) less fictional. (Is TLS less fictional for PCEP btw?) OTOH, I guess that nearly everyone now knows that referring to TCP-AO is just a figleaf to try keep security nerds happy, so maybe it's ok that we all suspend disbelief;-( Other than that, I did have two questions that occurred to me, but that are by no means a reason to hold up this draft - if answers required some action, it'd almost certainly not be something that'd be fixed here. But I'm still curious:-) 1. Has anyone spent any significant amount of time/effort attempting to attack an H-PCE network as a PCEP speaker? (And written that up:-) It looks to me like there're enough moving parts here that any real stateful hierarchical PCE network could be fairly likely to have interestingly exploitable problems in the face of such an attacker. 2. I see a reference to SPEAKER-IDENTITY-TLV. I wondered if the ability to e.g. use different SubjectAltNames in x.509 certificates might create the potential for some kind of deliberate or accidental loops to be created somewhere. Again, there's no reason to hold this up to try answer (or even to understand) those questions. I'd be happy to chat over a beer with someone at IETF106 about 'em as that might be easier than a bunch of mail. Cheers, S.
- [secdir] Secdir last call review of draft-ietf-pc… Stephen Farrell via Datatracker
- Re: [secdir] Secdir last call review of draft-iet… Adrian Farrel
- Re: [secdir] Secdir last call review of draft-iet… Stephen Farrell