Re: [secdir] Issue with PCEP

Brian Weis <bew@cisco.com> Mon, 18 July 2011 21:11 UTC

From: Brian Weis <bew@cisco.com>
In-Reply-To: <4E1DB3F3.8080103@orange-ftgroup.com>
Date: Mon, 18 Jul 2011 14:10:56 -0700
Message-Id: <18246681-469A-4EF9-A3CB-C6DBC092473F@cisco.com>
References: <4E1DB3F3.8080103@orange-ftgroup.com>
To: Julien Meuric <julien.meuric@orange-ftgroup.com>
Cc: Adrian Farrel <adrian@olddog.co.uk>, 'JP Vasseur' <jpv@cisco.com>, secdir@ietf.org
Subject: Re: [secdir] Issue with PCEP

Hi Julien,

It's not clear to me that there would be any security issue with relaxing this restriction. A PCE application should be concerned with accepting only PCE sessions from authorized peers, and should apply integrity protection to the segments to ensure that only segments from those peers are accepted, but restricting the source port number for the TCP segments received from authorized peers doesn't seem particularly valuable to me.

Hope that helps,
Brian

On Jul 13, 2011, at 8:04 AM, Julien Meuric wrote:

> Dear Security Directorate,
> 
> In the PCE WG, an issue had been reported by several implementers of PCEP, the "Path Computation Element communication Protocol" specified in RFC 5440 (cf. the thread on http://www.ietf.org/mail-archive/web/pce/current/msg02426.html or http://tools.ietf.org/agenda/80/slides/pce-0.pdf).
> 
> This issue is related to the fact that the TCP source port of a PCEP session is fixed. To summarize, some operating systems (including Linux) are not that flexible when it comes to assigning a fixed source port.
> 
> A reasonable solution to this issue is to remove that restriction on the source port of a PCEP session. It is backward compatible with current RFC 5440 and has been agreed with the Transport Area ADs.
> 
> From a security perspective, do you see any blocking issue in moving forward with this solution?
> 
> Thank you,
> 
> Julien, PCE co-chair
> 
> _______________________________________________
> secdir mailing list
> secdir@ietf.org
> https://www.ietf.org/mailman/listinfo/secdir


-- 
Brian Weis
Security Standards and Technology, SRTG, Cisco Systems
Telephone: +1 408 526 4796
Email: bew@cisco.com
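The two points made in this exchange can be seen directly at the socket level: a TCP source port is chosen by the connecting side, so a PCE that filters on it has not authenticated its peer, and a fixed source port collides as soon as a second session to the same PCE is opened. The following is an added illustration written for this archive page; it is not code from RFC 5440, from any PCEP implementation, or from either correspondent. It assumes a loopback listener on an ephemeral port as a stand-in for a PCE (the address 127.0.0.1 and the listener port are constructed for the demonstration); the only thing taken from the protocol is the registered PCEP port number 4189.

```python
"""Added illustration for the thread above (not code from RFC 5440 or any PCEP
implementation).  A loopback TCP listener, a constructed stand-in for a PCE,
lets the client side show two things: a peer can present any source port it
likes, so a source-port restriction authenticates nothing, and a fixed source
port collides as soon as a second session to the same PCE is opened."""
import errno
import socket

PCEP_PORT = 4189        # TCP port registered for PCEP (RFC 5440)
LOOPBACK = "127.0.0.1"  # constructed test address; listeners take an ephemeral port

# errno values a second session from an already-used source port can fail with
PORT_COLLISION_ERRNOS = (errno.EADDRINUSE, errno.EADDRNOTAVAIL)


def start_pce_listener():
    """Stand-in for a PCE: a TCP listener on an ephemeral loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((LOOPBACK, 0))
    srv.listen(5)
    return srv


def connect_with_source_port(dst, src_port):
    """Open a client connection whose TCP source port is chosen by the caller.

    bind() before connect() is all an ordinary unprivileged client needs to
    pick its source port, so a PCE that trusts the source port has not
    authenticated anything.  SO_REUSEADDR only stops the port of a just-closed
    session from blocking the next bind(); it does not let two live sessions
    share one 4-tuple.
    """
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    cli.bind((LOOPBACK, src_port))
    cli.connect(dst)
    return cli


def source_port_seen_by_pce(src_port):
    """Connect with a chosen source port and return the port the PCE observes."""
    srv = start_pce_listener()
    cli = connect_with_source_port(srv.getsockname(), src_port)
    conn, (_, observed_port) = srv.accept()
    conn.close()   # PCE closes first, so TIME_WAIT lands on its side
    cli.recv(1)    # wait for the PCE's FIN, then close the client end
    cli.close()
    srv.close()
    return observed_port


def second_session_same_source_port(src_port):
    """Open two concurrent sessions to one PCE from one fixed source port.

    Returns the errno of the failure, or None if the OS allowed both.  Linux
    accepts the second bind() but refuses connect() with EADDRNOTAVAIL because
    the 4-tuple is already in use; the BSDs refuse at bind() with EADDRINUSE.
    Any PCC that needs a second session to the same PCE while keeping a fixed
    source port hits exactly this.
    """
    srv = start_pce_listener()
    dst = srv.getsockname()
    opened = [connect_with_source_port(dst, src_port)]
    err = None
    try:
        opened.append(connect_with_source_port(dst, src_port))
    except OSError as exc:
        err = exc.errno
    for _ in opened:            # reap every session that was established
        conn, _addr = srv.accept()
        conn.close()
    for sock in opened:
        sock.close()
    srv.close()
    return err


if __name__ == "__main__":
    print("PCE observed source port", source_port_seen_by_pce(PCEP_PORT))
    err = second_session_same_source_port(PCEP_PORT)
    print("second session from the same source port:",
          "allowed" if err is None else errno.errorcode.get(err, err))
```

Running the script shows the listener observing exactly the source port the client asked for (4189, no privilege required), and the second session to the same listener from that port failing. Binding 4189 here is an arbitrary choice for the demonstration; any free port behaves the same, which is the point: the source port is under the peer's control and belongs to the transport, while peer authorization and segment integrity protection are what a PCE should rely on.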