Re: [secdir] Issue with PCEP

Julien Meuric <julien.meuric@orange-ftgroup.com> Tue, 19 July 2011 08:43 UTC

Return-Path: <julien.meuric@orange-ftgroup.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4CE3821F8784 for <secdir@ietfa.amsl.com>; Tue, 19 Jul 2011 01:43:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.209
X-Spam-Level:
X-Spam-Status: No, score=-102.209 tagged_above=-999 required=5 tests=[AWL=1.040, BAYES_00=-2.599, HELO_EQ_FR=0.35, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ySZ9+zTH7DN5 for <secdir@ietfa.amsl.com>; Tue, 19 Jul 2011 01:43:19 -0700 (PDT)
Received: from p-mail1.rd.francetelecom.com (p-mail1.rd.francetelecom.com [195.101.245.15]) by ietfa.amsl.com (Postfix) with ESMTP id 7164B21F8782 for <secdir@ietf.org>; Tue, 19 Jul 2011 01:43:19 -0700 (PDT)
Received: from p-mail1.rd.francetelecom.com (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 0DFF28B8008; Tue, 19 Jul 2011 10:44:06 +0200 (CEST)
Received: from ftrdsmtp1.rd.francetelecom.fr (unknown [10.192.128.46]) by p-mail1.rd.francetelecom.com (Postfix) with ESMTP id 03D5B8B8002; Tue, 19 Jul 2011 10:44:06 +0200 (CEST)
Received: from ftrdmel10.rd.francetelecom.fr ([10.192.128.44]) by ftrdsmtp1.rd.francetelecom.fr with Microsoft SMTPSVC(6.0.3790.4675); Tue, 19 Jul 2011 10:43:17 +0200
Received: from [10.193.71.247] ([10.193.71.247]) by ftrdmel10.rd.francetelecom.fr with Microsoft SMTPSVC(6.0.3790.4675); Tue, 19 Jul 2011 10:43:17 +0200
Message-ID: <4E2543A5.4010805@orange-ftgroup.com>
Date: Tue, 19 Jul 2011 10:43:17 +0200
From: Julien Meuric <julien.meuric@orange-ftgroup.com>
Organization: France Telecom
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.17) Gecko/20110424 Lightning/1.0b2 Thunderbird/3.1.10
MIME-Version: 1.0
To: Brian Weis <bew@cisco.com>
References: <4E1DB3F3.8080103@orange-ftgroup.com> <18246681-469A-4EF9-A3CB-C6DBC092473F@cisco.com>
In-Reply-To: <18246681-469A-4EF9-A3CB-C6DBC092473F@cisco.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
X-OriginalArrivalTime: 19 Jul 2011 08:43:17.0866 (UTC) FILETIME=[E7FF24A0:01CC45EF]
X-Mailman-Approved-At: Tue, 19 Jul 2011 06:14:39 -0700
Cc: Adrian Farrel <adrian@olddog.co.uk>, 'JP Vasseur' <jpv@cisco.com>, secdir@ietf.org
Subject: Re: [secdir] Issue with PCEP
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2011 08:43:20 -0000

Hi Brian.

At this stage, we do not look for a deeper security analysis. Your 
answer is actually helpful, so thank you for your valuable feedback.

Cheers,

Julien


On 18/07/2011 23:10, Brian Weis wrote:
> Hi Julien,
>
> It's not clear to me that there would be any security issue with relaxing this restriction. A PCE application should be concerned with accepting only PCE sessions from authorized peers, and should apply integrity protection to the segments to ensure that only segments from those peers are accepted, but restricting the source port number for the TCP segments received from authorized peers doesn't seem particularly valuable to me.
>
> Hope that helps,
> Brian
>
> On Jul 13, 2011, at 8:04 AM, Julien Meuric wrote:
>
>> Dear Security Directorate,
>>
>> In the PCE WG, an issue had been reported by several implementers of PCEP, the "Path Computation Element communication Protocol" specified in RFC 5440 (cf. the thread on http://www.ietf.org/mail-archive/web/pce/current/msg02426.html or http://tools.ietf.org/agenda/80/slides/pce-0.pdf).
>>
>> This issue is related to the fact that the TCP source port of a PCEP session is fixed. To summarize, some operating systems (including Linux) are not that flexible when it comes to assigning a fixed source port.
>>
>> A reasonable solution to this issue is to remove that restriction on the source port of a PCEP session. It is backward compatible with current RFC 5440 and has been agreed with the Transport Area ADs.
>>
>> From a security perspective, do you see any blocking issue in moving forward with this solution?
>>
>> Thank you,
>>
>> Julien, PCE co-chair
>>
>> _______________________________________________
>> secdir mailing list
>> secdir@ietf.org
>> https://www.ietf.org/mailman/listinfo/secdir
>
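Added example, not part of the secdir thread or of any PCEP implementation: a loopback demo of the acceptance policy Brian describes. The listener decides whether to accept a session from the peer's address (standing in here for the peer authorization and the segment integrity protection, which RFC 5440 leaves to the TCP MD5 signature option) and, optionally, from the peer's source port, which is the RFC 5440 restriction the PCE WG proposes to drop. It also shows the operating-system side of Julien's report: once a session opened from the fixed port is closed, the local end sits in TIME_WAIT and a plain bind() to that port fails until the kernel reaps it. The allow-list, the listener's one-shot behaviour and the helper names are assumptions made for this example; the port number 4189 is the IANA-assigned PCEP port.

```python
"""Loopback demo of PCEP peer acceptance with and without the fixed-source-port rule.

Added example for the secdir thread on RFC 5440; not the project's own code.
"""
import errno
import socket
import threading

PCEP_PORT = 4189                     # IANA-assigned PCEP port (RFC 5440)
AUTHORIZED_PEERS = {"127.0.0.1"}     # constructed allow-list for the demo


def session_allowed(peer_addr, peer_port, require_fixed_source_port):
    """Policy check a PCE runs on an incoming TCP session.

    Authorization is by peer identity (address here; in a real PCE the
    address plus TCP-MD5/TCP-AO on every segment).  The source-port test is
    the RFC 5440 restriction under discussion: a host that can use an
    authorized address can just as easily pick port 4189, so the test adds
    no security, while it does constrain the client's TCP stack.
    """
    if peer_addr not in AUTHORIZED_PEERS:
        return False, "peer not authorized"
    if require_fixed_source_port and peer_port != PCEP_PORT:
        return False, "source port %d != %d" % (peer_port, PCEP_PORT)
    return True, "accepted"


def run_listener(require_fixed_source_port, decisions, ready):
    """One-shot PCE listener on an OS-chosen loopback port (assumed helper)."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    ready["port"] = srv.getsockname()[1]
    ready["event"].set()
    conn, (addr, port) = srv.accept()
    ok, why = session_allowed(addr, port, require_fixed_source_port)
    conn.sendall(b"OPEN\n" if ok else b"CLOSE\n")
    decisions.append((port, ok, why))
    conn.recv(1)      # wait for the client's FIN so the client is the active closer
    conn.close()
    srv.close()


def open_session(fixed_source_port, require_fixed_source_port):
    """Connect to a one-shot listener, from a fixed source port if one is given.

    Returns the listener's decision plus the source port the kernel ended up
    using, so the caller can see what the PCE actually observed.
    """
    decisions, ready = [], {"event": threading.Event()}
    t = threading.Thread(target=run_listener,
                         args=(require_fixed_source_port, decisions, ready))
    t.start()
    ready["event"].wait()
    cli = socket.socket()
    if fixed_source_port is not None:
        # SO_REUSEADDR lets this demo rerun while an earlier session from
        # port 4189 is still in TIME_WAIT; the 4-tuple differs because the
        # listener port is fresh each time.
        cli.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        cli.bind(("127.0.0.1", fixed_source_port))
    cli.connect(("127.0.0.1", ready["port"]))
    reply = cli.recv(16)
    cli.close()       # active close: this end goes to TIME_WAIT
    t.join()
    port, ok, why = decisions[0]
    return {"source_port": port, "accepted": ok, "reason": why, "reply": reply}


def bind_fixed_port_plain(port=PCEP_PORT):
    """Try a plain bind() to the fixed port, as a stack without SO_REUSEADDR
    tricks would.  Right after a session from that port was closed, Linux
    typically answers EADDRINUSE while the old 4-tuple sits in TIME_WAIT;
    that is the inflexibility the implementers reported.  Returns the errno
    (0 on success) rather than asserting, since the outcome is timing- and
    OS-dependent."""
    s = socket.socket()
    try:
        s.bind(("127.0.0.1", port))
        return 0
    except OSError as exc:
        return exc.errno
    finally:
        s.close()


if __name__ == "__main__":
    print("ephemeral port, relaxed rule :", open_session(None, False))
    print("ephemeral port, RFC 5440 rule:", open_session(None, True))
    print("fixed port 4189, RFC 5440 rule:", open_session(PCEP_PORT, True))
    rc = bind_fixed_port_plain()
    print("plain bind() to 4189 afterwards:",
          "ok" if rc == 0 else "%s (%s)" % (errno.errorcode.get(rc, rc), rc))
```

The three sessions show the point of the thread: with an authorized peer, the relaxed rule accepts a session from any source port, and the only thing the fixed-port rule ever rejects is a legitimate peer whose kernel handed out an ephemeral port. Run the module a second time within a minute or two to see the TIME_WAIT failure on the plain bind().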