[Pce] AD review of draft-ietf-pce-pceps-tls13-02

[John Scudder]

Hi Authors,

Thanks for this document. Looks good, I've requested IETF last call.

A couple of notes below, they didn't seem worth holding up the last call for, 
but please consider them for your next revision.
 
- "what PCEPS implementations do if a PCEPS supports more than one version". I 
don't think PCEPS (second occurrence) takes an article (i.e. referring to "a 
PCEPS" is weird). Some rewrite seems called for, perhaps s/a PCEPS/one/.

- "neither the PCC nor the PCE should establish a PCEPS with
   TLS connection with an unknown, unexpected, or incorrectly identified
   peer;"
   
Isn't "PCEPS with TLS" redundant, doesn't the ess in PCEPS imply TLS? In which 
case, just drop "with TLS". (See also, "ATM machine" :-)

Thanks,

—John
___
Pce mailing list
Pce@ietf.org
https://www.ietf.org/mailman/listinfo/pce

Re: [Pce] RtgDir Early review: draft-ietf-pce-pceps-tls13-02

[Sean Turner]

> On Nov 13, 2023, at 04:07, Tal Mizrahi  wrote:
> 
> Hello
> 
> I have been selected to do a routing directorate “early” review of this draft.
> https://datatracker.ietf.org/doc/draft-ietf-pce-pceps-tls13/

Hi! And, thanks for your review. I have created an issue to track this review:
https://github.com/ietf-wg-pce/draft-ietf-pce-pceps-tls13/issues/15

> The routing directorate will, on request from the working group chair,
> perform an “early” review of a draft before it is submitted for
> publication to the IESG. The early review can be performed at any time
> during the draft’s lifetime as a working group document.
> 
> For more information about the Routing Directorate, please see
> https://wiki.ietf.org/en/group/rtg/RtgDir
> 
> Document: draft-ietf-pce-pceps-tls13-02
> Reviewer: Tal Mizrahi
> Review Date: Nov 13, 2023
> Intended Status: Standards Track
> 
> Summary:
> I have some concerns about this document that I think should be
> resolved before it is submitted to the IESG.
> 
> Comments:
> The draft is clear and straightforward. There is one main comment that
> needs to be addressed.
> 
> Major comment:
> The "Security Considerations" section needs to describe the security
> considerations that are specific to the current document. For example,
> the second note of Section 3, and perhaps some more text that explains
> why this is important. The existing text in this section is not
> helpful to the reader. The section cites 9 references with a brief
> description of each reference, but without the description of the
> security considerations of each reference. The last paragraph of the
> section - is it relevant to the current document? It would be best to
> stick with security considerations that are strictly relevant to the
> current document, and not to PCE in general.

Ah yes, I “fixed” the main body and ignored the Security Considerations. I tend 
to agree we should edit it.

Since this I-D is essentially adding a couple of bullets to an existing RFC, we 
are adopting all of those considerations and the PCEP considerations. This I-D 
also addresses TLS 1.2 and TLS 1.3 protocols and recommendations for those 
protocols. So, that’s the 1st para. Note the WG asked to add more PCEP related 
security considerations; see:
https://github.com/ietf-wg-pce/draft-ietf-pce-pceps-tls13/pull/10/files

I tend to think the 2nd and 3rd paragraph can be dropped entirely now.

As for repeating/expanding on the 2nd NOTE in s3: if the text of this I-D was 
incorporated in a replacement for RFC 8253 and was 10 pages away from the 
security considerations. I could see repeating/expanding it. As it is right 
now, that bullet is immediately proceeds the Security Considerations. Further, 
that text is additionally incorporated by reference from TLS 1.3 and RFC 9325 
so I tend to think it’s kind of covered and doesn’t need more text.  Again, I 
could see repeating the bullet or moving that bullet, but because this document 
is so short it seems like overkill.

I created a PR that incorporates these changes:
https://github.com/ietf-wg-pce/draft-ietf-pce-pceps-tls13/issues/15

>> https://www.ietf.org/archive/id/draft-ietf-pce-pceps-tls13-02.html#name-security-considerations
>>  ?
>> 
>> As for expanding on the 2nd note, I think repeating the text is a bad idea - 
>> I’d rather refer there again as follows:
>> 
>> As noted in Section 3, Section 2.3 of [I-D.ietf-tls-rfc8446bis] identifies 
>> that the security properties for early data are weaker than those for 
>> subsequent TLS-protected data. In particular, early data is not forward 
>> secret, and there is no protection against the replay of early data between 
>> connections.

> Nits:
> - "if a PCEPS supports more than one version" - the sentence is not
> clear. Perhaps "if a PCEPS implementation supports more than one
> version"?
> - Section 4 - second paragraph - there is a missing period at the end
> of the paragraph.

Fixed these via:
https://github.com/ietf-wg-pce/draft-ietf-pce-pceps-tls13/pull/13

Cheers,
spt
___
Pce mailing list
Pce@ietf.org
https://www.ietf.org/mailman/listinfo/pce

Re: [Pce] AD review of draft-ietf-pce-pceps-tls13-02

[Sean Turner]

> On Dec 5, 2023, at 12:03, John Scudder  wrote:
> 
> Hi Authors,
> 
> Thanks for this document. Looks good, I've requested IETF last call.
> 
> A couple of notes below, they didn't seem worth holding up the last call for, 
> but please consider them for your next revision.
> 
> - "what PCEPS implementations do if a PCEPS supports more than one version". 
> I don't think PCEPS (second occurrence) takes an article (i.e. referring to 
> "a PCEPS" is weird). Some rewrite seems called for, perhaps s/a PCEPS/one/.

This was also noted during the RTGDIR review. I suggested the following change:
https://github.com/ietf-wg-pce/draft-ietf-pce-pceps-tls13/pull/13/files

> - "neither the PCC nor the PCE should establish a PCEPS with
>   TLS connection with an unknown, unexpected, or incorrectly identified
>   peer;"
> 
> Isn't "PCEPS with TLS" redundant, doesn't the ess in PCEPS imply TLS? In 
> which case, just drop "with TLS". (See also, "ATM machine" :-)

It is! It would also be like saying HTTPS with TLS :) I did end deleting that 
para though while addressing the RTGDIR comments.

> Thanks,
> 
> —John

Cheers,
spt
___
Pce mailing list
Pce@ietf.org
https://www.ietf.org/mailman/listinfo/pce

[Pce] Last Call: (Updates for PCEPS: TLS Connection Establishment Restrictions) to Proposed Standard

[The IESG]

The IESG has received a request from the Path Computation Element WG (pce) to
consider the following document: - 'Updates for PCEPS: TLS Connection
Establishment Restrictions'
   as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the
last-c...@ietf.org mailing lists by 2023-12-19. Exceptionally, comments may
be sent to i...@ietf.org instead. In either case, please retain the beginning
of the Subject line to allow automated sorting.

Abstract


   Section 3.4 of RFC 8253 specifies TLS connection establishment
   restrictions for PCEPS; PCEPS refers to usage of TLS to provide a
   secure transport for PCEP (Path Computation Element Communication
   Protocol).  This document adds restrictions to specify what PCEPS
   implementations do if a PCEPS supports more than one version of the
   TLS protocol and to restrict the use of TLS 1.3’s early data.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-pce-pceps-tls13/



No IPR declarations have been submitted directly on this I-D.


The document contains these normative downward references.
See RFC 3967 for additional information: 
draft-ietf-tls-rfc8446bis: The Transport Layer Security (TLS) Protocol 
Version 1.3 (None - Internet Engineering Task Force (IETF))




___
Pce mailing list
Pce@ietf.org
https://www.ietf.org/mailman/listinfo/pce