Hi, Diego,
Some responses below to some specific points:
On 2/6/2014 12:44 AM, Diego R. Lopez wrote:
> Hi Adrian, Joe,
>
> Thanks for the review. It will really help in putting the draft in a
> better shape. We are preparing a new version and the replies below will
> be reflected there.
...
>>> 2.1. TCP ports
>>>
>>> The default destination port number for PCEPS is TCP/XXXX.
>>>
>>> NOTE: This port has to be agreed and registered as PCEPS with IANA.
>>
>> PCEP already is assigned to port 4189. RFC5440 already permits PCEP
>> connections to use either TCP MD5 or TCP-AO, but at the time of that
>> document there was no TCP-AO to reference.
>>
>> As a result it should be trivial for a PCEP server to differentiate pcep
>> vs. pceps connections:
>>
>>    MD5 must be pcep, and already don't use TLS
>>    TCP-AO must be pceps, and thus must include TLS
>>    connections using neither MD5 nor TCP-AO must be pceps,
>>       and thus must include TLS
>>
>> I don't see a rationale for needing a separate port.
>
> The rationale is the common practice derived from the TLS layered
> approach, so a client knows how and when to require the server to start a
> TLS connection, and the server knows in advance what the client is
> requiring and matches it against its policy.

That is common when there is no other way to determine whether a
connection uses TLS or not (and even then it is at best a performance
optimization).

> The use of TCP protection must be orthogonal to the use of TLS, so it
> cannot be used for the server making a guess of the protocol
> security encapsulation.

TCP protection isn't orthogonal to TLS for pcep as currently specified;
see the table above. The only connections that can use TLS would be
those that do not use TCP MD5 (see the list of cases above).

> Either we have a protocol-specific mechanism (a-la-STARTTLS) or we
> use a specific port.
...
For every connection, you already know the mode before the connection
starts. If the connection is configured to require TCP MD5, then there
is no TLS. If not, then there must be TLS.

There are no protocol changes required to make this happen; you just
need to use the information you already have.
...
>>> 4. Backward Compatibility
>>>
>>> Since the procedure described in this document describes a security
>>> container for the transport of PCEP requests and replies carried on a
>>> newly allocated TCP port there will be no impact on the base PCEP
>>> and/or any further extensions.
>>
>> See my comment above; I agree, but not because a new port is needed.
>
> As said above, not using a different port would translate into
> requiring an additional protocol element, so clients could express
> their request to start a TLS connection.

That information isn't needed; you already have to know in advance
whether you require them to use TCP MD5 or not. That's enough
information to know whether it's TLS or not too.
Joe
_______________________________________________
Pce mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/pce