s.3 At first, I was unsure whether or not both parties sent a StartTLS.

"The StartTLS message is a PCEP message sent by a PCC to a PCE and by a PCE to a PCC" suggests both; "Once the TCP connection has been successfully established, the first message sent by the PCC to the PCE or by the PCE to the PCC MUST be a StartTLS message" suggests only one. Section 3.3 makes it clearer that both send it. This is fine, but I am unaware of any other protocol where this happens, so I would suggest /or/and/ in that second sentence and expanding the earlier sentence:

OLD
2. Initiating the TLS Procedures by the StartTLS message.

NEW
2. Initiating the TLS Procedures by the StartTLS message from PCE to PCC and from PCC to PCE.
I focus on this because I was also looking to see which became TLS Client. TLS is asymmetric, designed to authenticate a (HTTP) server to a client. Netconf (and SNMP), which I know better, struggled with this because the key for Netconf is to authenticate the client to the server, which TLS does not do so well. Posts on the TLS list suggest that there are very few implementations of TLS client authentication; rather, something else is done once the secure channel has been established. So, do you care who is TLS client and who TLS server? It will be interesting to see a security review of this.

In passing, RFC7465 prohibits RC4 with TLS, so I would think it unlikely that "SHOULD support TLS_RSA_WITH_RC4_128_SHA" will be acceptable.

Tom Petch

----- Original Message -----
> On Oct 8, 2015 18:57, "JP Vasseur (jvasseur)" <[email protected]> wrote:
> Dear WG,
>
> This starts a 2-week WG Last Call on draft-ietf-pce-pceps-04, ending on Oct 23 at noon ET. Please send your comments to the authors and copy the list.
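The symmetric exchange the review discusses, where each side's first PCEP message after TCP setup must be a StartTLS, as an added illustration that is not part of the draft or of this message. The 4-byte PCEP common header layout (Ver/Flags, Message-Type, Length) is taken from PCEP itself; the StartTLS Message-Type value 13 is an assumed placeholder, since the draft under review left the number to IANA.

```python
import struct

PCEP_VERSION = 1
OPEN_MSG_TYPE = 1          # PCEP Open, the normal first message without PCEPS
STARTTLS_MSG_TYPE = 13     # assumed placeholder; check the IANA PCEP Messages registry
HEADER_FMT = "!BBH"        # Ver(3 bits)|Flags(5 bits), Message-Type, Length (octets)


def encode_header(msg_type, length=4):
    """Build a PCEP common header; StartTLS carries no objects, so length is 4."""
    return struct.pack(HEADER_FMT, PCEP_VERSION << 5, msg_type, length)


def decode_header(data):
    """Return (version, message_type, length) from a PCEP common header."""
    ver_flags, msg_type, length = struct.unpack(HEADER_FMT, data[:4])
    return ver_flags >> 5, msg_type, length


class PcepPeer:
    """Either a PCC or a PCE: both send StartTLS and both expect it first."""

    def __init__(self, name):
        self.name = name
        self.sent_starttls = False
        self.got_starttls = False

    def first_message(self):
        self.sent_starttls = True
        return encode_header(STARTTLS_MSG_TYPE)

    def receive_first(self, data):
        """Enforce the MUST: anything other than StartTLS as the first message is rejected."""
        version, msg_type, _ = decode_header(data)
        if version != PCEP_VERSION or msg_type != STARTTLS_MSG_TYPE:
            return "error: first message from peer must be StartTLS"
        self.got_starttls = True
        return "ok"

    def ready_for_tls(self):
        """TLS negotiation may begin only once both directions have exchanged StartTLS."""
        return self.sent_starttls and self.got_starttls


def run_exchange(pcc, pce):
    """Simulate the two StartTLS messages crossing on the wire; True if both sides may start TLS."""
    from_pcc, from_pce = pcc.first_message(), pce.first_message()
    return (pce.receive_first(from_pcc) == "ok" and pcc.receive_first(from_pce) == "ok"
            and pcc.ready_for_tls() and pce.ready_for_tls())
```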