From: Pce <pce-boun...@ietf.org> on behalf of tom petch <ie...@btconnect.com>
Sent: 03 October 2022 11:02

From: Pce <pce-boun...@ietf.org> on behalf of julien.meu...@orange.com 
<julien.meu...@orange.com>
Sent: 26 September 2022 14:01

Hi PCE WG,

This message starts a 2-week WG Last Call for
draft-ietf-pce-pcep-yang-19. Please review and share any feedback using
the PCE mailing list.
This WGLC will end on Tuesday October 11.

<tp>
There are several little problems with this I-D, which I will post in due 
course, but one big one that I think needs outside assistance and will take 
time to resolve, namely the lack of security.

This imports netconf-tls groupings and the netconf I-D says basically security 
is nothing to do with us, that is up to the user of the grouping.  It 
recommends TLS1.3 and says TLS1.2 is obsolete and not recommended.

Trouble is, for most users TLS1.3 is not recommended because it is insecure 
because it introduces new features which are fine for web access and dangerous 
for almost all other cases (eg early data).  There are a number of IETF documents 
looking at this and nailing down all the things you must not do with TLS1.3 in 
an operational environment (which is what most of the IETF is about).  RFC9190 
section 2 is an example of what I mean but from tracking the evolution of that 
RFC I suspect that that got watered down by the supporters of TLS1.3.

This I-D needs the equivalent (or else a MUST NOT for TLS1.3!).  Many of those 
involved with security in the IETF will not understand the issue, how dangerous 
TLS1.3 is for anything other than web access.

<tp2>
I note the submission of draft-dhody ... TLS13.

I wonder what that plan is; for pcep-yang to ban TLS1.3 and have a reference to 
this I-D? or what?

I think that PSK needs more treatment.  My take is that RFC8446 bans PSK except 
when used for resumption where a session has been set up using certificates.  I 
see two documents addressing this issue (9257 and 9258), but I have yet to read 
them.

Tom Petch


Tom Petch

Thanks,

Julien



_______________________________________________
Pce mailing list
Pce@ietf.org
https://www.ietf.org/mailman/listinfo/pce
