Rich,

Yes, I think PCEP needs some strong authentication mechanism; I'd say similar to the one used in HTTP. It is not just about resolving PKSs. For example, two PCCs may request from a PCE a TE path between two ASBRs across an AS. Suppose PCC1 belongs to the AS, and PCC2 does not. How can the PCE return an explicit path to PCC1 without authenticating it first?

Igor
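As an added illustration of the check discussed in this thread (my example, not code from the draft, from PCEP, or from any implementation), here is a small Python model of a PCE that resolves a path-key subobject only when the expansion request is authenticated and the authenticated identity is the ASBR the key was bound to. The HMAC over a pre-shared key, the peer names, and the "one permitted expander per key" binding are assumptions standing in for the section 12 authentication Rich refers to; an unauthenticated request that merely claims the ASBR's identity, which is the impersonation Igor describes, is refused.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed pre-shared keys, one per PCEP peer.  They stand in for the
# per-session keys that PCEP section 12 authentication (TCP MD5 or an
# equivalent) would provide; the peer names are invented for this example.
PEER_KEYS = {
    "asbr1.as100": b"psk-asbr1-constructed",
    "pcc2.as200": b"psk-pcc2-constructed",
}


@dataclass
class PathKeyEntry:
    segment: list   # explicit hops hidden behind the path key
    expander: str   # the only peer allowed to resolve it (the entry ASBR)


@dataclass
class PCE:
    table: dict = field(default_factory=dict)
    next_key: int = 1

    def issue_path_key(self, segment, expander):
        """Hide `segment` behind a path key bound to the ASBR that may expand it."""
        key = self.next_key
        self.next_key += 1
        self.table[key] = PathKeyEntry(segment, expander)
        return key

    def expand(self, path_key, claimed_peer, tag=None):
        """Resolve a path key for `claimed_peer`; returns (segment, reason)."""
        entry = self.table.get(path_key)
        if entry is None:
            return None, "unknown path key"
        # First gate: the request must carry a valid tag for the identity it claims.
        if tag is None or not verify_tag(claimed_peer, path_key, tag):
            return None, "unauthenticated request refused"
        # Second gate: even an authenticated peer only gets keys bound to it.
        if claimed_peer != entry.expander:
            return None, "authenticated peer is not bound to this key"
        return list(entry.segment), "ok"


def _request_message(peer, path_key):
    return f"expand:{peer}:{path_key}".encode()


def sign_request(peer, path_key):
    """What a legitimate peer attaches: an HMAC, under its own PSK, over its identity and the key."""
    return hmac.new(PEER_KEYS[peer], _request_message(peer, path_key), hashlib.sha256).digest()


def verify_tag(peer, path_key, tag):
    """Check the tag against the PSK of the identity the requester claims."""
    psk = PEER_KEYS.get(peer)
    if psk is None:
        return False
    expected = hmac.new(psk, _request_message(peer, path_key), hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def demo():
    """Run the four cases the thread is concerned with and return each outcome."""
    pce = PCE()
    hidden = ["asbr1.as100", "p1.as100", "p2.as100", "asbr2.as100"]  # constructed segment
    key = pce.issue_path_key(hidden, expander="asbr1.as100")
    return {
        # The ASBR the key was issued for, with a valid tag: expanded.
        "asbr_authenticated": pce.expand(key, "asbr1.as100", sign_request("asbr1.as100", key)),
        # A peer that just claims the ASBR's identity, no authentication: refused.
        "impersonation_no_auth": pce.expand(key, "asbr1.as100"),
        # PCC2 authenticates as itself but is not the expander for this key: refused.
        "other_peer_authenticated": pce.expand(key, "pcc2.as200", sign_request("pcc2.as200", key)),
        # PCC2 claims the ASBR's identity but can only sign with its own PSK: refused.
        "forged_identity": pce.expand(key, "asbr1.as100", sign_request("pcc2.as200", key)),
    }


if __name__ == "__main__":
    for case, (segment, reason) in demo().items():
        print(f"{case}: {reason}" + (f" -> {segment}" if segment else ""))
```

The point of the model is that authentication alone is not the whole check: Rich's suggestion that only the AS-border LSRs and PCEs need keys works because the PCE can also bind each key to the ASBR that may expand it, so an authenticated but unrelated PCC (PCC2 in Igor's scenario) still gets nothing.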
----- Original Message -----
Sent: Tuesday, March 07, 2006 11:37 AM
Subject: RE: [Pce] RE: I-DACTION:draft-rbradfor-ccamp-confidential-segment-00.txt

Igor,

Thanks for the clarification.

The authentication called out in section 12 of PCEP could be used to address this concern. If this restriction were enabled, a PCE would only expand a PKS for authenticated clients, making MD5 (or its equivalent from PCEP) required for this extension. The downside of requiring authentication is called out in section 12.1 of PCEP, which describes the operator overhead of implementing these keys as onerous. However, these keys would only need to be configured on the AS-border LSRs (and the PCEs), since those would be the only nodes where the expansion would be needed. Perhaps use of authentication in this situation could be suggested or recommended. Would that address the issue adequately?

Sincerely,

Rich

From: Igor Bryskin [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 07, 2006 10:22 AM
To: Rich Bradford (rbradfor); [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [Pce] RE: I-DACTION:draft-rbradfor-ccamp-confidential-segment-00.txt

Rich,

My point is that path(s) containing PKSs will also contain the address of the ASBR, hence the PCC can issue a request to the PCC pretending that it is the ASBR and resolve PKSs into explicit path segments. Your draft says that this resolution is accomplished via a PCEP request, and my understanding is that PCEP does not have any protection from such impersonation.

Thanks,

Igor

_______________________________________________
Pce mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/pce