Skip to main content

PCEPS: Usage of TLS to Provide a Secure Transport for the Path Computation Element Communication Protocol (PCEP)
draft-ietf-pce-pceps-18

Revision differences

Document history

Date Rev. By Action
2017-10-20
18 (System) RFC Editor state changed to AUTH48-DONE from AUTH48
2017-10-11
18 (System) RFC Editor state changed to AUTH48 from RFC-EDITOR
2017-09-22
18 (System) RFC Editor state changed to RFC-EDITOR from EDIT
2017-09-15
18 (System) IANA Action state changed to RFC-Ed-Ack from Waiting on RFC Editor
2017-09-08
18 (System) IANA Action state changed to Waiting on RFC Editor from Waiting on Authors
2017-09-07
18 (System) IANA Action state changed to Waiting on Authors from In Progress
2017-09-05
18 (System) RFC Editor state changed to EDIT
2017-09-05
18 (System) IESG state changed to RFC Ed Queue from Approved-announcement sent
2017-09-05
18 (System) Announcement was received by RFC Editor
2017-09-05
18 (System) IANA Action state changed to In Progress
2017-09-05
18 Cindy Morgan IESG state changed to Approved-announcement sent from IESG Evaluation::AD Followup
2017-09-05
18 Cindy Morgan IESG has approved the document
2017-09-05
18 Cindy Morgan Closed "Approve" ballot
2017-09-05
18 Cindy Morgan Ballot writeup was changed
2017-09-05
18 Deborah Brungard Ballot approval text was changed
2017-09-04
18 Dhruv Dhody New version available: draft-ietf-pce-pceps-18.txt
2017-09-04
18 (System) New version approved
2017-09-04
18 (System) Request for posting confirmation emailed to previous authors: Oscar de Dios , Qin Wu , Dhruv Dhody , Diego Lopez
2017-09-04
18 Dhruv Dhody Uploaded new revision
2017-09-04
17 Eric Rescorla [Ballot Position Update] Position for Eric Rescorla has been changed to No Objection from Discuss
2017-09-04
17 Dhruv Dhody New version available: draft-ietf-pce-pceps-17.txt
2017-09-04
17 (System) New version approved
2017-09-04
17 (System) Request for posting confirmation emailed to previous authors: Oscar de Dios , Qin Wu , Dhruv Dhody , Diego Lopez
2017-09-04
17 Dhruv Dhody Uploaded new revision
2017-08-09
16 Suresh Krishnan [Ballot comment]
Thanks for taking care of my DISCUSS points.
2017-08-09
16 Suresh Krishnan [Ballot Position Update] Position for Suresh Krishnan has been changed to No Objection from Discuss
2017-08-08
16 (System) Sub state has been changed to AD Followup from Revised ID Needed
2017-08-08
16 (System) IANA Review state changed to Version Changed - Review Needed from IANA OK - Actions Needed
2017-08-08
16 Dhruv Dhody New version available: draft-ietf-pce-pceps-16.txt
2017-08-08
16 (System) New version approved
2017-08-08
16 (System) Request for posting confirmation emailed to previous authors: Oscar de Dios , Qin Wu , Dhruv Dhody , Diego Lopez
2017-08-08
16 Dhruv Dhody Uploaded new revision
2017-08-07
15 Ben Campbell
[Ballot comment]
Thanks for resolving my DISCUSS point and other comments via email. I'm clearing now under the assumption the discussed updates will make it …
[Ballot comment]
Thanks for resolving my DISCUSS point and other comments via email. I'm clearing now under the assumption the discussed updates will make it into a future revision.
2017-08-07
15 Ben Campbell [Ballot Position Update] Position for Ben Campbell has been changed to Yes from Discuss
2017-08-07
15 Alexey Melnikov
[Ballot comment]
Thank you for addressing my DISCUSS points and comments.

I think the text about use of RFC 6125 should use RFC 6125 terminology …
[Ballot comment]
Thank you for addressing my DISCUSS points and comments.

I think the text about use of RFC 6125 should use RFC 6125 terminology like DNS-ID and CN-ID, because they have a bit more semantics associated with them other than just subjectAltName:DNS.
I think you should also clarify whether you want to allow wildcards in DNS-ID/CN-ID (RFC 6125 talks about that).
2017-08-07
15 Alexey Melnikov [Ballot Position Update] Position for Alexey Melnikov has been changed to Yes from Discuss
2017-08-03
15 Amy Vezza IESG state changed to IESG Evaluation::Revised I-D Needed from IESG Evaluation
2017-08-03
15 Alexey Melnikov
[Ballot discuss]
I am very glad to see this document and I will be switching to "Yes" once we discuss the following issues:

1)
  …
[Ballot discuss]
I am very glad to see this document and I will be switching to "Yes" once we discuss the following issues:

1)
                  +-+-+                +-+-+
                  |PCC|                |PCE|
                  +-+-+                +-+-+
                    |                    |
                    | StartTLS            |
                    | msg                |
                    |-------              |
                    |      \  StartTLS  |
                    |        \  msg      |
                    |        \  ---------|
                    |          \/        |
                    |          /\        |
                    |        /  -------->|
                    |        /            |
                    |<------              |
                    |:::::::::TLS:::::::::| TLS Establishment
                    |:::::Establishment:::| Failure
                    |                    |
                    |<--------------------| Send Error-Type TBA2
                    |      PCErr          | Error-Value 3/4
                    |                    |

      Figure 2: Both PCEP Speaker supports PCEPS (strict), but cannot
                              establish TLS

Firstly, I think you also need to demonstrate a case when the server end of TLS is refusing to startTLS before trying TLS negotiation (e.g. if it doesn't have certificate configured). In this case you need to send PCErr in the clear.
I think earlier text suggest that this case is possible.

Secondly, does the case depicted on this picture mean that TLS was negotiated successfully, but TLS identities were not successfully verified? (I.e. the PCErr is sent over the TLS layer). If TLS failed to negotiate, you don't have a channel to send data on, as the other end will get confused. I think you just have to close connection in such case.

So maybe you need 3 figures describing the above 3 cases.

2) In Section 3.4:

        +  Implementations MAY allow the configuration of a set of
            additional properties of the certificate to check for a
            peer's authorization to communicate (e.g., a set of allowed
            values in subjectAltName:URI or a set of allowed X509v3
            Certificate Policies)

Can you give an example of what you expect to see in the subjectAltName:URI? Your current text doesn't seem sufficient for interoperability.
2017-08-03
15 Alexey Melnikov
[Ballot comment]
I am agreeing with Ekr's DISCUSS points. Some of mine might be just a different phrasing of his.

In Section 3.4.  TLS Connection …
[Ballot comment]
I am agreeing with Ekr's DISCUSS points. Some of mine might be just a different phrasing of his.

In Section 3.4.  TLS Connection Establishment

      *  PCEPS implementations MUST, at a minimum, support negotiation
          of the TLS_RSA_WITH_AES_128_GCM_SHA256, and SHOULD support
          TLS_RSA_WITH_AES_256_GCM_SHA384 as well [RFC5288].  In
          addition, PCEPS implementations MUST support negotiation of
          the mandatory-to-implement ciphersuites required by the
          versions of TLS that they support.

Should the last sentence apply starting from TLS 1.3 forward?

In Section 3.5:

  [I-D.ietf-pce-stateful-sync-optimizations] specify a Speaker Entity
  Identifier TLV (SPEAKER-ENTITY-ID), as an optional TLV that MAY be
  included in the OPEN Object.  It contains a unique identifier for the
  node that does not change during the lifetime of the PCEP speaker.
  An implementation would thus expose the speaker entity identifier as
  part of the X509v3 certificate, so that an implementation could use

Can you be a bit more specific, as this looks underspecified. Are you thinking about using subject name or subject alt name for this (or either)?

  this identifier for the peer identification trust model.

In the Security Considerations sections:

I think you should also talk about downgrade attacks here, e.g. man-in-the-middle injecting error response in response to StartTLS command or man-in-the-middle stripping StartTLS command.
2017-08-03
15 Alexey Melnikov [Ballot Position Update] New position, Discuss, has been recorded for Alexey Melnikov
2017-08-02
15 Ben Campbell
[Ballot discuss]
-3.4, step 2: "Peer validation always SHOULD include a check on whether
  the locally configured expected DNS name or IP address of …
[Ballot discuss]
-3.4, step 2: "Peer validation always SHOULD include a check on whether
  the locally configured expected DNS name or IP address of
  the peer that is contacted matches its presented
  certificate."

Why is that not a MUST? As it is, this need to at least discuss the risks involved if you don't check the identity of the peer cert (here or in the security considerations.)
2017-08-02
15 Ben Campbell
[Ballot comment]
Substantive:

- I share Warren's question about why you chose STARTTLS over a dedicated port, especially since the 2nd to last paragraph in …
[Ballot comment]
Substantive:

- I share Warren's question about why you chose STARTTLS over a dedicated port, especially since the 2nd to last paragraph in 3.2 goes out of its way to mention that. What were the tradeoffs involved that made adding the additional protocol machinery more attractive than allocating a port number?

- 3.2: "Implementations MUST support SHA-256 as defined by [SHS] as
          the hash algorithm for the fingerprint."
Do you really intend "MUST support" (meaning you have to be able to handle sha-256, but could allow other hashes) vs "MUST use"?

- 3.5: "Implementations
  that want to support a wide variety of trust models SHOULD expose as
  many details of the presented certificate to the administrator as possible
  so that the trust model can be implemented by the administrator."
"as much as possible" is pretty vague for the a 2119 SHOULD. Since the following sentences also include a SHOULD along with considerably more detail, I suggest dropping the SHOULD in this sentence, and leaving the one in the following sentence.

- 3.6: Is the exponential backoff requirement part of the procedures in 5440? The wording suggests that it is not. If so, it needs elaboration here.

Editorial:

- 3.2, paragraph 8: s/"... PCE MUST responds with..."/ "...PCE MUST respond with..."

- 3.4 : "Negotiation of mutual authentication is REQUIRED."
Does that mean that the peers must elect to use mutual authentication, or that if they want to use it, they must agree to do so? (The pattern persists throughout the section, but the meaning seems more obvious for some of the others.)

-3.5, 2nd to last paragraph: Please don't use 2119 keywords to describe pre-existing or external requirements. They should be reserved for the authoritative specification of a given requirement.

-5, 2nd paragraph: The first sentence does not make sense.
2017-08-02
15 Ben Campbell [Ballot Position Update] New position, Discuss, has been recorded for Ben Campbell
2017-08-02
15 Suresh Krishnan
[Ballot discuss]
* Section 3.2:

This seems to be overly broad and directly contradicts to what is required by RFC5440.

  A PCEP speaker …
[Ballot discuss]
* Section 3.2:

This seems to be overly broad and directly contradicts to what is required by RFC5440.

  A PCEP speaker receiving any other message apart from StartTLS, Open, or
  PCErr as the first message, MUST treat it as an unexpected message
  and reply with a PCErr message with Error-Type set to [TBA2 by IANA]
  (PCEP StartTLS failure) and Error-value set to 2 (reception of any
  other message apart from StartTLS, Open, or PCErr message), and MUST
  close the TCP connection.

According to RFC5440, when a non-Open message is received the PCEP speaker is required to send a PCErr message with Error-Type 1 ("PCEP session establishment failure") and Error-value 1 ("reception of an invalid Open message or a non Open message"). I think this text needs to be reworded to narrow down the scope of this error.

* The fallback procedure after receiving the error code 4 needs to be clarified. Is the response 4 remembered for future connections or is it only limited to a single attempt immediately after the TLS connection establishment failure. i.e. After falling back, does the client ever try to establish a secure connection again?
2017-08-02
15 Suresh Krishnan [Ballot comment]
* Section 3.2:

This sentence needs to be reworded

s/If a PCE that supports PCEPS connection/If a PCE supports PCEPS connection/
2017-08-02
15 Suresh Krishnan [Ballot Position Update] New position, Discuss, has been recorded for Suresh Krishnan
2017-08-02
15 Alia Atlas [Ballot Position Update] New position, No Objection, has been recorded for Alia Atlas
2017-08-02
15 Amanda Baber IANA Review state changed to IANA OK - Actions Needed from Version Changed - Review Needed
2017-08-02
15 Kathleen Moriarty
[Ballot comment]
I support EKR's discuss points, especially the first.

I'm a yes assuming that all the discuss points will be addressed, as I do …
[Ballot comment]
I support EKR's discuss points, especially the first.

I'm a yes assuming that all the discuss points will be addressed, as I do think this work is important and am glad to see it.  In addition to other comments, I don't think anyone else commented on the use of the word "privacy" instead of confidentiality in the security considerations section.  That should be changed.  Thank you.
2017-08-02
15 Kathleen Moriarty [Ballot Position Update] New position, Yes, has been recorded for Kathleen Moriarty
2017-08-01
15 Spencer Dawkins [Ballot Position Update] New position, No Objection, has been recorded for Spencer Dawkins
2017-08-01
15 Terry Manderson [Ballot Position Update] New position, No Objection, has been recorded for Terry Manderson
2017-08-01
15 Warren Kumari
[Ballot comment]
I think that the document should explain why this does STARTTLS and not e.g another port (which would be more downgrade resistant)
Obviously …
[Ballot comment]
I think that the document should explain why this does STARTTLS and not e.g another port (which would be more downgrade resistant)
Obviously this is in addition to the DISCUSS held by EKR.
2017-08-01
15 Warren Kumari Ballot comment text updated for Warren Kumari
2017-08-01
15 Warren Kumari
[Ballot comment]
I'd like to understand why this does STARTTLS and not e.g another port.

Obviously this is in addition to the DISCUSS held by …
[Ballot comment]
I'd like to understand why this does STARTTLS and not e.g another port.

Obviously this is in addition to the DISCUSS held by EKR.
2017-08-01
15 Warren Kumari [Ballot Position Update] New position, No Objection, has been recorded for Warren Kumari
2017-08-01
15 Eric Rescorla
[Ballot discuss]
1. This needs a cite to RFC 6125 to define how to do name validation.

2. You require TLS_RSA_WITH_AES_128_GCM_SHA256, but this is not …
[Ballot discuss]
1. This needs a cite to RFC 6125 to define how to do name validation.

2. You require TLS_RSA_WITH_AES_128_GCM_SHA256, but this is not
consistent with modern recommendations, which are for algorithms
that provide forward secrecy. You should be recommending
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 with P-256, which is
consistent with the recommendations for TLS 1.3 (and UTA, IIRC).

3, It's clear to me how authentication of the PCE works in that
the PCC connects to it using a domain name or IP address and
therefore can check the PCC's certificate against that, but
it's not clear to me what the PCE does when the client connects?
Is it supposed to have a list of valid peers?

4. The error reporting mechanism you describe in S 3.2 is unusual:

  After the exchange of StartTLS messages, if a PCEP speaker cannot
  establish a TLS connection for some reason (e.g. the required
  mechanisms for certificate revocation checking are not available), it
  MUST return a PCErr message (in clear) with Error-Type set to [TBA2
  by IANA] (PCEP StartTLS failure) and Error-value set to:

I am not aware of any other protocol that does this, and it's a bit
problematic because you either need to (a) require that you always
send a TLS alert so that the receiver knows that the next byte
is a PCE message or (b) specify some mechanism for demuxing PCE
and TLS. Even in the former category, many TLS stacks are greedy
about their IO, so they will read the alert + the PCE message and
then discard the message. Instead you should either:

(a) specify that you always send TLS alerts and don't send PCE
errors (TLS alerts are pretty rich)
(b) send any post-handshake alerts over the TLS connection.

Failing that, you need to provide detailed instructions about
how to make this work.


5. It seems like it would be a good idea to specify a pinning
mechanism so you could say "always do TLS in future". Is that
something that was discussed?

6.        *  TLS with X.509 certificates using certificate fingerprints:
          Implementations MUST allow the configuration of a list of
          trusted certificates, identified via fingerprint of the
          Distinguished Encoding Rules (DER) encoded certificate octets.
          Implementations MUST support SHA-256 as defined by [SHS] as
          the hash algorithm for the fingerprint.

What does "trusted" mean here? I think it means "one I would accept as
a counterparty" rather than "can sign other certs". In any case, this
must be clear.

A bunch of other stuff is underspecified (see below).
2017-08-01
15 Eric Rescorla
[Ballot comment]
This document needs a significant editorial pass. I found a number of
writing errors, e.g., "Securing via TLS of an existing PCEP session …
[Ballot comment]
This document needs a significant editorial pass. I found a number of
writing errors, e.g., "Securing via TLS of an existing PCEP session is
not permitted,"

S 1.
  defining their application in depth.  Moreover, [RFC6952] remarks the
  importance of ensuring PCEP communication privacy, especially when

The term here is "confidentiality"

S 3.2.
The whole description of how you can race StartTLS iff you know you
are TLS only is really hard to understand until you get to the
diagrams. I would write something like:

  The PCC initiates the use of TLS by sending a StartTLS message
  The PCE agrees to the use of TLS by responding with its own
  StartTLS message. If the PCE is configured to only do TLS, it
  may send the StartTLS message immediately upon TCP connection
  establishment; otherwise it MUST wait for the PCC's first
  message to see whether it is an Open or StartTLS message.



S 3.4.
          +  Implementations SHOULD indicate their trusted CAs.  For TLS
            1.2, this is done using [RFC5246], Section 7.4.4,
            "certificate_authorities" (server side) and [RFC6066],
            Section 6 "Trusted CA Indication" (client side).

Do common stacks do this? I know NSS does not.


  To support TLS re-negotiation both peers MUST support the mechanism
  described in [RFC5746].  Any attempt to initiate a TLS handshake to
  establish new cryptographic parameters not aligned with [RFC5746]
  SHALL be considered a TLS negotiation failure.

Is there a reason to allow renegotiation at all?


S 3.5
  [I-D.ietf-pce-stateful-sync-optimizations] specify a Speaker Entity
  Identifier TLV (SPEAKER-ENTITY-ID), as an optional TLV that MAY be
  included in the OPEN Object.  It contains a unique identifier for the
  node that does not change during the lifetime of the PCEP speaker.
  An implementation would thus expose the speaker entity identifier as
  part of the X509v3 certificate, so that an implementation could use
  this identifier for the peer identification trust model.

This seems underspecified. Is there an OID assigned?


S 4.1.
  DANE [RFC6698] defines a secure method to associate the certificate
  that is obtained from a TLS server with a domain name using DNS,
  i.e., using the TLSA DNS resource record (RR) to associate a TLS
  server certificate or public key with the domain name where the
  record is found, thus forming a "TLSA certificate association".  The
  DNS information needs to be protected by DNS Security (DNSSEC).  A
  PCC willing to apply DANE to verify server identity MUST conform to
  the rules defined in section 4 of [RFC6698].  The server's domain
  name must be authorized separately, as TLSA does not provide any
  useful authorization guarantees.

This is also underspecified. Which DANE types are you suggesting you
use?


S  7.
  Some TLS ciphersuites only provide integrity validation of their
  payload, and provide no encryption.  This specification does not
  forbid the use of such ciphersuites, but administrators must weight
  carefully the risk of relevant internal data leakage that can occur
  in such a case, as explicitly stated by [RFC6952].

Why don't you forbid it?
2017-08-01
15 Eric Rescorla [Ballot Position Update] New position, Discuss, has been recorded for Eric Rescorla
2017-07-31
15 (System) IANA Review state changed to Version Changed - Review Needed from IANA OK - Actions Needed
2017-07-31
15 Dhruv Dhody New version available: draft-ietf-pce-pceps-15.txt
2017-07-31
15 (System) New version approved
2017-07-31
15 (System) Request for posting confirmation emailed to previous authors: Oscar de Dios , Qin Wu , Dhruv Dhody , Diego Lopez
2017-07-31
15 Dhruv Dhody Uploaded new revision
2017-07-31
14 Mirja Kühlewind
[Ballot comment]
One high level comment:

As already mentioned by the gen-art review (Thanks Dale for the detailed review!), for me the text was for …
[Ballot comment]
One high level comment:

As already mentioned by the gen-art review (Thanks Dale for the detailed review!), for me the text was for a long time while reading not clear on who starts the TLS negotiation. In think there is a statement missing that a speaker/PCE that supports PCEPS and receives a StartTLS message MUST reply with a StartTLS message and further the PCC MUST initiation the TLS after reception of a StartTLS message from the PCC.

More minor/editorial comments:

1) There are two cases where the behavior of speakers that do not support PCEPS is specified, which is a bit non-sensical given that not support probably means it does not follow this spec:
OLD
"If the PCEP speaker that does not support PCEPS, receives a StartTLS
  message, it MUST behave according to the existing error mechanism
  described in section 6.2 of [RFC5440] (in case message is received
  prior to an Open message) or section 6.9 of [RFC5440] (for the case
  of reception of unknown message)."
NEW
"If the PCEP speaker that does not support PCEPS, receives a StartTLS
  message, it will behave according to the existing error mechanism
  described in section 6.2 of [RFC5440] (in case message is received
  prior to an Open message) or section 6.9 of [RFC5440] (for the case
  of reception of unknown message)."
and
OLD
"A PCEP speaker that does not support PCEPS or has learned the peer
  willingness to reestablish session without TLS, can send the Open
  message directly, as per [RFC5440]."
NEW
"A PCEP speaker that does not support PCEPS sends the Open message directly, as per [RFC5440].
A PCEP speaker that supports PCEPS but has previously already learned the peer
  willingness to reestablish session without TLS, MAY send the Open
  message directly, as per [RFC5440]."

2) As already mentioned in the gen-art review, I also think there should be more text on what a host should do that uses StartTLS but gets an error back. This is defined previously in the document but given there is an own section here, I would just recommend to re-iterate there. In other words please add the proposed text!

3) Why is this a MUST?
sec 8.1 "A PCE or PCC implementation MUST allow configuring the PCEP security
  via TLS capabilities as described in this document."
Wouldn't a SHOULD be enough/better? Meaning that when PCEPS is implemented and turned on by default, I don't necessarily have to provide a knob to turn it off?

4) Also related to the previous point
sec 8.2 "An implementation SHOULD allow the operator to configure the PCEPS
  capability and various TLS related parameters, ..."
Probably this part of sentence should not be normative given this part is (differently) specified in the previous section.
2017-07-31
14 Mirja Kühlewind [Ballot Position Update] New position, No Objection, has been recorded for Mirja Kühlewind
2017-07-24
14 Deborah Brungard IESG state changed to IESG Evaluation from Waiting for Writeup
2017-07-24
14 Deborah Brungard Ballot has been issued
2017-07-24
14 Deborah Brungard [Ballot Position Update] New position, Yes, has been recorded for Deborah Brungard
2017-07-24
14 Deborah Brungard Created "Approve" ballot
2017-07-24
14 Deborah Brungard Ballot writeup was changed
2017-07-13
14 Tero Kivinen Request for Last Call review by SECDIR Completed: Ready. Reviewer: David Mandelberg.
2017-07-12
14 Tianran Zhou Request for Last Call review by OPSDIR Completed: Ready. Reviewer: Tianran Zhou. Sent review to list.
2017-07-12
14 (System) IESG state changed to Waiting for Writeup from In Last Call
2017-07-11
14 Dale Worley Request for Last Call review by GENART Completed: Ready with Nits. Reviewer: Dale Worley. Sent review to list.
2017-07-07
14 (System) IANA Review state changed to IANA OK - Actions Needed from IANA - Review Needed
2017-07-07
14 Sabrina Tanamal
(Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs:

The IANA Services Operator has completed its review of draft-ietf-pce-pceps-14.txt. If any part of this review is inaccurate, please let …
(Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs:

The IANA Services Operator has completed its review of draft-ietf-pce-pceps-14.txt. If any part of this review is inaccurate, please let us know.

The IANA Services Operator understands that, upon approval of [ RFC-to-be ], there are two actions which we must complete.

First, in the PCEP Messages registry on the Path Computation Element Protocol (PCEP) Numbers registry page located at:

https://www.iana.org/assignments/pcep/

a single new registration is to be made as follows:

Value: [ TBD-at-registration ]
Description: The Start TLS Message (StartTLS)
Reference: [ RFC-to-be ]

Second, in the PCEP-ERROR Object Error Types and Values registry also on the Path Computation Element Protocol (PCEP) Numbers registry page located at:

https://www.iana.org/assignments/pcep/

a new registration will be made as follows:

Error-
Type Meaning Error-value Reference
-----------------------+---------------------+-----------------------+---------------
[ TBD-at-registration ] StartTLS Failure 0:Unassigned [ RFC-to-be ]
1:Reception of [ RFC-to-be ]
StartTLS after
any PCEP exchange
2:Reception of [ RFC-to-be ]
any other message
apart from StartTLS,
Open or PCErr
3:Failure, connection [ RFC-to-be ]
without TLS not
possible
4:Failure, connection [ RFC-to-be ]
without TLS possible
5:No StartTLS message [ RFC-to-be ]
before StartTLSWait
timer expiry

The IANA Services Operator understands that these two actions are the only ones required to be completed upon approval of [ RFC-to-be ].
Note:  The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is only to confirm what actions will be performed.

Thank you,

Sabrina Tanamal
IANA Services Specialist
PTI
2017-06-30
14 Gunter Van de Velde Request for Last Call review by OPSDIR is assigned to Tianran Zhou
2017-06-30
14 Gunter Van de Velde Request for Last Call review by OPSDIR is assigned to Tianran Zhou
2017-06-29
14 Jean Mahoney Request for Last Call review by GENART is assigned to Dale Worley
2017-06-29
14 Jean Mahoney Request for Last Call review by GENART is assigned to Dale Worley
2017-06-29
14 Tero Kivinen Request for Last Call review by SECDIR is assigned to David Mandelberg
2017-06-29
14 Tero Kivinen Request for Last Call review by SECDIR is assigned to David Mandelberg
2017-06-28
14 Cindy Morgan IANA Review state changed to IANA - Review Needed
2017-06-28
14 Cindy Morgan
The following Last Call announcement was sent out:

From: The IESG
To: IETF-Announce
CC: db3546@att.com, draft-ietf-pce-pceps@ietf.org, Cyril Margaria , pce@ietf.org, pce-chairs@ietf.org …
The following Last Call announcement was sent out:

From: The IESG
To: IETF-Announce
CC: db3546@att.com, draft-ietf-pce-pceps@ietf.org, Cyril Margaria , pce@ietf.org, pce-chairs@ietf.org, cmargaria@juniper.net
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (Secure Transport for PCEP) to Proposed Standard


The IESG has received a request from the Path Computation Element WG (pce) to
consider the following document: - 'Secure Transport for PCEP'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2017-07-12. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the beginning of
the Subject line to allow automated sorting.

Abstract


  The Path Computation Element Communication Protocol (PCEP) defines
  the mechanisms for the communication between a Path Computation
  Client (PCC) and a Path Computation Element (PCE), or among PCEs.
  This document describe the usage of Transport Layer Security (TLS) to
  enhance PCEP security, hence the PCEPS acronym proposed for it.  The
  additional security mechanisms are provided by the transport protocol
  supporting PCEP, and therefore they do not affect the flexibility and
  extensibility of PCEP.

  This document updates RFC 5440 regarding the PCEP initialization
  phase specification.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-pce-pceps/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-pce-pceps/ballot/


No IPR declarations have been submitted directly on this I-D.




2017-06-28
14 Cindy Morgan IESG state changed to In Last Call from Last Call Requested
2017-06-28
14 Deborah Brungard Placed on agenda for telechat - 2017-08-03
2017-06-28
14 Deborah Brungard Last call was requested
2017-06-28
14 Deborah Brungard Ballot approval text was generated
2017-06-28
14 Deborah Brungard Ballot writeup was generated
2017-06-28
14 Deborah Brungard IESG state changed to Last Call Requested from Expert Review
2017-06-28
14 Deborah Brungard Last call announcement was generated
2017-05-22
14 Dhruv Dhody New version available: draft-ietf-pce-pceps-14.txt
2017-05-22
14 (System) New version approved
2017-05-22
14 (System) Request for posting confirmation emailed to previous authors: Oscar de Dios , Qin Wu , Dhruv Dhody , pce-chairs@ietf.org, Diego Lopez
2017-05-22
14 Dhruv Dhody Uploaded new revision
2017-05-20
13 Dhruv Dhody New version available: draft-ietf-pce-pceps-13.txt
2017-05-20
13 (System) New version approved
2017-05-20
13 (System) Request for posting confirmation emailed to previous authors: Oscar de Dios , Qin Wu , Dhruv Dhody , pce-chairs@ietf.org, Diego Lopez
2017-05-20
13 Dhruv Dhody Uploaded new revision
2017-05-11
12 Min Ye Request for Last Call review by RTGDIR Completed: Has Issues. Reviewer: Dan Frost.
2017-05-05
12 Deborah Brungard Routing Area Directorate Reviewer - Dan Frost.
2017-05-05
12 Deborah Brungard IESG state changed to Expert Review from Publication Requested
2017-04-26
12 Jonathan Hardwick Request for Last Call review by RTGDIR is assigned to Dan Frost
2017-04-26
12 Jonathan Hardwick Request for Last Call review by RTGDIR is assigned to Dan Frost
2017-04-26
12 Deborah Brungard Requested Last Call review by RTGDIR
2017-04-25
12 Jonathan Hardwick
As required by RFC 4858, this is the current template for the Document
Shepherd Write-Up.

Changes are expected over time. This version is dated …
As required by RFC 4858, this is the current template for the Document
Shepherd Write-Up.

Changes are expected over time. This version is dated 24 February 2012.

(1) What type of RFC is being requested (BCP, Proposed Standard,
Internet Standard, Informational, Experimental, or Historic)?  Why
is this the proper type of RFC?  Is this type of RFC indicated in the
title page header?

  Proposed Standard - indicated in the title page header.
  This is the correct type as the draft proposes extensions
  to the Path Computation Element Protocol (PCEP).


(2) The IESG approval announcement includes a Document Announcement
Write-Up. Please provide such a Document Announcement Write-Up. Recent
examples can be found in the "Action" announcements for approved
documents. The approval announcement contains the following sections:

Technical Summary

  The Path Computation Element Communication Protocol (PCEP) defines
  the mechanisms for the communication between a Path Computation
  Client (PCC) and a Path Computation Element (PCE), or among PCEs.
  This document describe the usage of Transport Layer Security (TLS) to
  enhance PCEP security, hence the PCEPS acronym proposed for it.  The
  additional security mechanisms are provided by the transport protocol
  supporting PCEP, and therefore they do not affect the flexibility and
  extensibility of PCEP.




Working Group Summary

  There has been no particular controversy and the consensus behind
  the document is good.


Document Quality

  The document is good. It has been reviewed outside of the PCE WG for
  the TLS mechanisms.


Personnel

  Cyril Margaria is the Document Shepherd.  Deborah Brungard is the
  Responsible Area Director.


(3) Briefly describe the review of this document that was performed by
the Document Shepherd.  If this version of the document is not ready
for publication, please explain why the document is being forwarded to
the IESG.

  I reviewed the text around the time of working group last call and
  during a shepherd reviiew.
  In my opinion, the document is ready to be published.


(4) Does the document Shepherd have any concerns about the depth or
breadth of the reviews that have been performed?

  No.
 


(5) Do portions of the document need review from a particular or from
broader perspective, e.g., security, operational complexity, AAA, DNS,
DHCP, XML, or internationalization? If so, describe the review that
took place.

the usage of TLS and start TLS derives from existing RFCs
  (RFC6614 and rfc4513)?

An early security directorate review has been made (By David Mandelberg)


(6) Describe any specific concerns or issues that the Document Shepherd
has with this document that the Responsible Area Director and/or the
IESG should be aware of? For example, perhaps he or she is uncomfortable
with certain parts of the document, or has concerns whether there really
is a need for it. In any event, if the WG has discussed those issues and
has indicated that it still wishes to advance the document, detail those
concerns here.

  None.


(7) Has each author confirmed that any and all appropriate IPR
disclosures required for full conformance with the provisions of BCP 78
and BCP 79 have already been filed. If not, explain why.

  Yes.


(8) Has an IPR disclosure been filed that references this document?
If so, summarize any WG discussion and conclusion regarding the IPR
disclosures.

  No.


(9) How solid is the WG consensus behind this document? Does it
represent the strong concurrence of a few individuals, with others
being silent, or does the WG as a whole understand and agree with it?

  It has been carefully reviewed by a few interested individuals.


(10) Has anyone threatened an appeal or otherwise indicated extreme
discontent? If so, please summarise the areas of conflict in separate
email messages to the Responsible Area Director. (It should be in a
separate email because this questionnaire is publicly available.)

  No.


(11) Identify any ID nits the Document Shepherd has found in this
document. (See https://www.ietf.org/tools/idnits/ and the Internet-Drafts
Checklist). Boilerplate checks are not enough; this check needs to be
thorough.

  Because the draft originates from before 10 November 2008, idnits reports
  the following warning.

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
    have content which was first submitted before 10 November 2008.  If you
    have contacted all the original authors and they are all willing to grant
    the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
    this comment.  If not, you may need to add the pre-RFC5378 disclaimer.
    (See the Legal Provisions document at
    http://trustee.ietf.org/license-info for more information.)

  However, the document states in its preamble:

    This Internet-Draft is submitted in full conformance with the
    provisions of BCP 78 and BCP 79.

  Thus my understanding is that the authors have granted the BCP78 rights
  to the IETF trust.


(12) Describe how the document meets any required formal review
criteria, such as the MIB Doctor, media type, and URI type reviews.

  N/A.


(13) Have all references within this document been identified as
either normative or informative?

  Yes.


(14) Are there normative references to documents that are not ready for
advancement or are otherwise in an unclear state? If such normative
references exist, what is the plan for their completion?

No


(15) Are there downward normative references references (see RFC 3967)?
If so, list these downward references to support the Area Director in
the Last Call procedure.

  No.


(16) Will publication of this document change the status of any
existing RFCs? Are those RFCs listed on the title page header, listed
in the abstract, and discussed in the introduction? If the RFCs are not
listed in the Abstract and Introduction, explain why, and point to the
part of the document where the relationship of this document to the
other RFCs is discussed. If this information is not in the document,
explain why the WG considers it unnecessary.

  No.


(17) Describe the Document Shepherd's review of the IANA considerations
section, especially with regard to its consistency with the body of the
document. Confirm that all protocol extensions that the document makes
are associated with the appropriate reservations in IANA registries.
Confirm that any referenced IANA registries have been clearly
identified. Confirm that newly created IANA registries include a
detailed specification of the initial contents for the registry, that
allocations procedures for future registrations are defined, and a
reasonable name for the new registry has been suggested (see RFC 5226).

  IANA actions are clearly specified, covering all protocol extensions.


(18) List any new IANA registries that require Expert Review for future
allocations. Provide any public guidance that the IESG would find
useful in selecting the IANA Experts for these new registries.

  None.


(19) Describe reviews and automated checks performed by the Document
Shepherd to validate sections of the document written in a formal
language, such as XML code, BNF rules, MIB definitions, etc.

  None.
2017-04-25
12 Jonathan Hardwick Responsible AD changed to Deborah Brungard
2017-04-25
12 Jonathan Hardwick IETF WG state changed to Submitted to IESG for Publication from WG Consensus: Waiting for Write-Up
2017-04-25
12 Jonathan Hardwick IESG state changed to Publication Requested
2017-04-25
12 Jonathan Hardwick IESG process started in state Publication Requested
2017-04-24
12 Cyril Margaria Changed document writeup
2017-04-11
12 Dhruv Dhody New version available: draft-ietf-pce-pceps-12.txt
2017-04-11
12 (System) New version approved
2017-04-11
12 (System) Request for posting confirmation emailed to previous authors: Oscar de Dios , Wenson Wu , Dhruv Dhody , pce-chairs@ietf.org, Diego Lopez
2017-04-11
12 Dhruv Dhody Uploaded new revision
2017-02-27
11 Jonathan Hardwick Changed consensus to Yes from Unknown
2017-02-27
11 Jonathan Hardwick Intended Status changed to Proposed Standard from None
2017-02-27
11 Jonathan Hardwick Notification list changed to Cyril Margaria <cmargaria@juniper.net>
2017-02-27
11 Jonathan Hardwick Document shepherd changed to Cyril Margaria
2017-02-27
11 Jonathan Hardwick IETF WG state changed to WG Consensus: Waiting for Write-Up from In WG Last Call
2017-01-02
11 Dhruv Dhody New version available: draft-ietf-pce-pceps-11.txt
2017-01-02
11 (System) New version approved
2017-01-02
11 (System) Request for posting confirmation emailed to previous authors: "Diego Lopez" , "Wenson Wu" , "Oscar de Dios" , pce-chairs@ietf.org, "Dhruv Dhody"
2017-01-02
11 Dhruv Dhody Uploaded new revision
2016-07-08
10 Dhruv Dhody New version available: draft-ietf-pce-pceps-10.txt
2016-03-08
09 Diego Lopez New version available: draft-ietf-pce-pceps-09.txt
2016-03-06
08 Diego Lopez New version available: draft-ietf-pce-pceps-08.txt
2016-01-21
07 Diego Lopez New version available: draft-ietf-pce-pceps-07.txt
2015-12-03
06 Tero Kivinen Request for Early review by SECDIR Completed: Has Issues. Reviewer: David Mandelberg.
2015-11-26
06 Tero Kivinen Request for Early review by SECDIR is assigned to David Mandelberg
2015-11-26
06 Tero Kivinen Request for Early review by SECDIR is assigned to David Mandelberg
2015-11-19
06 Diego Lopez New version available: draft-ietf-pce-pceps-06.txt
2015-11-02
05 Diego Lopez New version available: draft-ietf-pce-pceps-05.txt
2015-10-08
04 Vasseur Jp IETF WG state changed to In WG Last Call from WG Document
2015-05-05
04 Diego Lopez New version available: draft-ietf-pce-pceps-04.txt
2015-03-04
03 Dhruv Dhody New version available: draft-ietf-pce-pceps-03.txt
2014-10-02
02 Dhruv Dhody New version available: draft-ietf-pce-pceps-02.txt
2014-09-11
01 Diego Lopez New version available: draft-ietf-pce-pceps-01.txt
2014-03-20
00 Julien Meuric This document now replaces draft-lopez-pce-pceps instead of None
2014-03-11
00 Diego Lopez New version available: draft-ietf-pce-pceps-00.txt