PCEPS: Usage of TLS to Provide a Secure Transport for the Path Computation Element Communication Protocol (PCEP)
draft-ietf-pce-pceps-18
Revision differences
Document history
Date | Rev. | By | Action |
---|---|---|---|
2017-10-20
|
18 | (System) | RFC Editor state changed to AUTH48-DONE from AUTH48 |
2017-10-11
|
18 | (System) | RFC Editor state changed to AUTH48 from RFC-EDITOR |
2017-09-22
|
18 | (System) | RFC Editor state changed to RFC-EDITOR from EDIT |
2017-09-15
|
18 | (System) | IANA Action state changed to RFC-Ed-Ack from Waiting on RFC Editor |
2017-09-08
|
18 | (System) | IANA Action state changed to Waiting on RFC Editor from Waiting on Authors |
2017-09-07
|
18 | (System) | IANA Action state changed to Waiting on Authors from In Progress |
2017-09-05
|
18 | (System) | RFC Editor state changed to EDIT |
2017-09-05
|
18 | (System) | IESG state changed to RFC Ed Queue from Approved-announcement sent |
2017-09-05
|
18 | (System) | Announcement was received by RFC Editor |
2017-09-05
|
18 | (System) | IANA Action state changed to In Progress |
2017-09-05
|
18 | Cindy Morgan | IESG state changed to Approved-announcement sent from IESG Evaluation::AD Followup |
2017-09-05
|
18 | Cindy Morgan | IESG has approved the document |
2017-09-05
|
18 | Cindy Morgan | Closed "Approve" ballot |
2017-09-05
|
18 | Cindy Morgan | Ballot writeup was changed |
2017-09-05
|
18 | Deborah Brungard | Ballot approval text was changed |
2017-09-04
|
18 | Dhruv Dhody | New version available: draft-ietf-pce-pceps-18.txt |
2017-09-04
|
18 | (System) | New version approved |
2017-09-04
|
18 | (System) | Request for posting confirmation emailed to previous authors: Oscar de Dios , Qin Wu , Dhruv Dhody , Diego Lopez |
2017-09-04
|
18 | Dhruv Dhody | Uploaded new revision |
2017-09-04
|
17 | Eric Rescorla | [Ballot Position Update] Position for Eric Rescorla has been changed to No Objection from Discuss |
2017-09-04
|
17 | Dhruv Dhody | New version available: draft-ietf-pce-pceps-17.txt |
2017-09-04
|
17 | (System) | New version approved |
2017-09-04
|
17 | (System) | Request for posting confirmation emailed to previous authors: Oscar de Dios , Qin Wu , Dhruv Dhody , Diego Lopez |
2017-09-04
|
17 | Dhruv Dhody | Uploaded new revision |
2017-08-09
|
16 | Suresh Krishnan | [Ballot comment] Thanks for taking care of my DISCUSS points. |
2017-08-09
|
16 | Suresh Krishnan | [Ballot Position Update] Position for Suresh Krishnan has been changed to No Objection from Discuss |
2017-08-08
|
16 | (System) | Sub state has been changed to AD Followup from Revised ID Needed |
2017-08-08
|
16 | (System) | IANA Review state changed to Version Changed - Review Needed from IANA OK - Actions Needed |
2017-08-08
|
16 | Dhruv Dhody | New version available: draft-ietf-pce-pceps-16.txt |
2017-08-08
|
16 | (System) | New version approved |
2017-08-08
|
16 | (System) | Request for posting confirmation emailed to previous authors: Oscar de Dios , Qin Wu , Dhruv Dhody , Diego Lopez |
2017-08-08
|
16 | Dhruv Dhody | Uploaded new revision |
2017-08-07
|
15 | Ben Campbell | [Ballot comment] Thanks for resolving my DISCUSS point and other comments via email. I'm clearing now under the assumption the discussed updates will make it … [Ballot comment] Thanks for resolving my DISCUSS point and other comments via email. I'm clearing now under the assumption the discussed updates will make it into a future revision. |
2017-08-07
|
15 | Ben Campbell | [Ballot Position Update] Position for Ben Campbell has been changed to Yes from Discuss |
2017-08-07
|
15 | Alexey Melnikov | [Ballot comment] Thank you for addressing my DISCUSS points and comments. I think the text about use of RFC 6125 should use RFC 6125 terminology … [Ballot comment] Thank you for addressing my DISCUSS points and comments. I think the text about use of RFC 6125 should use RFC 6125 terminology like DNS-ID and CN-ID, because they have a bit more semantics associated with them other than just subjectAltName:DNS. I think you should also clarify whether you want to allow wildcards in DNS-ID/CN-ID (RFC 6125 talks about that). |
2017-08-07
|
15 | Alexey Melnikov | [Ballot Position Update] Position for Alexey Melnikov has been changed to Yes from Discuss |
2017-08-03
|
15 | Amy Vezza | IESG state changed to IESG Evaluation::Revised I-D Needed from IESG Evaluation |
2017-08-03
|
15 | Alexey Melnikov | [Ballot discuss] I am very glad to see this document and I will be switching to "Yes" once we discuss the following issues: 1) … [Ballot discuss] I am very glad to see this document and I will be switching to "Yes" once we discuss the following issues: 1) +-+-+ +-+-+ |PCC| |PCE| +-+-+ +-+-+ | | | StartTLS | | msg | |------- | | \ StartTLS | | \ msg | | \ ---------| | \/ | | /\ | | / -------->| | / | |<------ | |:::::::::TLS:::::::::| TLS Establishment |:::::Establishment:::| Failure | | |<--------------------| Send Error-Type TBA2 | PCErr | Error-Value 3/4 | | Figure 2: Both PCEP Speaker supports PCEPS (strict), but cannot establish TLS Firstly, I think you also need to demonstrate a case when the server end of TLS is refusing to startTLS before trying TLS negotiation (e.g. if it doesn't have certificate configured). In this case you need to send PCErr in the clear. I think earlier text suggest that this case is possible. Secondly, does the case depicted on this picture mean that TLS was negotiated successfully, but TLS identities were not successfully verified? (I.e. the PCErr is sent over the TLS layer). If TLS failed to negotiate, you don't have a channel to send data on, as the other end will get confused. I think you just have to close connection in such case. So maybe you need 3 figures describing the above 3 cases. 2) In Section 3.4: + Implementations MAY allow the configuration of a set of additional properties of the certificate to check for a peer's authorization to communicate (e.g., a set of allowed values in subjectAltName:URI or a set of allowed X509v3 Certificate Policies) Can you give an example of what you expect to see in the subjectAltName:URI? Your current text doesn't seem sufficient for interoperability. |
2017-08-03
|
15 | Alexey Melnikov | [Ballot comment] I am agreeing with Ekr's DISCUSS points. Some of mine might be just a different phrasing of his. In Section 3.4. TLS Connection … [Ballot comment] I am agreeing with Ekr's DISCUSS points. Some of mine might be just a different phrasing of his. In Section 3.4. TLS Connection Establishment * PCEPS implementations MUST, at a minimum, support negotiation of the TLS_RSA_WITH_AES_128_GCM_SHA256, and SHOULD support TLS_RSA_WITH_AES_256_GCM_SHA384 as well [RFC5288]. In addition, PCEPS implementations MUST support negotiation of the mandatory-to-implement ciphersuites required by the versions of TLS that they support. Should the last sentence apply starting from TLS 1.3 forward? In Section 3.5: [I-D.ietf-pce-stateful-sync-optimizations] specify a Speaker Entity Identifier TLV (SPEAKER-ENTITY-ID), as an optional TLV that MAY be included in the OPEN Object. It contains a unique identifier for the node that does not change during the lifetime of the PCEP speaker. An implementation would thus expose the speaker entity identifier as part of the X509v3 certificate, so that an implementation could use Can you be a bit more specific, as this looks underspecified. Are you thinking about using subject name or subject alt name for this (or either)? this identifier for the peer identification trust model. In the Security Considerations sections: I think you should also talk about downgrade attacks here, e.g. man-in-the-middle injecting error response in response to StartTLS command or man-in-the-middle stripping StartTLS command. |
2017-08-03
|
15 | Alexey Melnikov | [Ballot Position Update] New position, Discuss, has been recorded for Alexey Melnikov |
2017-08-02
|
15 | Ben Campbell | [Ballot discuss] -3.4, step 2: "Peer validation always SHOULD include a check on whether the locally configured expected DNS name or IP address of … [Ballot discuss] -3.4, step 2: "Peer validation always SHOULD include a check on whether the locally configured expected DNS name or IP address of the peer that is contacted matches its presented certificate." Why is that not a MUST? As it is, this need to at least discuss the risks involved if you don't check the identity of the peer cert (here or in the security considerations.) |
2017-08-02
|
15 | Ben Campbell | [Ballot comment] Substantive: - I share Warren's question about why you chose STARTTLS over a dedicated port, especially since the 2nd to last paragraph in … [Ballot comment] Substantive: - I share Warren's question about why you chose STARTTLS over a dedicated port, especially since the 2nd to last paragraph in 3.2 goes out of its way to mention that. What were the tradeoffs involved that made adding the additional protocol machinery more attractive than allocating a port number? - 3.2: "Implementations MUST support SHA-256 as defined by [SHS] as the hash algorithm for the fingerprint." Do you really intend "MUST support" (meaning you have to be able to handle sha-256, but could allow other hashes) vs "MUST use"? - 3.5: "Implementations that want to support a wide variety of trust models SHOULD expose as many details of the presented certificate to the administrator as possible so that the trust model can be implemented by the administrator." "as much as possible" is pretty vague for the a 2119 SHOULD. Since the following sentences also include a SHOULD along with considerably more detail, I suggest dropping the SHOULD in this sentence, and leaving the one in the following sentence. - 3.6: Is the exponential backoff requirement part of the procedures in 5440? The wording suggests that it is not. If so, it needs elaboration here. Editorial: - 3.2, paragraph 8: s/"... PCE MUST responds with..."/ "...PCE MUST respond with..." - 3.4 : "Negotiation of mutual authentication is REQUIRED." Does that mean that the peers must elect to use mutual authentication, or that if they want to use it, they must agree to do so? (The pattern persists throughout the section, but the meaning seems more obvious for some of the others.) -3.5, 2nd to last paragraph: Please don't use 2119 keywords to describe pre-existing or external requirements. They should be reserved for the authoritative specification of a given requirement. -5, 2nd paragraph: The first sentence does not make sense. |
2017-08-02
|
15 | Ben Campbell | [Ballot Position Update] New position, Discuss, has been recorded for Ben Campbell |
2017-08-02
|
15 | Suresh Krishnan | [Ballot discuss] * Section 3.2: This seems to be overly broad and directly contradicts to what is required by RFC5440. A PCEP speaker … [Ballot discuss] * Section 3.2: This seems to be overly broad and directly contradicts to what is required by RFC5440. A PCEP speaker receiving any other message apart from StartTLS, Open, or PCErr as the first message, MUST treat it as an unexpected message and reply with a PCErr message with Error-Type set to [TBA2 by IANA] (PCEP StartTLS failure) and Error-value set to 2 (reception of any other message apart from StartTLS, Open, or PCErr message), and MUST close the TCP connection. According to RFC5440, when a non-Open message is received the PCEP speaker is required to send a PCErr message with Error-Type 1 ("PCEP session establishment failure") and Error-value 1 ("reception of an invalid Open message or a non Open message"). I think this text needs to be reworded to narrow down the scope of this error. * The fallback procedure after receiving the error code 4 needs to be clarified. Is the response 4 remembered for future connections or is it only limited to a single attempt immediately after the TLS connection establishment failure. i.e. After falling back, does the client ever try to establish a secure connection again? |
2017-08-02
|
15 | Suresh Krishnan | [Ballot comment] * Section 3.2: This sentence needs to be reworded s/If a PCE that supports PCEPS connection/If a PCE supports PCEPS connection/ |
2017-08-02
|
15 | Suresh Krishnan | [Ballot Position Update] New position, Discuss, has been recorded for Suresh Krishnan |
2017-08-02
|
15 | Alia Atlas | [Ballot Position Update] New position, No Objection, has been recorded for Alia Atlas |
2017-08-02
|
15 | Amanda Baber | IANA Review state changed to IANA OK - Actions Needed from Version Changed - Review Needed |
2017-08-02
|
15 | Kathleen Moriarty | [Ballot comment] I support EKR's discuss points, especially the first. I'm a yes assuming that all the discuss points will be addressed, as I do … [Ballot comment] I support EKR's discuss points, especially the first. I'm a yes assuming that all the discuss points will be addressed, as I do think this work is important and am glad to see it. In addition to other comments, I don't think anyone else commented on the use of the word "privacy" instead of confidentiality in the security considerations section. That should be changed. Thank you. |
2017-08-02
|
15 | Kathleen Moriarty | [Ballot Position Update] New position, Yes, has been recorded for Kathleen Moriarty |
2017-08-01
|
15 | Spencer Dawkins | [Ballot Position Update] New position, No Objection, has been recorded for Spencer Dawkins |
2017-08-01
|
15 | Terry Manderson | [Ballot Position Update] New position, No Objection, has been recorded for Terry Manderson |
2017-08-01
|
15 | Warren Kumari | [Ballot comment] I think that the document should explain why this does STARTTLS and not e.g another port (which would be more downgrade resistant) Obviously … [Ballot comment] I think that the document should explain why this does STARTTLS and not e.g another port (which would be more downgrade resistant) Obviously this is in addition to the DISCUSS held by EKR. |
2017-08-01
|
15 | Warren Kumari | Ballot comment text updated for Warren Kumari |
2017-08-01
|
15 | Warren Kumari | [Ballot comment] I'd like to understand why this does STARTTLS and not e.g another port. Obviously this is in addition to the DISCUSS held by … [Ballot comment] I'd like to understand why this does STARTTLS and not e.g another port. Obviously this is in addition to the DISCUSS held by EKR. |
2017-08-01
|
15 | Warren Kumari | [Ballot Position Update] New position, No Objection, has been recorded for Warren Kumari |
2017-08-01
|
15 | Eric Rescorla | [Ballot discuss] 1. This needs a cite to RFC 6125 to define how to do name validation. 2. You require TLS_RSA_WITH_AES_128_GCM_SHA256, but this is not … [Ballot discuss] 1. This needs a cite to RFC 6125 to define how to do name validation. 2. You require TLS_RSA_WITH_AES_128_GCM_SHA256, but this is not consistent with modern recommendations, which are for algorithms that provide forward secrecy. You should be recommending TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 with P-256, which is consistent with the recommendations for TLS 1.3 (and UTA, IIRC). 3, It's clear to me how authentication of the PCE works in that the PCC connects to it using a domain name or IP address and therefore can check the PCC's certificate against that, but it's not clear to me what the PCE does when the client connects? Is it supposed to have a list of valid peers? 4. The error reporting mechanism you describe in S 3.2 is unusual: After the exchange of StartTLS messages, if a PCEP speaker cannot establish a TLS connection for some reason (e.g. the required mechanisms for certificate revocation checking are not available), it MUST return a PCErr message (in clear) with Error-Type set to [TBA2 by IANA] (PCEP StartTLS failure) and Error-value set to: I am not aware of any other protocol that does this, and it's a bit problematic because you either need to (a) require that you always send a TLS alert so that the receiver knows that the next byte is a PCE message or (b) specify some mechanism for demuxing PCE and TLS. Even in the former category, many TLS stacks are greedy about their IO, so they will read the alert + the PCE message and then discard the message. Instead you should either: (a) specify that you always send TLS alerts and don't send PCE errors (TLS alerts are pretty rich) (b) send any post-handshake alerts over the TLS connection. Failing that, you need to provide detailed instructions about how to make this work. 5. It seems like it would be a good idea to specify a pinning mechanism so you could say "always do TLS in future". Is that something that was discussed? 6. * TLS with X.509 certificates using certificate fingerprints: Implementations MUST allow the configuration of a list of trusted certificates, identified via fingerprint of the Distinguished Encoding Rules (DER) encoded certificate octets. Implementations MUST support SHA-256 as defined by [SHS] as the hash algorithm for the fingerprint. What does "trusted" mean here? I think it means "one I would accept as a counterparty" rather than "can sign other certs". In any case, this must be clear. A bunch of other stuff is underspecified (see below). |
2017-08-01
|
15 | Eric Rescorla | [Ballot comment] This document needs a significant editorial pass. I found a number of writing errors, e.g., "Securing via TLS of an existing PCEP session … [Ballot comment] This document needs a significant editorial pass. I found a number of writing errors, e.g., "Securing via TLS of an existing PCEP session is not permitted," S 1. defining their application in depth. Moreover, [RFC6952] remarks the importance of ensuring PCEP communication privacy, especially when The term here is "confidentiality" S 3.2. The whole description of how you can race StartTLS iff you know you are TLS only is really hard to understand until you get to the diagrams. I would write something like: The PCC initiates the use of TLS by sending a StartTLS message The PCE agrees to the use of TLS by responding with its own StartTLS message. If the PCE is configured to only do TLS, it may send the StartTLS message immediately upon TCP connection establishment; otherwise it MUST wait for the PCC's first message to see whether it is an Open or StartTLS message. S 3.4. + Implementations SHOULD indicate their trusted CAs. For TLS 1.2, this is done using [RFC5246], Section 7.4.4, "certificate_authorities" (server side) and [RFC6066], Section 6 "Trusted CA Indication" (client side). Do common stacks do this? I know NSS does not. To support TLS re-negotiation both peers MUST support the mechanism described in [RFC5746]. Any attempt to initiate a TLS handshake to establish new cryptographic parameters not aligned with [RFC5746] SHALL be considered a TLS negotiation failure. Is there a reason to allow renegotiation at all? S 3.5 [I-D.ietf-pce-stateful-sync-optimizations] specify a Speaker Entity Identifier TLV (SPEAKER-ENTITY-ID), as an optional TLV that MAY be included in the OPEN Object. It contains a unique identifier for the node that does not change during the lifetime of the PCEP speaker. An implementation would thus expose the speaker entity identifier as part of the X509v3 certificate, so that an implementation could use this identifier for the peer identification trust model. This seems underspecified. Is there an OID assigned? S 4.1. DANE [RFC6698] defines a secure method to associate the certificate that is obtained from a TLS server with a domain name using DNS, i.e., using the TLSA DNS resource record (RR) to associate a TLS server certificate or public key with the domain name where the record is found, thus forming a "TLSA certificate association". The DNS information needs to be protected by DNS Security (DNSSEC). A PCC willing to apply DANE to verify server identity MUST conform to the rules defined in section 4 of [RFC6698]. The server's domain name must be authorized separately, as TLSA does not provide any useful authorization guarantees. This is also underspecified. Which DANE types are you suggesting you use? S 7. Some TLS ciphersuites only provide integrity validation of their payload, and provide no encryption. This specification does not forbid the use of such ciphersuites, but administrators must weight carefully the risk of relevant internal data leakage that can occur in such a case, as explicitly stated by [RFC6952]. Why don't you forbid it? |
2017-08-01
|
15 | Eric Rescorla | [Ballot Position Update] New position, Discuss, has been recorded for Eric Rescorla |
2017-07-31
|
15 | (System) | IANA Review state changed to Version Changed - Review Needed from IANA OK - Actions Needed |
2017-07-31
|
15 | Dhruv Dhody | New version available: draft-ietf-pce-pceps-15.txt |
2017-07-31
|
15 | (System) | New version approved |
2017-07-31
|
15 | (System) | Request for posting confirmation emailed to previous authors: Oscar de Dios , Qin Wu , Dhruv Dhody , Diego Lopez |
2017-07-31
|
15 | Dhruv Dhody | Uploaded new revision |
2017-07-31
|
14 | Mirja Kühlewind | [Ballot comment] One high level comment: As already mentioned by the gen-art review (Thanks Dale for the detailed review!), for me the text was for … [Ballot comment] One high level comment: As already mentioned by the gen-art review (Thanks Dale for the detailed review!), for me the text was for a long time while reading not clear on who starts the TLS negotiation. In think there is a statement missing that a speaker/PCE that supports PCEPS and receives a StartTLS message MUST reply with a StartTLS message and further the PCC MUST initiation the TLS after reception of a StartTLS message from the PCC. More minor/editorial comments: 1) There are two cases where the behavior of speakers that do not support PCEPS is specified, which is a bit non-sensical given that not support probably means it does not follow this spec: OLD "If the PCEP speaker that does not support PCEPS, receives a StartTLS message, it MUST behave according to the existing error mechanism described in section 6.2 of [RFC5440] (in case message is received prior to an Open message) or section 6.9 of [RFC5440] (for the case of reception of unknown message)." NEW "If the PCEP speaker that does not support PCEPS, receives a StartTLS message, it will behave according to the existing error mechanism described in section 6.2 of [RFC5440] (in case message is received prior to an Open message) or section 6.9 of [RFC5440] (for the case of reception of unknown message)." and OLD "A PCEP speaker that does not support PCEPS or has learned the peer willingness to reestablish session without TLS, can send the Open message directly, as per [RFC5440]." NEW "A PCEP speaker that does not support PCEPS sends the Open message directly, as per [RFC5440]. A PCEP speaker that supports PCEPS but has previously already learned the peer willingness to reestablish session without TLS, MAY send the Open message directly, as per [RFC5440]." 2) As already mentioned in the gen-art review, I also think there should be more text on what a host should do that uses StartTLS but gets an error back. This is defined previously in the document but given there is an own section here, I would just recommend to re-iterate there. In other words please add the proposed text! 3) Why is this a MUST? sec 8.1 "A PCE or PCC implementation MUST allow configuring the PCEP security via TLS capabilities as described in this document." Wouldn't a SHOULD be enough/better? Meaning that when PCEPS is implemented and turned on by default, I don't necessarily have to provide a knob to turn it off? 4) Also related to the previous point sec 8.2 "An implementation SHOULD allow the operator to configure the PCEPS capability and various TLS related parameters, ..." Probably this part of sentence should not be normative given this part is (differently) specified in the previous section. |
2017-07-31
|
14 | Mirja Kühlewind | [Ballot Position Update] New position, No Objection, has been recorded for Mirja Kühlewind |
2017-07-24
|
14 | Deborah Brungard | IESG state changed to IESG Evaluation from Waiting for Writeup |
2017-07-24
|
14 | Deborah Brungard | Ballot has been issued |
2017-07-24
|
14 | Deborah Brungard | [Ballot Position Update] New position, Yes, has been recorded for Deborah Brungard |
2017-07-24
|
14 | Deborah Brungard | Created "Approve" ballot |
2017-07-24
|
14 | Deborah Brungard | Ballot writeup was changed |
2017-07-13
|
14 | Tero Kivinen | Request for Last Call review by SECDIR Completed: Ready. Reviewer: David Mandelberg. |
2017-07-12
|
14 | Tianran Zhou | Request for Last Call review by OPSDIR Completed: Ready. Reviewer: Tianran Zhou. Sent review to list. |
2017-07-12
|
14 | (System) | IESG state changed to Waiting for Writeup from In Last Call |
2017-07-11
|
14 | Dale Worley | Request for Last Call review by GENART Completed: Ready with Nits. Reviewer: Dale Worley. Sent review to list. |
2017-07-07
|
14 | (System) | IANA Review state changed to IANA OK - Actions Needed from IANA - Review Needed |
2017-07-07
|
14 | Sabrina Tanamal | (Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs: The IANA Services Operator has completed its review of draft-ietf-pce-pceps-14.txt. If any part of this review is inaccurate, please let … (Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs: The IANA Services Operator has completed its review of draft-ietf-pce-pceps-14.txt. If any part of this review is inaccurate, please let us know. The IANA Services Operator understands that, upon approval of [ RFC-to-be ], there are two actions which we must complete. First, in the PCEP Messages registry on the Path Computation Element Protocol (PCEP) Numbers registry page located at: https://www.iana.org/assignments/pcep/ a single new registration is to be made as follows: Value: [ TBD-at-registration ] Description: The Start TLS Message (StartTLS) Reference: [ RFC-to-be ] Second, in the PCEP-ERROR Object Error Types and Values registry also on the Path Computation Element Protocol (PCEP) Numbers registry page located at: https://www.iana.org/assignments/pcep/ a new registration will be made as follows: Error- Type Meaning Error-value Reference -----------------------+---------------------+-----------------------+--------------- [ TBD-at-registration ] StartTLS Failure 0:Unassigned [ RFC-to-be ] 1:Reception of [ RFC-to-be ] StartTLS after any PCEP exchange 2:Reception of [ RFC-to-be ] any other message apart from StartTLS, Open or PCErr 3:Failure, connection [ RFC-to-be ] without TLS not possible 4:Failure, connection [ RFC-to-be ] without TLS possible 5:No StartTLS message [ RFC-to-be ] before StartTLSWait timer expiry The IANA Services Operator understands that these two actions are the only ones required to be completed upon approval of [ RFC-to-be ]. Note: The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is only to confirm what actions will be performed. Thank you, Sabrina Tanamal IANA Services Specialist PTI |
2017-06-30
|
14 | Gunter Van de Velde | Request for Last Call review by OPSDIR is assigned to Tianran Zhou |
2017-06-30
|
14 | Gunter Van de Velde | Request for Last Call review by OPSDIR is assigned to Tianran Zhou |
2017-06-29
|
14 | Jean Mahoney | Request for Last Call review by GENART is assigned to Dale Worley |
2017-06-29
|
14 | Jean Mahoney | Request for Last Call review by GENART is assigned to Dale Worley |
2017-06-29
|
14 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to David Mandelberg |
2017-06-29
|
14 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to David Mandelberg |
2017-06-28
|
14 | Cindy Morgan | IANA Review state changed to IANA - Review Needed |
2017-06-28
|
14 | Cindy Morgan | The following Last Call announcement was sent out: From: The IESG To: IETF-Announce CC: db3546@att.com, draft-ietf-pce-pceps@ietf.org, Cyril Margaria , pce@ietf.org, pce-chairs@ietf.org … The following Last Call announcement was sent out: From: The IESG To: IETF-Announce CC: db3546@att.com, draft-ietf-pce-pceps@ietf.org, Cyril Margaria , pce@ietf.org, pce-chairs@ietf.org, cmargaria@juniper.net Reply-To: ietf@ietf.org Sender: Subject: Last Call: (Secure Transport for PCEP) to Proposed Standard The IESG has received a request from the Path Computation Element WG (pce) to consider the following document: - 'Secure Transport for PCEP' as Proposed Standard The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the ietf@ietf.org mailing lists by 2017-07-12. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting. Abstract The Path Computation Element Communication Protocol (PCEP) defines the mechanisms for the communication between a Path Computation Client (PCC) and a Path Computation Element (PCE), or among PCEs. This document describe the usage of Transport Layer Security (TLS) to enhance PCEP security, hence the PCEPS acronym proposed for it. The additional security mechanisms are provided by the transport protocol supporting PCEP, and therefore they do not affect the flexibility and extensibility of PCEP. This document updates RFC 5440 regarding the PCEP initialization phase specification. The file can be obtained via https://datatracker.ietf.org/doc/draft-ietf-pce-pceps/ IESG discussion can be tracked via https://datatracker.ietf.org/doc/draft-ietf-pce-pceps/ballot/ No IPR declarations have been submitted directly on this I-D. |
2017-06-28
|
14 | Cindy Morgan | IESG state changed to In Last Call from Last Call Requested |
2017-06-28
|
14 | Deborah Brungard | Placed on agenda for telechat - 2017-08-03 |
2017-06-28
|
14 | Deborah Brungard | Last call was requested |
2017-06-28
|
14 | Deborah Brungard | Ballot approval text was generated |
2017-06-28
|
14 | Deborah Brungard | Ballot writeup was generated |
2017-06-28
|
14 | Deborah Brungard | IESG state changed to Last Call Requested from Expert Review |
2017-06-28
|
14 | Deborah Brungard | Last call announcement was generated |
2017-05-22
|
14 | Dhruv Dhody | New version available: draft-ietf-pce-pceps-14.txt |
2017-05-22
|
14 | (System) | New version approved |
2017-05-22
|
14 | (System) | Request for posting confirmation emailed to previous authors: Oscar de Dios , Qin Wu , Dhruv Dhody , pce-chairs@ietf.org, Diego Lopez |
2017-05-22
|
14 | Dhruv Dhody | Uploaded new revision |
2017-05-20
|
13 | Dhruv Dhody | New version available: draft-ietf-pce-pceps-13.txt |
2017-05-20
|
13 | (System) | New version approved |
2017-05-20
|
13 | (System) | Request for posting confirmation emailed to previous authors: Oscar de Dios , Qin Wu , Dhruv Dhody , pce-chairs@ietf.org, Diego Lopez |
2017-05-20
|
13 | Dhruv Dhody | Uploaded new revision |
2017-05-11
|
12 | Min Ye | Request for Last Call review by RTGDIR Completed: Has Issues. Reviewer: Dan Frost. |
2017-05-05
|
12 | Deborah Brungard | Routing Area Directorate Reviewer - Dan Frost. |
2017-05-05
|
12 | Deborah Brungard | IESG state changed to Expert Review from Publication Requested |
2017-04-26
|
12 | Jonathan Hardwick | Request for Last Call review by RTGDIR is assigned to Dan Frost |
2017-04-26
|
12 | Jonathan Hardwick | Request for Last Call review by RTGDIR is assigned to Dan Frost |
2017-04-26
|
12 | Deborah Brungard | Requested Last Call review by RTGDIR |
2017-04-25
|
12 | Jonathan Hardwick | As required by RFC 4858, this is the current template for the Document Shepherd Write-Up. Changes are expected over time. This version is dated … As required by RFC 4858, this is the current template for the Document Shepherd Write-Up. Changes are expected over time. This version is dated 24 February 2012. (1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, Experimental, or Historic)? Why is this the proper type of RFC? Is this type of RFC indicated in the title page header? Proposed Standard - indicated in the title page header. This is the correct type as the draft proposes extensions to the Path Computation Element Protocol (PCEP). (2) The IESG approval announcement includes a Document Announcement Write-Up. Please provide such a Document Announcement Write-Up. Recent examples can be found in the "Action" announcements for approved documents. The approval announcement contains the following sections: Technical Summary The Path Computation Element Communication Protocol (PCEP) defines the mechanisms for the communication between a Path Computation Client (PCC) and a Path Computation Element (PCE), or among PCEs. This document describe the usage of Transport Layer Security (TLS) to enhance PCEP security, hence the PCEPS acronym proposed for it. The additional security mechanisms are provided by the transport protocol supporting PCEP, and therefore they do not affect the flexibility and extensibility of PCEP. Working Group Summary There has been no particular controversy and the consensus behind the document is good. Document Quality The document is good. It has been reviewed outside of the PCE WG for the TLS mechanisms. Personnel Cyril Margaria is the Document Shepherd. Deborah Brungard is the Responsible Area Director. (3) Briefly describe the review of this document that was performed by the Document Shepherd. If this version of the document is not ready for publication, please explain why the document is being forwarded to the IESG. I reviewed the text around the time of working group last call and during a shepherd reviiew. In my opinion, the document is ready to be published. (4) Does the document Shepherd have any concerns about the depth or breadth of the reviews that have been performed? No. (5) Do portions of the document need review from a particular or from broader perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or internationalization? If so, describe the review that took place. the usage of TLS and start TLS derives from existing RFCs (RFC6614 and rfc4513)? An early security directorate review has been made (By David Mandelberg) (6) Describe any specific concerns or issues that the Document Shepherd has with this document that the Responsible Area Director and/or the IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here. None. (7) Has each author confirmed that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed. If not, explain why. Yes. (8) Has an IPR disclosure been filed that references this document? If so, summarize any WG discussion and conclusion regarding the IPR disclosures. No. (9) How solid is the WG consensus behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it? It has been carefully reviewed by a few interested individuals. (10) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarise the areas of conflict in separate email messages to the Responsible Area Director. (It should be in a separate email because this questionnaire is publicly available.) No. (11) Identify any ID nits the Document Shepherd has found in this document. (See https://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist). Boilerplate checks are not enough; this check needs to be thorough. Because the draft originates from before 10 November 2008, idnits reports the following warning. -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at http://trustee.ietf.org/license-info for more information.) However, the document states in its preamble: This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Thus my understanding is that the authors have granted the BCP78 rights to the IETF trust. (12) Describe how the document meets any required formal review criteria, such as the MIB Doctor, media type, and URI type reviews. N/A. (13) Have all references within this document been identified as either normative or informative? Yes. (14) Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state? If such normative references exist, what is the plan for their completion? No (15) Are there downward normative references references (see RFC 3967)? If so, list these downward references to support the Area Director in the Last Call procedure. No. (16) Will publication of this document change the status of any existing RFCs? Are those RFCs listed on the title page header, listed in the abstract, and discussed in the introduction? If the RFCs are not listed in the Abstract and Introduction, explain why, and point to the part of the document where the relationship of this document to the other RFCs is discussed. If this information is not in the document, explain why the WG considers it unnecessary. No. (17) Describe the Document Shepherd's review of the IANA considerations section, especially with regard to its consistency with the body of the document. Confirm that all protocol extensions that the document makes are associated with the appropriate reservations in IANA registries. Confirm that any referenced IANA registries have been clearly identified. Confirm that newly created IANA registries include a detailed specification of the initial contents for the registry, that allocations procedures for future registrations are defined, and a reasonable name for the new registry has been suggested (see RFC 5226). IANA actions are clearly specified, covering all protocol extensions. (18) List any new IANA registries that require Expert Review for future allocations. Provide any public guidance that the IESG would find useful in selecting the IANA Experts for these new registries. None. (19) Describe reviews and automated checks performed by the Document Shepherd to validate sections of the document written in a formal language, such as XML code, BNF rules, MIB definitions, etc. None. |
2017-04-25
|
12 | Jonathan Hardwick | Responsible AD changed to Deborah Brungard |
2017-04-25
|
12 | Jonathan Hardwick | IETF WG state changed to Submitted to IESG for Publication from WG Consensus: Waiting for Write-Up |
2017-04-25
|
12 | Jonathan Hardwick | IESG state changed to Publication Requested |
2017-04-25
|
12 | Jonathan Hardwick | IESG process started in state Publication Requested |
2017-04-24
|
12 | Cyril Margaria | Changed document writeup |
2017-04-11
|
12 | Dhruv Dhody | New version available: draft-ietf-pce-pceps-12.txt |
2017-04-11
|
12 | (System) | New version approved |
2017-04-11
|
12 | (System) | Request for posting confirmation emailed to previous authors: Oscar de Dios , Wenson Wu , Dhruv Dhody , pce-chairs@ietf.org, Diego Lopez |
2017-04-11
|
12 | Dhruv Dhody | Uploaded new revision |
2017-02-27
|
11 | Jonathan Hardwick | Changed consensus to Yes from Unknown |
2017-02-27
|
11 | Jonathan Hardwick | Intended Status changed to Proposed Standard from None |
2017-02-27
|
11 | Jonathan Hardwick | Notification list changed to Cyril Margaria <cmargaria@juniper.net> |
2017-02-27
|
11 | Jonathan Hardwick | Document shepherd changed to Cyril Margaria |
2017-02-27
|
11 | Jonathan Hardwick | IETF WG state changed to WG Consensus: Waiting for Write-Up from In WG Last Call |
2017-01-02
|
11 | Dhruv Dhody | New version available: draft-ietf-pce-pceps-11.txt |
2017-01-02
|
11 | (System) | New version approved |
2017-01-02
|
11 | (System) | Request for posting confirmation emailed to previous authors: "Diego Lopez" , "Wenson Wu" , "Oscar de Dios" , pce-chairs@ietf.org, "Dhruv Dhody" |
2017-01-02
|
11 | Dhruv Dhody | Uploaded new revision |
2016-07-08
|
10 | Dhruv Dhody | New version available: draft-ietf-pce-pceps-10.txt |
2016-03-08
|
09 | Diego Lopez | New version available: draft-ietf-pce-pceps-09.txt |
2016-03-06
|
08 | Diego Lopez | New version available: draft-ietf-pce-pceps-08.txt |
2016-01-21
|
07 | Diego Lopez | New version available: draft-ietf-pce-pceps-07.txt |
2015-12-03
|
06 | Tero Kivinen | Request for Early review by SECDIR Completed: Has Issues. Reviewer: David Mandelberg. |
2015-11-26
|
06 | Tero Kivinen | Request for Early review by SECDIR is assigned to David Mandelberg |
2015-11-26
|
06 | Tero Kivinen | Request for Early review by SECDIR is assigned to David Mandelberg |
2015-11-19
|
06 | Diego Lopez | New version available: draft-ietf-pce-pceps-06.txt |
2015-11-02
|
05 | Diego Lopez | New version available: draft-ietf-pce-pceps-05.txt |
2015-10-08
|
04 | Vasseur Jp | IETF WG state changed to In WG Last Call from WG Document |
2015-05-05
|
04 | Diego Lopez | New version available: draft-ietf-pce-pceps-04.txt |
2015-03-04
|
03 | Dhruv Dhody | New version available: draft-ietf-pce-pceps-03.txt |
2014-10-02
|
02 | Dhruv Dhody | New version available: draft-ietf-pce-pceps-02.txt |
2014-09-11
|
01 | Diego Lopez | New version available: draft-ietf-pce-pceps-01.txt |
2014-03-20
|
00 | Julien Meuric | This document now replaces draft-lopez-pce-pceps instead of None |
2014-03-11
|
00 | Diego Lopez | New version available: draft-ietf-pce-pceps-00.txt |