
Last Call Review of draft-ietf-pce-vn-association-11
review-ietf-pce-vn-association-11-secdir-lc-reddyk-2022-10-30-00

Request Review of draft-ietf-pce-vn-association
Requested revision No specific revision (document currently at 11)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2022-10-13
Requested 2022-09-29
Authors Young Lee, Haomian Zheng, Daniele Ceccarelli
I-D last updated 2022-10-30
Completed reviews Rtgdir Early review of -08 by He Jia
Secdir Last Call review of -11 by Tirumaleswar Reddy.K
Genart Last Call review of -09 by Meral Shirazipour
Assignment Reviewer Tirumaleswar Reddy.K
State Completed
Request Last Call review on draft-ietf-pce-vn-association by Security Area Directorate Assigned
Posted at https://mailarchive.ietf.org/arch/msg/secdir/BVT_aEu8-Wksg5R6qFTJY2Lfdls
Reviewed revision 11
Result Has issues
Completed 2022-10-25
Reviewer: Tirumaleswar Reddy
Review result: Ready with issues

I apologize for missing the deadline for this review.

This document relies on [RFC5440], [RFC8231], [RFC8281] and [RFC8697] for
security considerations. RFC5440 discusses the use of TCP-MD5 (obsoleted),
TCP Authentication Option and TLS 1.2. Further, RFC5440 refers to RFC7525
for TLS recommendations.

draft-ietf-pce-vn-association says use of TLS is recommended.

My comments below:

1. Any specific reason for using "SHOULD" instead of using "MUST" for
TLS? If TLS is not used in certain scenarios, how is a malicious PCEP
speaker detected?
2. Do you see any challenges encouraging the use of TLS 1.3?
3. You may want to make it clear that this document does not rely on
TCP-MD5.
4. If existing implementations are using TLS 1.2, I suggest referring to
the recommendations in draft-ietf-uta-rfc7525bis instead of rfc7525. Please
see Appendix A in draft-ietf-uta-rfc7525bis, it highlights the differences
with rfc7525.

Cheers,
-Tiru