PCEP over TLS

PCEP over TLS (PCEPS) uses Transport Layer Security (TLS) to provide secure communication for PCEP. The secured session uses port 4189. The PCC is configured with a TLS client profile to initiate the TLS handshake. The PCE is configured with a TLS server profile to allow PCEP over TLS.

When a TLS server profile is configured on the PCE, the PCE can establish TLS connections in PCE secured (PCES) mode or non-TLS connections in PCE mode.

On the PCC, the 7705 SAR supports only strict TLS. That is, when the PCC is configured with a TLS client profile, the PCE must be TLS-capable and in PCES mode to establish a TLS connection; the PCC does not fall back to a non-TLS connection. The PCE and PCC must perform a successful TLS handshake before the TLS wait timer expires.

If the PCC is not configured with a TLS client profile, the PCC and PCE can still make a connection in PCE mode, even if the PCE is configured with a TLS server profile.

In PCES mode, both the PCC and PCE must provide certificates for authentication. The PCE provides the server certificate to the PCC and requires the client certificate to authenticate the PCC.
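Because a PCE with a TLS server profile still accepts non-TLS sessions from PCCs that have no TLS client profile, it is worth auditing which peers actually connect in PCES mode. The following is an added example, not Nokia code: it classifies a session by the first PCEP message seen on port 4189. It assumes the PCEP common header layout from RFC 5440 and the StartTLS message type (13) from RFC 8253, neither of which is stated on this page; the function names, peer names and captured bytes are constructed for illustration.

```python
import struct

# PCEP common header (RFC 5440): Ver (3 bits) | Flags (5 bits) | Type (8) | Length (16)
PCEP_VERSION = 1
MSG_OPEN = 1        # RFC 5440: first message of a non-TLS (PCE mode) session
MSG_STARTTLS = 13   # RFC 8253: first message of a PCEPS (PCES mode) session


def classify_first_message(data: bytes) -> str:
    """Return 'PCES', 'PCE' or 'INVALID' for the first bytes a peer sends."""
    if len(data) < 4:
        return "INVALID"  # shorter than a PCEP common header
    ver_flags, msg_type, length = struct.unpack("!BBH", data[:4])
    if ver_flags >> 5 != PCEP_VERSION or length < 4:
        return "INVALID"
    if msg_type == MSG_STARTTLS:
        return "PCES"     # peer asked for TLS before any other PCEP exchange
    if msg_type == MSG_OPEN:
        return "PCE"      # peer went straight to Open: session is not encrypted
    return "INVALID"      # anything else is not a valid session start


def audit(sessions):
    """Map each peer that did not start in PCES mode to the mode observed."""
    report = {}
    for peer, first_bytes in sessions:
        mode = classify_first_message(first_bytes)
        if mode != "PCES":
            report[peer] = mode
    return report


# Constructed sample captures (peer name, first bytes received), not real traffic.
SAMPLE_SESSIONS = [
    ("pcc-a", bytes.fromhex("200d0004")),                  # StartTLS
    ("pcc-b", bytes.fromhex("2001000c01100008201e7801")),  # Open + OPEN object
    ("pcc-c", bytes.fromhex("2001")),                      # truncated header
]

if __name__ == "__main__":
    for peer, mode in audit(SAMPLE_SESSIONS).items():
        print(f"{peer}: session started in {mode} mode, not PCES")
```

Any peer reported in PCE mode is a PCC without a TLS client profile; configuring one forces strict TLS on that PCC.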