IETF Logo Mail Archive

Re: [arch-d] draft-iab-m-ten-workshop

Arnaud Taddei <arnaud.taddei@broadcom.com> Sat, 26 August 2023 16:16 UTC

Return-Path: <arnaud.taddei@broadcom.com>
X-Original-To: architecture-discuss@ietfa.amsl.com
Delivered-To: architecture-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 037A8C151525 for <architecture-discuss@ietfa.amsl.com>; Sat, 26 Aug 2023 09:16:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.004
X-Spam-Level:
X-Spam-Status: No, score=-2.004 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=broadcom.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wIeUfCppmcrQ for <architecture-discuss@ietfa.amsl.com>; Sat, 26 Aug 2023 09:16:52 -0700 (PDT)
Received: from mail-wr1-x42d.google.com (mail-wr1-x42d.google.com [IPv6:2a00:1450:4864:20::42d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB914C1519B5 for <architecture-discuss@ietf.org>; Sat, 26 Aug 2023 09:16:52 -0700 (PDT)
Received: by mail-wr1-x42d.google.com with SMTP id ffacd0b85a97d-31ad779e6b3so1490012f8f.2 for <architecture-discuss@ietf.org>; Sat, 26 Aug 2023 09:16:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=broadcom.com; s=google; t=1693066610; x=1693671410; h=mime-version:accept-language:in-reply-to:references:message-id:date :thread-index:thread-topic:subject:cc:to:from:from:to:cc:subject :date:message-id:reply-to; bh=pGmJwLL+20+4N/ZqAL6WdP/j+HAwMsMYgVA1VOHfx9o=; b=OgBxsP/cWsnGwQdsHzudcNAZDa/xY+dtIRlg0pl4DMhr0xRoL9UfdCn//nxKAVMACl d8ZlIn/fYSXDmQlZPJV/cKIpz2/uIMbw5BYkFPWBCqeebl8Ujzsh1YdD3BnJ676qvlTA SUbR60jxbr7TKmy1UZLnWO6Ad93O/qx1wsRaU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1693066610; x=1693671410; h=mime-version:accept-language:in-reply-to:references:message-id:date :thread-index:thread-topic:subject:cc:to:from:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=pGmJwLL+20+4N/ZqAL6WdP/j+HAwMsMYgVA1VOHfx9o=; b=YaYG3CuRH7Yu8AH9hDx28GoqD4FY+UUKg9O/LzPOF8c5v1m3/pWRfpNNn/e2ryxLVd VZ62zkzeLwVpqF2Y31BvnZhQ3/8TclHdOCmrQnil7YLAPYtaZxB0Yb0qNY64WfWWbbYS TMw4/gmgQ6xfgZYnVfyyE4C4ZJcQ1ce/hvIpYOxsnekUOdRIGOZqNO4LgWz0bZLMXRR8 +OGznC63Bj3TJIeylLCpxCTEbB75bWXWoUwpVXMMWPJ5M6XZ8XasTxWkTSBfgx1i7V2h VWMdfQkr7cbu1E9WnlhRPpYD9R+0k1BUvgZj3IqrqqclOIl6RP4zAA9iYehPQM5BzPkU Pykw==
X-Gm-Message-State: AOJu0Yy63vp2sDYKMGbKSYLuCNuAJcLzeo8qoCt6ldQaxdZxqE1zlOMQ HuTpnnOX/2PTbaJR4p+Yc9/MnzDMCttUGNmcD+tF0IrJw7VjcAYbWWQ+hfW2LTfzTtX7B1V0C8S VOUT5xQGk3TBPrp6Y
X-Google-Smtp-Source: AGHT+IEYFrR6o80G+TPZh1ZaRupChPF9VdjcxATzOMej9VaVIQyVK/zUcILudhhQiIbYu5GmWRcQGA==
X-Received: by 2002:a5d:4ace:0:b0:317:7441:1a4 with SMTP id y14-20020a5d4ace000000b00317744101a4mr15605547wrs.29.1693066610597; Sat, 26 Aug 2023 09:16:50 -0700 (PDT)
Received: from LO2P123MB3839.GBRP123.PROD.OUTLOOK.COM ([2603:1026:c06:71::5]) by smtp.gmail.com with ESMTPSA id g13-20020a5d64ed000000b003177f57e79esm5310682wri.88.2023.08.26.09.16.49 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sat, 26 Aug 2023 09:16:49 -0700 (PDT)
From: Arnaud Taddei <arnaud.taddei@broadcom.com>
To: "Salz, Rich" <rsalz@akamai.com>, Hesham ElBakoury <helbakoury@gmail.com>
CC: "architecture-discuss@ietf.org" <architecture-discuss@ietf.org>
Thread-Topic: [arch-d] draft-iab-m-ten-workshop
Thread-Index: AWI2Zjk2kF9HqbZ6fiTaIGoGJ/0mumI2Zjk2Zi5yNGzo7fmVgIASRyQ/gAAU9gCAAAhDAIAAH/jm
X-MS-Exchange-MessageSentRepresentingType: 1
Date: Sat, 26 Aug 2023 16:16:49 +0000
Message-ID: <LO2P123MB38397A7CD326C790897C6B09F7E2A@LO2P123MB3839.GBRP123.PROD.OUTLOOK.COM>
References: <997f6696-dcd9-9d5d-26f2-3b486cee601b@lear.ch> <yblfs4ljrxg.fsf@wd.hardakers.net> <CAFvDQ9oj_ejUh+v4bs+AdOfDi1WTW5BrdSEwvCJKW3SuqM2COA@mail.gmail.com> <LO2P123MB3839CE40972FE956BC22D22BF7E2A@LO2P123MB3839.GBRP123.PROD.OUTLOOK.COM> <CAFvDQ9oYPSM26u0eZ2LZXTjt-PO8Q6=JqDTYTrbmXQ=p0riObw@mail.gmail.com> <2B263E92-8F09-4214-A4D9-1AD3272B01A9@akamai.com>
In-Reply-To: <2B263E92-8F09-4214-A4D9-1AD3272B01A9@akamai.com>
Accept-Language: en-US
X-MS-Has-Attach:
X-MS-Exchange-Organization-SCL: -1
X-MS-TNEF-Correlator:
X-MS-Exchange-Organization-RecordReviewCfmType: 0
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="000000000000edb5c70603d5c922"
Archived-At: <https://mailarchive.ietf.org/arch/msg/architecture-discuss/jjADT9aEMFd4L93oMAxsgCf-42o>
Subject: Re: [arch-d] draft-iab-m-ten-workshop
X-BeenThere: architecture-discuss@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: open discussion forum for long/wide-range architectural issues <architecture-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/architecture-discuss>, <mailto:architecture-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/architecture-discuss/>
List-Post: <mailto:architecture-discuss@ietf.org>
List-Help: <mailto:architecture-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/architecture-discuss>, <mailto:architecture-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 26 Aug 2023 16:16:57 -0000

Ok so that is exactly not the conversation I want to have nor in this format.

So please forget me for the next 3 weeks (SG17 in Korea) and I will try to understand how best to frame what should be framed.

From: Salz, Rich <rsalz@akamai.com>
Date: Saturday, 26 August 2023 at 16:21
To: Hesham ElBakoury <helbakoury@gmail.com>, Arnaud Taddei <Arnaud.taddei@broadcom.com>
Cc: architecture-discuss@ietf.org <architecture-discuss@ietf.org>
Subject: Re: [arch-d] draft-iab-m-ten-workshop
Since this IAB report is mainly looking into encrypted data, I would assume that you are interested in the cases where Ransomware attack is leveraging encrypted data such as Encrypted Client Header (ECH) which can be used to hide the adversaries command and control [https://www.ietf.org/archive/id/draft-campling-ech-deployment-considerations-07.txt<https://www.google.com/url?q=https://urldefense.com/v3/__https:/www.ietf.org/archive/id/draft-campling-ech-deployment-considerations-07.txt__;!!GjvTz_vk!TCEUzvgyrwR484kRDlnSTqYySSCORBNX0MW3d1BSPYbggzqy7zcY7DxxTYSjjJNxvrHZTmc9bFTRV4V6$&source=gmail-imap&ust=1693664482000000&usg=AOvVaw2e-mo-OVLMRrZUXEKYp6F3>]

It would be senseless to use ECH for C&C, since they are not hosting multiple services.  From what I have seen, most C&C centers are taken down by looking at the IP address and working from there, not examining TLS handshakes.


-- 
This electronic communication and the information and any files transmitted 
with it, or attached to it, are confidential and are intended solely for 
the use of the individual or entity to whom it is addressed and may contain 
information that is confidential, legally privileged, protected by privacy 
laws, or otherwise restricted from disclosure to anyone else. If you are 
not the intended recipient or the person responsible for delivering the 
e-mail to the intended recipient, you are hereby notified that any use, 
copying, distributing, dissemination, forwarding, printing, or copying of 
this e-mail is strictly prohibited. If you received this e-mail in error, 
please return the e-mail to the sender, delete it from your computer, and 
destroy any printed copy of it.

v2.23.0 | Report a Bug | By Email