IETF Logo Mail Archive

Re: [arch-d] draft-iab-m-ten-workshop

Hesham ElBakoury <helbakoury@gmail.com> Sat, 26 August 2023 13:52 UTC

Return-Path: <helbakoury@gmail.com>
X-Original-To: architecture-discuss@ietfa.amsl.com
Delivered-To: architecture-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B860CC14CE2E for <architecture-discuss@ietfa.amsl.com>; Sat, 26 Aug 2023 06:52:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.103
X-Spam-Level:
X-Spam-Status: No, score=-2.103 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, LOTS_OF_MONEY=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id doLceQS8wFMV for <architecture-discuss@ietfa.amsl.com>; Sat, 26 Aug 2023 06:51:58 -0700 (PDT)
Received: from mail-pg1-x52a.google.com (mail-pg1-x52a.google.com [IPv6:2607:f8b0:4864:20::52a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D6C3C14F73F for <architecture-discuss@ietf.org>; Sat, 26 Aug 2023 06:51:58 -0700 (PDT)
Received: by mail-pg1-x52a.google.com with SMTP id 41be03b00d2f7-56b0c5a140dso1133237a12.0 for <architecture-discuss@ietf.org>; Sat, 26 Aug 2023 06:51:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1693057917; x=1693662717; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=AXfv0F2u5CKAFi+nepXoJM8oW+In7w8wXtKr4QCybK4=; b=PrQJZJUS9asQ9jSwlB7xmTJ9VFzW8/e3z77G3V5HhEhW/wLzuX85xaz+eFGOn+j3rY dxhCScNyhdAXLI2Oh7/jmBjFBYR7jNRkICH6dHsEW67hgBa7xlKi2dXUk4qKhrakm2ll javnzF0gPGS83H8bWywtRC3t+5j5H7OYA5ga5B44AIrKbBYmw0zQAx7uTq9798Q4u+6N r1dyL6v9+IcxJmDWRps69fwRbggWpMLUMt3b4kfpD4Y22KJJHj8DPXoOV+6iBbPSIa5L rt86KdB0tLHcVlxWJw8MuJJP7WrX+Vl3FMh92QVc6/OG/UhmK9QKDWTTwzM6nzFDPoeU 997g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1693057917; x=1693662717; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=AXfv0F2u5CKAFi+nepXoJM8oW+In7w8wXtKr4QCybK4=; b=DZQqK1oqqRa8un9hrbKJ800T6/LQbAiv2m6C+vm+BgHZaGlhZI2NmFWEStgQU///HN MeC4EQvfax74LS4/7O7HI8zIvdBC5ZzfgHDvN7/jJSZt/9M2AaZZwKnpYW5kMLE8VAg2 dFm6uUhTurRYAccxwu6gN0li91p3axdMxuoyqdC+BS3TChbpumvAzyJ0ZA2WMFZtDxmW JEp80rebw7aOMyqFqE1zL3SGcEZwBQk5VuVsY1J+0TrM09tOTiPC5jpfs/TwH0ifG0Z4 cpordb3X/v/2zSfQFqFjpL49jvHjUWQIe3/WVTgSuMadQNJwwjp0deWz0dhw2PWNKYto gxfg==
X-Gm-Message-State: AOJu0YyNlfY88z3OuIgl3R1NzO2kwS7gSghlzVOSwGlrT4ucjOcoxrm+ q7uC7uZ3v0BQRaF5nx7LRVvhYSG/z9genDRYLTY=
X-Google-Smtp-Source: AGHT+IGYLRo9H2/WMccHwpe5C66tQByaIr8QCdworCWBa6N1Wupp4IfYGbxsvZ35c1zZsumbQgR7iOD/kF/haXPAJTk=
X-Received: by 2002:a17:90a:ec01:b0:270:b961:1c3d with SMTP id l1-20020a17090aec0100b00270b9611c3dmr569213pjy.22.1693057917173; Sat, 26 Aug 2023 06:51:57 -0700 (PDT)
MIME-Version: 1.0
References: <997f6696-dcd9-9d5d-26f2-3b486cee601b@lear.ch> <yblfs4ljrxg.fsf@wd.hardakers.net> <CAFvDQ9oj_ejUh+v4bs+AdOfDi1WTW5BrdSEwvCJKW3SuqM2COA@mail.gmail.com> <LO2P123MB3839CE40972FE956BC22D22BF7E2A@LO2P123MB3839.GBRP123.PROD.OUTLOOK.COM>
In-Reply-To: <LO2P123MB3839CE40972FE956BC22D22BF7E2A@LO2P123MB3839.GBRP123.PROD.OUTLOOK.COM>
From: Hesham ElBakoury <helbakoury@gmail.com>
Date: Sat, 26 Aug 2023 06:51:44 -0700
Message-ID: <CAFvDQ9oYPSM26u0eZ2LZXTjt-PO8Q6=JqDTYTrbmXQ=p0riObw@mail.gmail.com>
To: Arnaud Taddei <arnaud.taddei@broadcom.com>
Cc: Wes Hardaker <wjhns1@hardakers.net>, architecture-discuss@ietf.org
Content-Type: multipart/alternative; boundary="000000000000bcc64b0603d3c334"
Archived-At: <https://mailarchive.ietf.org/arch/msg/architecture-discuss/yJDFw1Ruaf-sIgco3cwRrNuZ6j4>
Subject: Re: [arch-d] draft-iab-m-ten-workshop
X-BeenThere: architecture-discuss@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: open discussion forum for long/wide-range architectural issues <architecture-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/architecture-discuss>, <mailto:architecture-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/architecture-discuss/>
List-Post: <mailto:architecture-discuss@ietf.org>
List-Help: <mailto:architecture-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/architecture-discuss>, <mailto:architecture-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 26 Aug 2023 13:52:02 -0000

Certainly fighting against ransomware attacks is very important. Many
reports are issued from both industry and academia regarding this attack
and ways to mitigate it.

For example, this Splunk report [
https://www.splunk.com/en_us/blog/learn/ransomware-attack-types.html] says:
"Recently, we’ve seen a huge rise in ransomware attacks, with more than 2.3
billion attacks in 2022 alone
<https://www.privacyaffairs.com/ransomware-attacks-in-2022/>. Statistics
show:

   - A ransomware attack occurs every 2 seconds
   <https://www.getastra.com/blog/security-audit/ransomware-attack-statistics/>.
   (That’s 43,000+ a day.)
   - The average cost of a ransomware attack is $1.85 million
   <https://www.getastra.com/blog/security-audit/ransomware-attack-statistics/>
   ."

Since this IAB report is mainly looking into encrypted data, I would assume
that you are interested in the cases where Ransomware attack is leveraging
encrypted data such as Encrypted Client Header (ECH) which can be used to
hide the adversaries command and control [
https://www.ietf.org/archive/id/draft-campling-ech-deployment-considerations-07.txt
]

Hesham

On Sat, Aug 26, 2023, 5:40 AM Arnaud Taddei <arnaud.taddei@broadcom.com>
wrote:

> Thank you Hesham, I will educate myself in the (too many) forthcoming
> trips.
>
>
>
> Whilst I am sure this approach can help, I am taking it from a different
> point of view which basically boils down to ‘I cannot afford playing dice
> with the security of organizations and people’ especially when I see
> Ransomware damaging so much this world.
>
>
>
> *From: *Architecture-discuss <architecture-discuss-bounces@ietf.org> on
> behalf of Hesham ElBakoury <helbakoury@gmail.com>
> *Date: *Monday, 14 August 2023 at 23:29
> *To: *Wes Hardaker <wjhns1@hardakers.net>
> *Cc: *architecture-discuss@ietf.org <architecture-discuss@ietf.org>
> *Subject: *Re: [arch-d] draft-iab-m-ten-workshop
>
> Professor Boutaba and his team in the university of Waterloo have good
> papers on handling encrypted traffic. Examples are:
>
>
>
> 1)https://www.sciencedirect.com/science/article/abs/pii/S1389128623000932
> <https://www.google.com/url?q=https://www.sciencedirect.com/science/article/abs/pii/S1389128623000932&source=gmail-imap&ust=1692653392000000&usg=AOvVaw156PPnjCWC5AWlIlm-sKTP>
>
> 2)https://dl.acm.org/doi/10.1145/3447382
> <https://www.google.com/url?q=https://dl.acm.org/doi/10.1145/3447382&source=gmail-imap&ust=1692653392000000&usg=AOvVaw2TVawa1ZzzJI3XvfvSnMI->
>
> 3)https://arxiv.org/pdf/2308.02182
> <https://www.google.com/url?q=https://arxiv.org/pdf/2308.02182&source=gmail-imap&ust=1692653392000000&usg=AOvVaw2OOeAMSM_a1GAfQYx0KEE9>
>
> 4)
> https://www.researchgate.net/profile/Navid-Malekghaini/publication/368722877_Deep_learning_for_encrypted_traffic_classification_in_the_face_of_data_drift_An_empirical_study/links/6431cb5e4e83cd0e2f9d3a23/Deep-learning-for-encrypted-traffic-classification-in-the-face-of-data-drift-An-empirical-study.pdf
> <https://www.google.com/url?q=https://www.researchgate.net/profile/Navid-Malekghaini/publication/368722877_Deep_learning_for_encrypted_traffic_classification_in_the_face_of_data_drift_An_empirical_study/links/6431cb5e4e83cd0e2f9d3a23/Deep-learning-for-encrypted-traffic-classification-in-the-face-of-data-drift-An-empirical-study.pdf&source=gmail-imap&ust=1692653392000000&usg=AOvVaw0wTPRNqp3us8soQk1QmOwI>
>
>
>
> Hesham
>
>
>
> On Mon, Aug 14, 2023, 1:22 PM Wes Hardaker <wjhns1@hardakers.net> wrote:
>
> Eliot Lear <lear@lear.ch> writes:
>
> > Hi everyone,
>
> Hi Eliot and Arnaud,
>
> I'm responding to the larger point you both had concerned with together
> about the nature of the wording and the purpose of the IAB workshop
> report.  Thank you both for your extensive comments about the content.
>
> > To begin with, it's nice when a report can seamlessly join various
> > workshop components, but this report goes so far as to appear to be
> > itself a position paper.  There are a great many unsupported and
> > otherwise unattributed assertions made.  Under Chatham House rules one
> > might expect such assertions along the lines of, “[one person/several
> > people] suggested that...”
>
> I think the general of how best to describe what happens in an IAB
> workshop and what the report entails is an interesting one, and I'm
> surprised it hasn't been brought up before (well, at least to my
> knowledge so it may very much have been in past discussions).  IAB
> workshop reports (IMHO) are designed not to assert the veracity of the
> statements within, but rather to capture the discussion and the
> statements that participants made either in presentations or in ensuing
> discussions.  So, to some extent the entire report should be read as
> "[one person/several people] suggested that"...  To that end, we [the
> IAB] did discuss the best way to represent this and have published a -02
> version with a number of changes, including a new section in the
> introduction to make this more clear which I'll quote below:
>
>     1.1.  About this workshop report content
>
>        This document is a report on the proceedings of the workshop.  The
>
>        views and positions documented in this report are those of the
>
>        expressed during the workshop by participants and do not
> necessarily
>        reflect IAB views and positions.
>
>        Furthermore, the content of the report comes from presentations
> given
>        by workshop participants and notes taken during the discussions,
>
>        without interpretation or validation.  Thus, the content of this
>
>        report follows the flow and dialog of the workshop but does not
>
>        attempt to capture a consensus.
>
> The full diff between -01 and -02 can be found here:
>
>   https://author-tools.ietf.org/iddiff?url2=draft-iab-m-ten-workshop-02
> <https://www.google.com/url?q=https://author-tools.ietf.org/iddiff?url2%3Ddraft-iab-m-ten-workshop-02&source=gmail-imap&ust=1692653392000000&usg=AOvVaw3bWL4OFgd3fttCLZEOdxxz>
>
> Most of the rest of your comments were about specific statements that
> you disagreed with, but were made during the course of the workshop by
> at least "[one person/several people]".
>
> Note that the full recordings are on the IETF youtube channel as well:
>
> https://www.youtube.com/watch?v=Kizk_QrIc3s
> <https://www.google.com/url?q=https://www.youtube.com/watch?v%3DKizk_QrIc3s&source=gmail-imap&ust=1692653392000000&usg=AOvVaw1dtj0H4avRj3i-U14V8_X9>
> https://www.youtube.com/watch?v=aV1pzuCduLo
> <https://www.google.com/url?q=https://www.youtube.com/watch?v%3DaV1pzuCduLo&source=gmail-imap&ust=1692653392000000&usg=AOvVaw3VJypoKu_tLB9hGIWwOyN_>
> https://www.youtube.com/watch?v=p4NlZJlactE
> <https://www.google.com/url?q=https://www.youtube.com/watch?v%3Dp4NlZJlactE&source=gmail-imap&ust=1692653392000000&usg=AOvVaw1n2tfhTEn7wRtvMHECJha2>
>
> A number of your comments were requesting references:
>
> > Great!  Reference, please?
>
> We did not include references to work, but rather included references to
> the individual position papers which themselves often contained
> references.  And the youtube presentations also have discussions from
> the presenters and comments that will give rise to additional information.
>
> >     Within the IETF, the Manufacturer Usage Description Specification
> (MUDD) {?RFC8520} specification is one
> >     subset of contracts. Note that contracts are likely to only succeed
> in a constrained, expected environment
> >     maintained by operational staff, and may not work in an open
> internet environment where end users are
> >     driving all network connections.
> >
> > The initial demonstration implementation of MUD (one D) was
> > implemented using a plugin to DNSCAP that itself issued commands to
> > iptables.
>
> FYI, fixed the typo in MUD.  Thanks for catching that.
>
> > There are two real questions hiding here:
> >
> >  1. Are firewall vendors and telcos have an interest in protecting the
> user with such contractors?  The user
> >     certainly has that interest.
> >  2. Can a contract be properly described and maintained in a secure way?
> >
> > There has been some academic work on answering the latter
> > question.[1,2]  Going further, though, some aspects of MUD (and
> > Michael could say a good bit about this, and probably did at the
> > workshop), require visibility.   So for instance, rather than making
> > use of DNSCAP, a more explicit API between the resolver and the rest
> > of network management is something that has been discussed in various
> > corners (if memory serves, dnsop just recently).  This very much
> > depends on whether the endpoint uses a resolver with that sort of
> > binding.  Future work, I suppose.
>
> I've argued recently that half (if not more) of an IAB workshop is to
> start the discussion and direction, and rarely should the workshop
> actually solve a problem.  The point is to get people in the room so a
> conversation starts, even if there isn't agreement at the end.  To that
> end, there should *always* (IMHO) be future work after an IAB workshop.
> For if there isn't and the problem was actually solved during the
> workshop, it probably should have been a working group instead of a
> workshop :-)
>
> --
> Wes Hardaker
> USC/ISI
>
> _______________________________________________
> Architecture-discuss mailing list
> Architecture-discuss@ietf.org
> https://www.ietf.org/mailman/listinfo/architecture-discuss
> <https://www.google.com/url?q=https://www.ietf.org/mailman/listinfo/architecture-discuss&source=gmail-imap&ust=1692653392000000&usg=AOvVaw3e7j6K8CJwrxzIbKf2n8aS>
>
>
> This electronic communication and the information and any files
> transmitted with it, or attached to it, are confidential and are intended
> solely for the use of the individual or entity to whom it is addressed and
> may contain information that is confidential, legally privileged, protected
> by privacy laws, or otherwise restricted from disclosure to anyone else. If
> you are not the intended recipient or the person responsible for delivering
> the e-mail to the intended recipient, you are hereby notified that any use,
> copying, distributing, dissemination, forwarding, printing, or copying of
> this e-mail is strictly prohibited. If you received this e-mail in error,
> please return the e-mail to the sender, delete it from your computer, and
> destroy any printed copy of it.

v2.23.0 | Report a Bug | By Email