Re: [DNSOP] Fwd: [Add] new draft: draft-grover-add-policy-detection-00

Tommy Jensen <Jensen.Thomas@microsoft.com> Tue, 16 July 2019 17:20 UTC

From: Tommy Jensen <Jensen.Thomas@microsoft.com>
To: Rob Sayre <sayrer@gmail.com>, Eric Rescorla <ekr@rtfm.com>
CC: dnsop WG <dnsop@ietf.org>, Paul Vixie <paul@redbarn.org>
Date: Tue, 16 Jul 2019 17:20:39 +0000

The link you shared indicates the problem is RC4, which was removed from TLS in 1.3 for this very reason. This doesn’t demonstrate TLS 1.3 is vulnerable; it demonstrates why adopting TLS 1.3 is so important.

Thanks,
Tommy
________________________________
From: DNSOP <dnsop-bounces@ietf.org> on behalf of Rob Sayre <sayrer@gmail.com>
Sent: Tuesday, July 16, 2019 8:46:42 AM
To: Eric Rescorla <ekr@rtfm.com>
Cc: dnsop WG <dnsop@ietf.org>; Paul Vixie <paul@redbarn.org>
Subject: Re: [DNSOP] Fwd: [Add] new draft: draft-grover-add-policy-detection-00

On Tue, Jul 16, 2019 at 6:41 AM Eric Rescorla <ekr@rtfm.com> wrote:

The certs are public information, so having the certs isn't useful. Can you please be clearer about the attack you are describing?

Sure, here's an article about it:
<https://www.theregister.co.uk/2013/09/06/nsa_cryptobreaking_bullrun_analysis/>

Do you have any thoughts on that?

thanks,
Rob