[Hotrfc] HotRFC: ECH Deployment Considerations

Andrew Campling <andrew.campling@419.consulting> Sat, 22 July 2023 20:59 UTC

From: Andrew Campling <andrew.campling@419.consulting>
To: "HotRFC@ietf.org" <HotRFC@ietf.org>, Liz Flynn <lflynn@amsl.com>
CC: Arnaud Taddei <arnaud.taddei@broadcom.com>
Date: Sat, 22 Jul 2023 20:59:45 +0000
Subject: [Hotrfc] HotRFC: ECH Deployment Considerations
Archived-At: <https://mailarchive.ietf.org/arch/msg/hotrfc/c7FOnSUCtxcU7sc07uElbhhghhQ>

Hi
I've attached slides for our slot at the HotRFC session tomorrow and have also tidied up the abstract a little as I did the original on an overnight flight to hit the deadline whilst trying not to annoy my neighbours.

Andrew



Talk title: ECH Deployment Considerations

Presenter, Affiliation, and whether you'll be presenting in person or remotely
Andrew Campling, 419 Consulting and Arnaud Taddei, Broadcom, both in-person

Short topic abstract (topics should be IETF- or IRTF-related in some way)

We are working on a document that is intended to inform the community about the impact of the deployment of the proposed Encrypted Client Hello (ECH) standard that encrypts Server Name Indication (SNI) and other data. Data encapsulated by ECH (i.e. data included in the encrypted ClientHelloInner) is of legitimate interest to on-path security actors including those providing inline malware detection, parental controls, content filtering to prevent access to malware and other risky traffic, mandatory security controls etc.



The current draft of the document already includes observations on current use cases for SNI data in a variety of contexts. It highlights how the use of that data is important to the operators of both public and private networks and shows how the loss of access to SNI data will cause difficulties in the provision of a range of services to end-users, including the potential weakening of cybersecurity defences. Some mitigations are identified that may be useful for inclusion by those considering the adoption of support for ECH in their software.
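As an added illustration of the visibility problem the abstract describes (this is example code written for this page, not part of the draft or of the authors' work), the following Python script does what an on-path SNI-based filter does today: it parses a TLS ClientHello record, reads the server_name extension, and makes an allow/block decision. It also checks for the encrypted_client_hello extension (the 0xfe0d codepoint used by the ECH drafts is assumed here), and when ECH is present it reports that the outer SNI only names the client-facing server (the ECHConfig public_name), so the real destination in the ClientHelloInner cannot be read and no SNI-based decision is possible. The ClientHello bytes are constructed by the script itself; the ECH payload is a dummy, not a real encrypted inner hello.

```python
import struct

TLS_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
EXT_ECH = 0xFE0D  # encrypted_client_hello codepoint from the ECH drafts (assumed)


def build_client_hello(outer_sni, ech_payload=None):
    """Build a minimal TLS 1.3 ClientHello record (constructed test input, not captured traffic).

    With ECH, outer_sni would be the ECHConfig public_name and ech_payload the
    encrypted ClientHelloInner; here the payload is just placeholder bytes.
    """
    name = outer_sni.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0)
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    if ech_payload is not None:
        exts += struct.pack("!HH", EXT_ECH, len(ech_payload)) + ech_payload
    body = (
        b"\x03\x03"                    # legacy_version (TLS 1.2 on the wire)
        + bytes(32)                    # random (zeros; constructed)
        + b"\x00"                      # empty legacy_session_id
        + b"\x00\x02\x13\x01"          # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                  # legacy_compression_methods: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(data):
    """Return the first host_name entry from a server_name extension body, or None."""
    list_len = struct.unpack("!H", data[:2])[0]
    pos, end = 2, 2 + list_len
    while pos + 3 <= end:
        name_type = data[pos]
        name_len = struct.unpack("!H", data[pos + 1:pos + 3])[0]
        pos += 3
        name = data[pos:pos + name_len]
        pos += name_len
        if name_type == 0:
            return name.decode("ascii")
    return None


def parse_client_hello(record):
    """Extract what an on-path observer can read: the outer SNI and whether ECH is present."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HS_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # skip legacy_version and random
    pos += 1 + body[pos]                           # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                           # compression methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        raise ValueError("extensions overrun ClientHello")
    info = {"sni": None, "ech": False}
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        if len(data) != ext_len:
            raise ValueError("truncated extension")
        pos += ext_len
        if ext_type == EXT_SERVER_NAME:
            info["sni"] = parse_sni(data)
        elif ext_type == EXT_ECH:
            info["ech"] = True
    return info


def classify(record, blocked_names):
    """Decision an SNI-based content filter can make from the visible ClientHello.

    Returns "block" or "allow" when the SNI is in the clear; returns "undetermined"
    when ECH is present, because the outer SNI is only the public_name of the
    client-facing server and the real destination is inside the encrypted inner hello.
    """
    info = parse_client_hello(record)
    if info["ech"]:
        return "undetermined"
    return "block" if info["sni"] in blocked_names else "allow"


if __name__ == "__main__":
    plain = build_client_hello("risky.example")
    ech = build_client_hello("public.example.net", ech_payload=b"\x00" * 16)
    print(parse_client_hello(plain), classify(plain, {"risky.example"}))
    print(parse_client_hello(ech), classify(ech, {"risky.example"}))
```

The "undetermined" branch is the whole point: a filter that previously blocked or allowed on the SNI has nothing to act on once ECH is deployed, which is why the draft looks at alternative mitigations rather than at the SNI itself.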

What you're looking for (education, collaborators, implementers, etc.)
We are looking for the involvement of additional collaborators to augment the contributions that we have already and are continuing to gather, especially from the end-user and opsec communities.

Coordinates to learn more, contact those involved, participate in existing mailing lists and scheduled meetings, and/or relevant formal or side meetings.
Andrew Campling and Arnaud Taddei will be on site in San Francisco all week and can also be reached via Andrew.Campling@419.Consulting and Arnaud.Taddei@Broadcom.Com respectively.

Any relevant drafts or helpful resources you'd like collaborators to look at
Datatracker - https://datatracker.ietf.org/doc/draft-campling-ech-deployment-considerations/
GitHub - https://github.com/echdeploy/draft-ech-deployment-considerations