Re: [Lurk] Is this scenario covered by LURK?
Eric Burger <eburger@standardstrack.com> Sat, 02 July 2016 18:35 UTC
Return-Path: <eburger@standardstrack.com>
X-Original-To: lurk@ietfa.amsl.com
Delivered-To: lurk@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4EBE812D100 for <lurk@ietfa.amsl.com>; Sat, 2 Jul 2016 11:35:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.001
X-Spam-Level:
X-Spam-Status: No, score=-1.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_NEUTRAL=0.779, T_DKIM_INVALID=0.01, T_KAM_HTML_FONT_INVALID=0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: not available)" header.d=standardstrack.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K2eZcDTF6tyc for <lurk@ietfa.amsl.com>; Sat, 2 Jul 2016 11:35:12 -0700 (PDT)
Received: from biz104.inmotionhosting.com (biz104.inmotionhosting.com [173.247.247.235]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F24D712B028 for <lurk@ietf.org>; Sat, 2 Jul 2016 11:35:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=standardstrack.com; s=default; h=To:References:Message-Id:Date:In-Reply-To: From:Subject:Mime-Version:Content-Type; bh=5m7U4mSicv/QAd0rogjfg/L1ESwXn3tgY4JELaAe+A0=; b=CJ65DMy+VImdI48YNGZHyyyNMe pn+JDKNsoef6EFMMMTA5GM72fKkg6t6UUu3/hbaa/QKy3iHyfNOQmR9NObwI/ZMlCTj6hYuDemVyF 34RbRQEHLYbb8PpASssGCeoRRXhIydFOrfSJSTnfmQ04TByzu9BrrJ9RobeuRoSk5Snc=;
Received: from ip68-100-196-239.dc.dc.cox.net ([68.100.196.239]:52751 helo=[192.168.15.107]) by biz104.inmotionhosting.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.86_1) (envelope-from <eburger@standardstrack.com>) id 1bJPku-0004Mk-0x for lurk@ietf.org; Sat, 02 Jul 2016 11:35:11 -0700
Content-Type: multipart/signed; boundary="Apple-Mail=_90091D5A-B1EE-435A-ABE3-BCAD594D6BB0"; protocol="application/pgp-signature"; micalg="pgp-sha256"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
X-Pgp-Agent: GPGMail 2.6b2
From: Eric Burger <eburger@standardstrack.com>
In-Reply-To: <F6C28B32DA084644BB6C8D0BD65B669DC0C68C@NKGEML515-MBX.china.huawei.com>
Date: Sat, 02 Jul 2016 14:35:01 -0400
Message-Id: <5330D752-0D55-45B8-848F-35A7719FBFAF@standardstrack.com>
References: <D38EC95D.6A5A1%thomas.fossati@alcatel-lucent.com> <F6C28B32DA084644BB6C8D0BD65B669DC0C68C@NKGEML515-MBX.china.huawei.com>
To: "lurk@ietf.org" <lurk@ietf.org>
X-Mailer: Apple Mail (2.3124)
X-OutGoing-Spam-Status: No, score=-2.9
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - biz104.inmotionhosting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - standardstrack.com
X-Get-Message-Sender-Via: biz104.inmotionhosting.com: authenticated_id: eburger+standardstrack.com/only user confirmed/virtual account not confirmed
X-Authenticated-Sender: biz104.inmotionhosting.com: eburger@standardstrack.com
X-Source:
X-Source-Args:
X-Source-Dir:
Archived-At: <https://mailarchive.ietf.org/arch/msg/lurk/g1q932MWkZN6RKkNhkeCDfZnGPs>
Subject: Re: [Lurk] Is this scenario covered by LURK?
X-BeenThere: lurk@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Limited Use of Remote Keys <lurk.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lurk>, <mailto:lurk-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lurk/>
List-Post: <mailto:lurk@ietf.org>
List-Help: <mailto:lurk-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lurk>, <mailto:lurk-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 02 Jul 2016 18:35:15 -0000
<not as BOF chair> The technology for ‘lawful’ intercept is indistinguishable from criminal eavesdropping is indistinguishable from ‘friendly’ DPI. IMHO, if this scenario is covered by LURK, LURK must not be chartered and we all can go home. > On Jun 21, 2016, at 10:14 PM, Youjianjie <youjianjie@huawei.com> wrote: > > Hi Thomas, > > We’re thinking in this use case, if middle-box does traffic management, the three participated parties (i.e. client, server, and middle-box) should all be aware of this. Therefore, when the key manager (representing middle-box) asks the key server for key information, the key manager maybe needs to carry the digital signed data from the client (indicating client agreed and aware of this), 5-tuple (indicating which connection is decrypted), and decryption reason etc. These information are not discussed in the current document https://tools.ietf.org/html/draft-cairns-tls-session-key-interface-01 <https://tools.ietf.org/html/draft-cairns-tls-session-key-interface-01> . We’re wondering if these information are reasonable via SKI? > > Your comments are welcome! > > Thanks, > Jianjie > > > 发件人: Fossati, Thomas (Nokia - GB) [mailto:thomas.fossati@nokia.com] > 发送时间: 2016年6月21日 18:53 > 收件人: Youjianjie; Fossati, Thomas (Nokia - GB); Daniel Migault; lurk@ietf.org > 主题: Re: 答复: 答复: 答复: [Lurk] 答复: Is this scenario covered by LURK? > > HI Jianjie, > > I understand the two use cases are completely different, I'm not sure there'd be any substantial distinction in terms of interfaces though. > > Cheers, t > > From: Youjianjie <youjianjie@huawei.com <mailto:youjianjie@huawei.com>> > Date: Tuesday, 21 June 2016 10:36 > To: "Fossati, Thomas (Nokia - GB)" <thomas.fossati@nokia.com <mailto:thomas.fossati@nokia.com>>, Daniel Migault <daniel.migault@ericsson.com <mailto:daniel.migault@ericsson.com>>, "lurk@ietf.org <mailto:lurk@ietf.org>" <lurk@ietf.org <mailto:lurk@ietf.org>> > Subject: 答复: 答复: 答复: [Lurk] 答复: Is this scenario covered by LURK? > > Hi Thomas, > > I think the second is different from the lawful interception. In this option, the edge server (middle-box) does and only does policy control when it is authorized and has the key information from the content owner. So, here’s an assumption that the content provider and the content owner should have some agreement for doing this, otherwise, the key information will not be provided to the middle-box for traffic optimization for example. That’s why we need to define the interface between the key manager and key server. > > What do you think? > > Thanks, > Jianjie > > 发件人: Fossati, Thomas (Nokia - GB) [mailto:thomas.fossati@nokia.com <mailto:thomas.fossati@nokia.com>] > 发送时间: 2016年6月21日 17:19 > 收件人: Youjianjie; Fossati, Thomas (Nokia - GB); Daniel Migault; lurk@ietf.org <mailto:lurk@ietf.org> > 主题: Re: 答复: 答复: [Lurk] 答复: Is this scenario covered by LURK? > > Hi Jianjie, > > Yes, both options are possible but the second looks very much like a lawful interception interface to me. > > So, unless you are ready to convince the IETF that an update of RFC 2804 is in order, I guess that option is actually precluded? > > Cheers, t > > From: Youjianjie <youjianjie@huawei.com <mailto:youjianjie@huawei.com>> > Date: Tuesday, 21 June 2016 03:56 > To: "Fossati, Thomas (Nokia - GB)" <thomas.fossati@nokia.com <mailto:thomas.fossati@nokia.com>>, Daniel Migault <daniel.migault@ericsson.com <mailto:daniel.migault@ericsson.com>>, "lurk@ietf.org <mailto:lurk@ietf.org>" <lurk@ietf.org <mailto:lurk@ietf.org>> > Subject: 答复: 答复: [Lurk] 答复: Is this scenario covered by LURK? > > Hi Thomas, > > One way is the middle-box submits a chunk of encrypted bytes to the Key Manager and gets the clear-text back. The other way is the middle-box gets the key information from the Key Manager. I think both are possible. > > I’m wondering if this use case could be merged into the existing use case document? If the use case is acceptable, we’ll describe the interface requirements for it. > > Thanks, > Jianjie > > 发件人: Fossati, Thomas (Nokia - GB) [mailto:thomas.fossati@nokia.com <mailto:thomas.fossati@nokia.com>] > 发送时间: 2016年6月20日 17:18 > 收件人: Youjianjie; Fossati, Thomas (Nokia - GB); Daniel Migault; lurk@ietf.org <mailto:lurk@ietf.org> > 主题: Re: 答复: [Lurk] 答复: Is this scenario covered by LURK? > > Thanks Jianjie. > > I was slightly confused because in the discussion so far (and in the LURK drafts) "edge server" has been used with distinct semantics ― i.e. a HTTP edge cache that terminates TLS. Instead, in your picture it's used to mean "traffic management middle-box": firewall, IDS, anti-spam/malware, load balancer, whatever. > > IIUC, what you want to achieve is that these middle-boxes submit a chunk of encrypted bytes to the Key Server and get the clear-text back (sort of DPI by proxy if you like) while at the same time hiding topological details about the Gi-LAN (though this seems to be ancillary). > > While I think this is an interesting idea, I'm concerned that pulling this use case in to the picture at this point in time would derail the working group focus in endless political discussions. > > However, we should keep in the back of our mind the fact that LURK must evolve (both refining existing use cases and incorporating new ones as well) and thus it needs to be built with an extensible interface from the onset. > > Cheers, t > > PS: It'd be nice if you took some time to draft the interfaces so that we can have a more precise idea of what you have in mind? > > From: Youjianjie <youjianjie@huawei.com <mailto:youjianjie@huawei.com>> > Date: Monday, 20 June 2016 07:26 > To: "Fossati, Thomas (Nokia - GB)" <thomas.fossati@nokia.com <mailto:thomas.fossati@nokia.com>>, Daniel Migault <daniel.migault@ericsson.com <mailto:daniel.migault@ericsson.com>>, "lurk@ietf.org <mailto:lurk@ietf.org>" <lurk@ietf.org <mailto:lurk@ietf.org>> > Subject: 答复: [Lurk] 答复: Is this scenario covered by LURK? > > Hi Thomas, > > It is the latter. In this figure, the edge server (e.g. middle-box) can manage the encrypted flows if it is trusted and authorized to have the key from Key server via Key manager. > > We introduce a Key manager because there may be many edge servers in the network. It's better not to expose the topology of edge servers to the content owner if the Content Provider and the Content Owner are in different administrative domain. > > Further comments are welcome. > > Thanks, > Jianjie > > > 发件人: Lurk [mailto:lurk-bounces@ietf.org <mailto:lurk-bounces@ietf.org>] 代表 Fossati, Thomas (Nokia - GB) > 发送时间: 2016年6月19日 1:39 > 收件人: Youjianjie; Daniel Migault; Fossati, Thomas (Nokia - GB); lurk@ietf.org <mailto:lurk@ietf.org> > 主题: Re: [Lurk] 答复: Is this scenario covered by LURK? > > Hi Jianjie, > > I've been staring at the picture for a while but I still don't understand whether what you call "Edge Server" is actually a cache that terminates the TLS connection on behalf of the content owner, or some other middle-box that needs to do traffic management and wants to talk to the Key Server to DPI the encrypted flows. > > If the former, your "Key Manager" is really just a LURK proxy ― I don't think there is anything new to standardise once the LURK interfaces are defined. > > If the latter, I don't seem to remember anyone presenting this use case either at the BoF, on list, or in the interim meeting. > > Cheers, t > > From: Youjianjie <youjianjie@huawei.com <mailto:youjianjie@huawei.com>> > Date: Friday, 17 June 2016 03:42 > To: Daniel Migault <daniel.migault@ericsson.com <mailto:daniel.migault@ericsson.com>>, "Fossati, Thomas (Nokia - GB)" <thomas.fossati@nokia.com <mailto:thomas.fossati@nokia.com>>, "lurk@ietf.org <mailto:lurk@ietf.org>" <lurk@ietf.org <mailto:lurk@ietf.org>> > Subject: 答复: [Lurk] Is this scenario covered by LURK? > > Hi Daniel, Thomas, > > Here’s a diagram illustrating the scenario I want to mean. > > <image001.jpg> > > Please also see my comments inline below: > > Thanks, > Jianjie > > -----邮件原件----- > > 发件人: Daniel Migault [mailto:daniel.migault@ericsson.com <mailto:daniel.migault@ericsson.com>] > > 发送时间: 2016年6月16日 21:27 > > 收件人: Fossati, Thomas (Nokia - GB); Youjianjie; lurk@ietf.org <mailto:lurk@ietf.org> > > 主题: RE: [Lurk] Is this scenario covered by LURK? > > > > Hi Jianjie, > > > > Thank you for bringing a potential new use case. Currently LURK aims at > > providing an interface between Edge Servers and the Key Server in a context of > > TLS. If I am correct, the use case you provide introduces an additional element > > designated as a Key Manager. From the description it is not clear to me what > > role the Key Manager has, and its relation with the Edge Servers and the Key > > Server. > > The reason why we introduce a Key manager is that there're many edge servers in some cases. It's better not to expose the topology of edge servers to the content owner if the Content Provider and the Content Owner are in different administrative domain. > > > Could you specify what role the Key Manager has as well as interactions > > between: > > - the Key Manger and Key Server > > Key information needs to be interacted between them. > > > - the Key Manager and the Edge Server > > Key information needs to be interacted between them. > > > In addition, it might be also helpful to provide feed back why you think the use > > cases of the draft do not address your use case. Could you please point what is > > missing ? > > Is the content owner also expected to deliver content traffic in the current use case doc? > https://tools.ietf.org/html/draft-mglt-lurk-tls-use-cases-01 <https://tools.ietf.org/html/draft-mglt-lurk-tls-use-cases-01> > > > BR, > > Daniel > > > > > > -----Original Message----- > > From: Lurk [mailto:lurk-bounces@ietf.org <mailto:lurk-bounces@ietf.org>] On Behalf Of Fossati, Thomas > > (Nokia - GB) > > Sent: Thursday, June 16, 2016 8:40 AM > > To: Youjianjie; lurk@ietf.org <mailto:lurk@ietf.org> > > Subject: Re: [Lurk] Is this scenario covered by LURK? > > > > Hi Jianjie, > > > > On 16/06/2016 04:31, "Lurk on behalf of Youjianjie" <lurk-bounces@ietf.org <mailto:lurk-bounces@ietf.org%20on%20behalf%20of%20youjianjie@huawei.com> > > on behalf of youjianjie@huawei.com <mailto:lurk-bounces@ietf.org%20on%20behalf%20of%20youjianjie@huawei.com>> wrote: > > >Hi > > > > > >I've a question about the scenario. I'm not sure if the following > > >scenario is covered by the LURK. > > > > > >In this scenario, the Content Provider and the Content Owner are in > > >different administrative domain. Content owner is also responsible to > > >deliver the content. The content provider participates the delivery of > > >a content, providing necessary traffic management, such as FW, IPS. > > > > > >For example, the edge server can be middle-box in the operator's network. > > >There may be multiple middle-boxes, which can be managed by a key > > >manager in the operator's network. In order to do traffic management, > > >the key manager needs to interact with the key server located in the > > >content owner domain, in order to do traffic management since the > > >packets are encrypted. Here, the interaction between key manager (e.g. > > >operator's > > >network) and key server (in content owner) needs to be standardized? Is > > >this use case in the scope of LURK? > > > > Could you spend a few more lines on the kind of interaction that you are > > envisaging between the key manager and the key server? > > > > Cheers, t > > > > _______________________________________________ > > Lurk mailing list > > Lurk@ietf.org <mailto:Lurk@ietf.org> > > https://www.ietf.org/mailman/listinfo/lurk <https://www.ietf.org/mailman/listinfo/lurk>_______________________________________________ > Lurk mailing list > Lurk@ietf.org > https://www.ietf.org/mailman/listinfo/lurk
- Re: [Lurk] Is this scenario covered by LURK? Eric Burger
- [Lurk] 答复: 答复: 答复: 答复: 答复: Is this scenario cover… Youjianjie
- Re: [Lurk] 答复: 答复: 答复: 答复: Is this scenario cover… Fossati, Thomas (Nokia - GB)