IETF Logo Mail Archive

Re: [OPSAWG] [TLS] CALL FOR ADOPTION: draft-reddy-opsawg-mud-tls

Ben Schwartz <bemasc@google.com> Tue, 15 September 2020 12:58 UTC

Return-Path: <bemasc@google.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7BFD73A0F62 for <opsawg@ietfa.amsl.com>; Tue, 15 Sep 2020 05:58:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Level:
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JjBrfaY25Fz3 for <opsawg@ietfa.amsl.com>; Tue, 15 Sep 2020 05:58:47 -0700 (PDT)
Received: from mail-il1-x12b.google.com (mail-il1-x12b.google.com [IPv6:2607:f8b0:4864:20::12b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B62B23A0F5A for <opsawg@ietf.org>; Tue, 15 Sep 2020 05:58:47 -0700 (PDT)
Received: by mail-il1-x12b.google.com with SMTP id u18so2820677iln.13 for <opsawg@ietf.org>; Tue, 15 Sep 2020 05:58:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=oKMnv83dxKzICYWBUK2gRyxjsVITzQUp5jjeKk6h+nU=; b=q99PZdaPfRmJe9Ik/QMtJuzLWK8/+ydPzDOH62glHq717y6Lpv2zwsKUSS01nrNYFl oGrwwFvs1JIoT0oRXJOBEsQFTgavfIloxlumh8xUSKC3OXXlKffwxKtqPDti5ZXqumm1 mqoapVwJF01p0NqE4pGdvAgF9HUGnh5xtqIBXZ3WmDWnFOX5XgOX2wZ044Gj/B3EgSyD 7KuLclQTp44xdYrgA58caKfGAEJnpgDZpwm/h2kC/8yMURT7rc0dYI/uUWTcWQly+kD2 tbJeQJpiZBqrTJIgbynCI6wHKbQZJm9YQPT03S8jecp6YWyc3n510AGsYcTH28YNQNYh YWUg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=oKMnv83dxKzICYWBUK2gRyxjsVITzQUp5jjeKk6h+nU=; b=c4mGCq6fJe803RbMdxIU8GXypJ/2ISZ5t8MHa8N277//z0+jL+knuiNEbk09KsASTq obj7Dd8pyqvugh26hMrlY5oaNXjjCUhdINCJG4P/O6aX87q8t4aJruraLoaku2sP3dX3 qPlnzODNM/NhtHKv7BifZNrVK/0k8MOqX2/Xzok89yj9qB6Li8prmvGwhWjskgir1PLO 2AjK/Ma0838p3vDKNhKeeW2jHC6fwIERucxyYgGLrQa+OcT8t/JUIx2lVJvCLqpvF3EW eNjcypVWpKBr3ktLDI6a1emxx2vaVnLx+fxMyDdDlKsJ73rA82o+QOmxOH1UyS17YwMk JeOQ==
X-Gm-Message-State: AOAM5325cHHrQ9BDEa7bEHqYjb/gqAVbqFtmqtHBlv0kXRGQNZ2c8FfF 8jNpN7MBr2paRVtjiKyIpZOgxwVXHdrMVUJ1iWkeCQ==
X-Google-Smtp-Source: ABdhPJypbOMxmdrX9zQ67iclu294pIe8YfQQQrdB+SryEXsW6YkEN32hOvjxv/n39K9UozqjrSH/pUUwk2mNKcRtsOk=
X-Received: by 2002:a92:7c03:: with SMTP id x3mr16952198ilc.241.1600174726545; Tue, 15 Sep 2020 05:58:46 -0700 (PDT)
MIME-Version: 1.0
References: <21BA8D05-DD83-44DE-81B9-457692484CAD@cisco.com> <053b286e-4780-1818-a79d-71b9c967bbd2@sandelman.ca> <CAHbrMsANEA4omTm5dPYLN9zGde2YdT_71ujpBcCEer_xSkPhbw@mail.gmail.com> <CAFpG3gepojPJoK8W+o9Qr66gPSUqHY+sDX-v+-fuwcM9Y56C_g@mail.gmail.com> <20200911114054.184988dc@totoro.tlrmx.org> <CAFpG3gdRUAAYmvV1+m=+4_0GUd_SDS0hZHhpSXa2qQ6Civtf-g@mail.gmail.com> <CAHbrMsD=BOxYLaJyOkv-t9p+Cm4cEpOui7sQdL9Mmfi=Ufh3mA@mail.gmail.com> <7207C73E-FB80-4BD3-AE68-627355B10708@cisco.com> <CAHbrMsBLrGsg+beMhNadqs+QC9icOsGLxLJYGghEg339=c0b0Q@mail.gmail.com> <5F503ED8-38B0-414A-906A-FE8DCF94AC92@cisco.com> <CAFpG3gdcy2Drm+7j6M_oSfuG5VRH5qE+0nY8joZG3g9yszKf2Q@mail.gmail.com>
In-Reply-To: <CAFpG3gdcy2Drm+7j6M_oSfuG5VRH5qE+0nY8joZG3g9yszKf2Q@mail.gmail.com>
From: Ben Schwartz <bemasc@google.com>
Date: Tue, 15 Sep 2020 08:58:34 -0400
Message-ID: <CAHbrMsBOhZ+sMxM3KJYT=OkZGzp_1GipkFpwxLKVBckXhDRt2Q@mail.gmail.com>
To: tirumal reddy <kondtir@gmail.com>
Cc: Eliot Lear <lear@cisco.com>, Nick Lamb <njl@tlrmx.org>, opsawg <opsawg@ietf.org>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="0000000000003038e505af59b6c2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/1ntMahF3Pz30vDnjuM05SWAMJWs>
Subject: Re: [OPSAWG] [TLS] CALL FOR ADOPTION: draft-reddy-opsawg-mud-tls
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Sep 2020 12:58:49 -0000

On Tue, Sep 15, 2020 at 6:45 AM tirumal reddy <kondtir@gmail.com> wrote:

> Thanks Ben and Eliot for the feedback. Please see inline
>
> On Tue, 15 Sep 2020 at 14:51, Eliot Lear <lear@cisco.com> wrote:
>
...

> What I do see as a showstopper would be if, as is written and you rightly
>> observe, a new rev of a YANG model is required to introduce the TLS
>> extension, so that part would need to be described in a more flexible
>> manner (e.g, an IANA registration or similar).  I’d suggest the authors
>> consider that.
>>
>
> Agreed, the YANG model relies on IANA for TLS parameters values including
> extension type values. Even if a f/w does not support a new extension, it
> can still identify whether the new extension is included in the MUD
> profile. If the extension is not included in the MUD profile, presence of
> unauthorized software is detected.
>
> We will update the draft to make it more clear.
>

My concern is not with "new extensions" per se.  The hidden assumption here
is that "extensions" are the only way TLS can evolve.  In fact, future TLS
versions are not constrained to evolve in any particular way.  For example,
future versions can introduce entirely new messages in the handshake, or
remove messages that are currently visible in the handshake.  QUIC is
arguably just an extreme version of this observation.

Even within the realm of ClientHello extensions, there is significant
inflexibility here.  For example, consider the handling of GREASE
extensions.  GREASE uses a variety of reserved extension codepoints,
specifically to make sure that no entity is attempting to restrict use of
unrecognized extensions.  This proposal therefore has to add a flag
declaring whether the client uses GREASE, because otherwise the set of
extensions is dynamic, and the number of potential codepoints is
impractically large.  Any change to the way GREASE selects and rotates
extension codepoints would therefore require a revision of this YANG model
first.  There has also been discussion of adding GREASE-type behavior to
the "supported_versions" extension; that would similarly require a revised
YANG model here.


> -Tiru
>
>
>> Eliot
>>
>>
>>
>>

v2.23.0 | Report a Bug | By Email