Re: [OPSAWG] CALL FOR ADOPTION: draft-reddy-opsawg-mud-tls

"Panwei (William)" <william.panwei@huawei.com> Fri, 11 September 2020 04:12 UTC

From: "Panwei (William)" <william.panwei@huawei.com>
To: opsawg <opsawg@ietf.org>
Thread-Topic: CALL FOR ADOPTION: draft-reddy-opsawg-mud-tls
Thread-Index: AQHWgTqLrs7yGMshmEWSLbII+dDziali24Fw
Date: Fri, 11 Sep 2020 04:12:13 +0000
Message-ID: <b81bcda4149648ad9cfd7d74c64008e9@huawei.com>
References: <21BA8D05-DD83-44DE-81B9-457692484CAD@cisco.com>
In-Reply-To: <21BA8D05-DD83-44DE-81B9-457692484CAD@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/3j19A_ik3hAlEBV1Wp7MUnL-2q8>
Subject: Re: [OPSAWG] CALL FOR ADOPTION: draft-reddy-opsawg-mud-tls

Hi authors, all,

I've read the draft and I support adoption. This draft is useful for network elements, e.g., firewalls, to identify and prevent the unintended usage of (D)TLS encryption, which will help increase security, especially in enterprise networks. The unexpected usage of (D)TLS can include two aspects: one is using old versions or weak algorithms, the other is communicating with unauthorized servers. I'm glad to see this draft has covered these two aspects.

Two comments:
1. The 'application-protocols' defined in the YANG module is string-typed; can it be defined in a more precise way, like port numbers or enumerations? I think different entities may have different interpretations of the strings.
2. It is a problem if updates to the MUD file can't keep pace with updates to IoT devices. This draft has considered this problem in some places, but I think it's better to outline this problem separately and systematically.

Regards & Thanks!
Wei Pan
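The two checks the reply above describes (old versions or weak cipher suites, and contact with a server the device is not expected to talk to) come down to inspecting the ClientHello a device sends and comparing it with the profile the MUD file advertises. The example below is added here for illustration and is not code from the draft or from the thread: it parses a ClientHello, extracts the offered versions, cipher suites and SNI, and reports deviations from a profile. The profile dictionary and its field names (allowed_versions, allowed_cipher_suites, allowed_servers) are assumptions chosen for the example and are not the draft's YANG node names; the sample ClientHello bytes are constructed by the builder at the bottom, not captured traffic.

```python
import struct

# Assumed profile shape for illustration only; not the draft's YANG module.
PROFILE = {
    "allowed_versions": {0x0303, 0x0304},                  # TLS 1.2, TLS 1.3
    "allowed_cipher_suites": {0x1301, 0x1302, 0xC02B, 0xC02F},
    "allowed_servers": {"update.example.com", "telemetry.example.com"},
}

TLS_VERSION_NAMES = {0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2", 0x0304: "TLS1.3"}


def _u16(b, off):
    return struct.unpack_from(">H", b, off)[0]


def _is_grease(v):
    # RFC 8701 GREASE values (0x0A0A, 0x1A1A, ..., 0xFAFA) are random filler a
    # client may send; they must not be counted as profile deviations.
    return (v >> 8) == (v & 0xFF) and (v & 0x0F) == 0x0A


def parse_client_hello(record: bytes) -> dict:
    """Extract the ClientHello fields a profile check needs from one TLS record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    rec_len = _u16(record, 3)
    hs_len = int.from_bytes(record[6:9], "big")
    if rec_len != hs_len + 4 or len(record) != rec_len + 5:
        raise ValueError("length fields inconsistent")
    off = 9
    legacy_version = _u16(record, off); off += 2
    off += 32                                   # client random
    sid_len = record[off]; off += 1 + sid_len   # legacy session id
    cs_len = _u16(record, off); off += 2
    suites = [_u16(record, off + i) for i in range(0, cs_len, 2)]; off += cs_len
    comp_len = record[off]; off += 1 + comp_len
    sni = None
    versions = [legacy_version]                 # replaced if supported_versions is present
    if off < len(record):
        ext_len = _u16(record, off); off += 2
        end = off + ext_len
        while off < end:
            etype, elen = _u16(record, off), _u16(record, off + 2)
            data = record[off + 4:off + 4 + elen]
            off += 4 + elen
            if etype == 0:                      # server_name: list_len(2) type(1) name_len(2) name
                name_len = _u16(data, 3)
                sni = data[5:5 + name_len].decode("ascii")
            elif etype == 43:                   # supported_versions: len(1) then 2-byte versions
                versions = [_u16(data, 1 + i) for i in range(0, data[0], 2)]
    return {"versions": versions, "cipher_suites": suites, "sni": sni}


def check_against_profile(hello: dict, profile: dict) -> list:
    """Return human-readable deviations of a parsed ClientHello from the profile."""
    findings = []
    for v in hello["versions"]:
        if not _is_grease(v) and v not in profile["allowed_versions"]:
            findings.append(f"version {TLS_VERSION_NAMES.get(v, hex(v))} not in profile")
    for cs in hello["cipher_suites"]:
        if not _is_grease(cs) and cs not in profile["allowed_cipher_suites"]:
            findings.append(f"cipher suite 0x{cs:04x} not in profile")
    if hello["sni"] is None:
        findings.append("no SNI; cannot check server against profile")
    elif hello["sni"] not in profile["allowed_servers"]:
        findings.append(f"server {hello['sni']!r} not in profile")
    return findings


def build_client_hello(legacy_version, cipher_suites, sni, supported_versions=None) -> bytes:
    """Construct a ClientHello record (test input for this example, not captured traffic)."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack(">H", len(name)) + name
        data = struct.pack(">H", len(entry)) + entry
        exts += struct.pack(">HH", 0, len(data)) + data
    if supported_versions:
        data = bytes([2 * len(supported_versions)]) + b"".join(struct.pack(">H", v) for v in supported_versions)
        exts += struct.pack(">HH", 43, len(data)) + data
    body = struct.pack(">H", legacy_version) + bytes(32)   # version + all-zero random (constructed)
    body += b"\x00"                                         # empty session id
    body += struct.pack(">H", 2 * len(cipher_suites)) + b"".join(struct.pack(">H", c) for c in cipher_suites)
    body += b"\x01\x00"                                     # compression: null only
    body += struct.pack(">H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs


# Constructed samples: one matching the profile, one offering TLS 1.0, a 3DES suite
# (0x000A) and an unexpected server.
COMPLIANT = build_client_hello(0x0303, [0x1301, 0x2A2A, 0xC02B], "update.example.com", [0x0304, 0x0303])
SUSPECT = build_client_hello(0x0301, [0x000A, 0x1301], "c2.example.net")

if __name__ == "__main__":
    for label, hello in (("compliant", COMPLIANT), ("suspect", SUSPECT)):
        print(label, check_against_profile(parse_client_hello(hello), PROFILE))
```

A deviation is a signal to log or rate-limit rather than an automatic block: as the second comment above notes, a MUD file can lag behind a firmware update, so a device legitimately adding a new suite or contacting a new server looks identical to malware until the profile catches up. The GREASE filter matters for the same reason; without it every TLS 1.3 client that randomizes filler values would trip the check.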

-----Original Message-----
From: OPSAWG [mailto:opsawg-bounces@ietf.org] On Behalf Of Joe Clarke (jclarke)
Sent: Wednesday, September 2, 2020 11:06 PM
To: opsawg <opsawg@ietf.org>
Subject: [OPSAWG] CALL FOR ADOPTION: draft-reddy-opsawg-mud-tls

Hello, opsawg.  This draft has undergone a number of revisions based on reviews and presentations at the last few IETF meetings.  The authors feel they have addressed the issues and concerns from the WG in their latest posted -05 revision.  As a reminder, this document describes how to use (D)TLS profile parameters with MUD to expose potential unauthorized software or malware on an endpoint.

To that end, this serves as a two-week call for adoption for this work.  Please reply with your support and/or comments by September 16, 2020.

Thanks.

Joe and Tianran
_______________________________________________
OPSAWG mailing list
OPSAWG@ietf.org
https://www.ietf.org/mailman/listinfo/opsawg