Re: [OPSAWG] Eric Rescorla's Discuss on draft-mm-wg-effect-encrypt-17: (with DISCUSS and COMMENT)

[Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>]

Hi Eric,

A quick update per the discussion on a TLS draft.

On Mon, Feb 19, 2018 at 3:11 PM, Kathleen Moriarty
<kathleen.moriarty.ietf@gmail.com> wrote:
> Hi Eric,
>
> Thanks for your feedback, responses are inline.
>
> FYI - I posted another version, but expect at least one more iteration
> after this version with additional comments and the ones we haven't
> gotten to yet.
>
> On Thu, Feb 8, 2018 at 12:04 AM, Eric Rescorla <ekr@rtfm.com> wrote:
>> Eric Rescorla has entered the following ballot position for
>> draft-mm-wg-effect-encrypt-17: Discuss
>>
>> When responding, please keep the subject line intact and reply to all
>> email addresses included in the To and CC lines. (Feel free to cut this
>> introductory paragraph, however.)
>>
>>
>> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
>> for more information about IESG DISCUSS and COMMENT positions.
>>
>>
>> The document, along with other ballot positions, can be found here:
>> https://datatracker.ietf.org/doc/draft-mm-wg-effect-encrypt/
>>
>>
>>
>> ----------------------------------------------------------------------
>> DISCUSS:
>> ----------------------------------------------------------------------
>>
>> I have completely re-reviewed the latest version. First, I want to
>> thank you for toning down some of the material that I was concerned
>> about.
>>
>> Unfortunately, the fundamental concern that motivated my DISCUSS
>> remains: I do not believe that this document matches the consensus
>> of the IETF community.
>>
>> Specifically, this document takes at face value a large number of
>> claims about the necessity/value of certain practices that either are
>> controversial within the IETF or that there is, I believe, rough
>> consensus to be actively bad, and that in many cases, encryption is
>> specifically designed to prevent. I have noted a number of these
>> below, but I do not believe that this is an exhaustive list (going
>> through my previous DISCUSS, I see that I noted a number of these but
>> that still appear to be unaddressed.)
>
> In the previous round of IESG reviews, the IESG concluded that framing
> upfront was the preferred approach to make it clear that not all cited
> practices are ones the IETF consider valid.  This was done in the
> updated introduction.
>
> Please respond to the discussion points as I believe your additional
> points have been addressed to also make these points again in the
> document.  In a couple of places, we have questions to make sure your
> concern is understood.
>
>>
>>
>> DISCUSS
>>    session encryption that deployed more easily instead of no
>>    encryption.
>>
>> I think I understand what you are saying here, but the term
>> "breakable" seems very unfortunate, especially in the context of this
>> document. The only such shift I am aware of that has received
>> acceptance in IETF is one from always requiring fully authenticated
>> encryption to allowing unauthenticated encryption, which you document
>> in the next paragraph. I recognize that there are other perspectives
>> (e.g., those in draft-rhrd) but those are pretty far from IETF
>> consenus. Accordingly, I think you should remove this sentence.
>
> Opportunistic security was well discussed, so that was likely top of
> mind for you when reading this draft. However there are other areas
> where the IETF decided breakable encryption was better than none in
> recent years.  Another adopted and published example is in the mail
> community.  Deprecating MD5 was deemed to be too hard because of
> support in a particular library.  We had lengthy discussions about
> this for RFC7627 (see sect 6.2) and related drafts, now published
> RFCs.
>
> This sentence had nothing to do with the drafts that are not WG drafts
> in the TLS WG, but real use cases of published RFCs where deprecated
> crypto is still accepted despite efforts to correct that in addition
> to the acceptance of the OS approach in multiple session encryption
> protocols.  The support tools and use cases don't always drive the
> best solution where we have strong crypto everywhere as you have also
> noted on recent draft reviews, now published RFCs.
>
>>
>>
>>    motivation outside of privacy and pervasive monitoring that are
>>    driving end-to-end encryption for these content providers.
>>
>> This section seems kind of confusing, at least as applied to
>> HTTP. There are three kinds of cache in HTTP:
>>
>> - Reverse proxy caches (the kind CDNs run)
>> - Explicit forward proxy caches
>> - "Transparent" intercepting caches
>>
>> The first of these move to HTTPS just fine and that's typically how
>> CDNs do it.  Explicit forward proxy caches are largely going away, but
>> part of the point of this kind of end-to-end encryption is to hide
>> data from those caches.
>
> Sure, that point was made in the draft and cleared up a little further
> from Benjamin K's review.  The business risk associated with not
> controlling your content was more explicitly stated for CDNs who have
> moved to an e2e approach.
>
> Here's the updated sentence:
>    The business risk of losing control of content is a motivation outside
>    of privacy and pervasive monitoring that are driving end-to-end
>    encryption for these content providers.
>
>> Transparent intercepting caches that the user
>> didn't opt into are a bad thing, so having them go away is a positive.
>
> The text says authorized parties, so this is referring to caches where
> there is an agreement in place for this usage.  CDN's that wish to
> block this behavior have the option to require e2e.  That trend alone
> may be enough to kill this type of service offering.  I don't see why
> it shouldn't be mentioned in terms of it's current use.  What change
> are you looking to see here?
>
>>
>>    document existing practices, the development of IETF protocols
>>    follows the guiding principles of [RFC1984] and [RFC2804].
>>
>> This is pretty opaque in this context. It should explicitly state that
>> the IETF's position is that we do not engineer for these use cases,
>> not just to cite the RFCs.
>
> We can add the following (or suggest something else):
>
> "and explicitly do not support tools and methods that could be used
> for wiretapping and censorship."
>
>>
>>
>>    based billing, or for other reasons, possibly considered
>>    inappropriate by some.  See RFC7754 [RFC7754] for a survey of
>>    Internet filtering techniques and motivations.  This section is
>>
>> I don't think this accurately represents the RFC, which makes clear
>> that the IAB consensus is that filtering is bad:
>>
>> " From a technical perspective, there are no perfect or even good
>> solutions -- there is only least bad.  On that front, we posit that a
>> hybrid approach that combines endpoint-based filtering with network
>> filtering may prove least damaging.  An endpoint may choose to
>> participate in a filtering regime in exchange for the network
>> providing broader unfiltered access."
>
> I've added the following to the end of the sentence as the RFC is too
> long to repeat what is already in 7754:
>
>    "and the IAB consensus on those mechanisms."
>
> But I'll note that this cherry picks one part of the conclusion
> section of 7754 and even this text acknowledges that some network
> filtering is needed in the suggested hybrid approach.
>
> The first paragraph of this section says:
>   "Filtering will continue to occur on the Internet. We conclude that,
>    whenever possible, filtering should be done on the endpoint.
>    Cooperative endpoints are most likely to have sufficient contextual
>    knowledge to effectively target blocking; hence, such blocking
>    minimizes unintended consequences.  It is realistic to expect that at
>    times filtering will not be done on the endpoints.  In these cases,
>    promptly informing the endpoint that blocking has occurred provides
>    necessary transparency to redress any errors, particularly as they
>    relate to any collateral damage introduced by errant filters."
>
> This text does not say it is bad, it says that it should occur when
> possible on the endpoint and that in cases where it is not possible,
> the end points should be notified of this filtering.  That's different
> from saying filtering is bad as there are a number of cases why the
> IAB agreed on a hybrid approach.
>
> DDoS mitigation requires the use of SP filtering to be effective.
> This is a clear example of where filtering must be done on the network
> and is very important and hard to argue that it isn't good.  You may
> have to step back toward the source of the traffic, iteratively
> setting up filters to block traffic through cooperation of SPs until
> you get close to the source.
>
> Filtering recommended in BCP38 certainly has had a positive impact.
>
> SPs also use filtering to protect their own infrastructure.
>
> This was just a quick response, I am sure there are other good
> examples that supported the hybrid recommendation.
>
>>
>>
>>    detect or prevent attacks as well as to guarantee service level
>>    expectations.  In some cases, alternate options are available when
>>    encryption is in use, but techniques like that of data leakage
>>
>> These certainly are use cases, but you really need to acknowledge that
>> it's also a form of user surveillance.
>>
>
> This is referring to corporate networks.  The rules are a bit
> different since you get a paycheck and agree to monitoring, sign an
> acknowledgement as an employee then operate on their equipment and
> network.
>
> To help make this point more clear, I've added text into section 4.1,
> let us know if this does not address your concern:
>
> OLD:
> Large corporate enterprises are the owners of the platforms, data, and
> network infrastructure that provide critical business services to
> their user communities. As such, these enterprises are responsible for
> all aspects of the performance, availability, security, and quality of
> experience for all user sessions. These responsibilities break down
> into three basic areas:
>
> NEW:
> Large corporate enterprises are the owners of the platforms, data, and
> network infrastructure that provide critical business services to
> their user communities. As such, these enterprises are responsible for
> all aspects of the performance, availability, security, and quality of
> experience for all user sessions. Users typically sign agreements
> acknowledging that they are subject to monitoring while operating on
> corporate networks. Subsections of 4. Encryption for Enterprises may
> discuss techniques that access data beyond the data-link, network, and
> transport level headers typically used in SP networks since the
> corporate enterprise owns the data. These responsibilities break down
> into three basic areas:
>
> This was one of the reasons why we felt it was important to keep
> section 4 separate.
>
>>
>>    Some DLP tools intercept traffic at the Internet gateway or proxy
>>    services with the ability to man-in-the-middle (MiTM) encrypted
>>    session traffic (HTTP/TLS).  These tools may use key words important
>>    to the enterprise including business sensitive information such as
>>    trade secrets, financial data, personally identifiable information
>>    (PII), or personal health information (PHI).  Various techniques are
>>    used to intercept HTTP/TLS sessions for DLP and other purposes, and
>>    are described in "Summarizing Known Attacks on TLS and DTLS"
>>    [RFC7457].
>>
>> As far as I know, the MITM techniques used by middleboxes are not
>> described in 7457.
>
> The use of an RSA static key is discussed in terms of the danger of
> using this approach in Section 2.8. I updated the text slightly to
> make this point more clear and added the section reference:
>
> Various techniques are used to intercept HTTP/TLS sessions for DLP and
> other purposes, and can be misused as described in "Summarizing Known
> Attacks on TLS and DTLS [RFC7457] Section 2.8.
>
>>
>> You also need to cover the fact that these MITM are a threat to user
>> security because they are often so badly implemented.
>
> I think 7457 does a good job of that.  Let us know if you have
> proposed text if the above fix isn't enough for you coupled with this
> being in the Enterprise section.
>
>>
>>
>> S 5.4.
>> It's pretty odd to talk about phishing without acknowledging that by
>> far the largest anti-phishing platform (Safe Browsing) operates in the
>> client, not be network interception.
>
> We responded on this previously pointing out that this is mentioned in
> section 5.3 on phishing.  Here's the text:
>
>    Administrators might also add URLs contained in
>    messages to block lists locally or this may also be done by browser
>    vendors through larger scales efforts like that of the Anti-Phishing
>    Working Group (APWG).  See the Coordinating Attack Response at
>    Internet Scale (CARIS) workshop Report [RFC8073] for additional
>    information and pointers to the APWG's efforts on anti- phishing.
>
> The CARIS report goes a bit deeper as well.  The approach is broader
> than just the browser vendors and that should be acknowledged.
> Cooperation of many other players is involved in updating the block
> lists and working with law enforcement to take down the offending
> sites.  Safe Browsing is just one piece of the larger puzzle and the
> browser block lists are already mentioned.
>
>>
>>
>>     The transport header encryption prevents trusted transit proxies.  It
>>    may be that the benefits of such proxies could be achieved by end to
>>
>> You don't define a "trusted transit proxy" so I don't know what this
>> means, and whether they provide any benefit, but this certainly sounds
>> euphemistic. Generally, "trusted" is not an adjective we associate
>> with network proxies operated by third parties.
>
> We added a little more text on this per Benjamin's comment.  I'm
> including the full text of the paragraph so this is not taken out of
> context as endorsing such mechanisms as the text goes on to say other
> ways it could be addressed in an encrypted Internet.  Here is the
> text.
>
>      Transport header encryption prevents the use of transit proxies
>      in center of the network and the use of some edge proxies by preventing
>      the proxies from taking action on the stream. It may be that the benefits
>      of such proxies could be achieved by end-to-end client and server
>      optimizations, distribution using CDNs, plus the ability to continue
>      connections across different access technologies (across dynamic
>      user IP addresses).
>
>>
>>
>>    In the best case scenario, engineers and other innovators would work
>>    to solve the problems at hand in new ways rather than prevent the use
>>    of encryption.  As stated in [RFC7258], "an appropriate balance
>>    (between network management and PM mitigations) will emerge over time
>>    as real instances of this tension are considered."
>>
>> Much of the context of this debate is about whether operators not
>> being able to do the things in this document is a problem, and this
>> seems to presume the answer.
>
> Section 8 has been overhauled in response to Deborah's comments. I see
> what you mean in the wording and that was not intended. The goal of
> the draft is to help improve adoption by talking about the issues and
> bringing them to the surface for discussion (tough discussions that
> need to happen).  Here is the current text.
>
> "As stated in [RFC7258] an appropriate balance (between network
> management and PM mitigations) will emerge over time as real instances
> of this tension are considered." Numerous operators made it clear in
> their response to this document that they fully support strong
> encryption and providing privacy for end users, this is a common goal.
> Operators recognize not all the practices documented need to be
> supported going forward, either because of the risk to end user
> privacy or alternate technologies and tools have already emerged. This
> document is intended to support network engineers and other innovators
> to work toward solving network and security management problems with
> protocol designers and application developers in new ways that
> facilitate adoption of strong encryption rather than preventing the
> use of encryption. By having the discussions on network and security
> management practices with application developers and protocol
> designers, each side of the debate can understand each others goals,
> work toward alternate solutions, and disband with practices that
> should no longer be supported. A goal of this document is to assist
> the IETF to understand some of the current practices so as to identify
> new work items for IETF-related use cases which can help facilitate
> the adoption of strong session encryption and support network and
> security management."
>
>>
>>
>>    This optimization at network edges measurably improves real-time
>>    transmission over long delay Internet paths or networks with large
>>
>> Do you have a citation for this claim?
>
> The draft that this text refers to in the previous paragraph has a
> section on performance enhancing proxies, section 3.5 and is referred
> to right before this text. David Dolson was the contributor.
>
>>
>>
>>    Web proxies are sometimes used to filter traffic, allowing only
>>    access to well-known sites found to be legitimate and free of malware
>>    on last check by a proxy service company.  This type of restriction
>>    is usually not noticeable in a corporate setting as the typical
>>    corporate user does not access sites that are not well-known to these
>>    tools, but may be noticeable to those in research who are unable to
>>    access colleague's individual sites or new web sites that have not
>>    yet been screened.  In situations where new sites are required for
>>    access, they can typically be added after notification by the user or
>>    proxy log alerts and review.  Home mail account access may be blocked
>>    in corporate settings to prevent another vector for malware to enter
>>    as well as for intellectual property to leak out of the network.
>>    This method remains functional with increased use of encryption and
>>    may be more effective at preventing malware from entering the
>>    network.  Web proxy solutions monitor and potentially restrict access
>>    based on the destination URL or the DNS name.  A complete URL may be
>>    used in cases where access restrictions vary for content on a
>>    particular site or for the sites hosted on a particular server.
>>
>> If you are filtering on URL and there is HTTPS involved, then you are
>> a MITM, and this is potentially noticeable to end-users. We encounter
>> this regularly when MITM proxies make mistakes in getting into our
>> trust anchor store.
>
> This is in the enterprise section where monitoring is accepted by end
> users.  What is your proposal here?  I don't see an issue with
> describing this usage.  Are you okay with this text since you also see
> this as an issue and perhaps it needs more discussion?
>
>>
>>
>> Re: 0-rating.
>>    user.  This feature is impacted if encryption hides the details of
>>    the content domain from the network.
>>
>> Well, maybe. Facebook's zero rating, for instance, is IP-based.
>> https://info.internet.org/en/blog/2015/09/24/enhancing-security-and-privacy-of-free-basics/
>
> It seems the providers or applications offering 0-rating all operate
> differently.
> https://arstechnica.com/information-technology/2016/02/verizons-mobile-video-wont-count-against-data-caps-but-netflix-will/
>
> I had more of an issue with the word feature here, so I believe I
> addressed your comment and my concern with the following:
>
>      For some implementations, zero rating is impacted if encryption
>      hides the details of the content domain from the network.
>
>>
>> S 2.2.2.
>> The presentation here seems biased given that it does not acknowledge
>> that one of the reasons that ISPs do traffic class discrimination is
>> to prioritize favored rather than disfavored traffic, regardless of
>> user preferences. I don't believe that the IETF has taken a position
>> for net neutrality, but I'm also pretty sure we don't have consensus
>> against it.
>
> How about the following text:
> This section does not consider traffic discrimination by service
> providers related to NetNeutrality, where traffic may be favored
> according to the service provider preference as opposed to the user's
> preference. These use cases are considered out-of-scope for this
> document as controversial practices.
>
>>
>>
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>>
>>    Pervasive Monitoring (PM) attacks on the privacy of Internet users is
>>    of serious concern to both the user and the operator communities.
>> are of serious concern
>
> Thanks.
>>
>>    Traditional network management, planning, security operations, and
>>    performance optimization have been developed in an Internet where a
>>    large majority of data traffic flows without encryption.  While
>> you have a plural/singular mismatch here.
>>
>>    Authentication with IPsec [RFC7619] and there are a number of
>>    infrastructure use cases such as server to server encryption, where
>>    this mode is deployed.  While OS is helpful in reducing pervassive
>> Nit, no comma before "where"
>
> Done, thanks.
>>
>>    recommendations from these documents were were built upon for TLS 1.3
>>    to provide a more inherently secure end-to-end protocol.
>> "were were"
>
> Already fixed, thanks.
>>
>>    to-user content encryption schemes, such as S/MIME and PGP for email
>>    and encryption (e.g.  Off-the-Record (OTR)) for XMPP are used by
>>    those interested to protect their data as it crosses intermediary
>> Not, "e.g.,"
>
> Fixed, thanks.
>>
>>    been impacted by increases in encrypted traffic.  Only methods
>>    keeping with the goal of balancing network management and PM
>>    mitigation in [RFC7258] should be considered in solution work
>>    resulting from this document.
>> I don't understand what the normative content of this was.
>
> There is no normative content.  Are you asking because the lowercase
> should was used?
>
>>
>>    upgrades before user experience declines.  For example, findings of
>>    loss and jitter in VoIP traffic can be a predictor of future customer
>>    dissatisfaction (supported by metadata from the RTP/RTCP protocol )
>>    [RFC3550], or increases in DNS response time can generally make
>>    interactive web browsing appear sluggish.  But to detect such
>>    problems, the application or service stream must first be
>>    distinguished from others.
>>
>> This is a little hard to read, but generally this information is not
>> encrypted for SRTP/SRTCP.
>
> In looking at the text, the Secure version of RTP/RTCP isn't mentioned
> and isn't cited as an issue.  The text (from Dave Dolson, we think)
> seems to say that any form of security that obscures the application
> or service info of the stream complicates analysis as VoIP, or
> analysis as <something else>.
>
> If this isn't clear enough, would you like to propose text?
>
>>
>>    When using increased encryption, operators lose a source of data that
>>    may be used to debug user issues.  Because of this, application
>>    server operators using increased encryption might be called upon more
>>    frequently to assist with debugging and troubleshooting, and thus may
>>    want to consider what tools can be put in the hands of their clients
>>    or network operators.
>>
>> This is phrased as hypothetical, but is there any actual data to
>> support this? We have a lot of experience now with encrypted voice and
>> video as well as Web. Do those providers report any increased level of requests.
>
> This makes perfect sense.  If you are troubleshooting and the data is
> not available at the endpoint, the network is used.  If that goes
> away, logging and reporting at the endpoint has to improve.  If you
> take a look at the feedback from the OPsDir review, it had several
> specific types of log improvements added into a paragraph early into
> the document.  I added a few more to that from other comments.
>
> In my operational experience as well as work with customers at EMC,
> I've heard this comment as well and it was addressed.  This is part of
> why the increase in encryption with storage platforms is not a big hit
> - tools were provided at the endpoint to fill the gap.
>
>>
>>    the new flow and would not be able to route it back to the original
>>    POP.
>>
>> I'm having a little trouble understanding this paragraph. Why is this
>> about mobile operators? It seems like it's an issue for anyone who has
>> a service that might have mobile clients.
>
> If you mean laptops/IP based devices on WiFi access, this works
> differently at the routing layer than with cellular mobile phones.
> Phones need to be able to transition seamlessly with migrations
> (coordinated roaming).  Other devices, like laptops on WiFi access,
> might need this type of transition within a wireless managed
> environment, but this is with APs that don't typically attempt to
> preserve connection state. When IP based devices on WiFi access have
> traffic traversing POPs, it's at the IP layer and the applications
> handle continuity.  The key difference between WiFi and cellular is
> maintaining connection state.
>
>>
>>    effective at providing data offload when there is a network element
>>    close to the receiver that has access to see all the content.
>> This section is also confusing in that it fails to distinguish between proxies
>> of this type that the user opts into from transparent proxies that just do this
>> service without the user's consent. Part of the purpose of encryption is to
>> preclude that.
>
> This reads to me as if these are transparent proxies, so I'll add that
> in to clarify the text further.  Thanks.
>
>>
>>    created from the intercepting device to the client's destination,
>>    this is an opt-in strategy for the client.  Changes to TLSv1.3 do not
>>    impact this more invasive method of interception, where this has the
>> I don't understand the cite to TLS 1.3 here. None of this is presently affected
>> by 1.3.
>
> This is saying that changes to TLSv1.3 do not impact this more
> invasive method of interception explicitly, so I believe the text
> already addresses your point.  If not, could you please suggest text?
>
>>
>>    endpoints as a service reduces providers' ability to offer parental
>>    control.
>> This section makes it seem like there are no other methods that allow for
>> parental control, but that's not true. There are parental control mechanisms
>> which rely on MITM proxies or application interfacing.
>
> The section NOW starts off with the following in the first paragraph
> that should address your concern:
>
>     This section is intended to document a selection of current
>     content blocking practices...
>
> I think this came from Benjamin's review - the section is not
> exhaustive (neither is the draft as it was contribution driven).
>
> This text in the first paragraph should also help with your point:
>     Content blocking may also happen at endpoints or at the edge
>     of enterprise networks, but those are not addressed in this section.
>
> At the edge is a proxy/gateway MiTM solution.
>
> The next paragraph talks about proxies in the core or edge of a
> network, these are also MiTM devices, so I think that's well covered.
>
> The following sentence in this section calls this out as MiTM behavior
> explicitly:
>
>     Changes to TLSv1.3 do not impact this more invasive method of
>      interception, that has the potential to expose every HTTPS
>      session to an active man in the middle (MitM).
>
> I ammended the following sentence in the last paragraph in case that helps you:
>
> OLD:
> This type of granular filtering could occur at the endpoint.
>
> NEW:
> This type of granular filtering could occur at the endpoint or as a
> proxy service.
>
>>
>>    HTTP headers and content are encrypted, this prevents mobile carriers
>>    from intercepting the traffic and performing an HTTP redirect.  As a
>>    result, some mobile carriers block customer's encrypted requests,
>> Yes, stopping traffic redirection is actually one of the major design purposes
>> of HTTPS.
>
> Sure, there's not an issue other than the practice needs to change and
> they need to figure out better ways to notify customers.  It's raised
> here in case better ideas can be developed and some operator may look
> at the reference (RFC6108).  Adam and Al were chatting on this as a
> result of his review, so hopefully they make a little progress.
>
> I added the word appropriately as I think that will address your
> concern.  The operators just want efficient ways to notify their
> customers, it doesn't have to be done this way, but they raised the
> issue because they don't know what to do and I believe, want help.
>
> NEW:
> When the HTTP headers and content are encrypted, this appropriately
> prevents mobile carriers from intercepting the traffic and performing
> an HTTP redirect.
>
>>
>>    to the customer and additional overhead to the mobile network service
>>    provider.
>> This section is basically a commercial for this practice. It needs to
>> acknowledge that it's actually much closer to IETF consensus that it's a bad
>> practice.
>
> This text was already changed as follows:
>
>      The customer may need to call customer care to find out the
>      reason and/or resolve the issue, possibly extending the time
>      needed to restore their network access.
>>
>>    headers to accomplish the, sometimes considered controversial,
>>    functions above.
>> Again, this is precisely the form of attack that HTTPS is intended to prevent.
>
> The following paragraph was added per conversations with Christian and
> Martin.  Hopefully, this also addreses your concern.  The paragraph
> mentioned was amended as well.
>
> NEW:
>     Guidance from the Internet Architecture Board has been provided
>      in [RFC8165] on Design Considerations for Metadata Insertion.
>      The guidance asserts that designs that share metadata only by
>      explicit actions at the host are preferable to designs in which
>      middleboxes insert metadata. Alternate notification methods that
>      follow this and other guidance would be helpful to mobile carriers.
>
>>
>>    perform SSL/TLS decryption are impacted by the increased use of
>>    encryption that prevents interception.
>> I don't really understand what this text means. What is "use of encryption that
>> prevents interception" in the context of tools which already do decryption?
>
> This reads clear enough to me, but would you be happier with:
>
> s/impacted/no longer functions/
>
> It's referring to encryption that prevents interception, not talking
> about proxies which still can be used technically.  This change has
> not been made yet, so please let us know if this helps or if you have
> another suggestion.
>
>
>>
>>    [DarkMail].  Of course, SPAM filtering will not be possible on
>>    encrypted content.
>> This is not strictly correct, as you can still header filter, etc.
>
> It seems a few words were trimmed in what you have quoted above.
> Here's the full sentence:
>
> Of course, content-based spam filtering will not be possible on
> encrypted content.
>
> I'm not sure what happened there as I don't think this was a recent
> fix. The sentence was in context of content-based filtering.
>
> In much earlier versions of this draft, there was mention of efforts
> that would encrypt email header information to protect privacy
> discussed a couple of years ago (SAAG and a spin off list) - which is
> a good thing to do.  If that happens operations are impacted and that
> would require discussion to develop new approaches for spam filtering
> and other email based attack prevention techniques.
>
>>
>>    over the Internet.  Options for monitoring will vary with each
>>    encryption approach described below.  In most cases, solution have
>>    been identified to provide encryption while ensuring management
>> Nit: "solutions have"
>
> Already fixed, thanks.
>>
>>    allow for multiple end user sessions to share the same TCP
>>    connection.  This rasises several points of interest with an
>>    increased use of encryption.  TCP session multiplexing should still
>> Typos: rasises
>
> Fixed, thanks.
>>
>>    be possible when TLS or TCPcrypt is in use since the TCP header
>>    information is exposed leaving the 5-tuple accessible.  The use TCP
>>    session multiplexing of an IP layer encyption, e.g.  IPsec, that only
>> I'm not sure if this is correct. What precisely do you mean by "TCP
>> session multiplexing"? A cite would be helpful here.
>
> It's described in section 4.1.3.2:
>
>     TCP pipelining/session multiplexing used mainly by
>     middleboxes today allows for multiple end user sessions
>     to share the same TCP connection.
>
>>
>>    center.  HTTP pipelining requires both the client and server to
>>    participate; visibilty of packets once encrypted will hide the use of
>>    HTTP pipelining for any monitoring that takes place outside of the
>> Typo: visibility
>
> Fixed, thanks.
>>
>>    traffic cannot be intercepted, encouraging alternate options such as
>>    performing these functions at the edge.
>> I'm not seeing the relevance of this. Who is proposing solutions in which
>> encrypted traffic cannot be intercepted at the outgoing network edge.
>
> The only option here for this described usage is a proxy where the TLS
> 1.3 session is terminated and restarted.  If you look back to slides
> from Stephen on PM and advancements resulting from PM being considered
> an attack, one of the ideas to make TLS stronger was DANE
> authentication to provide a way to know you truly have an e2e session
> - a very good thing.  The draft on the last telechat:
> https://datatracker.ietf.org/doc/draft-ietf-tls-dnssec-chain-extension/
> that should be approved soon is able to do this with some middleboxes,
> but I'm not sure what happens with a proxy - so I asked the editors
> for clarification.  If this just doesn't work and the session proceeds
> without this extension, there is nothing to notify on.  If this is
> something proxies should be aware of to allow through unhampered, it
> would be good to include a little more text.  For instance, in
> corporate networks certain traffic with PII, like financial
> transactions, are not proxied and would benefit from using this
> extension, giving their users assurance in the security of their
> sessions.

 In some cases, alternate options are available when encryption is in
use through a proxy or a shift to monitoring at the endpoint. In both
cases, scaling is a concern and advancements to support this shift in
monitoring practices will assist the deployment of end-to-end
encryption.

Best regards,
Kathleen

>
>>
>>    owing to concealment of critical headers and payloads.  Many forms of
>>    enterprise performance management may be similarly affected.
>> Again, this is sort of transparent caching is an anti-pattern, so this document
>> ought to acknowledge that,
>
> I added the following text at the end of this paragraph to address your concern:
> It should be noted that transparent caching is considered an anti-pattern.
>
> If you have alternate text to suggest, please do!
>
>
>>
>>    parts of the address assignment/management protocols, critical for
>>    SAVI mechanisms, can result in a dysfunction of the SAVI mechanisms.
>> Does anyone actually deploy SAVI? If not, encryption isn't having much of an
>> impact.
>
> It appears to be the case with drafts being published as recent as 2017:
> https://tools.ietf.org/html/rfc8074
>
> And I'm told it is widely deployed in China.
>
>>
>>    network filters look out for seeing a Server Name Indication
>>    extension, they may not find one.  The SNI Encryption in TLS Through
>>    Tunneling [I-D.ietf-tls-sni-encryption] draft has been adopted by the
>> This doesn't really follow. I mean they "may not" but overwhelmingly they will
>
> I'm not sure when the text was changed, but it already has been changed from.
>
> OLD:
>
>    This information is only visible if the client is populating the
>    Server Name Indication extension.  This need not be done, but may be
>    done as per TLS standard and as stated above this has been
>    implemented by all major browsers.  Therefore, even if existing
>    network filters look out for seeing a Server Name Indication
>    extension, they may not find one.
>
> NEW:
> This information is only available if the client populates the Server
> Name Indication extension. Doing so is an optional part of the TLS
> standard and as stated above this has been implemented by all major
> browsers. Due to its optional nature, though, existing network filters
> that examine a TLS ClientHello for a SNI extension cannot expect to
> always find one.
>
>>
>>
>
>
>
> --
>
> Best regards,
> Kathleen



-- 

Best regards,
Kathleen