IETF Logo Mail Archive

Re: [OPSAWG] [TLS] CALL FOR ADOPTION: draft-reddy-opsawg-mud-tls

Ben Schwartz <bemasc@google.com> Fri, 11 September 2020 01:35 UTC

Return-Path: <bemasc@google.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5E433A12D7 for <opsawg@ietfa.amsl.com>; Thu, 10 Sep 2020 18:35:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Level:
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wHW1BzQ_56wX for <opsawg@ietfa.amsl.com>; Thu, 10 Sep 2020 18:35:45 -0700 (PDT)
Received: from mail-il1-x134.google.com (mail-il1-x134.google.com [IPv6:2607:f8b0:4864:20::134]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4DDAB3A12D5 for <opsawg@ietf.org>; Thu, 10 Sep 2020 18:35:45 -0700 (PDT)
Received: by mail-il1-x134.google.com with SMTP id t13so7577699ile.9 for <opsawg@ietf.org>; Thu, 10 Sep 2020 18:35:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=/Xq6K20LaWKnfSeJagsNi0rQS8vpTCErKf95BHL1psw=; b=naPS/p/567sK/EB/DyplwMr8vSSfIQuyAAEkckUZxHq+nNoSwVNy6+zs9/BoPw3YLM LMR6sj4PBA95mZ2I8eV7zosl5FOyjzROYsR/X2LE8D8lDVAPTXaK5+GTkMsdRvXo/0Zf 3NiB9KxJLTq8PNt5BeIxUYwLNIQdoVJdaANVA8RgoNvGMwn5A8XGSIYzB3Xw6h91BQQ/ 8wKo4AIkRqIKrMZJi3hPxVZK2nR8cZmIBpk0ZnZmR0xyfVtOjZS3y/C26VFffQy+nS0v Oo7kfbWlrEK5R5n3fFc2mDsn/nn80vxY6r4SoomaF7yWD7zcuDYA6OqvqISC2tT+mNL6 Qn2w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/Xq6K20LaWKnfSeJagsNi0rQS8vpTCErKf95BHL1psw=; b=beSendxZDrM8dMuUzI8TwTb9vgX4IRMA8FeCoN8TTsF38ZqtMFksCGZ2GzI0r/Gigj 3Qr5j+LswsdZ+sqoorZPmhpVPLX3zBNAh1vEUeyTXAadAkdexGB0r9lHQEXkHljbvIa2 P5V/z0JuZA4zvqbBJNU+vUMqTx9MyuQaZBUx6g07K5Igd3CKIgQrwgWcQE0JoWjIHXdV f4lGX/ZMiWYcXlb4NeI0IMHkhJCpnnPJ+VgEh7cxkdj3F8926r0wBTPXDvGkEntNkpgW ZdHEaLBc66cCxDLI2aiRAw7Uy03FjOsBjkgvIHtBSBbidt6dxI8+NCsdKAV10QcorAbx AicA==
X-Gm-Message-State: AOAM530K2ET1xsvcQ3qaN2oQ/4uvl5meQ4hGD3O+EG9syCIV4xy3mCBP ingCHlNfG9uxPXPaAzzgcqouhorxRhnvnFPO0pQCidRaXsI=
X-Google-Smtp-Source: ABdhPJwMrshmAaXxS6zvn4gaVZVL6dW/R5wIGEoqdHH7jKsZYLsvLo3atR5jmIRrli8/LhCmE3/FCwnaayePtnKNmY8=
X-Received: by 2002:a05:6e02:10d1:: with SMTP id s17mr8910243ilj.24.1599788144189; Thu, 10 Sep 2020 18:35:44 -0700 (PDT)
MIME-Version: 1.0
References: <21BA8D05-DD83-44DE-81B9-457692484CAD@cisco.com> <053b286e-4780-1818-a79d-71b9c967bbd2@sandelman.ca>
In-Reply-To: <053b286e-4780-1818-a79d-71b9c967bbd2@sandelman.ca>
From: Ben Schwartz <bemasc@google.com>
Date: Thu, 10 Sep 2020 21:35:33 -0400
Message-ID: <CAHbrMsANEA4omTm5dPYLN9zGde2YdT_71ujpBcCEer_xSkPhbw@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: opsawg@ietf.org, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="00000000000015998d05aeffb46f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/_nsJpZ5GRHCvU8aRhquP657Liac>
Subject: Re: [OPSAWG] [TLS] CALL FOR ADOPTION: draft-reddy-opsawg-mud-tls
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Sep 2020 01:35:47 -0000

Thanks for highlighting this, Michael.  I don't support adoption of this
draft, because I don't think it is fit-for-purpose.  Specifically, I think
it is likely to provide a significant advantage to malware authors (the
opposite of the intended effect).

Currently, if a malware author wants to match the TLS characteristics of
the host device, they have to do some work to characterize its TLS
behavior.  This may be difficult, especially in the case of partial
compromise, or for malware that targets a wide variety of hosts.  However,
with this MUD module in place, the malware can read the TLS behavior right
out of the MUD profile, and configure its behavior to match.

Note that, except in the case of TLS termination, the proxy cannot verify
anything about the TLS session by observing it.  Just because a connection
appears to use a particular SNI or certificate does not prove anything
about the actual destination.

On Thu, Sep 10, 2020 at 11:47 AM Michael Richardson <mcr+ietf@sandelman.ca>
wrote:

> On 2020-09-02 11:05 a.m., Joe Clarke (jclarke) wrote:
> > Hello, opsawg.  This draft as underwent a number of revisions based on
> reviews and presentations at the last few IETF meetings.  The authors feel
> they have addressed the issues and concerns from the WG in their latest
> posted -05 revision.  As a reminder, this document describes how to use
> (D)TLS profile parameters with MUD to expose potential unauthorized
> software or malware on an endpoint.
> >
> > To that end, this serves as a two-week call for adoption for this work.
> Please reply with your support and/or comments by September 16, 2020.
>
> I have read the document in a number of different revisions, and I
> support adoption.
>
> I have been concerned that this document codifies a kind of TLS snooping
> by middle boxes which has in the past caused significant harm to
> development of TLS. (In particular, TLS version negotiation has had to
> evade existing middle box policies!)
>
> However,  this document seems to walk the fine line between causing
> protocol ossification and providing real security.  To the extent that
> it reduces the pressure by enterprises to invade the TLS encryption
> envelope through use of Enterprise certificates [is there a term for the
> activity describe in section 4.1? I wish there was] this document is a
> very useful thing.
>
> I would like to suggest that upon adoption, that this document go
> through a TLS WG review of some sort before OPSAWG does a WGLC.
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email