Re: [OPSEC] [TLS] Call For Adoption: draft-wang-opsec-tls-proxy-bp

"Eric Wang (ejwang)" <ejwang@cisco.com> Mon, 27 July 2020 05:15 UTC

From: "Eric Wang (ejwang)" <ejwang@cisco.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
CC: Jen Linkova <furry13@gmail.com>, OPSEC <opsec@ietf.org>, "tls@ietf.org" <tls@ietf.org>, OpSec Chairs <opsec-chairs@ietf.org>
Thread-Topic: [TLS] [OPSEC] Call For Adoption: draft-wang-opsec-tls-proxy-bp
Thread-Index: AdZd8qs4MVhjKcpfSaSC3eC5PK0rEQCniF8AAH8FdoAAUf6sgA==
Date: Mon, 27 Jul 2020 05:14:56 +0000
Message-ID: <4937FCE4-23EF-4585-8675-C07F3B347AC6@cisco.com>
References: <DM6PR05MB634890A51C4AF3CB1A03DA0BAE7A0@DM6PR05MB6348.namprd05.prod.outlook.com> <CAFU7BAS=ymUPTAGB_fOSrHTG0OajV1n5M1-yOBWxvGam-a89AA@mail.gmail.com> <d9d6d8c2-3916-be28-d01f-f040a28ce361@cs.tcd.ie>
In-Reply-To: <d9d6d8c2-3916-be28-d01f-f040a28ce361@cs.tcd.ie>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/6_jwUNl3tTpR3wByjAtaMdhCbAw>
Subject: Re: [OPSEC] [TLS] Call For Adoption: draft-wang-opsec-tls-proxy-bp

Hi Stephen,

Thanks for your feedback.  I’d like to clarify that, given the reality today that CDNs/load balancers and enterprises deploy TLS proxies, this draft is merely meant to lay out baseline guidance for their implementation and operation [1].  It is not meant to analyze "use and abuse" or "pros and cons", for which there have been many discussions and publications in the past; the draft references some of them.

Given the progression of TLS and its wide adoption, the use of TLS proxies is also becoming common practice and is growing in enterprises/CDNs.  We felt it’s a good thing for the community to define a set of best practices for practitioners to reference when implementing and operating TLS proxies.  Without one, TLS deployments would be negatively impacted.  Also, given some of the implementation inconsistencies noted during the TLS 1.3 evolution, we felt a BCP guide could help the community move forward.  That’s the purpose of this draft.

Best,
-Eric

[1] https://tools.ietf.org/html/draft-wang-opsec-tls-proxy-bp-00#section-1


On Jul 25, 2020, at 7:07 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:


I oppose adoption. While there could be some minor benefit
in documenting the uses and abuses seen when mitm'ing tls,
I doubt that the effort to ensure a balanced document is at
all worthwhile. The current draft is too far from what it'd
need to be to be adopted.

Send to ISE.

S.

On 23/07/2020 02:30, Jen Linkova wrote:
One thing to add here: the chairs would like to hear active and
explicit support of the adoption. So please speak up if you believe
the draft is useful and the WG shall work on getting it published.

On Mon, Jul 20, 2020 at 3:35 AM Ron Bonica <rbonica=40juniper.net@dmarc.ietf.org> wrote:

Folks,

This email begins a Call For Adoption on draft-wang-opsec-tls-proxy-bp.

Please send comments to opsec@ietf.org by August 3, 2020.

                                                               Ron


_______________________________________________
OPSEC mailing list
OPSEC@ietf.org
https://www.ietf.org/mailman/listinfo/opsec



--
SY, Jen Linkova aka Furry

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls