Re: [OPSEC] Fwd: I-D Action: draft-ietf-opsec-probe-attribution-01.txt
"Eric Vyncke (evyncke)" <evyncke@cisco.com> Tue, 28 March 2023 05:01 UTC
From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: Andrew S2 <andrew.s2@ncsc.gov.uk>, Justin Iurman <justin.iurman@uliege.be>, opsec WG <opsec@ietf.org>
CC: "draft-ietf-opsec-probe-attribution@ietf.org" <draft-ietf-opsec-probe-attribution@ietf.org>
Date: Tue, 28 Mar 2023 05:00:37 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/80aJeOr6j8BIw1bV_w2OnhLa6Fk>
Hello Andy,

Sorry for the belated reply... and thank you for your detailed review.

Based on our own experiences, the authors would like to keep the in-band probe attribution in the text. It of course lacks several properties of the out-of-band attribution, and it also can bias the experiment results, but in-band has the following advantages:

- can be used in RIPE Atlas (or similar probes) where the actual source is *not* the researcher
- can be used behind an (ugly) NAT device

And, I have seen the case where the probe packet had lost its IP header when it was observed...

I.e., in-band attribution is not perfect, but it is still useful.

See below for EV> for additional replies.

Regards

-éric & -justin

On 14/03/2023, 18:55, "Andrew S2" <andrew.s2@ncsc.gov.uk> wrote:

Many thanks to the authors for this draft, and the updates in the latest version, it's a great topic for this group to be working on.

I think that standardising the suggestions on out-of-band attribution would be really useful. While I'm not too familiar with the situations mentioned in Section 5 where out-of-band attribution will not work, I think there are sufficient issues with in-band attribution that it would be better to focus this draft on the out-of-band mechanisms. In a little more detail:

* The suggestions on Out-of-Band Probe Attribution in Section 3 are easy to implement, lightweight suggestions that are similar to how we attribute our scanning at NCSC (UK National Cyber Security Centre). We scan for vulnerabilities across internet-connected systems in the UK and publish information on our scanning (https://www.ncsc.gov.uk/information/ncsc-scanning-information), providing the address of this webpage in reverse DNS, as the draft suggests. Standardising a .well-known URI is helpful, especially as it is in some sense capturing existing best current practice in this space.

EV> would you mind if the UK NCSC reference is added in the document?

* For Section 4, on In-band Probe Attribution, there are a couple of risks:

  * As mentioned at the end of the section (and discussed on this list), there is a good chance that firewalls or middleboxes drop (or otherwise do something unexpected with) these unusual looking packets, compromising the scan. If following this document compromises the results of the scan, then I think it's unlikely that scanners will choose to add this information.

EV> in our JAMES experiment (V6OPS) we have preferred to include the in-band probe attribution, we understand that it increases the packet drops but we prefer to be 'clean' even if the results are less nice

  * Providing this information in the packet payloads would provide an easy way for a system to automatically block all scanning that complies with this document. This would provide little benefit to the system owner as it would only allow systems to block benign scanning that is compliant with this document. It would also reduce the amount of information available to researchers, making their scans less representative. It could prove particularly detrimental if systems make uninformed decisions to (attempt to) block all scanning by dropping packets that include this information.

EV> Possibly, I have a hard time seeing an operator doing deep packet inspection to find a potential probe at the risk of many false positives and at the expense of CPU. But, you are right: in-band probe attribution does impact the experiment.

I hope these comments are helpful, thanks again to the authors for putting this useful document together.

Thanks,
Andy

-----Original Message-----
From: OPSEC <opsec-bounces@ietf.org> On Behalf Of Justin Iurman
Sent: 05 March 2023 12:47
To: opsec WG <opsec@ietf.org>
Cc: draft-ietf-opsec-probe-attribution@ietf.org
Subject: [OPSEC] Fwd: I-D Action: draft-ietf-opsec-probe-attribution-01.txt

Hello,

This version addresses most of the comments received by Jen, Prapanch and Warren (thanks again for your reviews!). The diff is [1].

@Jen: with Éric, we finally decided that it might be better not to use normative language since this document is informational. Also, regarding your comment about DNS, we just wanted to make sure that you were talking about a TXT record where the value might "authenticate" the probes. Is it what you had in mind? If so, this is indeed a good idea, but we might need to define a new value/keyword for that, which might overcomplicate the document. Thoughts?

Thanks,
Justin

-------- Forwarded Message --------
Subject: [OPSEC] I-D Action: draft-ietf-opsec-probe-attribution-01.txt
Date: Sun, 05 Mar 2023 04:21:30 -0800
From: internet-drafts@ietf.org
Reply-To: opsec@ietf.org
To: i-d-announce@ietf.org
CC: opsec@ietf.org

A New Internet-Draft is available from the on-line Internet-Drafts directories. This Internet-Draft is a work item of the Operational Security Capabilities for IP Network Infrastructure WG of the IETF.

Title    : Attribution of Internet Probes
Authors  : Éric Vyncke
           Benoît Donnet
           Justin Iurman
Filename : draft-ietf-opsec-probe-attribution-01.txt
Pages    : 9
Date     : 2023-03-05

Abstract:
Active measurements at Internet-scale can target either collaborating parties or non-collaborating ones. Sometimes these measurements are viewed as unwelcome or aggressive. This document proposes some simple techniques allowing any party or organization to understand what this unsolicited packet is, what is its purpose, and more importantly who to contact.
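
The two lookups discussed in this thread, as an added example that is not part of the original messages or of the draft: given a probe's source address, its PTR name and its payload, it lists where an operator would look for the attribution and whether the in-band and out-of-band answers agree. The `/.well-known/probing.txt` path, the payload layout (URI at offset 0, ended by a zero octet), the accepted schemes and all sample values are assumptions not stated in the thread.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumptions (not stated in the thread): file name, schemes, payload layout.
WELL_KNOWN = "/.well-known/probing.txt"
SCHEMES = ("https", "mailto", "tel")


def in_band_uri(payload: bytes):
    """Return the attribution URI carried at the start of a payload, or None.

    Assumed layout: URI at offset 0, printable ASCII, ended by a zero octet.
    Requiring that layout keeps ordinary traffic that merely contains a URL
    somewhere in its body from being mistaken for a probe.
    """
    head, sep, _ = payload.partition(b"\x00")
    if not sep or not 0 < len(head) <= 255:
        return None
    if any(b < 0x21 or b > 0x7E for b in head):
        return None
    uri = head.decode("ascii")
    try:
        return uri if urlsplit(uri).scheme in SCHEMES else None
    except ValueError:  # e.g. malformed bracketed host
        return None


def out_of_band_uris(src_ip: str, ptr_name=None):
    """Description URLs to try, built from the source address and PTR name."""
    ip = ipaddress.ip_address(src_ip)
    host = f"[{ip}]" if ip.version == 6 else str(ip)
    urls = [f"https://{host}{WELL_KNOWN}"]
    if ptr_name:
        urls.append(f"https://{ptr_name.rstrip('.').lower()}{WELL_KNOWN}")
    return urls


def attribute(src_ip: str, payload: bytes, ptr_name=None):
    """Collect both kinds of attribution; neither is authenticated."""
    uri = in_band_uri(payload)
    host = (urlsplit(uri).hostname or "") if uri else ""
    ptr = (ptr_name or "").rstrip(".").lower()
    return {
        "in_band": uri,
        "out_of_band": out_of_band_uris(src_ip, ptr_name),
        # True only when the in-band host sits under the PTR name.
        "consistent": bool(host and ptr and (host == ptr or host.endswith("." + ptr))),
    }


if __name__ == "__main__":
    # Constructed samples: a measurement-platform source whose PTR belongs to
    # the platform, and plain HTTP traffic that only mentions a URL.
    probe = b"https://lab.example.net/.well-known/probing.txt\x00" + bytes(8)
    print(attribute("192.0.2.7", probe, "probe-1234.atlas.example.org."))
    print(in_band_uri(b"GET / HTTP/1.1\r\nReferer: https://example.com/\r\n\r\n"))
```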