[OPSEC] Paul Wouters' Yes on draft-ietf-opsec-indicators-of-compromise-03: (with COMMENT)
Paul Wouters via Datatracker <noreply@ietf.org> Thu, 19 January 2023 00:08 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: opsec@ietf.org
Delivered-To: opsec@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 0DDEFC14CEE5; Wed, 18 Jan 2023 16:08:40 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Paul Wouters via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-opsec-indicators-of-compromise@ietf.org, opsec-chairs@ietf.org, opsec@ietf.org, furry13@gmail.com, furry13@gmail.com
X-Test-IDTracker: no
X-IETF-IDTracker: 9.5.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Paul Wouters <paul.wouters@aiven.io>
Message-ID: <167408692004.1531.5490450779471228371@ietfa.amsl.com>
Date: Wed, 18 Jan 2023 16:08:40 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/9RsfjZyvGgA0ATxxhWmTcTWnp8M>
Subject: [OPSEC] Paul Wouters' Yes on draft-ietf-opsec-indicators-of-compromise-03: (with COMMENT)
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.39
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Jan 2023 00:08:40 -0000
Paul Wouters has entered the following ballot position for draft-ietf-opsec-indicators-of-compromise-03: Yes When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-opsec-indicators-of-compromise/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Thanks for this document. I just have a few nits/comments: Why is figure 1 a pyramid ? I understand the "more and "less" modifiers to "precise", "fragile" and "pain", but I don't understand why one layer sits on top of another smaller layer. Especially seeing domain names at 25M and SHA256 hashes at 5M, with domain names being a smaller layer on top of SHA256 hashes ? This outlined recent exploitation of Fortinet [FORTINET] I would change "Fortinet" to something not identifiable to a single vendor. No need to shame them for a decade while this RFC is current. 28 million of them were for domain generation algorithms (DGAs) It wasn't for the algorithms but for the domains generated by such algorithms. Perhaps: 28 million of these were for domains generated by known domain generation algorithms (DGAs) Other IoCs, like Server Name Indicator values in TLS or the server certificate information, also provide IoC protections. This sentence is in a section that talks about DNS and blocking at an upstream DNS layer, but that does not apply to SNI/TLS. Perhaps this needs its own section or be moved elsewhere? It now appears SNI can be blocked by a DNS server. Note too that DNS goes through firewalls, proxies and possibly to a DNS filtering service; it doesn't have to be unencrypted, but these appliances must be able to decrypt it to do anything useful with it, like blocking queries for known bad URIs. I find this paragraph weak and alluding to 'DoH is evil'. In an enterprise, surely one can force DNS through their own DNS infrastructure, and HTTPS through their own middleware proxy, and one would certainly want to block any direct connections to the outside world that are encrypted regardless of whether it is encrypted payload is DNS or something else.
- [OPSEC] Paul Wouters' Yes on draft-ietf-opsec-ind… Paul Wouters via Datatracker