Re: [OPSEC] New OPSEC individual draft on probe attribution

"Eric Vyncke (evyncke)" <evyncke@cisco.com> Sun, 20 February 2022 11:06 UTC

From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: Fernando Gont <fernando.gont=40edgeuno.com@dmarc.ietf.org>, "opsec@ietf.org" <opsec@ietf.org>
CC: Benoît <Benoit.Donnet@uliege.be>, Justin Iurman <justin.iurman@uliege.be>
Date: Sun, 20 Feb 2022 11:06:24 +0000
Message-ID: <ED3D21D4-0DFF-4A60-A3BA-726F9AE8DE20@cisco.com>
References: <EDA6831B-1A74-4C5C-8BA7-9440C3785ACC@cisco.com> <85904cdc-7874-ac26-ad6e-3dc354aa3c50@edgeuno.com>
In-Reply-To: <85904cdc-7874-ac26-ad6e-3dc354aa3c50@edgeuno.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/GliVI1sjuzfWHsO0Ph7WPpeC26c>
Subject: Re: [OPSEC] New OPSEC individual draft on probe attribution

Hello Fernando,

Thank you for your quick review, we completely agree with you:

1) the reverse DNS/web server is probably to be preferred, so, we will move the section 4 'out of band' before the inband section to put more focus on this technique
2) on the URI in the payload, indeed this will not work in every case (for the reasons you explained), we will modify the text to make it more clear.

BTW, about the "extension header" and RFC 7872, this is indeed what Raphaël (a Master student of Prof. Donnet) is doing right now ;) Our hope is to present it at V6OPS at IETF-113. BTW, do you know of a VM/VPS hoster in South America? Preferably using Telefonica as tier-1.

Regards

-éric

-----Original Message-----
From: Fernando Gont <fernando.gont=40edgeuno.com@dmarc.ietf.org>
Date: Friday, 18 February 2022 at 14:55
To: Eric Vyncke <evyncke@cisco.com>, "opsec@ietf.org" <opsec@ietf.org>
Cc: Benoît <Benoit.Donnet@uliege.be>, Justin Iurman <justin.iurman@uliege.be>
Subject: Re: [OPSEC] New OPSEC individual draft on probe attribution

    Hi, Eric, and all,

    Thanks for the heads up on this document!

    FWIW, I agree with the "principle", but not with the proposed solution.

    Meta: the easiest way to provide information about the probe is to:

    1) simply run a web server on the probing machine, with a web page that
       describes the experiment, and/or,

    2) have a reverse mapping in the DNS that hints about what's going on,
       and possibly leads to a web page as #1 above.

    Regarding the proposed "in-band probe attribution", this is generally
    not possible, since it may interfere with the probing experiment itself.
    e.g.:


    > 3.  In-band Probe Attribution
    >
    >    When the desired measurement allows for it, one "probe description
    >    URI" should be included in the payload of all probes sent.  This
    >    could be:
    >
    >    *  for a [RFC4443] ICMPv6 echo request: in the optional data (see
    >       section 4.1 of [RFC4443]);
    >
    >    *  for a [RFC792] ICMPv4 echo request: in the optional data;

    These two *may* be possible. But:
    1) You'd normally not use ping for probing, since it may be filtered
        and/or rate-limited.

    2) Sensors at the target network might be configured to not capture the
        payload




    >    *  for a [RFC768] UDP datagram: in the data part;

    This one is not possible: When scanning UDP services, the probe packet
    needs to be a valid request for the target service -- otherwise it would
    not elicit a response.



    >    *  for a [RFC793] TCP packet with the SYN flag: data is allowed in
    >       TCP packets with the SYN flag per section 3.4 of [RFC793] (2nd
    >       paragraph);

    This is theoretically possible -- maybe feasible now. But for quite some
    time this wouldn't work (implementation bugs that wouldn't allow data in
    the SYN, even when protocol-wise legitimate), and because firewalls
    would block these.


    >
    >    *  for a [RFC8200] IPv6 packet with either hop-by-hop or destination
    >       options headers, in the PadN option.  Note that, per the
    >       informational [RFC4942] section 2.1.9.5, it is suggested that PadN
    >       option should only contain 0x0 and be smaller than 8 octets, so
    >       the proposed insertion of the URI in PadN option could have
    >       influence on the measurement itself;

    You'd probably never use IPv6 EHs for probing, since the reliability of
    the experiment will be degraded significantly -- unless you're actually
    trying to measure *that* (as in RFC7872 ;-) ).

    Thanks!

    Regards,
    --
    Fernando Gont
    Director of Information Security
    EdgeUno
    PGP Fingerprint: DFBD 63E3 B248 AE79 C598 AF23 EBAE DA03 0644 1531




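A sensor-side view of the in-band scheme discussed in this thread, added here as an example (it is not code from the draft or from either author): recovering a probe description URI from ICMPv6 echo optional data and from a PadN option, and flagging PadN options that depart from the RFC 4942 guidance the draft quotes. The function names, the sample URI and the reading of "smaller than 8 octets" as the size of the whole option are assumptions.

```python
import re
import struct

URI_RE = re.compile(rb"https?://[\x21-\x7e]+")  # printable ASCII, no spaces

def uri_in(data):
    """Return the first http(s) URI found in a payload, or None."""
    m = URI_RE.search(data)
    return m.group().decode("ascii") if m else None

def icmpv6_echo_uri(msg):
    """URI in the optional data of an ICMPv6 echo request (type 128)."""
    if len(msg) < 8 or msg[0] != 128:
        return None
    return uri_in(msg[8:])  # skip type, code, checksum, identifier, sequence

def padn_findings(ext):
    """Walk a hop-by-hop or destination options header; report each PadN."""
    if len(ext) < 2:
        return []
    total = (ext[1] + 1) * 8  # Hdr Ext Len: 8-octet units after the first 8
    opts, i, out = ext[2:total], 0, []
    while i < len(opts):
        if opts[i] == 0:  # Pad1 is a single octet with no length field
            i += 1
            continue
        if i + 2 > len(opts) or i + 2 + opts[i + 1] > len(opts):
            break  # truncated option: stop rather than read past the header
        kind, data = opts[i], opts[i + 2:i + 2 + opts[i + 1]]
        if kind == 1:  # PadN
            out.append({"uri": uri_in(data),
                        "nonzero": any(data),
                        # assumption: "smaller than 8 octets" = whole option
                        "oversize": len(data) + 2 >= 8})
        i += 2 + len(data)
    return out

# Constructed samples (placeholder URI; ICMPv6 checksum left at 0, not verified)
URI = b"https://probe.example.net/about"
ECHO = struct.pack("!BBHHH", 128, 0, 0, 0x1234, 1) + URI
# Next Header 59, Hdr Ext Len 4 (40 octets): PadN with URI, then a normal PadN
DEST_OPTS = bytes([59, 4, 1, len(URI)]) + URI + bytes([1, 3, 0, 0, 0])

if __name__ == "__main__":
    print(icmpv6_echo_uri(ECHO))
    print(padn_findings(DEST_OPTS))
```

The URI-bearing PadN is reported as both non-zero and oversize, which is the kind of anomaly the draft text itself notes could influence the measurement.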