Re: [OPSEC] Roman Danyliw's Discuss on draft-ietf-opsec-probe-attribution-07: (with DISCUSS and COMMENT)

Roman Danyliw <rdd@cert.org> Tue, 29 August 2023 15:26 UTC

From: Roman Danyliw <rdd@cert.org>
To: "Eric Vyncke (evyncke)" <evyncke@cisco.com>, The IESG <iesg@ietf.org>
CC: "draft-ietf-opsec-probe-attribution@ietf.org" <draft-ietf-opsec-probe-attribution@ietf.org>, "opsec-chairs@ietf.org" <opsec-chairs@ietf.org>, "opsec@ietf.org" <opsec@ietf.org>, "furry13@gmail.com" <furry13@gmail.com>
Date: Tue, 29 Aug 2023 15:26:15 +0000
Message-ID: <BN2P110MB11075F52A6F9C94BF66A0319DCE7A@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
References: <168847636988.23180.16211496796614010068@ietfa.amsl.com> <C6C9A546-A590-490D-8AD3-DAD2EB367041@cisco.com>
In-Reply-To: <C6C9A546-A590-490D-8AD3-DAD2EB367041@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/QZBSVQbyo9u64mK5gYChFPvM3QI>

Hi!

Thank you for the follow-up response.  I have entered an ABSTAIN position. 

A few responses to your clarifications are added below (that I didn't include in my ballot).

> -----Original Message-----
> From: Eric Vyncke (evyncke) <evyncke@cisco.com>
> Sent: Wednesday, July 5, 2023 11:41 AM
> To: Roman Danyliw <rdd@cert.org>; The IESG <iesg@ietf.org>
> Cc: draft-ietf-opsec-probe-attribution@ietf.org; opsec-chairs@ietf.org;
> opsec@ietf.org; furry13@gmail.com
> Subject: Re: Roman Danyliw's Discuss on draft-ietf-opsec-probe-attribution-07:
> (with DISCUSS and COMMENT)
> 
> Hello Roman,
> 
> Thank you for your review.
> 
> My understanding of your DISCUSS ballot is that this I-D is worse than the cure.
> 
> If the above statement is correct, then there is probably a disconnect between
> your view and the actual purpose of this I-D, which is more like "if you bumped
> into another car on a parking lot, then please leave a message on the damaged
> car windshield with your contact information". I.e., propose a reasonably
> sensible way to contact the researcher(s) sending those probes.

I concur that there is a disconnect.  In my view, this document aspires to define a mechanism that will only be used by "researchers with good intentions" but provides no mechanisms to enforce that.  It expects circumstances on the internet which are inconsistent with the internet threat model (RFC3552) that explicitly cautions against assuming that entities on a path have "good intentions."

> Such probe research is not common; I know about 5 teams doing (and
> counting me twice) such probing over the public Internet over a period of 10
> years... And a vast majority of them (if not all) have applied similar
> mechanisms, so let's document them in an *informational* document that
> starts with "This document suggests some simple techniques".

I may have misunderstood the expected deployment.  Respectfully, if this mechanism is only needed a few times every decade, I question why a specification is required.

> More background: I was contacted only *once* in those 2 measurement
> campaigns of mine, and it proved really useful as it allowed a forensic analyst
> to contact me in a matter of hours (more information in a private / confidential
> discussion if you want). This was really critical and valuable in that case,
> therefore the suggestions in this I-D, while not perfect, are rather useful.

Are there any experimental results which support the thesis of this approach -- that is, that including this in-band or out-of-band signaling improves the efficacy of these probing experiments?  [I-D.draft-vyncke-v6ops-james] was cited as using the in-band technique.  This would make a compelling argument.

Regards,
Roman
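
The thread refers to the draft's in-band and out-of-band attribution techniques without spelling them out. The following is an added example, written for this archive page and not code from the draft, the authors or the thread: given a captured probe's source address and payload, it lists the attribution leads a forensic analyst could check. It assumes that the out-of-band description file lives at the well-known path `/.well-known/probing.txt` on the source address and that the in-band technique is an `https` URI placed in the probe payload; both are assumptions here, as are the sample payloads, which are constructed. No network lookup or fetch is performed: the payload and the source address are entirely under the sender's control, so the leads are hints to verify, not evidence of who sent the probe, which is the point at issue in the discussion above.

```python
"""
Added example (not from the thread or the draft): derive the attribution
leads for one captured probe.

  * out-of-band: the reverse DNS name of the source address and a probe
    description file at an assumed well-known path on that address;
  * in-band: an https URI carried inside the (untrusted) probe payload.

Nothing below is authenticated; every lead must be verified by the analyst.
"""
import ipaddress
import re
from dataclasses import dataclass, field

WELL_KNOWN_PATH = "/.well-known/probing.txt"  # assumed path, see lead-in

# Only https URIs with a plausible multi-label hostname or a bracketed IPv6
# literal are accepted from the payload; the path is limited to printable
# URI characters so binary bytes around the URI end the match cleanly.
_LABEL = rb"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_URI_RE = re.compile(
    rb"https://"
    rb"(?P<host>\[[0-9A-Fa-f:.]+\]|" + _LABEL + rb"(?:\." + _LABEL + rb")+)"
    rb"(?::[0-9]{1,5})?"
    rb"(?P<path>/[A-Za-z0-9._~!$&'()*+,;=:@%/-]*)?"
)


@dataclass
class AttributionLeads:
    source: str
    reverse_dns_name: str            # PTR name to query (no lookup done here)
    well_known_url: str              # out-of-band description file URL
    in_band_uris: list = field(default_factory=list)


def well_known_url_for(src_ip: str) -> str:
    """Build the assumed out-of-band URL; IPv6 literals are bracketed."""
    ip = ipaddress.ip_address(src_ip)
    host = f"[{ip}]" if ip.version == 6 else str(ip)
    return f"https://{host}{WELL_KNOWN_PATH}"


def extract_in_band_uris(payload: bytes, max_uris: int = 4) -> list[str]:
    """Return distinct https URIs found in an untrusted probe payload.

    Binary data around the URI is tolerated; the URI itself must be clean
    ASCII. The result is capped so a hostile payload cannot flood the
    analyst with hundreds of candidate contacts.
    """
    found: list[str] = []
    for m in _URI_RE.finditer(payload):
        uri = m.group(0).decode("ascii")
        if uri not in found:
            found.append(uri)
        if len(found) >= max_uris:
            break
    return found


def attribution_leads(src_ip: str, payload: bytes) -> AttributionLeads:
    """Combine out-of-band (source address) and in-band (payload) leads."""
    ip = ipaddress.ip_address(src_ip)
    return AttributionLeads(
        source=str(ip),
        reverse_dns_name=ip.reverse_pointer,
        well_known_url=well_known_url_for(src_ip),
        in_band_uris=extract_in_band_uris(payload),
    )


# Constructed sample: an ICMP echo style payload with a leading URI,
# NUL-terminated, followed by the usual incrementing filler bytes.
SAMPLE_PAYLOAD = b"https://research.example.net/.well-known/probing.txt\x00" + bytes(range(32))

# Constructed sample: a payload anyone could send; the "lead" it yields
# points wherever the sender chose, which is why it is only a hint.
SPOOFED_PAYLOAD = b"\x00\x01junk https://contact.example.org/whoami\xff\xfe"

if __name__ == "__main__":
    for src, payload in (("192.0.2.10", SAMPLE_PAYLOAD), ("2001:db8::1", SPOOFED_PAYLOAD)):
        print(attribution_leads(src, payload))
```

Run it to see both records; the second shows that the in-band lead from a spoofed payload looks exactly like a legitimate one, so the analyst has to confirm it against the out-of-band leads (and ideally the contact itself) before acting on it.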