Re: [OPSEC] New Version Notification for draft-wang-opsec-tls-proxy-bp-00.txt

"Eric Wang (ejwang)" <ejwang@cisco.com> Tue, 16 June 2020 22:18 UTC

From: "Eric Wang (ejwang)" <ejwang@cisco.com>
To: "Tobias Mayer (tmayer)" <tmayer=40cisco.com@dmarc.ietf.org>
CC: "Eric Wang (ejwang)" <ejwang=40cisco.com@dmarc.ietf.org>, "opsec@ietf.org" <opsec@ietf.org>, Roelof Du Toit <roelof.dutoit@broadcom.com>, "Andrew Ossipov (aossipov)" <aossipov@cisco.com>
Date: Tue, 16 Jun 2020 22:18:49 +0000
Message-ID: <7CCDCB89-FB6A-4F54-98FF-3E5C76E2F4DA@cisco.com>
References: <6774F53A-B1E6-49DC-A414-15955FE074CC@cisco.com>
In-Reply-To: <6774F53A-B1E6-49DC-A414-15955FE074CC@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/YI8zIJJGns4QCbrSX4ApJQ07n_8>

Hi Toby,

Many thanks for your comments. Please see responses inline.

On Jun 11, 2020, at 2:45 AM, Tobias Mayer (tmayer) <tmayer=40cisco.com@dmarc.ietf.org> wrote:

Hi Eric,

Some minor comments on the draft:

4.2 Are we making a difference in a TLS session between a ClientHello really initiated as a new ClientHello by the proxy on the server side and, as some proxies might do, the ClientHello from the client side being modified and forwarded? According to the text it looks like we are assuming that the proxy MUST always initiate its own session?

4.4 See comment on 4.2

The proxy MUST always initiate a new session and create its own ClientHello. The ClientHello may follow the original one, such as proposing the same cipher suites, but it must use its own key materials. In that sense, it is always a freshly created ClientHello.

There were some proxy behaviors that attempted to reuse the original ClientHello. We think that must be strongly prohibited given the security risks (and technically impossible with forward secrecy).  That’s also one of the reasons for this document.



4.8 typo: "updateble" -> "updatable"

Thanks, corrected.



5.3 2nd paragraph. Maybe add a note that this out-of-band handshake is also giving back visibility into the certificate with TLS 1.3? Would be good to point this out.

Good point. Will add that part.


Best,
-Eric





Toby


From: OPSEC <opsec-bounces@ietf.org> on behalf of "Eric Wang (ejwang)" <ejwang=40cisco.com@dmarc.ietf.org>
Date: Friday, 5. June 2020 at 03:30
To: "opsec@ietf.org" <opsec@ietf.org>
Cc: Roelof Du Toit <roelof.dutoit@broadcom.com>, Andrew Ossipov <aossipov@cisco.com>
Subject: [OPSEC] Fwd: New Version Notification for draft-wang-opsec-tls-proxy-bp-00.txt

Dear OPSEC participants,

We published a new revision of the TLS-proxy best practice draft for the WG review. The title was updated with “opsec” based on Ron’s suggestion.  It replaces the previous file and contains the same updates to address early comments from Eric R., Tobias Mayer and others.

We would like to thank those reviewers and appreciate more comments and feedback on the draft!

Best,

-Eric (on behalf of the authors)



Begin forwarded message:

From: <internet-drafts@ietf.org>
Subject: New Version Notification for draft-wang-opsec-tls-proxy-bp-00.txt
Date: June 4, 2020 at 2:59:38 PM PDT
To: Eric Wang <ejwang@cisco.com>, Roelof DuToit <roelof.dutoit@broadcom.com>, Andrew Ossipov <aossipov@cisco.com>


A new version of I-D, draft-wang-opsec-tls-proxy-bp-00.txt
has been successfully submitted by Eric Wang and posted to the
IETF repository.

Name: draft-wang-opsec-tls-proxy-bp
Revision: 00
Title: TLS Proxy Best Practice
Document date: 2020-06-03
Group: Individual Submission
Pages: 16
URL:            https://www.ietf.org/internet-drafts/draft-wang-opsec-tls-proxy-bp-00.txt
Status:         https://datatracker.ietf.org/doc/draft-wang-opsec-tls-proxy-bp/
Htmlized:       https://tools.ietf.org/html/draft-wang-opsec-tls-proxy-bp-00
Htmlized:       https://datatracker.ietf.org/doc/html/draft-wang-opsec-tls-proxy-bp


Abstract:
  TLS proxies are widely deployed by organizations to enable security
  features and apply enterprise policies.  This document defines a TLS
  proxy and discusses a wide range of security requirements to guide
  TLS proxy implementations.




Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat


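The requirement Eric states in the reply above (the proxy MUST start its own session with a freshly created ClientHello that may mirror the client's cipher suites but must carry the proxy's own key material, and forwarding the client's ClientHello cannot work once the key exchange is forward-secret) is demonstrated below as an added example. It is not code from the draft or from its authors. It uses a toy Diffie-Hellman group over a Mersenne prime and a hypothetical named-group code point (0x01FF) in place of X25519 or another real TLS group, and a simplified RFC 8446 ClientHello encoding (no padding, no HelloRetryRequest); the sample ClientHello for example.com is constructed inline.

```python
import os
import struct

# Toy Diffie-Hellman group, constructed for this example only. It is NOT a real
# TLS named group (TLS uses X25519, secp256r1, ffdhe*, ...). The code point 0x01FF
# is a hypothetical private-use value standing in for the toy group.
P = 2**127 - 1
G = 3
TOY_GROUP = 0x01FF
EXT_SNI, EXT_SUPPORTED_GROUPS, EXT_SUPPORTED_VERSIONS, EXT_KEY_SHARE = 0x0000, 0x000A, 0x002B, 0x0033

def dh_keypair():
    priv = 2 + int.from_bytes(os.urandom(16), "big") % (P - 3)
    return priv, pow(G, priv, P).to_bytes(16, "big")

def dh_shared(priv, peer_pub):
    return pow(int.from_bytes(peer_pub, "big"), priv, P).to_bytes(16, "big")

def key_share_ext(group, pub):
    # KeyShareClientHello: client_shares<2^16> of KeyShareEntry{group(2), key_exchange<2^16>}
    entry = struct.pack("!HH", group, len(pub)) + pub
    return struct.pack("!H", len(entry)) + entry

def parse_key_share(data):
    shares, p = {}, 2
    while p < 2 + struct.unpack("!H", data[:2])[0]:
        group, length = struct.unpack("!HH", data[p:p + 4])
        shares[group] = data[p + 4:p + 4 + length]
        p += 4 + length
    return shares

def sni_ext(host):
    name = b"\x00" + struct.pack("!H", len(host)) + host   # host_name(0) + HostName<2^16>
    return struct.pack("!H", len(name)) + name

def build_client_hello(random, session_id, cipher_suites, extensions):
    # Simplified RFC 8446 ClientHello in a TLS record: legacy_version 0x0303, null compression only
    ext_blob = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (b"\x03\x03" + random + bytes([len(session_id)]) + session_id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + b"\x01\x00"
            + struct.pack("!H", len(ext_blob)) + ext_blob)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_client_hello(rec):
    assert rec[0] == 0x16 and rec[5] == 0x01, "not a ClientHello record"
    ch, off = rec[9:9 + int.from_bytes(rec[6:9], "big")], 2      # skip legacy_version
    random, off = ch[off:off + 32], off + 32
    sid_len = ch[off]
    session_id, off = ch[off + 1:off + 1 + sid_len], off + 1 + sid_len
    cs_len = struct.unpack("!H", ch[off:off + 2])[0]
    cipher_suites, off = ch[off + 2:off + 2 + cs_len], off + 2 + cs_len
    off += 1 + ch[off]                                           # legacy_compression_methods
    ext_len = struct.unpack("!H", ch[off:off + 2])[0]
    blob, p, exts = ch[off + 2:off + 2 + ext_len], 0, []
    while p < ext_len:
        etype, elen = struct.unpack("!HH", blob[p:p + 4])
        exts.append((etype, blob[p + 4:p + 4 + elen]))
        p += 4 + elen
    return {"random": random, "session_id": session_id,
            "cipher_suites": cipher_suites, "extensions": exts}

def proxy_fresh_client_hello(client_ch):
    """Proxy's own ClientHello: mirror the client's cipher suites, SNI and groups
    (policy-relevant), but use a fresh random, session id and key_share."""
    ch = parse_client_hello(client_ch)
    priv, pub = dh_keypair()
    exts = [(t, key_share_ext(TOY_GROUP, pub) if t == EXT_KEY_SHARE else d)
            for t, d in ch["extensions"]]
    return build_client_hello(os.urandom(32), os.urandom(32), ch["cipher_suites"], exts), priv

def server_respond(client_hello):
    """Origin server: take the key share for our group, return (server_pub, traffic_secret)."""
    ch = parse_client_hello(client_hello)
    peer = parse_key_share(dict(ch["extensions"])[EXT_KEY_SHARE])[TOY_GROUP]
    priv, pub = dh_keypair()
    return pub, dh_shared(priv, peer)

def simulate(forward_original):
    """Client -> proxy -> server. forward_original=True relays the client's own
    ClientHello (the prohibited behaviour); False terminates the client session and
    opens an independent one to the server. Returns the secrets each party derived."""
    client_priv, client_pub = dh_keypair()
    client_ch = build_client_hello(os.urandom(32), b"", b"\x13\x01\x13\x02", [
        (EXT_SNI, sni_ext(b"example.com")),                      # constructed sample
        (EXT_SUPPORTED_VERSIONS, b"\x02\x03\x04"),
        (EXT_SUPPORTED_GROUPS, struct.pack("!HH", 2, TOY_GROUP)),
        (EXT_KEY_SHARE, key_share_ext(TOY_GROUP, client_pub))])
    if forward_original:
        server_pub, server_secret = server_respond(client_ch)
        # The proxy saw both public shares but holds neither private key: with an
        # ephemeral exchange it cannot derive the traffic secret, so it gets None.
        return {"client": dh_shared(client_priv, server_pub), "server": server_secret,
                "proxy_client": None, "proxy_server": None,
                "client_ch": client_ch, "proxy_ch": client_ch}
    proxy_ch, proxy_priv = proxy_fresh_client_hello(client_ch)
    server_pub, server_secret = server_respond(proxy_ch)
    pc_priv, pc_pub = dh_keypair()                               # proxy is the server toward the client
    return {"client": dh_shared(client_priv, pc_pub), "proxy_client": dh_shared(pc_priv, client_pub),
            "proxy_server": dh_shared(proxy_priv, server_pub), "server": server_secret,
            "client_ch": client_ch, "proxy_ch": proxy_ch}
```

Running simulate(True) shows the client and server agreeing on a secret the proxy does not hold, which is exactly why relaying the original ClientHello gives a TLS proxy nothing to inspect. simulate(False) yields two unrelated secrets, one shared between client and proxy and one between proxy and server, while the proxy's ClientHello still carries the client's cipher suites and SNI so that policy decisions can follow the original request.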