Re: [OPSEC] I-D Action: draft-ietf-opsec-ns-impact-00.txt

"Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com> Mon, 26 October 2020 02:58 UTC

Return-Path: <ncamwing@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 25A023A1836 for <opsec@ietfa.amsl.com>; Sun, 25 Oct 2020 19:58:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.6
X-Spam-Level:
X-Spam-Status: No, score=-9.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=KQpoxkSQ; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=TxQbUYfK
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6IFfhb-a2445 for <opsec@ietfa.amsl.com>; Sun, 25 Oct 2020 19:58:50 -0700 (PDT)
Received: from alln-iport-6.cisco.com (alln-iport-6.cisco.com [173.37.142.93]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EBDE43A1851 for <opsec@ietf.org>; Sun, 25 Oct 2020 19:58:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=25085; q=dns/txt; s=iport; t=1603681114; x=1604890714; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=Eg5fWf91KpwC57JBtlCyyDWDqi3ww2mBO+IU1hKoJDw=; b=KQpoxkSQfdit2xhmZzXVCqv4PP9QtOxAJYfofy5Ypt06FEwDcEbbng7G 32KzIaX4VoX2eyBuGQZeIKE8/UpvaZtc6srtS/fIQEMRYvpMcCoblX5i3 AQcOtkPsUl1vQtE07ijsHJUMgTffKEtvPSmDHCjytQNmPeJ7naWqkMC9p s=;
IronPort-PHdr: =?us-ascii?q?9a23=3At3pxzxdHpsyDFZLkGI9+DzndlGMj4e+mNxMJ6p?= =?us-ascii?q?chl7NFe7ii+JKnJkHE+PFxlwaTAdfX7vtegKzXvrzuH2sa7sXJvHMDdclKUB?= =?us-ascii?q?kIwYUTkhc7CcGIQUv8MLbxbiM8EcgDMT0t/3yyPUVPXsqrYVrUry6+6DcIEV?= =?us-ascii?q?P+OBZ7YOPvFd2ag8G+zevn/ZrVbk1Bjya8ZrUnKhKwoE3Ru8AajJEkJLw2z0?= =?us-ascii?q?7Co2BDfKJdwmY7KA=3D=3D?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0BmCACoOpZf/5ldJa1gHQEBAQEJARI?= =?us-ascii?q?BBQUBgg+BIy9RB3BZLywKhDKDSQONRpQLhG+BQoERA1ULAQEBDQEBGAEMCAI?= =?us-ascii?q?EAQGESgIXgXICJTgTAgMBAQsBAQUBAQECAQYEbYVhDIVyAQEBAQMBARARHQE?= =?us-ascii?q?BLAsBDwIBCBEDAQEBKAMCAgIlCxQJCAIEAQ0FGwQDgwQBgX5NAy4BDqNTAoE?= =?us-ascii?q?7iGh2gTKDBAEBBYE3Ag4DDy9EgkIYghAJgTiCcoNwhjodG4IAgREnHIJNPoJ?= =?us-ascii?q?cAQEBAQEBgR0mOA0JCIJZM4IskDmDHYcUjAeRGQqCaokEkXUDH4MXgSqIY5Q?= =?us-ascii?q?6kz2KdpVCAgQCBAUCDgEBBYFrI4FXcBUaISoBgj4JRxcCDY4fg3GFFIVBAXQ?= =?us-ascii?q?CNgIGAQkBAQMJfIw7AYEQAQE?=
X-IronPort-AV: E=Sophos;i="5.77,417,1596499200"; d="scan'208,217";a="607920008"
Received: from rcdn-core-2.cisco.com ([173.37.93.153]) by alln-iport-6.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 26 Oct 2020 02:58:33 +0000
Received: from XCH-ALN-002.cisco.com (xch-aln-002.cisco.com [173.36.7.12]) by rcdn-core-2.cisco.com (8.15.2/8.15.2) with ESMTPS id 09Q2wXlv001123 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 26 Oct 2020 02:58:33 GMT
Received: from xhs-aln-001.cisco.com (173.37.135.118) by XCH-ALN-002.cisco.com (173.36.7.12) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Sun, 25 Oct 2020 21:58:33 -0500
Received: from xhs-rtp-001.cisco.com (64.101.210.228) by xhs-aln-001.cisco.com (173.37.135.118) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Sun, 25 Oct 2020 21:58:33 -0500
Received: from NAM10-MW2-obe.outbound.protection.outlook.com (64.101.32.56) by xhs-rtp-001.cisco.com (64.101.210.228) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Sun, 25 Oct 2020 22:58:33 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=cHinhPzxKi7Yf2Y3d6ocT20gf6Kp5DC0ZaeSaEfccMyv63CAZ4zZ4F2YyP/+jjzQ/QgvGjibCdEigL7JMD4lxdU6dR94fQyjrID7HgHwqGWDXfjDZL26bnq5koVqN8IqBulcgAybQOwMbzK/C6WFrAig1FUFCKhh8IhC3VmFzoDYoES7LydgEKroDcYfP1xnv4znGJ8lGLfLQUxhs3pTtZpwwfR1p2VSS8nLLiYYgnDFoOoq6eLXoyVaIoI2nG/uL557ARYM+VUj/5lA0N9x3G6aTrFHWlw5y6UrvGewa0fyUck2/1koTTmvH3rSANlAWBuKYcWlNcFMCbj2Jia6nQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Eg5fWf91KpwC57JBtlCyyDWDqi3ww2mBO+IU1hKoJDw=; b=icExaRRIAqsSmBtDZdHK1HIjXMJlCsnp6fZ37ySOzVinYgtpNIxqPqgfY0KD0EQ3FyzzhUk7dkvNvrNhlvqjfGqq+2dlLMUsvIXyvuWnAPiwBen3mV6leg67Ziy5YQaGcJaB+8w1wCjfQu3uRGuAgwxyVrt2C3z/OgEFJMdCZxvyc/LpHO4IBIrBLLziCIfaz6VI9n6P4bL7+fR42Bg+JJcpEbjr64qIED1Jw0pZoEQNIx2bpwEn2ZlWEBa93b2bVPs1HBQsjTZ01zy03BJjHNjosNcP7MWNXlL7tFQQDUQiDaxwBSZvk4/5g5IZ6oTIeVta3zVK36/opQOEM7ku0Q==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Eg5fWf91KpwC57JBtlCyyDWDqi3ww2mBO+IU1hKoJDw=; b=TxQbUYfKyALXwI633XnKlefwiLb7WNIPFOOkhcGPHJLh+N9CaGOqIGHWYSojoU4nxTcZdGXnj3p9Jhj2qQzm1OXfjEMXzTwresXed3xQNmAyRcAwwMNJC92HuRoP6mNJZd5uKHI5co9enZ21FOpDpMJTXgaZak8dp3k+zsmxRys=
Received: from BY5PR11MB4070.namprd11.prod.outlook.com (2603:10b6:a03:181::16) by BYAPR11MB3463.namprd11.prod.outlook.com (2603:10b6:a03:1e::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3499.18; Mon, 26 Oct 2020 02:58:30 +0000
Received: from BY5PR11MB4070.namprd11.prod.outlook.com ([fe80::8842:3f1e:4ffc:32c1]) by BY5PR11MB4070.namprd11.prod.outlook.com ([fe80::8842:3f1e:4ffc:32c1%3]) with mapi id 15.20.3477.028; Mon, 26 Oct 2020 02:58:30 +0000
From: "Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com>
To: "Eric Wang (ejwang)" <ejwang=40cisco.com@dmarc.ietf.org>, tom petch <ietfa@btconnect.com>
CC: "opsec@ietf.org" <opsec@ietf.org>
Thread-Topic: [OPSEC] I-D Action: draft-ietf-opsec-ns-impact-00.txt
Thread-Index: AQHWSbnyJHIJtM2GSkK2u2qnFDPtgqjnopMAgDYKT4D//7zXgICMFT2A
Date: Mon, 26 Oct 2020 02:58:30 +0000
Message-ID: <A39F7678-A73A-4DAD-80A1-545835C71632@cisco.com>
References: <159295656881.2080.14897469715486353486@ietfa.amsl.com> <DB7PR07MB5340F6E82CDF3B9F71905BDAA2950@DB7PR07MB5340.eurprd07.prod.outlook.com> <4A3F376B-E82A-4C73-BA53-9AB7F0BC6316@cisco.com> <F3C9D532-C8ED-4843-A032-56D90DB9630C@cisco.com>
In-Reply-To: <F3C9D532-C8ED-4843-A032-56D90DB9630C@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.10.1b.201012
authentication-results: dmarc.ietf.org; dkim=none (message not signed) header.d=none;dmarc.ietf.org; dmarc=none action=none header.from=cisco.com;
x-originating-ip: [73.162.233.180]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: fcb3b77b-14f3-40b6-222a-08d8795b04f8
x-ms-traffictypediagnostic: BYAPR11MB3463:
x-microsoft-antispam-prvs: <BYAPR11MB34635925EC279E7B82FC7231D6190@BYAPR11MB3463.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:2887;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 94JIOJCxImPK+s1aG4DBfQwGByPTCw01SjqNkTQ7Yiaw3iFi1Rc3UYLWYvJh56mT1QsW2olXXhqykMGLXin6Adf2FjZl6+eCMWg5c8OrinMAXH/YxjE01hHI5pqcvWxD4NKWueneoWwgJg7d1iA0/mdT7Ypi6gAPiNEH+ifjFdXybvsVGD7/FbEfFc8SuOcyVbYJeZJsxb5RkQj/0MFQ/YThXfJBm6QxGbIDMSUTQDM43q3TP9zIzxFnYkwnMToGjH2661Mv6JOtvnlNFHngpXv+3IzyzpTTLSdeYJQFjy7n4/uIsZSpG4BWmtbUwrpSqm9LgZEdYzOGLZb+/p7clSvTxpwaF2eqxUZHZOto2PqOkjDs2PnPhPr6v0Raaz+FybucboIG9yOeUOAPbJ/r+A==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BY5PR11MB4070.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(396003)(376002)(136003)(346002)(366004)(39860400002)(71200400001)(66476007)(166002)(64756008)(83380400001)(5660300002)(66556008)(66446008)(86362001)(66574015)(9326002)(91956017)(53546011)(6506007)(26005)(76116006)(36756003)(6512007)(2906002)(2616005)(6486002)(966005)(66946007)(110136005)(186003)(8676002)(33656002)(21615005)(478600001)(4326008)(8936002)(316002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: IumfeoYwtF2Bs0zdpAEhrv+vv6DVq1lpF1ugP5fgxQeWgP6JCZu2pFWLNR+RokVRLqxAIfHXmqXflFbGWRRxeDrdOc2Lwf3Diws5KBqco8fvvKbQqkZ/h/2umzz3ZquCEvR5KVusDvgYrSO411CV2z6lMkeu7e/IAsz7jHpsPt87nS8TReVKm9SCtVdOXgj5cDauEzlBewXZ+onMreJjPYJ4NkJooSg0hgo/ZsEXTD9G2aoC84hnO3qhe/t6cGJR5Z39JCKLJhQQkAcTKqfb4iagT3D4xZRa1p8DycDUxJAaoOBmTqI3pl+dmhMPi3ONbd9rBVUiOAyNyUg1spx53EgDuGw4q5gWohJjQOw5wgWp6ymyFpBCQDCOei7UXuR2sI2Tj1O4NsdWXCsRZNoZZYtqXiC7EGel0sB8mt/xTabpzDIvr70kLr84EFq9egBxGz0kElFqk6ulwcbjwepD2mH4orUly2ifLkDxB58hqx4Rb56nRik5TzOfvk6ojN14Jl8C6vhTXMj2yODSCHz2AXjylhhqUlNOltgKT6SFzrVpPTBNNxUC3t4mjNoZJPKlmCbJ4fT832E/f8Bf2f3GjfVKYMS4q3WDMVszcPlEzMyHihLB5lmd9+7tW6NS9gruPej8TOcvI8yxP25rP08hfQ==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_A39F7678A73A4DAD80A1545835C71632ciscocom_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BY5PR11MB4070.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: fcb3b77b-14f3-40b6-222a-08d8795b04f8
X-MS-Exchange-CrossTenant-originalarrivaltime: 26 Oct 2020 02:58:30.4131 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: hrc7jvFJJ2JNdmCm2hddU4R86MT3EwEdXBgk/ifNuK1ATxPJMYteiooAi13FzyOrYDF0PBbUJCpdfxxU//Yyzw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR11MB3463
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.12, xch-aln-002.cisco.com
X-Outbound-Node: rcdn-core-2.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/ZL0UBAmBrEhW-DNxtRNPlEHrbxY>
Subject: Re: [OPSEC] I-D Action: draft-ietf-opsec-ns-impact-00.txt
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Oct 2020 02:58:54 -0000

Hi Tom,
We’ve updated the draft to address the most recent comments received; version -02 was also targeted to address your comments.  Can you let us know if version -03 addresses them?

Thanks, Nancy

From: ncamwing <ncamwing@cisco.com>
Date: Tuesday, July 28, 2020 at 4:46 PM
To: "Eric Wang (ejwang)" <ejwang=40cisco.com@dmarc.ietf.org>rg>, tom petch <ietfa@btconnect.com>
Cc: "opsec@ietf.org" <opsec@ietf.org>
Subject: Re: [OPSEC] I-D Action: draft-ietf-opsec-ns-impact-00.txt

Hi Tom,
With respect to the channel binding, it is true that the bindings defined in RFC 5929 don’t quite map to TLS 1.3 well (especially tls-unique); the draft https://tools.ietf.org/id/draft-ietf-kitten-tls-channel-bindings-for-tls13-00.html creates a new TLS 1.3 compatible type which puts the considerations based on the older RFCs.  So, I would think the same considerations would apply and don’t see how that would have an impact on proxies other than what is noted in RFC 5929.

Best, Nancy


From: OPSEC <opsec-bounces@ietf.org> on behalf of "Eric Wang (ejwang)" <ejwang=40cisco.com@dmarc.ietf.org>
Date: Tuesday, July 28, 2020 at 1:46 PM
To: tom petch <ietfa@btconnect.com>
Cc: "opsec@ietf.org" <opsec@ietf.org>
Subject: Re: [OPSEC] I-D Action: draft-ietf-opsec-ns-impact-00.txt

Hi Tom,

Apologies again for missing your emails earlier.  We are making a new revision to address your comments.  Please see inline below...



On Jun 24, 2020, at 4:31 AM, tom petch <ietfa@btconnect.com<mailto:ietfa@btconnect.com>> wrote:

From: OPSEC <opsec-bounces@ietf.org<mailto:opsec-bounces@ietf.org>> on behalf of internet-drafts@ietf.org<mailto:internet-drafts@ietf.org> <internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>>
Sent: 24 June 2020 00:56

Nancy

Some general thoughts.

You assume that the server has an X.509 certificate.  Probably the right approach but I think that you need an Assumptions in s.1 ruling out PSK etc.

Good points.  Handling PSK will require some prerequisites, to be on path and proxy the previous sessions.  Will clarify it.





You assume that the client does not have a certificate; ditto.

Correct. Client authentication is possible but requires additional provisioning.  It does not change the list of operational practices.





The problem statement is that TLS1.3 cannot do what TLS1.2 can and that is not explained until s.4.  I think that some of that if not the whole section belongs earlier, section 1 or 2.

Agreed that’s a more natural flow.  Will move s.4 before discussing the list of practices.





I was going to ask if encrypted SNI belong in this I-D somewhere then saw it in the references.  I think that you need to say more than [ESNI]

ESNI/ECH impact would need more study.  You are right we should cover it for all the scenarios.  At high level, the effectiveness of passive inspection will be significantly reduced, and likely outbound proxy won’t be possible unless additional provisioning is in place.  Will capture it at this level and add more analysis as the spec finalizes and more is understood from the deployment.





Does channel binding belong in here somewhere?  I saw an I-D to provide channel binding for TLS 1.3 on the grounds that it no longer worked which is something I had not realised about TLS1.3.

Will leave it for Nancy to reply.





In passing, you have a mix of TLS 1.3 and TLS v1.3; I prefer the former but prefer consistency more!

Certainly!  Corrected.


Best,
-Eric






Tom petch


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Operational Security Capabilities for IP Network Infrastructure WG of the IETF.

       Title           : Impact of TLS 1.3 to Operational Network Security Practices
       Authors         : Nancy Cam-Winget
                         Eric Wang
                         Roman Danyliw
                         Roelof DuToit
       Filename        : draft-ietf-opsec-ns-impact-00.txt
       Pages           : 17
       Date            : 2020-06-23

Abstract:
  Network-based security solutions are used by enterprises, the public
  sector, internet-service providers, and cloud-service providers to
  both complement and enhance host-based security solutions.  As TLS is
  a widely deployed protocol to secure communication, these network-
  based security solutions must necessarily interact with it.  This
  document describes this interaction for current operational security
  practices and notes the impact of TLS 1.3 on them.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-opsec-ns-impact/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-opsec-ns-impact-00
https://datatracker.ietf.org/doc/html/draft-ietf-opsec-ns-impact-00


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


_______________________________________________
OPSEC mailing list
OPSEC@ietf.org
https://www.ietf.org/mailman/listinfo/opsec

_______________________________________________
OPSEC mailing list
OPSEC@ietf.org
https://www.ietf.org/mailman/listinfo/opsec