Re: [OPSEC] I-D Action: draft-ietf-opsec-ns-impact-00.txt

tom petch <ietfa@btconnect.com> Wed, 24 June 2020 11:31 UTC

Return-Path: <ietfa@btconnect.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 295323A0D6C for <opsec@ietfa.amsl.com>; Wed, 24 Jun 2020 04:31:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=btconnect.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SK-SNefx8sHM for <opsec@ietfa.amsl.com>; Wed, 24 Jun 2020 04:31:37 -0700 (PDT)
Received: from EUR05-VI1-obe.outbound.protection.outlook.com (mail-vi1eur05on2110.outbound.protection.outlook.com [40.107.21.110]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 507923A0D6B for <opsec@ietf.org>; Wed, 24 Jun 2020 04:31:36 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ZucClNtANVARw9iWre3bwEo7I8uLBPc/kmRmxbk0wDRAyHACeo/+KxZq9phd6jRnGkvQks3daxVYgMGHOAs42e6zsopy7OmRSAfSM0eub5kUuXSrnDetAUMHdCZ3ILRF4+5kbIn2yVQ98MvNrsY5LsbiE74L4Eyf6KMCcJnI3L0Sljr8y+GdYkaNXkWT2/mryYwi8m25wgJ6it3hv31k27DvXAbq3QwT+zSpz5vZ/MpeQyaJ+R5cQSzXTpNYQc8gskVN3OqaVKCun5HW1LTMV56EU6aeMsXDMQqcD+U7s2nSHpaNeIfzWrQ8K7CspnpF2UGDiTg9hfUHxwKYJ09bSQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Cd/LACbRVxttacAlF77/A/ratgb/fXoEZzoJMeoK4gs=; b=I0M/O3jmunKn8c4H7SgJIWyp9T6h9Cr4OE8ZejiLIbEspZJwfyhgGQDtvu+ZtMSOsAlASHUHkFj/7uyknlHlLwD6usyXUD692inY5tkvw5xrdACNfGkb9WOqnNr7dzQxW9wejR6iMxxBHqoGp15s6iv4LMc9w2C0I1Tk+U57ynnmI6vJ71TNmlORrp8c3j5RpkalggJCJNzAVbsn+dXed5H2dY9L+P+MSD2c7N9IcITeIzfy94J29UNDI3+QVr4d4uEWCbvznfLoMClmH8hiVTb59J33fWy3Az9zjvqHqw1xzwDxHNxLjdPl7c/1VFJ3wKd1nmxxc1H0DkMZ61dtkQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=btconnect.com; dmarc=pass action=none header.from=btconnect.com; dkim=pass header.d=btconnect.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btconnect.onmicrosoft.com; s=selector2-btconnect-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Cd/LACbRVxttacAlF77/A/ratgb/fXoEZzoJMeoK4gs=; b=a6vG6A0d01SUID45DOC/ZTx/8IqRvYZe6aNKyw9xa1/OrzA8RL/C++n5eE07/3vG+xmRRgWNcc0xEfMoaxE7sCyI9a4qyQiLipS4LKn2Ga4++T7x6/ejKFSVVWP5B0R1MYKaeB84DcLwIkKxkrYMjXAb09V3wDF5amf9t68b6K0=
Received: from DB7PR07MB5340.eurprd07.prod.outlook.com (2603:10a6:10:69::25) by DBAPR07MB6758.eurprd07.prod.outlook.com (2603:10a6:10:197::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3131.11; Wed, 24 Jun 2020 11:31:34 +0000
Received: from DB7PR07MB5340.eurprd07.prod.outlook.com ([fe80::f911:a06:2f4e:a103]) by DB7PR07MB5340.eurprd07.prod.outlook.com ([fe80::f911:a06:2f4e:a103%4]) with mapi id 15.20.3131.016; Wed, 24 Jun 2020 11:31:34 +0000
From: tom petch <ietfa@btconnect.com>
To: "opsec@ietf.org" <opsec@ietf.org>
Thread-Topic: [OPSEC] I-D Action: draft-ietf-opsec-ns-impact-00.txt
Thread-Index: AQHWSboASIofXdoi40OM+UnjA2fhjajnn3Mz
Date: Wed, 24 Jun 2020 11:31:34 +0000
Message-ID: <DB7PR07MB5340F6E82CDF3B9F71905BDAA2950@DB7PR07MB5340.eurprd07.prod.outlook.com>
References: <159295656881.2080.14897469715486353486@ietfa.amsl.com>
In-Reply-To: <159295656881.2080.14897469715486353486@ietfa.amsl.com>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=btconnect.com;
x-originating-ip: [86.128.101.145]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 0fd37fbd-5219-4245-08b4-08d818322689
x-ms-traffictypediagnostic: DBAPR07MB6758:
x-microsoft-antispam-prvs: <DBAPR07MB675881C42FB7754112B43F8AA2950@DBAPR07MB6758.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:2733;
x-forefront-prvs: 0444EB1997
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 4JKvLFCy/ElNgpOTJTVTMEycChREOk119Od0BCXtPqRhvFuTtamyrGaswyqoRRQ4cynQXlx1SXmQSSIRk7xsIpi7Ur/Z/bO8r8RqCLE50BVBBxY0/rifs1uMmII+7IsdllYZYnb5pViYGEN172w86H7HITG7cRlyUH3YLciuBcc1u4hDXvrTemkMOQUzPdY5xOLlXuL02slSKKgX1AxQnk6oLs20I8tLQxMLR5PnvxZU74HshPxVQ63ElvzEFF6Rl/Sv9wLYSol8mgNr3nr8x1vQkkT4CgrXUzRSRyKv25zoaXyYe0bssuVOpdtnY5SI7rfBFCNlrLVUFhhJb7BNTt8c48UHSB4mUrW7jrjcH/Bw3ltdS7YhWiH4QS9CBtscle53qLNgdy9vfVVDd3NZJw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DB7PR07MB5340.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(366004)(346002)(39860400002)(396003)(376002)(136003)(26005)(6506007)(9686003)(66946007)(66476007)(66556008)(66446008)(86362001)(64756008)(83380400001)(76116006)(91956017)(186003)(33656002)(55016002)(7696005)(71200400001)(8676002)(2906002)(66574015)(316002)(6916009)(5660300002)(52536014)(966005)(8936002)(478600001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: nMjqoeJK4gL4QxrtVM2O4cPQ7tdMc/I6e4DHK2cpaAD8AIf9mpGetZPXwl4QCAHKD0lOH0HwdLEI8H6buxM6fjaRGKdOCyjg6ud7duCWj0Bbu1d6TxWOvhfpRt8thqzetnhQ/PuG4oZPQWV9GLAYD0Z5t0kPRpgFM5BtSN8iEcLiS+NrrExOoV1xrPTOlbf68mvAtcMJ8UzcnRCz5VwjxhNBTYxOi7kuEcwFTX1UQpBZ7Awuhk2vVVUtpmv3evwDDQgyppcjduxEoJ2BItSoXtuVbrB0XsJuiQoMPOPH74Bh/EexUbcXELFoM9MxKwkBh6eaVgpiNTrvDfVqc24rAF7+SPK93QDGH+PhbJQ91nduLco9Q+wGm5rzLX7d7d2WfIXq31Ysdz/lp4wlUY/7YVGgXj0rAtXY2jYqb9rCscW0IFMs0Am3xSNlaU2rdvraSNrNgh7Fa1kYfD5btx3w+TVZgTnzhDEIdwD6JxbZVogfcSjlMuBdirRxdCH4QNuk
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: btconnect.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DB7PR07MB5340.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 0fd37fbd-5219-4245-08b4-08d818322689
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Jun 2020 11:31:34.5862 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: cf8853ed-96e5-465b-9185-806bfe185e30
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: HXdiyrC5RdLBeKCB2qTcd0fmejkd7F8Zn6II4L81vvvoOjj6g/peCbmBOfLoLa3rnCINp6g3T61Io3mXY1HI/Q==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DBAPR07MB6758
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/mQXc8tF1jPHALcZ37TfglwFqMTI>
Subject: Re: [OPSEC] I-D Action: draft-ietf-opsec-ns-impact-00.txt
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Jun 2020 11:31:39 -0000

From: OPSEC <opsec-bounces@ietf.org> on behalf of internet-drafts@ietf.org <internet-drafts@ietf.org>
Sent: 24 June 2020 00:56

Nancy

Some general thoughts.

You assume that the server has an X.509 certificate.  Probably the right approach but I think that you need an Assumptions in s.1 ruling out PSK etc.

You assume that the client does not have a certificate; ditto.

The problem statement is that TLS1.3 cannot do what TLS1.2 can and that is not explained until s.4.  I think that some of that if not the whole section belongs earlier, section 1 or 2.

I was going to ask if encrypted SNI belong in this I-D somewhere then saw it in the references.  I think that you need to say more than [ESNI]

Does channel binding belong in here somewhere?  I saw an I-D to provide channel binding for TLS 1.3 on the grounds that it no longer worked which is something I had not realised about TLS1.3.

In passing, you have a mix of TLS 1.3 and TLS v1.3; I prefer the former but prefer consistency more!

Tom petch


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Operational Security Capabilities for IP Network Infrastructure WG of the IETF.

        Title           : Impact of TLS 1.3 to Operational Network Security Practices
        Authors         : Nancy Cam-Winget
                          Eric Wang
                          Roman Danyliw
                          Roelof DuToit
        Filename        : draft-ietf-opsec-ns-impact-00.txt
        Pages           : 17
        Date            : 2020-06-23

Abstract:
   Network-based security solutions are used by enterprises, the public
   sector, internet-service providers, and cloud-service providers to
   both complement and enhance host-based security solutions.  As TLS is
   a widely deployed protocol to secure communication, these network-
   based security solutions must necessarily interact with it.  This
   document describes this interaction for current operational security
   practices and notes the impact of TLS 1.3 on them.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-opsec-ns-impact/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-opsec-ns-impact-00
https://datatracker.ietf.org/doc/html/draft-ietf-opsec-ns-impact-00


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


_______________________________________________
OPSEC mailing list
OPSEC@ietf.org
https://www.ietf.org/mailman/listinfo/opsec