Re: [OPSEC] I-D Action: draft-ietf-opsec-ns-impact-00.txt
tom petch <ietfa@btconnect.com> Wed, 24 June 2020 11:31 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/mQXc8tF1jPHALcZ37TfglwFqMTI>
From: OPSEC <opsec-bounces@ietf.org> on behalf of internet-drafts@ietf.org <internet-drafts@ietf.org>
Sent: 24 June 2020 00:56

Nancy

Some general thoughts.

You assume that the server has an X.509 certificate. Probably the right approach, but I think that you need an Assumptions in s.1 ruling out PSK etc.

You assume that the client does not have a certificate; ditto.

The problem statement is that TLS1.3 cannot do what TLS1.2 can, and that is not explained until s.4. I think that some of that, if not the whole section, belongs earlier, in section 1 or 2.

I was going to ask if encrypted SNI belongs in this I-D somewhere, then saw it in the references. I think that you need to say more than [ESNI].

Does channel binding belong in here somewhere? I saw an I-D to provide channel binding for TLS 1.3 on the grounds that it no longer worked, which is something I had not realised about TLS1.3.

In passing, you have a mix of TLS 1.3 and TLS v1.3; I prefer the former but prefer consistency more!

Tom petch

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Operational Security Capabilities for IP Network Infrastructure WG of the IETF.

        Title           : Impact of TLS 1.3 to Operational Network Security Practices
        Authors         : Nancy Cam-Winget
                          Eric Wang
                          Roman Danyliw
                          Roelof DuToit
        Filename        : draft-ietf-opsec-ns-impact-00.txt
        Pages           : 17
        Date            : 2020-06-23

Abstract:
   Network-based security solutions are used by enterprises, the public
   sector, internet-service providers, and cloud-service providers to
   both complement and enhance host-based security solutions.  As TLS is
   a widely deployed protocol to secure communication, these network-
   based security solutions must necessarily interact with it.  This
   document describes this interaction for current operational security
   practices and notes the impact of TLS 1.3 on them.

The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-opsec-ns-impact/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-opsec-ns-impact-00
https://datatracker.ietf.org/doc/html/draft-ietf-opsec-ns-impact-00

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

_______________________________________________
OPSEC mailing list
OPSEC@ietf.org
https://www.ietf.org/mailman/listinfo/opsec
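The draft under discussion is about what a network-based security device can still observe once TLS 1.3 is in use, and the reply above raises encrypted SNI as the next thing to go. The following is an added illustration, not code from the draft, the list, or its authors: a parser for the cleartext part of a TLS ClientHello that pulls out the fields a passive monitor can still read in TLS 1.3 (legacy_version, cipher suites, the server_name extension and supported_versions). In TLS 1.3 the server's Certificate message is encrypted, so the ClientHello SNI is the main remaining hostname signal; with ESNI/ECH even that disappears, which the parser reports as a missing SNI. The two ClientHellos fed to it are constructed here for the example, not captured traffic.

```python
"""Parse the cleartext part of a TLS ClientHello.

Added example (not from the draft or the mailing list): shows which fields a
passive network monitor can still read from a TLS 1.3 ClientHello.  The
sample ClientHellos are constructed by build_client_hello(), not captured.
"""
import struct

EXT_SERVER_NAME = 0x0000        # RFC 6066 server_name
EXT_SUPPORTED_VERSIONS = 0x002B  # RFC 8446 supported_versions
TLS12 = 0x0303
TLS13 = 0x0304


def _take(buf, pos, n):
    """Return (buf[pos:pos+n], new_pos), or raise if the record is truncated."""
    if pos + n > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[pos:pos + n], pos + n


def parse_client_hello(record):
    """Parse a TLS record carrying a ClientHello; return its observable fields."""
    hdr, pos = _take(record, 0, 5)
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", hdr)
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    body, _ = _take(record, pos, rec_len)
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    ch, _ = _take(body, 4, hs_len)

    legacy_version = int.from_bytes(ch[0:2], "big")
    pos = 2 + 32                                # skip the 32-byte client random
    sid_len = ch[pos]
    pos += 1 + sid_len                          # skip legacy_session_id
    cs_len = int.from_bytes(ch[pos:pos + 2], "big")
    pos += 2
    cs, pos = _take(ch, pos, cs_len)
    cipher_suites = [int.from_bytes(cs[i:i + 2], "big") for i in range(0, cs_len, 2)]
    comp_len = ch[pos]
    pos += 1 + comp_len                         # skip legacy_compression_methods

    result = {"legacy_version": legacy_version, "cipher_suites": cipher_suites,
              "sni": None, "supported_versions": [], "offers_tls13": False}
    if pos == len(ch):                          # no extensions block at all
        return result
    ext_total = int.from_bytes(ch[pos:pos + 2], "big")
    exts, _ = _take(ch, pos + 2, ext_total)

    p = 0
    while p < len(exts):
        ehdr, p = _take(exts, p, 4)
        etype, elen = struct.unpack("!HH", ehdr)
        edata, p = _take(exts, p, elen)
        if etype == EXT_SERVER_NAME:
            # ServerNameList: u16 list length, then (u8 name_type, u16 len, name)
            q = 2
            while q < len(edata):
                ntype = edata[q]
                nlen = int.from_bytes(edata[q + 1:q + 3], "big")
                name, q = _take(edata, q + 3, nlen)
                if ntype == 0:                  # host_name
                    result["sni"] = name.decode("ascii")
        elif etype == EXT_SUPPORTED_VERSIONS:
            n = edata[0]                        # u8 length of the version list
            result["supported_versions"] = [
                int.from_bytes(edata[1 + i:3 + i], "big") for i in range(0, n, 2)]
    result["offers_tls13"] = TLS13 in result["supported_versions"]
    return result


def build_client_hello(sni=None, versions=(TLS13, TLS12), cipher_suites=(0x1301, 0x1302)):
    """Construct a minimal ClientHello record (constructed test data, not a real client)."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sn_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sn_list)) + sn_list
    vers = b"".join(struct.pack("!H", v) for v in versions)
    sv = bytes([len(vers)]) + vers
    exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv)) + sv
    cs = b"".join(struct.pack("!H", c) for c in cipher_suites)
    ch = (struct.pack("!H", TLS12) + bytes(32)  # legacy_version 1.2, fixed random
          + b"\x00"                             # empty legacy_session_id
          + struct.pack("!H", len(cs)) + cs
          + b"\x01\x00"                         # compression: null only
          + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(ch).to_bytes(3, "big") + ch
    return struct.pack("!BHH", 0x16, 0x0301, len(hs)) + hs


if __name__ == "__main__":
    print(parse_client_hello(build_client_hello("example.com")))
    print(parse_client_hello(build_client_hello(None)))   # no SNI: what ESNI/ECH looks like to a monitor
```

Note that `legacy_version` reads 0x0303 for a TLS 1.3 client; a monitor that classifies protocol version from the record or legacy field alone will misreport TLS 1.3 connections, and must look at `supported_versions` instead.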
- [OPSEC] I-D Action: draft-ietf-opsec-ns-impact-00… internet-drafts
- Re: [OPSEC] I-D Action: draft-ietf-opsec-ns-impac… tom petch
- Re: [OPSEC] I-D Action: draft-ietf-opsec-ns-impac… Eric Wang (ejwang)
- Re: [OPSEC] I-D Action: draft-ietf-opsec-ns-impac… Nancy Cam-Winget (ncamwing)
- Re: [OPSEC] I-D Action: draft-ietf-opsec-ns-impac… Nancy Cam-Winget (ncamwing)