Re: [OPSEC] Fwd: New Version Notification for draft-wang-opsec-tls-proxy-bp-00.txt

"Tobias Mayer (tmayer)" <tmayer@cisco.com> Thu, 11 June 2020 09:45 UTC

From: "Tobias Mayer (tmayer)" <tmayer@cisco.com>
To: "Eric Wang (ejwang)" <ejwang=40cisco.com@dmarc.ietf.org>, "opsec@ietf.org" <opsec@ietf.org>
CC: Roelof Du Toit <roelof.dutoit@broadcom.com>, "Andrew Ossipov (aossipov)" <aossipov@cisco.com>
Date: Thu, 11 Jun 2020 09:45:42 +0000
Message-ID: <6774F53A-B1E6-49DC-A414-15955FE074CC@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/cfg-Hl1JcVMvEhwqjQYVI1Xv1CY>

Hi Eric,

Some minor comments on the draft:

4.2 Are we making a difference in a TLS Session client hello really initiated as a new client hello by the proxy on the server side or if, like some proxies might do, the client hello from the client side is modified and forwarded? According to the text it looks like we are assuming that the proxy MUST always initiate its own session?

4.4 See comment on 4.2

4.8 typo: "updateble" -> "updatable"

5.3 2nd paragraph. Maybe add a note that this out-of-band handshake is also giving back visibility into the certificate with TLS 1.3? Would be good to point this out.

Toby


From: OPSEC <opsec-bounces@ietf.org> on behalf of "Eric Wang (ejwang)" <ejwang=40cisco.com@dmarc.ietf.org>
Date: Friday, 5. June 2020 at 03:30
To: "opsec@ietf.org" <opsec@ietf.org>
Cc: Roelof Du Toit <roelof.dutoit@broadcom.com>, Andrew Ossipov <aossipov@cisco.com>
Subject: [OPSEC] Fwd: New Version Notification for draft-wang-opsec-tls-proxy-bp-00.txt

Dear OPSEC participants,

We published a new revision of the TLS-proxy best practice draft for the WG review. The title was updated with “opsec” based on Ron’s suggestion. It replaces the previous file and contains the same updates to address early comments from Eric R., Tobias Mayer and others.

We would like to thank those reviewers and appreciate more comments and feedback on the draft!

Best,

-Eric (on behalf of the authors)

Begin forwarded message:

From: <internet-drafts@ietf.org>
Subject: New Version Notification for draft-wang-opsec-tls-proxy-bp-00.txt
Date: June 4, 2020 at 2:59:38 PM PDT
To: Eric Wang <ejwang@cisco.com>, Roelof DuToit <roelof.dutoit@broadcom.com>, Andrew Ossipov <aossipov@cisco.com>

A new version of I-D, draft-wang-opsec-tls-proxy-bp-00.txt
has been successfully submitted by Eric Wang and posted to the
IETF repository.

Name: draft-wang-opsec-tls-proxy-bp
Revision: 00
Title: TLS Proxy Best Practice
Document date: 2020-06-03
Group: Individual Submission
Pages: 16
URL:            https://www.ietf.org/internet-drafts/draft-wang-opsec-tls-proxy-bp-00.txt
Status:         https://datatracker.ietf.org/doc/draft-wang-opsec-tls-proxy-bp/
Htmlized:       https://tools.ietf.org/html/draft-wang-opsec-tls-proxy-bp-00
Htmlized:       https://datatracker.ietf.org/doc/html/draft-wang-opsec-tls-proxy-bp

Abstract:
  TLS proxies are widely deployed by organizations to enable security
  features and apply enterprise policies.  This document defines a TLS
  proxy and discusses a wide range of security requirements to guide
  TLS proxy implementations.

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat
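The distinction Toby raises under 4.2 above, a proxy that originates its own ClientHello towards the origin server versus one that modifies and forwards the ClientHello it received from the client, can be audited on the wire by comparing the two hellos. The Python below is an added example written for this page; it is not code from the draft, its authors, or the thread participants. It builds constructed ClientHello records (not captured traffic), parses the fields an audit would log (version, random, session id, cipher suites, SNI), and applies a heuristic that is an assumption for illustration: a different client random means the proxy originated its own session, the same random with unchanged suites and SNI means a straight forward, and the same random with changed fields means modify-and-forward. The wire layout follows the standard ClientHello structure; the function names are the example's own.

```python
import struct

# Constants from the TLS record/handshake layer (RFC 5246 / RFC 8446).
TLS_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(random32, cipher_suites, sni, session_id=b""):
    """Build a minimal ClientHello record. Constructed test data, not a real capture."""
    if len(random32) != 32:
        raise ValueError("client random must be 32 bytes")
    host = sni.encode("ascii")
    # server_name extension: ServerNameList with one host_name (name_type 0) entry
    entry = b"\x00" + struct.pack("!H", len(host)) + host
    name_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
    extensions = struct.pack("!H", len(ext)) + ext
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        b"\x03\x03"                      # legacy_version: TLS 1.2
        + random32
        + bytes([len(session_id)]) + session_id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                    # one compression method: null
        + extensions
    )
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Extract the fields a proxy audit would log from a ClientHello record."""
    if record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    handshake = record[5:5 + rec_len]
    if handshake[0] != HS_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    pos = 0
    version = body[pos:pos + 2]; pos += 2
    random32 = body[pos:pos + 32]; pos += 32
    sid_len = body[pos]; pos += 1
    session_id = body[pos:pos + sid_len]; pos += sid_len
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0]
              for i in range(0, suites_len, 2)]
    pos += suites_len
    comp_len = body[pos]; pos += 1 + comp_len
    sni = None
    if pos + 2 <= len(body):                       # extensions block is optional
        exts_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + exts_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            if etype == EXT_SERVER_NAME:
                # ServerNameList: list_len(2) name_type(1) host_len(2) host
                host_len = struct.unpack("!H", edata[3:5])[0]
                sni = edata[5:5 + host_len].decode("ascii")
    return {"version": version, "random": random32, "session_id": session_id,
            "cipher_suites": suites, "sni": sni}


def classify_proxy_hello(client_side, server_side):
    """Heuristic (an assumption for this example, not from the draft): compare the
    ClientHello the proxy received from the client with the one it sent upstream.
    A fresh client random means the proxy originated its own session; the same
    random with a changed suite list or SNI means modify-and-forward."""
    c = parse_client_hello(client_side)
    s = parse_client_hello(server_side)
    if c["random"] != s["random"]:
        return "originated"
    if c["cipher_suites"] == s["cipher_suites"] and c["sni"] == s["sni"]:
        return "forwarded"
    return "modified-forwarded"


# Constructed sample hellos (not captured traffic).
CLIENT_RANDOM = bytes(range(32))
PROXY_RANDOM = bytes(range(32, 64))
SUITES = [0x1301, 0x1302, 0xC02F]
CLIENT_HELLO = build_client_hello(CLIENT_RANDOM, SUITES, "example.com")
PROXY_OWN_HELLO = build_client_hello(PROXY_RANDOM, SUITES, "example.com")
PROXY_MODIFIED_HELLO = build_client_hello(CLIENT_RANDOM, [0x1301], "example.com")

if __name__ == "__main__":
    print("sni:", parse_client_hello(CLIENT_HELLO)["sni"])
    for name, upstream in [("own", PROXY_OWN_HELLO), ("forward", CLIENT_HELLO),
                           ("modified", PROXY_MODIFIED_HELLO)]:
        print(name, "->", classify_proxy_hello(CLIENT_HELLO, upstream))
```

Run with both sides of a proxy captured (the client-facing and the server-facing ClientHello of the same flow) to check which of the two behaviours a deployed proxy actually exhibits; the draft's wording, as Toby reads it, assumes only the "originated" case.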