[OPSEC] Request comments & discussion for draft-wang-tls-proxy-best-practice

"Eric Wang (ejwang)" <ejwang@cisco.com> Thu, 05 March 2020 01:37 UTC

From: "Eric Wang (ejwang)" <ejwang@cisco.com>
To: "opsec@ietf.org" <opsec@ietf.org>
CC: "Andrew Ossipov (aossipov)" <aossipov@cisco.com>, Roelof DuToit <r@nerd.ninja>, "Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com>
Date: Thu, 5 Mar 2020 01:37:27 +0000
Message-ID: <D70D9FE4-1872-41E3-8D03-D8987F425698@cisco.com>
References: <158336398859.29242.5330683089303756006@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/dOIIhn4qBQOVKZDWNNhFtJA-t08>
List-Id: opsec wg mailing list <opsec.ietf.org>

Hello OPSEC participants,

We just submitted the following draft related to security best practices for implementing a "TLS proxy", a common function leveraged by network operators. We thought it was relevant to this working group and would appreciate your review and comments.

This document is also related to draft-camwinget-tls-ns-impact (https://datatracker.ietf.org/doc/draft-camwinget-tls-ns-impact/), which Nancy sent out earlier.

Best,

-Eric (on behalf of the authors)


Begin forwarded message:

From: <internet-drafts@ietf.org>
Subject: New Version Notification for draft-wang-tls-proxy-best-practice-01.txt
Date: March 4, 2020 at 3:19:48 PM PST
To: Andrew Ossipov <aossipov@cisco.com>, Eric Wang <ejwang@cisco.com>, Roelof DuToit <roelof.dutoit@broadcom.com>


A new version of I-D, draft-wang-tls-proxy-best-practice-01.txt
has been successfully submitted by Eric Wang and posted to the
IETF repository.

Name: draft-wang-tls-proxy-best-practice
Revision: 01
Title: TLS Proxy Best Practice
Document date: 2020-03-04
Group: Individual Submission
Pages: 16
URL:            https://www.ietf.org/internet-drafts/draft-wang-tls-proxy-best-practice-01.txt
Status:         https://datatracker.ietf.org/doc/draft-wang-tls-proxy-best-practice/
Htmlized:       https://tools.ietf.org/html/draft-wang-tls-proxy-best-practice-01
Htmlized:       https://datatracker.ietf.org/doc/html/draft-wang-tls-proxy-best-practice
Diff:           https://www.ietf.org/rfcdiff?url2=draft-wang-tls-proxy-best-practice-01

Abstract:
  TLS proxies are widely deployed by organizations to enable security
  features and apply enterprise policies.  This document defines a TLS
  proxy and discusses a wide range of security requirements to guide
  TLS proxy implementations.

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat