[OPSEC] Request comments & discussion for draft-wang-tls-proxy-best-practice

"Eric Wang (ejwang)" <ejwang@cisco.com> Thu, 05 March 2020 01:37 UTC

From: "Eric Wang (ejwang)" <ejwang@cisco.com>
To: "opsec@ietf.org" <opsec@ietf.org>
CC: "Andrew Ossipov (aossipov)" <aossipov@cisco.com>, Roelof DuToit <r@nerd.ninja>, "Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com>
Thread-Topic: Request comments & discussion for draft-wang-tls-proxy-best-practice
Date: Thu, 05 Mar 2020 01:37:27 +0000
Message-ID: <D70D9FE4-1872-41E3-8D03-D8987F425698@cisco.com>
References: <158336398859.29242.5330683089303756006@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/dOIIhn4qBQOVKZDWNNhFtJA-t08>

Hello OPSEC participants,

We just submitted the following draft related to security best practices for implementing "TLS proxy", a common function leveraged by network operators. We thought it was relevant to this working group and would appreciate your review and comments.

This document is also related to draft-camwinget-tls-ns-impact (https://datatracker.ietf.org/doc/draft-camwinget-tls-ns-impact/), which Nancy sent out earlier.

Best,

-Eric (on behalf of the authors)


Begin forwarded message:

From: internet-drafts@ietf.org
Subject: New Version Notification for draft-wang-tls-proxy-best-practice-01.txt
Date: March 4, 2020 at 3:19:48 PM PST
To: Andrew Ossipov <aossipov@cisco.com>, Eric Wang <ejwang@cisco.com>, Roelof DuToit <roelof.dutoit@broadcom.com>


A new version of I-D, draft-wang-tls-proxy-best-practice-01.txt
has been successfully submitted by Eric Wang and posted to the
IETF repository.

Name: draft-wang-tls-proxy-best-practice
Revision: 01
Title: TLS Proxy Best Practice
Document date: 2020-03-04
Group: Individual Submission
Pages: 16
URL:            https://www.ietf.org/internet-drafts/draft-wang-tls-proxy-best-practice-01.txt
Status:         https://datatracker.ietf.org/doc/draft-wang-tls-proxy-best-practice/
Htmlized:       https://tools.ietf.org/html/draft-wang-tls-proxy-best-practice-01
Htmlized:       https://datatracker.ietf.org/doc/html/draft-wang-tls-proxy-best-practice
Diff:           https://www.ietf.org/rfcdiff?url2=draft-wang-tls-proxy-best-practice-01

Abstract:
  TLS proxies are widely deployed by organizations to enable security
  features and apply enterprise policies.  This document defines a TLS
  proxy and discusses a wide range of security requirements to guide
  TLS proxy implementations.




Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat