Re: [OPSEC] Review of draft-camwinget-opsec-ns-impact

"Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com> Thu, 18 June 2020 22:04 UTC

Hi Kathleen,
Many thanks for the thorough review!  More comments below:

From: OPSEC <opsec-bounces@ietf.org> on behalf of Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Thursday, June 11, 2020 at 3:29 PM
To: "opsec@ietf.org" <opsec@ietf.org>
Subject: [OPSEC] Review of draft-camwinget-opsec-ns-impact

Thank you for your work on this draft; it has come a long way since it was first written!  I support its adoption and provided a review.  I am also happy to review again before final publication if helpful.

Introduction

I think it's worth adding a bullet that specifies a system that's not able to itself detect and prevent threats as is needed when you embrace a fully E2E encrypted solution.  It will take a bit of time before those models are practical everywhere.
There's a definite need to document this current situation as the network is one of the active methods used to detect and prevent threats today.  As such, I support this document being adopted and have a few comments for consideration.
[NCW] How about this as a bullet: “a single system may itself not be able to detect and mitigate threats”

For the quote on RFC8404, I'd characterize that document as a catalog of what's impacted when encryption is deployed E2E to help develop new methods, where appropriate, to evolve with an E2E model.

   [RFC8404] documented such a need with the effect of
   pervasive encryption on operations.

Even though it's said, I think it would help to make a tiny change:
  [RFC8404] documented a need to evolve with the effect of
   pervasive encryption on operations.
[NCW] That is fair and I can make the change.


Section 3

You may want to change the following sentence to fit in line with an OpSec practice documentation draft:
From: "Each deployment scenario describes relevant operational practices."
To: "Each deployment scenario describes current operational practices."
[NCW] Will do


The categorizations look good, I think this is new from my last review.

Section 3.1.1

I like how you've categorized the impact, but I think the display of it may make all the difference.  This is in the current document:

TLS 1.3 impact: reduced effectiveness.  Per Section 4.2, domain
   categorization and application identification will be limited to IP
   address and SNI information (beyond additional correlation possible
   with other means such as DNS).

How about:

Impact Category: Reduced Effectiveness.  Per ...
[NCW] Will do

3.1.2 uses a different format, so making these consistent would be good.  It says TLS 1.3 considerations.  I think leaving TLS out and just saying impact category makes the same point and may not be objectionable.
Also for this section, the last line says the Certificate is not available.  I think it's that the ALPN response is encrypted that matters here as that tells you what cipher suites were negotiated.
[NCW] Thanks for catching it; we actually are using “TLS 1.3 considerations”, we happened to miss the one in section 3.1.1.


Section 3.1.4
Do you want to add that the ALPN response is encrypted here as well?
[NCW] We can, I’ll confer with co-authors on how best to incorporate.


Section 3.2.2
It should note that DLP can also be addressed on endpoints, whether or not you add a comment on scaling.
[NCW] OK

Section 3.2.3
You may not want to add alternate approaches, but I would think one designing this today would opt for use of a routing overlay protocol, no?
[NCW] I don’t think we are listing alternate approaches?  Overlay could be an alternate, but our point is not to suggest other approaches other than to state how the TLS proxies get used today and their impact.


SFC, NSH, GENEVE

Section 3.3.3
Just a note that I am not sure you'd want in the document, but web application firewalls are falling out of favor as a defense.
[NCW] OK; I think we included it based on previous feedback (to include as a consideration too)


Section 4 heading
Consider changing from:
Changes in TLS v1.3 Relevant to Security Operations
To: Changes from TLSv1.2 to TLS v1.3 Relevant to Security Operations
[NCW] But the context is to summarize the 1.3; while some of the uses can apply to 1.2 the impact is really more due to the way 1.3 applies them.


Section 4.1 Please note that RFC 7525 has recommended against use of RSA static keys and has recommended use of AEAD cipher suites.
[NCW] OK


Section 5 Security Considerations
Consider changing the initial sentence from:
"This entire document discusses security considerations in existing
   operational security practices interacting with TLS."
To:
"This document discusses the impact to common security monitoring and detection functionality with a move from TLSv1.2 to TLSv1.3 considering existing
   operational security practices interacting with TLS."
Or something that reads better with the same point :-)
[NCW] OK

--

Best regards,
Kathleen
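The sections 3.1.1 and 3.1.2 comments above turn on what a passive network monitor can still read from a TLS 1.3 handshake. The added example below (not part of the thread or the draft) parses the cleartext ClientHello for the SNI host name, the ALPN protocols offered and whether TLS 1.3 was offered; the sample record is constructed inline, and the ServerHello-side ALPN selection and Certificate are assumed unavailable because TLS 1.3 carries them in the encrypted part of the handshake.

```python
import struct

def _build_client_hello(server_name, alpn):
    """Construct a minimal TLS 1.3-style ClientHello record (sample input, not a capture)."""
    name = server_name.encode()
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name          # host_name entry
    sni_ext = struct.pack("!HH", 0, len(sni_list) + 2) + struct.pack("!H", len(sni_list)) + sni_list
    protos = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
    alpn_ext = struct.pack("!HH", 16, len(protos) + 2) + struct.pack("!H", len(protos)) + protos
    versions = b"\x02\x03\x04"                                         # supported_versions: TLS 1.3
    sv_ext = struct.pack("!HH", 43, len(versions)) + versions
    exts = sni_ext + alpn_ext + sv_ext
    body = (b"\x03\x03" + bytes(32) + b"\x00"        # legacy version, random, empty session id
            + b"\x00\x02\x13\x01"                    # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                            # compression methods: null only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs          # record type 22 = handshake

# Constructed sample: a client offering h2/http1.1 to example.com with TLS 1.3
SAMPLE_CLIENT_HELLO = _build_client_hello("example.com", ["h2", "http/1.1"])

def client_hello_metadata(record):
    """Return the fields a passive observer can read from a cleartext ClientHello.
    The server's chosen ALPN value and its Certificate are not parsed: in TLS 1.3
    they travel in EncryptedExtensions / the encrypted handshake, so a monitor
    that only sees packets cannot recover them (assumption stated in the lead-in)."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 9 + 2 + 32                                   # record hdr, hs hdr, version, random
    pos += 1 + record[pos]                             # legacy session id
    cs_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2 + cs_len                                  # cipher suites
    pos += 1 + record[pos]                             # compression methods
    ext_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    out = {"sni": None, "alpn": [], "tls13_offered": False}
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        data = record[pos:pos + elen]
        pos += elen
        if etype == 0:                                 # server_name: list len, type, name len, name
            out["sni"] = data[5:5 + struct.unpack("!H", data[3:5])[0]].decode()
        elif etype == 16:                              # ALPN: list len, then (len, proto)*
            i = 2
            while i < len(data):
                out["alpn"].append(data[i + 1:i + 1 + data[i]].decode())
                i += 1 + data[i]
        elif etype == 43:                              # supported_versions: len, then 2-byte versions
            vs = data[1:1 + data[0]]
            out["tls13_offered"] = any(vs[j:j + 2] == b"\x03\x04" for j in range(0, len(vs), 2))
    return out
```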