Re: [OPSEC] New OPSEC individual draft on probe attribution

Fernando Gont <fernando.gont@edgeuno.com> Fri, 18 February 2022 13:55 UTC

To: "Eric Vyncke (evyncke)" <evyncke=40cisco.com@dmarc.ietf.org>, "opsec@ietf.org" <opsec@ietf.org>
Cc: Benoît <Benoit.Donnet@uliege.be>, Justin Iurman <justin.iurman@uliege.be>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/nfRXwsC1M4WE4bYYQ4mxwT54XsQ>

Hi, Eric, and all,

Thanks for the heads up on this document!

FWIW, I agree with the "principle", but not with the proposed solution.

Meta: the easiest way to provide information about the probe is to:

1) simply run a web server on the probing machine, with a web page that
   describes the experiment, and/or,

2) have a reverse mapping in the DNS that hints about what's going on,
   and possibly leads to a web page as #1 above.

Regarding the proposed "in-band probe attribution", this is generally
not possible, since it may interfere with the probing experiment itself.
e.g.:


> 3.  In-band Probe Attribution
>
>    When the desired measurement allows for it, one "probe description
>    URI" should be included in the payload of all probes sent.  This
>    could be:
>
>    *  for a [RFC4443] ICMPv6 echo request: in the optional data (see
>       section 4.1 of [RFC4443]);
>
>    *  for a [RFC792] ICMPv4 echo request: in the optional data;

These two *may* be possible. But:
1) You'd normally not use ping for probing, since it may be filtered
    and/or rate-limited.

2) Sensors at the target network might be configured to not capture the
    payload




>    *  for a [RFC768] UDP datagram: in the data part;

This one is not possible: When scanning UDP services, the probe packet
needs to be a valid request for the target service -- otherwise it would
not elicit a response.



>    *  for a [RFC793] TCP packet with the SYN flag: data is allowed in
>       TCP packets with the SYN flag per section 3.4 of [RFC793] (2nd
>       paragraph);

This is theoretically possible -- maybe feasible now. But for quite some
time this wouldn't work (implementation bugs that wouldn't allow data in
the SYN, even when protocol-wise legitimate), and because firewalls
would block these.


>
>    *  for a [RFC8200] IPv6 packet with either hop-by-hop or destination
>       options headers, in the PadN option.  Note that, per the
>       informational [RFC4942] section 2.1.9.5, it is suggested that PadN
>       option should only contain 0x0 and be smaller than 8 octets, so
>       the proposed insertion of the URI in PadN option could have
>       influence on the measurement itself;

You'd probably never use IPv6 EHs for probing, since the reliability of
the experiment will be degraded significantly -- unless you're actually
trying to measure *that* (as in RFC7872 ;-) ).

Thanks!

Regards,
--
Fernando Gont
Director of Information Security
EdgeUno
PGP Fingerprint: DFBD 63E3 B248 AE79 C598 AF23 EBAE DA03 0644 1531
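
An added example, not part of the original message or of the draft under discussion: a receiver-side check that walks the options of an IPv6 Hop-by-Hop or Destination Options header and reports each PadN option against the two RFC 4942 conditions quoted above (only zero octets, smaller than 8 octets). The function names, the sample headers and the URI are constructed for illustration, and counting the option's type and length octets toward the 8-octet limit is an assumption of this example.

```python
import re

PAD1, PADN = 0x00, 0x01   # option types from RFC 8200, section 4.2

def parse_options(ext_hdr: bytes):
    """Yield (type, data) for each option in a Hop-by-Hop or Destination
    Options header; ext_hdr starts at the Next Header octet."""
    if len(ext_hdr) < 2:
        raise ValueError("truncated extension header")
    total = (ext_hdr[1] + 1) * 8      # Hdr Ext Len excludes the first 8 octets
    if len(ext_hdr) < total:
        raise ValueError("truncated extension header")
    i = 2
    while i < total:
        if ext_hdr[i] == PAD1:        # Pad1 is one octet with no length field
            yield PAD1, b""
            i += 1
            continue
        if i + 2 > total or i + 2 + ext_hdr[i + 1] > total:
            raise ValueError("option runs past the end of the header")
        end = i + 2 + ext_hdr[i + 1]
        yield ext_hdr[i], ext_hdr[i + 2:end]
        i = end

def audit_padn(ext_hdr: bytes):
    """Report every PadN option with the two checks quoted from RFC 4942."""
    report = []
    for opt_type, data in parse_options(ext_hdr):
        if opt_type != PADN:
            continue
        uri = re.search(rb"https?://[\x21-\x7e]+", data)
        report.append({
            # Assumption: "smaller than 8 octets" counts the whole option,
            # i.e. the type and length octets plus the padding data.
            "oversize": len(data) + 2 >= 8,
            "nonzero": any(data),
            "uri": uri.group().decode("ascii") if uri else None,
        })
    return report

# Constructed sample: Destination Options header (Next Header 59 = none)
# whose first PadN carries a made-up probe description URI.
URI = b"https://example.net/probe"
SAMPLE = bytes([59, 3, PADN, len(URI)]) + URI + bytes([PADN, 1, 0])
# Constructed sample: the same header type with ordinary zero padding.
CLEAN = bytes([59, 0, PADN, 4, 0, 0, 0, 0])

if __name__ == "__main__":
    for name, hdr in (("probe", SAMPLE), ("clean", CLEAN)):
        print(name, audit_padn(hdr))
```

A PadN that carries a URI trips both checks, which is the kind of difference from ordinary padding that can change how a probe is treated on the path.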



