Re: [OPSEC] Request comments & discussion for draft-wang-tls-proxy-best-practice

"Eric Wang (ejwang)" <ejwang@cisco.com> Tue, 26 May 2020 18:52 UTC

From: "Eric Wang (ejwang)" <ejwang@cisco.com>
To: "opsec@ietf.org" <opsec@ietf.org>
CC: "Andrew Ossipov (aossipov)" <aossipov@cisco.com>, Roelof DuToit <r@nerd.ninja>, "Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com>
Date: Tue, 26 May 2020 18:52:50 +0000
Message-ID: <625F3C37-67D1-4344-8E8E-EB24796B25AF@cisco.com>
References: <158336398859.29242.5330683089303756006@ietfa.amsl.com> <D70D9FE4-1872-41E3-8D03-D8987F425698@cisco.com>
In-Reply-To: <D70D9FE4-1872-41E3-8D03-D8987F425698@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/pszFup4OrAgsFHS574U8Ngw1E3c>
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>

Dear OPSEC members,

I hope everyone has been safe and healthy during this special time...

We submitted this “TLS proxy best practice” draft for review by the OPSEC WG.  Since it is related to the implementation of a critical network function offered and deployed by security vendors, we thought it would be suitable to be discussed here and eventually adopted by this WG.

https://tools.ietf.org/html/draft-wang-tls-proxy-best-practice-01
(this revision incorporated several offline review comments.)

Please let us know your feedback and comments. Your review is much appreciated!

Best,
-Eric



On Mar 4, 2020, at 5:37 PM, Eric Wang (ejwang) <ejwang@cisco.com> wrote:

Hello OPSEC participants,

We just submitted the following draft related to security best practices for implementing "TLS proxy", a common function leveraged by network operators. We thought it was relevant to this working group and would appreciate your review and comments.

This document is also related to draft-camwinget-tls-ns-impact (https://datatracker.ietf.org/doc/draft-camwinget-tls-ns-impact/) which Nancy sent out earlier.

Best,

-Eric (on behalf of the authors)


Begin forwarded message:

From: <internet-drafts@ietf.org>
Subject: New Version Notification for draft-wang-tls-proxy-best-practice-01.txt
Date: March 4, 2020 at 3:19:48 PM PST
To: Andrew Ossipov <aossipov@cisco.com>, Eric Wang <ejwang@cisco.com>, "Roelof DuToit" <roelof.dutoit@broadcom.com>


A new version of I-D, draft-wang-tls-proxy-best-practice-01.txt
has been successfully submitted by Eric Wang and posted to the
IETF repository.

Name: draft-wang-tls-proxy-best-practice
Revision: 01
Title: TLS Proxy Best Practice
Document date: 2020-03-04
Group: Individual Submission
Pages: 16
URL:            https://www.ietf.org/internet-drafts/draft-wang-tls-proxy-best-practice-01.txt
Status:         https://datatracker.ietf.org/doc/draft-wang-tls-proxy-best-practice/
Htmlized:       https://tools.ietf.org/html/draft-wang-tls-proxy-best-practice-01
Htmlized:       https://datatracker.ietf.org/doc/html/draft-wang-tls-proxy-best-practice
Diff:           https://www.ietf.org/rfcdiff?url2=draft-wang-tls-proxy-best-practice-01

Abstract:
  TLS proxies are widely deployed by organizations to enable security
  features and apply enterprise policies.  This document defines a TLS
  proxy and discusses a wide range of security requirements to guide
  TLS proxy implementations.

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat