Re: [OPSEC] Request comments and discussion for draft-camwinget-tls-ns-impact

"Eric Wang (ejwang)" <ejwang@cisco.com> Thu, 05 March 2020 01:07 UTC

From: "Eric Wang (ejwang)" <ejwang@cisco.com>
To: Warren Kumari <warren@kumari.net>
CC: "Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com>, "opsec@ietf.org" <opsec@ietf.org>
Date: Thu, 5 Mar 2020 01:07:18 +0000
Message-ID: <C31C56BA-EF7F-4CA8-A8D0-3851A8565EEB@cisco.com>
References: <748DB099-D180-4B5D-9346-A745D226A091@cisco.com>
In-Reply-To: <748DB099-D180-4B5D-9346-A745D226A091@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/vl9oQUPQNxBAuVfYos4NtLPWUsw>

Hi Warren,

Thanks a lot for your quick review and comments.

You are right, for the first web proxy scenario, the proxy could be terminating the transport layer so the client and server’s IP addresses may not be preserved.

However, the TLS layer remains the same because the client always attempts to establish an end-to-end TLS session with the actual server, even if it is configured with a web proxy (after an HTTP CONNECT to the web proxy).  The proxy has to rely on the fact that the client would trust the proxy’s certificate to proxy the TLS session.  This is the same for a web proxy and a network middlebox like a firewall.

Please let me know if I misunderstood your points.  There is a scenario with CDN and TLS offloading (deployed in front of the server) where the proxy is the other “end” of the TLS session.  This was referred to as “inbound TLS proxy” in the draft, but it seems not to be the case here.

We will revise the text related to “preserving IP addresses”, and describe the two deployment types explicitly.

Best,
-Eric


On Mar 4, 2020, at 3:24 PM, Eric Wang (ejwang) <ejwang@cisco.com> wrote:


Warren Kumari <warren@kumari.net> Wed, 04 March 2020 15:35 UTC

On Tue, Mar 3, 2020 at 9:18 PM Nancy Cam-Winget (ncamwing)
<ncamwing=40cisco.com@dmarc.ietf.org> wrote:
>
> Hello OPSEC participants,
>
>
>
> Given the trends to improve on security and privacy, we thought it important to also
> document how network security solutions are used and how they interact with TLS.
>
> We have submitted https://datatracker.ietf.org/doc/draft-camwinget-tls-ns-impact/
> and believe it is appropriate to discuss in this working group.

Thank you for this document -- I found it to be nicely readable and
understandable -- other than one major question / point.

I'm sure I'm going to mess up the terminology horribly here -
apologies in advance...

Section 3:
" To achieve this, a TLS Proxy must be able to present a valid X.509
   certificate to the TLS client to appear as a valid TLS Server;
   similarly, the client must be able to validate the X.509 certificate
   using the appropriate trust anchor for that TLS connection."

I've seen at least 2 deployment types for this sort of inspection - the
first is where a client is informed that there is a proxy server that
they need to send their traffic through -- i.e. the system or browser
is configured with a proxy server (OS X called this "Secure Web
Proxy"), and is configured with something like
https://proxy.example.com:8080.

The second is a security appliance which does MiTM type stuff, and the
client installs a corporate CA certificate.
These are two very very different deployment scenarios, and the
"valid" part in "valid X.509 certificate" has very different
meanings[0]. I think that it would be useful to clearly outline these
two methods of watching "encrypted" user traffic, and clarify which
one(s) you are talking about.
The sentence: "This TLS Proxy is a transparent hop on the packet path;
and where necessary, preserves the client's and server's original IP
address and the intended source and destination TCP ports." implies
only the second, but I think it would be useful to be much clearer in
the introduction...



W
[0]: Yup, technically they are both valid, but (at least in my
opinion) the second is much less so :-P


>
> Warm regards,  Nancy (and my co-authors)



--
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
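The distinction Warren draws between the two meanings of "valid", and Eric's point that the TLS layer looks the same in both deployment types, comes down to which trust anchor the certificate presented to the client chains to. The following Go program is an added illustration, not code from the draft or its authors: it constructs in memory a public root, an enterprise TLS proxy CA and an unknown CA, issues a www.example.com certificate from each (all names are constructed), and classifies each chain the way a client's trust-anchor check would.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue builds constructed in-memory certificates: a self-signed CA when parent is nil,
// otherwise a server leaf for name signed by parent.
func issue(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil { // self-signed CA
		tpl.IsCA, tpl.BasicConstraintsValid, tpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tpl, key
	} else { // server leaf: clients match the host against the SAN, not the CN
		tpl.DNSNames = []string{name}
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// Classify reports which trust anchor the certificate presented for host chains to.
func Classify(leaf *x509.Certificate, host string, public, enterprise *x509.CertPool) string {
	if _, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: public}); err == nil {
		return "origin" // public root: end-to-end TLS with the real server
	}
	if _, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: enterprise}); err == nil {
		return "proxy" // enterprise CA: a TLS proxy terminated the session and re-signed it
	}
	return "untrusted" // neither anchor: the client must abort the handshake
}
// Scenario issues www.example.com leaves from a public root, an enterprise proxy CA and an unknown CA (whose pool Classify never consults) and classifies each.
func Scenario() map[string]string {
	public, enterprise, out := x509.NewCertPool(), x509.NewCertPool(), map[string]string{}
	for label, pool := range map[string]*x509.CertPool{"origin-server": public, "tls-proxy": enterprise, "unknown-ca": x509.NewCertPool()} {
		ca, caKey := issue(label+" CA", nil, nil)
		pool.AddCert(ca)
		leaf, _ := issue("www.example.com", ca, caKey)
		out[label] = Classify(leaf, "www.example.com", public, enterprise)
	}
	return out
}
```

Run it with `go test` beside a test that calls Scenario: the origin and proxy leaves are both cryptographically valid for the name, and only the configured trust anchors tell the two deployment types apart.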


