Re: [OPSEC] Roman Danyliw's Discuss on draft-ietf-opsec-probe-attribution-07: (with DISCUSS and COMMENT)
"Eric Vyncke (evyncke)" <evyncke@cisco.com> Wed, 05 July 2023 15:41 UTC
Return-Path: <evyncke@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D436C1519A8; Wed, 5 Jul 2023 08:41:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -11.895
X-Spam-Level:
X-Spam-Status: No, score=-11.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b="aO5NzMrW"; dkim=pass (1024-bit key) header.d=cisco.com header.b="GEhv+RAR"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6M6ITsCPO-b2; Wed, 5 Jul 2023 08:41:25 -0700 (PDT)
Received: from rcdn-iport-8.cisco.com (rcdn-iport-8.cisco.com [173.37.86.79]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 77A15C15198B; Wed, 5 Jul 2023 08:41:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=9878; q=dns/txt; s=iport; t=1688571686; x=1689781286; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=cf0kV3FqpHjJbPKTl++AAFzlDiraKh3KJQQ6o8ac5wY=; b=aO5NzMrWXfIIGGTkVk0+MlZjSPZ+YOUo99yos3rS4N5ZmZeidGWmg25D 1xInh9ydz/0B8ed9fkxbX1SZn1hAwzCP0/X5gyI5FyqDGe64qgis2Earj A/aS2/uWYDpKPzdwUapdTc7z3EPGAUrOYQpUrHoB1uZnNeoDKCA4vQ+3+ k=;
X-IPAS-Result: A0ADAAA8jqVkmJtdJa1aGgEBAQEBAQEBAQEDAQEBARIBAQEBAgIBAQEBQCWBFgUBAQEBCwGBYFJzAlkqEkeEUYNMA4ROX4hcl1+BOIRfFIERA0IUDwEBAQ0BATsJBAEBhQYCFoV5AiU0CQ4BAgICAQEBAQMCAwEBAQEBAQMBAQUBAQECAQcEFAEBAQEBAQEBHhkFDhAnhWgNhgUCAQMSEREMAQEwBwEPAgEGAg4MAiMDAgICMBQBEAIEAQ0FFA6CXAGCXAMBEIwhj04BgUACiVcaNXqBMoEBggkBAQYEBYFOQbBdAwaBFS0Bh2F8ZYN2ggKBKw17JxuBSUSBFSccgWYBgQE+gmIBAQOBHgEJARIBDSkCg0Q5gi6LIg0MgmGDCIIPGC4HMoEbi2OBJ2+BHoEeegIJAhFBJoEICF+Bbz4CDVQLC2OBHIJOAgIRJxMUBU54GwMHA4EFEC8HBDIdCQYJGBgXJQZRBy0kCRMVQQSDWAqBCz8VDhGCWCICBzY8G02CagkXDjVTgQEQMzgDGSsdQAMLcD01FBsGJgEeAiiBVzCBPwokJKI7A2aBT2sFAyk5BCIFFAgIBAQEEAwoCCsEICwPDwQQBQEQFAUHNZIvGwo3gltImSiTLIEuCoQLi32PF4YHBC+EAYxsmAlimCQgjT+VGgiFFAIEAgQFAg4BAQaBYzprcHAVZQGCCAEBATFSGQ9WAo1IGR6DPYUUimV1OwIBBgEKAQEDCYpqXgEB
IronPort-PHdr: A9a23:xdd3SBeqwaHXNzub5s9GW4zOlGM/foqcDmcuAtIPkblCdOGk55v9e RCZ7vR2h1iPVoLeuLpIiOvT5rjpQndIoY2Av3YLbIFWWlcbhN8XkQ0tDI/NCUDyIPPwKS1vN M9DT1RiuXq8NBsdA97wMmXbuWb69jsOAlP6PAtxKP7yH9vfkdWx3OO/05bSeA5PwjG6ZOA6I BC/tw6ErsANmsMiMvMo1xLTq31UeuJbjW9pPgeVmBDxp4+8qZVi6C9X/fkm8qZ9
IronPort-Data: A9a23:KhmluKlJjru/uwXeGgtLMxXo5gy8JkRdPkR7XQ2eYbSJt1+Wr1Gzt xJMX2uHM/veMTD9etAkPt6w/EICsJaEydIyQFc9/3g9RltH+JHPbTi7wugcHM8zwunrFh8PA xA2M4GYRCwMZiaA4E/raNANlFEkvU2ybuKU5NXsZGYpHGeIdA970Ug4w7Fh39Yy6TSEK1rlV e3a8pW31GCNg1aYAkpMg05UgEoy1BhakGpwUm0WPZinjneH/5UmJM53yZWKEpfNatI88thW6 Ar05OrREmvxp3/BAz4++1rxWhVirrX6ZWBihpfKMkSvqkAqm8A87ko0HOsFM24Pi3awo8pW5 NdxsLDoWR4tZbKZzYzxUzEAe81/FbdN9LmCKn+lvInPiUbHaHDrhf5pCSnaP6VBpb0xWj4Ip KdecW1QBvyAr7reLLaTR/d9gM8gIeHgPZgUvTdryjSx4fMOHs2bGfibtYMwMDEYjcUeJvOBX fIgVWR3TDjuRRMIJVhHF8dr9AuvriCvL2IHwL6PnoIw+3PexyRw3aTjdt3PdbSiQt1Ok03dr WLP/n7iKhAXKNLZziCKmlqgnObBgWb6VZ4cUbqg7fNhxUWJwWYeTRQKSUG6q+Sli0m4c9NSN 0JS/TAhxYAz+VekZtjwQxP+p2SL1iPwQPJKGOE8rQqK0KeRv0CSB3MPSXhKb9lOWNIKqSICx 0bTtovpRgVTqpq5S06Y2u+EtDfpJn1ARYMdXhMsQQwA6tjlhYg8iBPTU9pueJJZaPWoRFkcJ BjX8kADa6UvYd0jjPrkoAiW6964jt2YEV5vv1S/sneNt1shPOaYi5qUBU83BMuswa6DRVWH+ XMDgcXbsKYFDIqGk2qGR+Bl8FCVCxStbmS0bb1HRslJG9GRF5iLJt84DNZWeB8BDyr8UWW1C HI/QCsIjHOpAFOkbLVsf6W6ANkwwK7rGLzND66EPoYfP8QqKFbcoUmCgHJ8OUizyCDAdolhY f+mnTqEVh729Iw+lmPtHrdBuVPV7nFumAs/uqwXPzz+gebBOxZ5uJ8OMUCFaagi/biYrQDOm +uzxOPUoyizpNbWO3GNmaZKdAhiBSFiWfje9ZcNHsbdeVUOJY3UI6KLqV/XU9Y7z/09eyah1 izVZ3K0P3Kl3SebclXQMyE6AF4tNL4mxU8G0eUXFQ/A81AoYJ2k6+EUcJ5fQFXt3LULISJcJ xXdR/i9Pw==
IronPort-HdrOrdr: A9a23:ignoW6hH/WXqNw6zhW/1qSH483BQX3x13DAbv31ZSRFFG/FwyP rOoB1L73HJYWgqN03IwerwR5VoIUm3yXZ0ibNhWotLxGHdySSVxfJZnPXfKlrbamPDH49mpO tdms1FaOEYYmIK9voSjDPIdurIheP3jJxA5t2ujkuFLzsaEZ2Ihj0RYm32Yy4GJjWuR6BJaa Z0jfA3wQZIDE5nFvhTcUN1JtQryee78K4OZyRqOzcXrC21yR+44r/zFBaVmj0EVSlU/Lsk+W /Z1yTk+6SKqZiAu1zh/l6Wy64TtMrqy9NFCsDJoNMSMC/QhgGhY5kkc6GevQoyvPqk5D8R4Z vxSlYbToFOAkHqDyaISCjWqk/dOfEVmibfIGqj8D/eSArCNWoH4oR69Nlkm1DimjsdVZlHod J2NiSixtpq5deqplWh2zAOPCsazHZd6xAZ4J0upm0aXo0EZLBLq4sDuEtTDZcbBSr/rJsqCe 90Eajnlb1rmH6hHjnkV1NUsZSRd2V2Gg3DTlkJu8ST3TQTlHdlz1EAzMhamnsb7poyR5RN+u yBa81T5fxzZ95Tabg4CPYKQMOxBGCISRXQMHiKKVCiEK0cIXrCp5P+/b1w7uC3f54Dyoc0hf 36IRllnH93f1irBdyF3ZVN/ByISGKhXS71wsUb/JR9sq2UfsucDcRCciFYryKNmYRqPiSAYY fABHt/OY6XEVfT
X-Talos-CUID: 9a23:eueVj24V3k3yirViS9ss5VdOM5glMUTh1lD8IXO9JT55UbnOVgrF
X-Talos-MUID: 9a23:Cd9hgwibz3HvZvNC1EE7g8MpP8I42KHxMng0rcsem+WqEyI3JDjNk2Hi
X-IronPort-Anti-Spam-Filtered: true
Received: from rcdn-core-4.cisco.com ([173.37.93.155]) by rcdn-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 05 Jul 2023 15:41:24 +0000
Received: from rcdn-opgw-4.cisco.com (rcdn-opgw-4.cisco.com [72.163.7.165]) by rcdn-core-4.cisco.com (8.15.2/8.15.2) with ESMTPS id 365FfOG3028685 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 5 Jul 2023 15:41:24 GMT
Authentication-Results: rcdn-opgw-4.cisco.com; dkim=pass (signature verified) header.i=@cisco.com; spf=Pass smtp.mailfrom=evyncke@cisco.com; dmarc=pass (p=quarantine dis=none) d=cisco.com
X-IronPort-AV: E=Sophos;i="6.01,183,1684800000"; d="scan'208";a="3834824"
Received: from mail-co1nam11lp2170.outbound.protection.outlook.com (HELO NAM11-CO1-obe.outbound.protection.outlook.com) ([104.47.56.170]) by rcdn-opgw-4.cisco.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 05 Jul 2023 15:41:23 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=LJBeWO5MFNgunuKfOdDMehsvJIJmOrtSykDeoC1Gxd47lah/mN/ceVu28bG8vsiGcoJw7D5iGoEaxTplOLY6LG4e6U47fptqCkEjT/4PJVLrgR/+gHxrEfCqGosCwbm/KaPP56neKyEeIoFEJ+czO8N1GAXnIXGVcUa8ME+yRPuV8ZN/C59b5mcqdKkr6Q9RBHyimEdhfTeMUQh3KRl9hXQGBt0yF3sAHx7DNTSTLnRQg1yDm8QYwOzKD6TUys7bG4Q2R3OBAkK5I7xs8FEHjVIAssdeMnTEbTrzsL/DyF1rpiK+hSOTBWVvUduwGEAgcGG7aHyo+Fmvzm3GY2IPSQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=cf0kV3FqpHjJbPKTl++AAFzlDiraKh3KJQQ6o8ac5wY=; b=LufC8htRbw+4F0hUIxg53FmcBGX2/lCrwJgTA9On7p5FtAX+3EgVSjvX8qF/LiJv94jSXrD+57ngt56x5Wz3Cryp3SiUJDBFmkVJi0UHTQgPd4/mpCnqjXyMmHpc4Qmrp0gqaToZivfcxXt2Re3gt1Csqku+dMP5HD99+SDiKoHrXvAZPTfki2i53AFNmlwdh+I/19la5f/Cg60Kkwfl10waR9q+BptgWqpyTy04Zf38eZa+hLjQSz76I+AXjOMv40CpdEIf2CrhFzYVgMVDrSV1kiRDI6w8kl34JvrAeGZyPwc+RFdJUFqQbQC0ECxVJ1JwQ+d1jrDjl7XwNoZAWA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=cf0kV3FqpHjJbPKTl++AAFzlDiraKh3KJQQ6o8ac5wY=; b=GEhv+RARPnjLtxSGB721p7oUZFIgKB2acF/30JZo6q6nNgaQYTJFQEPNiTb1E+oCQXqMIqF3Y/CDjsOgh5YrZU2njkaWWsB46hBD8aSs3FXWo/WMh/ilQkxfnrdrmHvpaNCQJgI0rIhvzFm4SYqryJtN0LpymPWkr6zWdT12TME=
Received: from PH0PR11MB4966.namprd11.prod.outlook.com (2603:10b6:510:42::21) by CO1PR11MB5139.namprd11.prod.outlook.com (2603:10b6:303:95::5) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6565.17; Wed, 5 Jul 2023 15:41:21 +0000
Received: from PH0PR11MB4966.namprd11.prod.outlook.com ([fe80::6098:a11f:49e5:c244]) by PH0PR11MB4966.namprd11.prod.outlook.com ([fe80::6098:a11f:49e5:c244%4]) with mapi id 15.20.6565.016; Wed, 5 Jul 2023 15:41:21 +0000
From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: Roman Danyliw <rdd@cert.org>, The IESG <iesg@ietf.org>
CC: "draft-ietf-opsec-probe-attribution@ietf.org" <draft-ietf-opsec-probe-attribution@ietf.org>, "opsec-chairs@ietf.org" <opsec-chairs@ietf.org>, "opsec@ietf.org" <opsec@ietf.org>, "furry13@gmail.com" <furry13@gmail.com>
Thread-Topic: Roman Danyliw's Discuss on draft-ietf-opsec-probe-attribution-07: (with DISCUSS and COMMENT)
Thread-Index: AQHZrnlQXQsv7625NkuPpGqVAHlii6+rct4A
Date: Wed, 05 Jul 2023 15:41:21 +0000
Message-ID: <C6C9A546-A590-490D-8AD3-DAD2EB367041@cisco.com>
References: <168847636988.23180.16211496796614010068@ietfa.amsl.com>
In-Reply-To: <168847636988.23180.16211496796614010068@ietfa.amsl.com>
Accept-Language: fr-BE, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.74.23061800
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: PH0PR11MB4966:EE_|CO1PR11MB5139:EE_
x-ms-office365-filtering-correlation-id: b8bb1757-1c03-45f8-cf50-08db7d6e47fe
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: QCRoebuMioCzulEclFF/iTGYRyLbSrn66Je9SOs13sj6wUZrYf09s1iVCqSnLmEhYHRiLd06H8EfC+1aSEXPRLxKxkeyOvUlivMCfSZOtXTM11zy28i65i2Cijc1mNSd1qXNGsM7K84PIB8O6Zgp92tU/8zk4NzDkQLC+ElKpjLXgVI4KlqpSv1rHtSCjwlptth6f/Vx75jrPtknu6KPzvi+2W/SF9RHJIpYM9sQnQhCo1Wys4r7O4UvEsjbxL1scoXC68C/Hsxx7B/0AJSakXp6zCPioBMVhWRIDvH1RW0a6jRhSfWXBeFKEj1jKlqcur/1cegs3qRpDRe1Ip56dWF5pOut+KACP5E0q1Xjp1WRfPUS4H7TUKzjrx7LQpycPgEPq6XK6Y0K7wXq0pqhEpkfnE0HJ2B12cDmGssJRrsBKdSsvDZVmJ4Y4RpVgzU8BYIbxYDYtGxW0EA8/H40gN5pZnOUOQABd5zSy1ompZtN3N3KbDJXWIeY6C8MMxZWEUoRXq/Y5jJb4VuPobRtXm0+F4sqPkoIEd43yjbCUbRy+669ZsKjWfPCQlrqlTiGcTlkgNV/IzNspyr2Yhbuv6K1J/qGkNcEMwkUdWvVUxwOhuOxVLzNXpXxx+NeEFtb0btVWPMedeMplTnfU//eZ1b0vxUhBL0bmgNCE3zDIgg=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:PH0PR11MB4966.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230028)(4636009)(376002)(39860400002)(366004)(136003)(396003)(346002)(451199021)(6512007)(966005)(6486002)(33656002)(36756003)(2616005)(122000001)(186003)(6506007)(38100700002)(71200400001)(66574015)(2906002)(8936002)(66446008)(66476007)(66556008)(66946007)(64756008)(76116006)(8676002)(91956017)(38070700005)(5660300002)(41300700001)(86362001)(83380400001)(316002)(4326008)(54906003)(478600001)(66899021)(110136005)(45980500001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: aJFLUUcaFR/lU3o8tVcOIuHKZXXpjbforE+fF6/K/REgugRFRcYBICgLN/Jt1ffx7/DOnyMflihe4khvAXc6UhwTGzTJa8KgM4rl0d2RQhjPvP/IdcXVkECCUAU/0jyjAXAw/woYHvkrDp1AWL30/3Lgmhn9tLZAX2V8wPVWlb+x8jEXBGuZ4TKDiO6rgeKRd7ibBIBkEWZoyoSZ9Bg3xpwOeCMT2mXx5lNbhwQEMWqzYG6rwtn8M7bEadGiGSl94FffK1g0zXGYFvmmVAO8ZKv2h+n8XkJvPFlAHxnGW0GWYqk/3WvuYBsVx8yWiGSmYOO5qUhc3kfWz3oQeqFcu+uysKR+cValBkDSnCrRu+KTVXq1d72PZnbo4RHxkgr0hFgLwJe8GTCTKG3ba3npiJcfMxpUdNHV3vIWh3p6TC4QCM72qbN9vol9pEtx/st6HaUVFEho4XNsP5ZqrCf6x4flCTUJgGmwgJBocceyblQ9LOpquO0f3qXb/ekcthIyco8xSOAkRGbXZHsWLyzXAtKyWkNWO1WA+ug0p+K6Fwk9x53y/qS8wKCxP8hlY6mkiJo4/7vJOGOcjwP7bD9DwdwWfC4fbPbBTvNKnh+7rJLRpsSPRMt3wSgPv84zApZZhn2THwfA4hcE0pL5KByZ/XkBIVEX1hlVOttqvE8KcsFwDqmf3YEUAbfMrybE/CP6mnr1UYKS9jpDstYlL+GSpdQNhsZ6gJMgGH4CIvx6JSjYK4lRuyvYFglMhr+TY9o0obPhCjUrafKLHdGbo06GovdSIv+Ffcl0X11j9mu/TNk/bcRbfhahQQcxJsQm+1OEJXe+dH7uKr92VuBiPwdIyOA2hqHoLqOGJdQQ73DNunCTk8gbZjMqpZuKWo61dpnmMH9FWhmX5eg9GUXOoXpmHMevj3p/Cn4eScVKuTcmoj3ulXDnxU9EqJXi+H5o5bhDPQh2C4L9lYGtJVVjDmFsQGnUe12FhyiEf3cQYL3Sp3CZ4yp7IpsMPBL0svcET8ewoGpHaejEmD9vwks6CVI2bTtA/9QT+FGIsVuwFT61eGLFXpKn76X//lrPicoWrnWIed+1hSEQkAdL+x6Qssm+vNgVzMpFJCcVphwg7qQY1DpqNFZqK3ZTeIp6wZsoDkvVbwF/gPYAJZ2sKW3mdXWBdt19ZvLev1qNvvRXZkjEzz+wGfu4CzoCZifZ7lmekI8j8OBnBSEaREuoFVktLU5s7MgptSkRZVTuI9SwPVCsDKIHkqcHKVtY7DOSJMYIroOhmMrrcFC1rdZV34e4qc/MxS+1fIiC5WMT7BN11MBDMzbadsyTUYpbhRjBrbXqOvalXq9tGPI27G90BRxVVH0Ejz8v54OHgyc1FrDIADCRPpS9D9b8gCav8jO2BDOB6+Qmt0xbdaR1+45d6XXmeHGhdOf0/G9xlyXpOFbE/aD684abpvCSRhl21pU4RuALEIzjIgUbb+8IDjWRPykcV0vTIRvH33oZyEJWj1DZJTJtWNs0onZkugsrC1FXcX8Nb7mGIPf00j2ot5qBiQKtkQkW0uHXIVWMOJKD/dZOCNtm0r+jAY/2wjzCeL7y35AIaZ3LvKcTZ8KlyNjMPj26EOeYMOMjF524K/MqoPuXJB0aEIPk+oOHo+ShkP6nIk3JVTOM
Content-Type: text/plain; charset="utf-8"
Content-ID: <C536E439773C484CBE472353B020C92A@namprd11.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: cisco.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: PH0PR11MB4966.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: b8bb1757-1c03-45f8-cf50-08db7d6e47fe
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Jul 2023 15:41:21.0206 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 6WxgzLpeoSZSUyl+fepnbOvq/52nMxcqTyfYQkWXWmn+sqyWbE8erDETjEpqq1Zs0JayWIl+SWNnywWw9xk2xw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CO1PR11MB5139
X-Outbound-SMTP-Client: 72.163.7.165, rcdn-opgw-4.cisco.com
X-Outbound-Node: rcdn-core-4.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/vx_5EyiVFTe9LjP7gExOj33FUQU>
Subject: Re: [OPSEC] Roman Danyliw's Discuss on draft-ietf-opsec-probe-attribution-07: (with DISCUSS and COMMENT)
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Jul 2023 15:41:30 -0000
Hello Roman, Thank you for your review. My understanding of your DISCUSS ballot is that this I-D is worse than the cure. If the above statement is correct, then there is probably a disconnect between your view and the actual purpose of this I-D, which is more like "if you bumped into another car on a parking lot, then please leave a message on the damaged car windshield with your contact information". I.e., propose a reasonably sensible way to contact the researcher(s) sending those probes. Those probe research are not common; I know about 5 teams doing (and counting me twice) such probing over the public Internet over a period of 10 years... And a vast majority of them (if not all) have applied similar mechanisms, so let's document them in an *informational* document that starts with "This document suggests some simple techniques". More background: I was contacted only *once* in those 2 measurement campaigns of mine, and it proved really useful as it allowed a forensic analyst to contact me in a matter of hours (more information in a private / confidential discussion if you want). This was really critical and valuable in that case, therefore the suggestions in this I-D, while not perfect, are rather useful. We could provide more context of course based on the above if it helps the IETF community. Please below some answers prefixed by EV> Regards -éric (with -justin) On 04/07/2023, 15:13, "Roman Danyliw via Datatracker" <noreply@ietf.org <mailto:noreply@ietf.org>> wrote: Roman Danyliw has entered the following ballot position for draft-ietf-opsec-probe-attribution-07: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ <https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/> for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-opsec-probe-attribution/ <https://datatracker.ietf.org/doc/draft-ietf-opsec-probe-attribution/> ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- It isn’t clear how the safest practice is not to always ignore this attribution information? ** The text notes in numerous places that this is only intended for “researchers with good intentions” (Section 1 and 7) but it isn’t clear how this intention translates into the workflow of the probe recipient (i.e., how does a recipient know it came from someone with good intentions?). Specifically: EV> better than nothing... -- Per the out-of-band attribution (Section 3), the suggested workflow is directing a network defender to visit an arbitrary location of the attackers choosing (i.e., by spoofing the probe source address) or by redirecting the defender to an infrastructure controlled by the attacker. This seems risky as this location could be serving malware or the connection itself could be facilitating a DDOS reflector-style attack. EV> as written above, the probes are not an attack but could look suspicious enough to the eyes of a network security analyst. And the download by the security analyst is just a plain ASCII file pointing to another page. Let's hope that forensic analysts do not click on any link... EV> Usure how it could become a dDoS attack as it would require multiple sites receiving this probe, doing the off-line analysis, and contacting phone/email the research team. There are many other and more efficient ways to distribute 3rd party contact information in the hope that they will be called / sent email messages. -- Per the in-path attribution (Section 4), there are no integrity guarantees so any on-path attacker could also modify legitimate attribution information to information of their choosing. See out-of-band attribution. EV> sure, and they can be spoofed, ... ** Section 7. If a recipient cannot confirm the information or does not wish to do so, it should treat the flows as if there were no probe attribution. What does confirmation mean in this case? How is that realized? Per the URI-based attribution, there is no strong binding between the sender and the information. As the Section 7 text notes, nothing prevents false attribution (i.e., attributing the traffic to someone else to cover my own behavior) or a false flag (e.g., attributing the traffic to someone else so as to blame them)? Additionally, nothing prevents an attacker from staffing a response to an email or telephone provided in the URI. If the network defender makes contact via provided mechanisms, why should there be any confidence in that communication? EV> we (the authors but also some other measurement teams) have considered this issue and were unable to find something 'really secure', probes are atomic packets with often size constraints (for the measurements) to non-collaborative parties. EV> I would be glad to accept any suggestion of yours to do it correctly. ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Thank you to Tiru Reddy for the SECDIR review. ** Section 3. What is the procedure for handling multiple reverse DNS records being returned? EV> if you do it well, there will be only one (again assuming that the sender is a well-behaved sender) ** Section 3 * else (or in addition), the Probe Description URI is "https://[2001:db8:dead::1]/.well-known/probing.txt". If there is no certificate associated to this address (e.g., via [RFC8738]), then there will be a certificate verification issue. -- RF8738 is cited as an example. Can its relationship to the described workflow be explained -- What is the implication of there being a certificate verification issue? Does the information get discarded? EV> suggest then to remove the last sentence ** Section 4. * For a UDP datagram [RFC768], include it in the data payload if its content has no structure; * For a TCP segment [RFC9293], include it in the data payload if its content has no structure; What does “… has no structure mean”? EV> what about s/if its content has no structure/if there is no upper-layer protocol after the transport layer/ ** Section 4. * For an IPv6 packet [RFC8200], include it in a PadN option either inside a Hop-by-Hop or Destination Options header. Doesn’t Section 3.5.1.1 of RFC9288 guide transit routers to drop hop-by-hop traffic? EV> Please note that RFC 9288 is informational and is not so assertive on dropping HbH extension headers EV> Finally, even if RFC 9288 was standard track and with a MUST discard, then doing the measurement is still valuable if only to check how many routers are implementing this putative RFC 9288-bis
- [OPSEC] Roman Danyliw's Discuss on draft-ietf-ops… Roman Danyliw via Datatracker
- Re: [OPSEC] Roman Danyliw's Discuss on draft-ietf… Eric Vyncke (evyncke)
- Re: [OPSEC] Roman Danyliw's Discuss on draft-ietf… Roman Danyliw