Re: [Patient] [EXT] Re: Internet Draft posted as requested -

Brian Witten <brian_witten@symantec.com> Thu, 14 December 2017 23:16 UTC

Return-Path: <brian_witten@symantec.com>
X-Original-To: patient@ietfa.amsl.com
Delivered-To: patient@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B4D7C129431; Thu, 14 Dec 2017 15:16:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=symc.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C9WyaxAKV8eP; Thu, 14 Dec 2017 15:16:32 -0800 (PST)
Received: from tussmtoutape01.symantec.com (Tussmtoutape01.symantec.com [155.64.38.231]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D9E6127369; Thu, 14 Dec 2017 15:16:32 -0800 (PST)
Received: from tussmtmtaapi02.symc.symantec.com (tus3-f5-symc-ext-prd-snat2.net.symantec.com [10.44.130.2]) by tussmtoutape01.symantec.com (Symantec Messaging Gateway) with SMTP id C0.64.60992.F46033A5; Thu, 14 Dec 2017 23:16:31 +0000 (GMT)
X-AuditID: 0a2c7e31-3f8e99c00000ee40-8a-5a33064f2873
Received: from tus3xchcaspin01.SYMC.SYMANTEC.COM (tus3-f5-symc-ext-prd-snat3.net.symantec.com [10.44.130.3]) by tussmtmtaapi02.symc.symantec.com (Symantec Messaging Gateway) with SMTP id BF.84.04468.F46033A5; Thu, 14 Dec 2017 23:16:31 +0000 (GMT)
Received: from TUSXCHMBXWPI02.SYMC.SYMANTEC.COM (10.44.91.34) by tus3xchcaspin01.SYMC.SYMANTEC.COM (10.44.91.13) with Microsoft SMTP Server (TLS) id 15.0.1236.3; Thu, 14 Dec 2017 15:16:31 -0800
Received: from NAM02-BL2-obe.outbound.protection.outlook.com (10.44.128.8) by TUSXCHMBXWPI02.SYMC.SYMANTEC.COM (10.44.91.34) with Microsoft SMTP Server (TLS) id 15.0.1236.3 via Frontend Transport; Thu, 14 Dec 2017 15:16:31 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=symc.onmicrosoft.com; s=selector1-symantec-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=8DSfLBhCdVT3Lrik8ihsNfaNFBNSNJTGJZHvODvJoBc=; b=mWuldMcYKz6dwodOkQ0lniWajg7gSh34MAYVe7zL1GGz9365qpwNtMUiLvLECGNvI0Fvrk9GbEa5V5Y6a6E825ba09KFIUbICFLQpIZx7k523YE4yoSVtWBeOrHNmF28QNcT9lpvZM/n+28gRU2qtRX+BTFRwNrmqD9R6eTNJ7U=
Received: from MWHPR16MB1488.namprd16.prod.outlook.com (10.175.4.146) by MWHPR16MB1487.namprd16.prod.outlook.com (10.175.4.145) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.302.9; Thu, 14 Dec 2017 23:16:29 +0000
Received: from MWHPR16MB1488.namprd16.prod.outlook.com ([10.175.4.146]) by MWHPR16MB1488.namprd16.prod.outlook.com ([10.175.4.146]) with mapi id 15.20.0302.017; Thu, 14 Dec 2017 23:16:29 +0000
From: Brian Witten <brian_witten@symantec.com>
To: Paul Wouters <paul@nohats.ca>
CC: "patient@ietf.org" <patient@ietf.org>, "saag@ietf.org" <saag@ietf.org>
Thread-Topic: [EXT] Re: [Patient] Internet Draft posted as requested -
Thread-Index: AQHTdG3hrR7/CZZMykmDXlV3KMVAN6NDcJ4GgAAIGoCAAAB1DA==
Date: Thu, 14 Dec 2017 23:16:29 +0000
Message-ID: <MWHPR16MB148859D8FC007D9B9D5005E6930A0@MWHPR16MB1488.namprd16.prod.outlook.com>
References: <MWHPR16MB14881688FE400E3277CA8A9393310@MWHPR16MB1488.namprd16.prod.outlook.com>, <MWHPR16MB14889BEE3EB0ED5F328D7C3993370@MWHPR16MB1488.namprd16.prod.outlook.com>, <MWHPR16MB14889B7535153E5844649CA393370@MWHPR16MB1488.namprd16.prod.outlook.com>, <MWHPR16MB14880A12D15AC58FDD5CEC8793370@MWHPR16MB1488.namprd16.prod.outlook.com>, <MWHPR16MB1488D43F3B53BC7BBE9D836593370@MWHPR16MB1488.namprd16.prod.outlook.com>, <MWHPR16MB1488853B0E4F7BB8E557288D93370@MWHPR16MB1488.namprd16.prod.outlook.com>, <MWHPR16MB148845FB069D03625BC399B193370@MWHPR16MB1488.namprd16.prod.outlook.com>, <MWHPR16MB1488848D7AC828EBB8DA90B093350@MWHPR16MB1488.namprd16.prod.outlook.com> <DM5PR16MB148477E1FAA4C210A3B013F7930A0@DM5PR16MB1484.namprd16.prod.outlook.com>, <alpine.LRH.2.21.1712141805020.15188@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1712141805020.15188@bofh.nohats.ca>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=brian_witten@symantec.com;
x-originating-ip: [2605:e000:9394:6500:a5ed:2f5c:12b1:afaa]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; MWHPR16MB1487; 6:m67/82sUplg31I83yyFErdzCdjxNhLhLoqiVY4Vk/i35Kt7fa1Y07xwnUK3iY6x9Zqay5r64Mn9gWwa4pHrc8P+6ijE+Wj+iJSX6kCvhka2skyoyrSx6hmap3PTdqX1F/21am23Xs03XcaXNCJRwJuXQcc/emfBKgBOnOt7gIompThc9VHWiOdJHDu0vrLnRKdIDKQxWT1JgP84NlzjXoxndS7JHSeSqMjw4sCwyxf+Jt+bBA0dbWMUf+BJ5C5ODfUGuy6CPzO9Bj9l/My4VLHDrFINTYITXs5oae/JtNrFsPVvgO49fYCi2iFEkiTqVSfP0MGxIlJ0OwZf+OEhttQQ6/V7B1QVeiInzrY/rEpA=; 5:F59il+/lLJ/zUY/1qf/Ntvn5m/FB50/FFyJBzYjJVvjOE2Bz0u1ScyA7h9xvaVfAmpgbFTQWull2l9Ut/pxTmk2Zk3icc1pbuJX4RlgiSSELHr4bUWDaZraxKXsww9BOoJeymukHt6rT0rV+BaSR6KTGHAUmVyhlaFZe6USma3Q=; 24:JtBZfQ8uXgjAE5rXiJbiYnlQZZb+AyACMv6n9RASwzBJZyeKvOeSA5wMimCk/RB+aY+3Xqc33LFU2hyRPvDkTwOXYld3vseDYFtu5RxhbZU=; 7:29ib88cbrHmMx5fdBm9eBwa89eKKFAju+4L6z4ZLt+3UFHa7EXTZnjyQmICPRqUfWaFPBFPVndU4JUNV2HZvQVRocbcH8aWxByN5WRBC7gyN9elmOcx5eGYpbUsZlIsqsvQ1TC1laUkPmYV+A0yqXyUSK48x700uqlfiHUGBbb63SQe+3BjP/D5/y3I5VihaHb3MoJxCsKUn5p1StD7533bWRhZFgpxEu3/BJrTvbzBwEz1JDBf1utqI5jnJ/0o8
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-correlation-id: 72fe1888-f116-46fa-3c04-08d54348b4e0
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(5600026)(4604075)(4534020)(4602075)(4627115)(201703031133081)(201702281549075)(2017052603307); SRVR:MWHPR16MB1487;
x-ms-traffictypediagnostic: MWHPR16MB1487:
x-microsoft-antispam-prvs: <MWHPR16MB1487C45DAA45ED4B20006919930A0@MWHPR16MB1487.namprd16.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040450)(2401047)(8121501046)(5005006)(3002001)(10201501046)(3231023)(93006095)(93001095)(6041248)(20161123558100)(20161123555025)(20161123560025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123564025)(20161123562025)(6072148)(201708071742011); SRVR:MWHPR16MB1487; BCL:0; PCL:0; RULEID:(100000803101)(100110400095); SRVR:MWHPR16MB1487;
x-forefront-prvs: 05214FD68E
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(396003)(366004)(39860400002)(376002)(346002)(51414003)(24454002)(43784003)(189003)(199004)(8936002)(6506007)(81156014)(68736007)(8676002)(7736002)(81166006)(74316002)(53546011)(76176011)(3280700002)(2906002)(86362001)(478600001)(59450400001)(25786009)(10290500003)(99286004)(93886005)(7696005)(14454004)(316002)(54906003)(3660700001)(105586002)(106356001)(6246003)(97736004)(33656002)(54896002)(9686003)(55016002)(4326008)(77096006)(6436002)(229853002)(2900100001)(102836003)(6116002)(561944003)(19627405001)(5660300001)(6606003)(6916009)(53936002)(2950100002)(9010500006); DIR:OUT; SFP:1101; SCL:1; SRVR:MWHPR16MB1487; H:MWHPR16MB1488.namprd16.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: symantec.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_MWHPR16MB148859D8FC007D9B9D5005E6930A0MWHPR16MB1488namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 72fe1888-f116-46fa-3c04-08d54348b4e0
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Dec 2017 23:16:29.2062 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 3b217a9b-6c58-428b-b022-5ad741ce2016
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR16MB1487
X-OriginatorOrg: symantec.com
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrJKsWRmVeSWpSXmKPExsXCpdPEpOvPZhxlMGeFvsXLA8YW729dYrKY 0t/J5MDssWTJTyaP7/OYApiiuGxSUnMyy1KL9O0SuDL2/ljHXvDUuOLXrbfMDYyvtLsYOTkk BEwkNs34xdzFyMUhJPCJUeLihb+sMIktT3rYIBI/GCWWNLezQzhHGSWu3XsDViUk8IJR4snq RJAEi0Ans8SUa7ugWqYwSRw+fQvKOcIo8fzWfmaQFjYBPYmjf++AtYsIKEpMOvOIBcRmFvCS +DT3OZgtLOAqcWJjGxtEjZvE8t0XoeqdJH4sb2cEsVkEVCVmz9nCBGLzCsRI7OxbywixbAOb xMWV58ESnAKOEt1/poEtZhQQk/h+ag0TxDJxiVtP5jNBfCogsWTPeWYIW1Ti5eN/rBD1MRKn 1r6CiltLtN09AVUvK3FpfjfYMgmBQ+wSD/YuZoFI6ElsnfgWKMEBZPtKLHtRBFGzhFHiVM8q dogaLYnDPduhBmVLbDg5m30Co9EsJDdB2PkS3ccnsMwCe05Q4uTMJywQcQOJ9+fmM0PY2hLL Fr6GsvUlNn45y4gsvoCRfRWjQklpcXFuSX5pSWJBqoGhXnFlbjKISAQmp2S95PzcTYzgBFVn uIPx0QafQ4wCHIxKPLyvWIyjhFgTy4AqDzFKcDArifBeaTWKEuJNSaysSi3Kjy8qzUktPsQo zcGiJM776atalJBAemJJanZqakFqEUyWiYNTqoGR1+X1jJrQYwt9RB68cGXZIP3z/rFpJds7 7QuW5pR8fLlHp+LUFqfUKIFvnzmrpynJcR9+GPxbKs2ve57OroUVWkbzdt4r2L7H5f7D/ORb jmeE5z788HGp/one6q93Pq6e+k911syUDNUjkeK6D5Iqb0/ftqlHKOqwWkn348/vHp567Wkg +fTJdCWW4oxEQy3mouJEAING3RxMAwAA
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprHKsWRmVeSWpSXmKPExsXCpdPErOvPZhxlsGWXpsXLA8YW729dYrKY 0t/J5MDssWTJTyaP7/OYApiiuGxSUnMyy1KL9O0SuDL2/ljHXvDUuOLXrbfMDYyvtLsYOTkk BEwktjzpYeti5OIQEvjBKLGkuZ0dwjnKKHHt3htWkCohgReMEk9WJ4IkWAQ6mSWmXNsF1TKF SeLw6VtQzhFGiee39jODtLAJ6Ekc/XsHrF1EQFFi0plHLCA2s4CXxKe5z8FsYQFXiRMb29gg atwklu++CFXvJPFjeTsjiM0ioCoxe84WJhCbVyBGYmffWkaIZRvYJC6uPA+W4BRwlOj+Mw1s MaOAmMT3U2uYIJaJS9x6Mp8J4lMBiSV7zjND2KISLx//Y4Woj5E4tfYVVNxaou3uCah6WYlL 87vBlkkIHGKXeLB3MQtEQk9i68S3QAkOINtXYtmLIoiaJYwSp3pWsUPUaEkc7tkONShbYsPJ 2ewwC1a++sAK0bCAGRjCU5knMOrNQnIshJ0v0X18AssssK8FJU7OfMICETeQeH9uPjOErS2x bOFrKFtfYuOXs4zI4gsY2VcxKpSUFhfnluSWJCYWZBoY6RVX5iaDiERgckrWS87P3cQITlDO kjsYD/3xOcQowMGoxMNr0WYUJcSaWAZUeYhRmoNFSZz3nQZTlJBAemJJanZqakFqUXxRaU5q 8SFGJg5OqQZGAZv6nX89HqRl+KSoZZ27qm4cssrFz7t7af3Kp1xz1x7edZhbhE/u4/PM+dkL M5R3PGtjmqxasN1Q7ccRnlaHZ1cq3Pbazfl9NESj+/lnlzde7z2Vd/27+7hMu/CuSOq16Msv LP6cj974TejzceONS7herPFwbH/x8O1UDeOJriw8by0ZBHk0lFiKMxINtZiLihMBoS935TED AAA=
X-CFilter-Loop: TUS03
Archived-At: <https://mailarchive.ietf.org/arch/msg/patient/XSvBfZc2oTag95Si7-j857xhEGw>
Subject: Re: [Patient] [EXT] Re: Internet Draft posted as requested -
X-BeenThere: patient@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Protecting against Attacks Tunneling In Encrypted Network Tunnels <patient.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/patient>, <mailto:patient-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/patient/>
List-Post: <mailto:patient@ietf.org>
List-Help: <mailto:patient-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/patient>, <mailto:patient-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Dec 2017 23:16:37 -0000

Hi Paul,


Thanks!  I'm not against true end2end client-auth.  That would help the server know for sure to whom they are talking, including both an endpoint that couldn't be impersonated, and the middlebox which the client wants helping with security.  Sending data "back" into the network just often has a too-ugly bandwidth cost.  Doing things in-flow is far better from a bandwidth perspective, and I'm happy to make these middleboxes (currently impersonating) more explicitly accountable for their presence in the communications...


I hope that helps!  Thanks Again!!


Brian


________________________________
From: Paul Wouters <paul@nohats.ca>;
Sent: Thursday, December 14, 2017 3:10:53 PM
To: Brian Witten
Cc: patient@ietf.org; saag@ietf.org
Subject: [EXT] Re: [Patient] Internet Draft posted as requested -

On Thu, 14 Dec 2017, Brian Witten wrote:

> As a side comment, I’d also note the use of pejorative phrasing.  “argues for the mitm attacks on https,” … It seems that you’re calling “network based blocking of malicious webpages” an “attack” when the blocking is actually blocking the server's _attack_ against the client.  Where I choose to have a network proxy protect from evil on the net, I don’t consider that proxy to be attacking me.  I consider that proxy to be protecting me, and many organizations manage keys accordingly.  We see more and more people needing network help in protecting themselves from such attacks, as laid out in (1) through (5) above.  I look forward to your feedback there.

Some call it that because you are actively trying to circumvent protection
that https offers.

If you let the client decrypt the data and then sent that data (encrypted)
to the network agent, no one would call it mitm attack.

But your proposal is to give private (session) keys from endpoint to
the network agent, basically giving it the full power to impersonate
the endpoint. That is a dangerous and needlessly insecure compromise.

Similarly, an email message can be received over TLS, and then forwarded
to the network agent for scanning without giving the network agent the
key material to sit in between network agent and remote mail server.

Paul