Re: [Patient] Requested Feedback - Protecting Endpoints

Bret Jordan <jordan.ietf@gmail.com> Fri, 15 December 2017 23:48 UTC

From: Bret Jordan <jordan.ietf@gmail.com>
Message-Id: <E88BAE56-17B2-461C-BDB3-71D8C9BC8DED@gmail.com>
Date: Fri, 15 Dec 2017 16:48:20 -0700
In-Reply-To: <B36DAF90-A27A-49E7-B40E-5CC7315BA18D@wapacklabs.com>
Cc: patient@ietf.org
To: Patrick Maroney <pmaroney@wapacklabs.com>
References: <B36DAF90-A27A-49E7-B40E-5CC7315BA18D@wapacklabs.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/patient/aH6pDYuhvF5gFHoqb7jaC7fBMpE>

Pat,

These are excellent points.

Bret


> On Dec 14, 2017, at 08:54, Patrick Maroney <pmaroney@wapacklabs.com> wrote:
> 
> Brian,
> 
> Per your request for comment*:
> 
> I'm glad to see this discussion.
> 
> Having directly observed nation state adversaries enjoying the benefits of "legitimate" channels, there's an oft-overlooked aspect of the dichotomy of secure channels.
> 
> An adversary controlling an endpoint may simply wait for establishment of a secure channel (with strong Multi-factor Authentication from the legitimate user/application) to the target endpoint to obfuscate their presence, activities, and objectives.  The strongest secure channels can be exploited - giving all of the advantages of same to the adversary.  Though typically the case for many tunneling attacks, the adversary does not need interactive command and control of the initiating endpoint.  They merely need to be able to sense/test the state/existence of the secure channel to execute "store and forward" command and control.
> 
> 
> Patrick Maroney
> Principal Engineer - Data Science & Analytics
> Wapack Labs LLC
> (609)841-5104
> pmaroney@wapacklabs.com
> 
> Public Key: http://pgp.mit.edu/pks/lookup?op=get&search=0x7C810C9769BD29AF
> 
> * "If you get a chance, please read the v00 Internet Draft which we just posted to IETF ( https://www.ietf.org/id/draft-witten-protectingendpoints-00.txt ) then send a quick comment, like "hate it," "love it," "glad to see the discussion," or (apparently popular) "why you hate the IETF" type comment to the patient@ietf.org mailing list."
> 