Re: [Patient] [EXT] Re: [saag] Internet Draft posted as requested -

Mark Kennedy <mkennedy@symantec.com> Tue, 19 December 2017 06:30 UTC

From: Mark Kennedy <mkennedy@symantec.com>
To: Bret Jordan <jordan.ietf@gmail.com>, "patient@ietf.org" <patient@ietf.org>
Date: Tue, 19 Dec 2017 06:30:11 +0000
Message-ID: <BN6PR16MB14108747465400A24176371DB40F0@BN6PR16MB1410.namprd16.prod.outlook.com>
In-Reply-To: <217613C9-9D51-4CC9-8C8C-D632E1CECFF6@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/patient/j_fEB6-8MastQGqkJ4Pxi97_ubU>
Subject: Re: [Patient] [EXT] Re: [saag] Internet Draft posted as requested -
List-Id: Protecting against Attacks Tunneling In Encrypted Network Tunnels <patient.ietf.org>

This might be a good place to inject the work from ICSG's Encrypted Traffic Inspection group.  Give this a read as a starting point for some very broad requirements.

Requirements
Definitions:

An ETI middlebox is any device (physical or virtual) that is designed and deployed to inspect/modify encrypted traffic, including the encrypted payload. These devices include but are not limited to security devices, performance enhancing devices (caching), traffic shaping devices.

A participant is an endpoint (terminator of the encrypted connection) or an ETI middlebox.

Requirements

1. All ETI middleboxes must be visible to everyone in the communication.
2. Participants must be able to set policies on which ETI middleboxes can decrypt which parts of their traffic.
3. Participants must be able to set policies on which ETI middleboxes can modify which parts of their traffic.
4. The protocol must produce a cryptographically strong audit trail of who changed, or inspected, what, when, where, and why whenever an ETI middlebox changes/inspects content.
5. ETI middleboxes must provide an attestation of the degree to which they conform to the standard.
6. ETI middleboxes must not negatively impact the strength of the encryption.

We feel these are minimal requirements to ensure that nothing is hidden, everyone knows who the players are and by what rules they are playing.  All the participants can then decide if they are satisfied with the landscape and whether or not to allow the conversation.

Mark 

Mark Kennedy
Distinguished Engineer
Security Technology And Response
Symantec Corporation
www.symantec.com
-----------------------------------------------------
Office: 424-750-7661
Interoffice: 6 [424] 7661
Mobile: 310-722-1934
Fax: 424-750-7001
Email: mkennedy@symantec.com
-----------------------------------------------------
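As an added example (not from the ICSG document or from anyone in this thread), a small Python model of requirements 2 to 4 above: a per-participant policy on which ETI middlebox may decrypt or modify which parts of the traffic, and a keyed, hash-chained audit record of who did what, when, where and why. The policy table, the middlebox names and the audit key are constructed for the demo and are assumptions, not anything the draft specifies.

```python
import hashlib
import hmac
import json
import time

# Constructed sample policy (requirements 2 and 3): per middlebox, the parts
# of the traffic it is allowed to decrypt and the parts it is allowed to modify.
POLICY = {
    "mb-proxy-1": {"decrypt": {"headers", "body"}, "modify": {"body"}},
    "mb-cache-2": {"decrypt": {"headers"}, "modify": set()},
}

# Assumption: a key shared between the recording middlebox and the auditing
# endpoint; a deployed protocol would use per-participant signatures instead.
AUDIT_KEY = b"constructed-demo-key"

def policy_allows(policy, middlebox, action, part):
    """A middlebox may only decrypt/modify the parts a participant granted it."""
    return part in policy.get(middlebox, {}).get(action, set())

def append_record(trail, middlebox, action, part, where, why, key=AUDIT_KEY, now=None):
    """Requirement 4: append a who/what/when/where/why record chained to the
    previous record's tag, so reordering or deleting entries is detectable."""
    prev = trail[-1]["tag"] if trail else "0" * 64
    record = {"who": middlebox, "what": f"{action}:{part}", "where": where,
              "why": why, "when": now if now is not None else int(time.time()),
              "prev": prev}
    payload = json.dumps(record, sort_keys=True).encode()
    record["tag"] = hmac.new(key, payload, hashlib.sha256).hexdigest()
    trail.append(record)
    return record

def verify_trail(trail, key=AUDIT_KEY):
    """Recompute every tag and chain link; return the index of the first
    record that fails, or -1 when the whole trail is intact."""
    prev = "0" * 64
    for i, rec in enumerate(trail):
        body = {k: v for k, v in rec.items() if k != "tag"}
        if body.get("prev") != prev:
            return i
        expected = hmac.new(key, json.dumps(body, sort_keys=True).encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["tag"]):
            return i
        prev = rec["tag"]
    return -1

def handle_action(trail, policy, middlebox, action, part, where, why, now=None):
    """Enforce the policy first; only a permitted action is performed and recorded."""
    if not policy_allows(policy, middlebox, action, part):
        return False
    append_record(trail, middlebox, action, part, where, why, now=now)
    return True
```

The endpoint that receives the trail can run verify_trail against its own copy of the key; any edited, dropped or reordered record surfaces as the returned index.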


-----Original Message-----
From: PATIENT [mailto:patient-bounces@ietf.org] On Behalf Of Bret Jordan
Sent: Monday, December 18, 2017 9:42 PM
To: patient@ietf.org
Subject: [EXT] Re: [Patient] [saag] Internet Draft posted as requested -

Diego, I agree with you and your points are valid.

I think there is a fundamental element that many are overlooking...  Whether you like network based protections or not, they are not going away.  TLS 1.3 does not prevent or restrict network based security solutions at all. In fact, many large organizations are rolling out new ways of using network based protections to protect their clients and data, just look at Google's BeyondCorp for an example of a new and innovative solution.

Given that network based protections are going to exist, and some percentage of the population will elect to use them, it would be nice if there was a better way for clients to:
1) know more about what was being done to their session
2) know if there are additional upstream solutions that they cannot see
3) know for sure what was changed or defanged to protect them

We as a community need to try and find ways to enable the network and clients to be more robust and more secure. Simply thinking that if the session is encrypted, then it is secure, is lacking. Threat actor groups and intrusion sets make good use of encrypted sessions, and if history is a guide, we can bet that all malware sites, phishing sites, droppers sites, and CnC sites will be fully encrypted with valid certs at some point in the near future. 

While some members of this community may philosophically not like network based protections or want all of the protections to reside on the client, it is not theirs to decide. Users, clients, organizations, businesses, grandmas, cats, and dogs should all have a choice of how they want to be protected. Further, the market should ultimately decide what solution or set of solutions is the best way to protect users; we just need to make sure the protocols work and are solid.

I would ask that we focus on figuring out how we can make things better for everyone. Just like we do not get to say in the HTTP WG that everyone should use HTTP and no other protocol should be worked on by the IETF, we cannot say that everyone should secure their networks the way I, you, or someone else secures their network. We design protocols, not policy or business plans.

Bret