Re: [saag] draft-mm-wg-effect-encrypt-03

<nalini.elkins@insidethestack.com> Thu, 13 October 2016 12:28 UTC

Date: Thu, 13 Oct 2016 12:28:03 +0000
From: nalini.elkins@insidethestack.com
To: "saag@ietf.org" <saag@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/0-0XEt7NLL5R_RzZMXNbtWkNKY0>
Cc: "MORTON ALFRED C (AL)" <acmorton@att.com>
Subject: Re: [saag] draft-mm-wg-effect-encrypt-03

Kathleen and Al,

The "Effect of Ubiquitous Encryption" draft is an excellent summary of the impact on operations and network management posed by the changes to the security environment.
Great work, guys!!!

I wanted to comment on a few things as far as they impact private enterprises.

1. In the Abstract: we may want to remind the reader that network management includes troubleshooting because a number of changes will need to be made in how troubleshooting is done.  I would suggest the following:

Old: This draft includes a collection of current security and network management functions that may be impacted by this shift to increased use of encryption.

New: This draft includes a collection of current security and network management (including troubleshooting) functions that may be impacted by this shift to increased use of encryption.

2.  At the end of section 1, we might want to add that private enterprises are also considered.

Suggested words:

"We will also consider the situation of the private enterprise, where IP packet transport, applications, and infrastructure are privately owned and contained within or interconnect private data centers."

3.  Then, I would suggest replacing Sections 4 and 4.1 of the draft in its entirety with the words below:

********************************************

4.  Encryption for Enterprise Users

Encryption of network traffic within the private enterprise is a growing trend, particularly in industries with audit and regulatory requirements. Some enterprise internal networks are almost completely TLS and/or IPsec encrypted.

For each type of monitoring, different techniques and parts of the data stream may be necessary.  As we transition to an increased use of encryption that is increasingly harder to break, alternate methods of monitoring for operational purposes may be necessary to prevent the need to break encryption and thus privacy of users (which may not apply in a corporate setting by policy).

4.1.  Monitoring Needs of the Enterprise

Large corporate enterprises are the owners of the platforms, data, and network infrastructure that provide critical business services to their user communities.  As such, these enterprises are responsible for all aspects of the performance, availability, security, and quality of experience for all user sessions. These responsibilities break down into three basic areas:

          1. Security Monitoring and Control
          2. Application Performance Monitoring and Reporting
          3. Network Diagnostics and Troubleshooting

In each of the above areas, technical support teams utilize collection, monitoring, and diagnostic systems that in some organizations currently use static RSA private keys to decrypt passively monitored copies of encrypted TLS packet streams.

To an enterprise (and the customers that it serves), the cost of network and/or application down time can be great.  The focus of enterprises in their private data centers is to deliver expected levels of service, performance, protection, and availability.

4.1.1 Security Monitoring in the Enterprise

Enterprise Security Monitoring breaks down into the following areas:

1.  Data Loss Prevention - intercept outbound session traffic to monitor for intellectual property leakage (by users or more likely these days through malware and trojans),

2.  Intrusion Detection/Intrusion Prevention - detect viruses/malware entering the network via email or web traffic,

3.  Malware Detection - detect malware/Trojans in action, possibly connecting to remote hosts,

4.  Security Analytics - detect attacks (cross-site scripting and other common web-related attacks),

5.  Track misuse and abuse by employees,

6.  Restrict the types of protocols permitted to/from the corporate environment,

7.  DDoS Prevention - detect and defend against Internet DDoS attacks, including both volumetric and layer 7 attacks.

A significant portion of malware hides its activity within TLS or other encrypted protocols.  This includes lateral movement, Command and Control, and Data Exfiltration.  These functions are critical to security and fraud monitoring.

To an enterprise (and the customers that it serves), the cost of network and/or application down time can be great.  The focus of enterprises in their private data centers is to deliver expected levels of service, performance, protection, and availability. AND this can be accomplished using some form of traffic analysis sometimes including examination of the payload.

4.1.2 Application Performance Monitoring in the Enterprise

1.  Assess traffic volume on a per-application basis, for billing, capacity planning, optimization of geographical location for servers or proxies, and other needs,

2.  Assess performance in terms of application response time and user-perceived response time,

Network-based Application Performance Monitoring tracks application response time by user and by URL, which is the information that the application owners and the lines of business need. Content Delivery Networks (CDNs) add complexity in determining the ultimate endpoint destination.  By their very nature, such information is obscured by CDNs and encrypted protocols -- adding a new challenge for troubleshooting network and application problems. URL identification allows the application support team to do granular, code level troubleshooting at multiple tiers of an application.

New methodologies to monitor user-perceived response time and to separate network from server time are evolving.  For example, the IPv6 Destination Option implementation of Performance and Diagnostic Metrics (PDM) will provide this. [draft-ietf-ippm-6man-pdm-option-06]

4.1.3 Enterprise Network Diagnostics and Troubleshooting

One primary key to network troubleshooting is the ability to follow a transaction through the various tiers of an application in order to isolate the fault domain.  A variety of factors relating to the structure of the modern data center and the modern multi-tiered application have made it impossible to follow a transaction in network traces without the ability to examine some of the packet payload.

4.1.3.1 NAT

Content Delivery Networks (CDNs) and NATs obscure the ultimate endpoint destination.  Troubleshooting a problem for a specific end user requires finding information such as the IP address and other identifying information so that their problem can be resolved in a timely manner.

NAT is also frequently used by lower layers of the data center infrastructure.  Firewalls, Load Balancers, Web Servers, App Servers, and Middleware servers all regularly NAT the source IP of packets. Combine this with the fact that users are often sprayed randomly by load balancers to all these devices, and the network troubleshooter is often left with no option in today's environment except to trace all packets at a particular layer, decrypt them all, and look at the payload to find a user session.

This kind of bulk packet capture and bulk decryption is frequently required when troubleshooting a large and complex application. Endpoints typically don't have the capacity to handle this level of network packet capture, so out-of-band networks of robust packet brokers and network sniffers, which depend on static RSA private keys, have evolved to fill this need.

4.1.3.2 TCP Pipelining/Session Multiplexing

When TCP Pipelining/Session Multiplexing is used, usually by middleboxes today, multiple end user sessions share the same TCP connection.  Today's network troubleshooter often relies upon session decryption to tell which packet belongs to which end user.

With the advent of HTTP/2, session multiplexing will be used ubiquitously, both on the Internet and in the private data center.

4.1.3.3 HTTP Service Calls

When an application server makes an HTTP service call to back end services on behalf of a user session, it uses a completely different URL and a completely different TCP connection.  It must be possible to match up the user request above with the HTTP service call below.  Today, this is done by decrypting the TLS packet and inspecting the payload.

4.1.3.4 Application Layer Data

Modern applications often use XML structures in the payload of the data to store application level information.  When the network and application teams must work together, each has a different view of the transaction failure. It is important to be able to correlate the network packet with the actual problem experienced by an application.

Thanks,

Nalini Elkins
Inside Products, Inc.
www.insidethestack.com
(831) 659-8360