IETF Logo Mail Archive

Re: [saag] [tsvwg] Fwd: Last Call: <draft-ietf-tsvwg-transport-encrypt-19.txt> (Considerations around Transport Header Confidentiality, Network Operations, and the Evolution of Internet Transport Protocols) to Informational RFC

Michael Richardson <mcr@sandelman.ca> Thu, 11 February 2021 21:44 UTC

Return-Path: <mcr@sandelman.ca>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B4C83A0BF5; Thu, 11 Feb 2021 13:44:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3U2iz3kT6BWK; Thu, 11 Feb 2021 13:44:33 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 269883A0BF1; Thu, 11 Feb 2021 13:44:33 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 5237438A16; Thu, 11 Feb 2021 16:47:54 -0500 (EST)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id qP8YqVGsDZVG; Thu, 11 Feb 2021 16:47:53 -0500 (EST)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id BEEDE38A15; Thu, 11 Feb 2021 16:47:53 -0500 (EST)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 98CE2320; Thu, 11 Feb 2021 16:44:30 -0500 (EST)
From: Michael Richardson <mcr@sandelman.ca>
To: Fernando Gont <fgont@si6networks.com>, "tsvwg@ietf.org" <tsvwg@ietf.org>, "saag@ietf.org" <saag@ietf.org>
In-Reply-To: <1005a57d-d24b-a71e-e977-2be84ad63695@si6networks.com>
References: <161257199785.16601.5458969087152796022@ietfa.amsl.com> <20210210062551.GI21@kduck.mit.edu> <f1a1aaef-5400-89ca-fe26-786686800036@gont.com.ar> <MN2PR19MB4045B25A78B3C0841CC8EAFE838D9@MN2PR19MB4045.namprd19.prod.outlook.com> <2fb9d724-7f8a-93cd-9045-eb3852345a9e@erg.abdn.ac.uk> <1416490d-6532-59ce-e09f-388db716af8f@si6networks.com> <CALx6S35_Rb_vUyDddaiJtt2iT2Gvev=bLs7Rip8TQ8yZppMLDQ@mail.gmail.com> <1005a57d-d24b-a71e-e977-2be84ad63695@si6networks.com>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <3716.1613079870.1@localhost>
Content-Transfer-Encoding: quoted-printable
Date: Thu, 11 Feb 2021 16:44:30 -0500
Message-ID: <3717.1613079870@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/2Nhl8dlbyHVtblTa83HO3pEx5uY>
Subject: Re: [saag] [tsvwg] Fwd: Last Call: <draft-ietf-tsvwg-transport-encrypt-19.txt> (Considerations around Transport Header Confidentiality, Network Operations, and the Evolution of Internet Transport Protocols) to Informational RFC
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Feb 2021 21:44:36 -0000

Fernando Gont <fgont@si6networks.com> wrote:
    >> When the transport layer is encrypted, network devices would only see
    >> the plaintext EH and that is only what that is what they can act on.
    >> At the destination, we could try to rectify transport information in
    >> HBH with decrypted plaintext transport headers, but I suspect that
    >> wouldn't typically be done. The HBH information is only operationally
    >> useful to the network, not the transport endpoints that have access to
    >> the transport header.

    > Then this is what an attacker would do: He/she would advertise on a HBH
    > option something that looks sensible to the guy enforcing a
    > network-based security policy, and then at transport would do what
    > he/she needs to do. :-)

    > e.g., HBH could advertise that my packets are directed to ports 80/443,
    > while in transport they are actually directed to port, say, 22.

That's silly amount of subterfuge.
Since you have the cooperation of the target machine, just run SSH on port 443.
In fact,  https://packages.debian.org/buster/sslh  does this for you.

Network middle boxes need to get the *($%#$% out of transport protocols.
Back in 1996 (!) I explained how to have authorized audit boxes for IPsec
using securityhop-by-securityhop ESP and end-to-end AH.
It requires the blessing of the end points, and we regularly do way more
complex and stupider things in TLS today.
People thought my solution was crazy.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [

v2.23.0 | Report a Bug | By Email