IETF Logo Mail Archive

[saag] feedback for draft-mm-wg-effect-encrypt

"Smith, Kevin, (R&D) Vodafone Group" <Kevin.Smith@vodafone.com> Thu, 08 October 2015 15:37 UTC

Return-Path: <Kevin.Smith@vodafone.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0BE7E1A9076 for <saag@ietfa.amsl.com>; Thu, 8 Oct 2015 08:37:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.001
X-Spam-Level:
X-Spam-Status: No, score=-0.001 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SnIIyjlyMMmf for <saag@ietfa.amsl.com>; Thu, 8 Oct 2015 08:37:44 -0700 (PDT)
Received: from mail1.bemta5.messagelabs.com (mail1.bemta5.messagelabs.com [195.245.231.148]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 68E891A9072 for <saag@ietf.org>; Thu, 8 Oct 2015 08:37:44 -0700 (PDT)
Received: from [85.158.139.163] by server-12.bemta-5.messagelabs.com id 90/71-19220-6CD86165; Thu, 08 Oct 2015 15:37:42 +0000
X-Env-Sender: Kevin.Smith@vodafone.com
X-Msg-Ref: server-7.tower-188.messagelabs.com!1444318661!22251897!1
X-Originating-IP: [195.232.244.136]
X-StarScan-Received:
X-StarScan-Version: 6.13.16; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 27477 invoked from network); 8 Oct 2015 15:37:41 -0000
Received: from mailout04.vodafone.com (HELO mailout04.vodafone.com) (195.232.244.136) by server-7.tower-188.messagelabs.com with DHE-RSA-AES256-SHA encrypted SMTP; 8 Oct 2015 15:37:41 -0000
Received: from mailint03.vodafone.com (mailint03.vodafone.com [195.232.244.200]) by mailout04.vodafone.com (Postfix) with ESMTP id 3nWxVs46P6znTYX for <saag@ietf.org>; Thu, 8 Oct 2015 17:37:41 +0200 (CEST)
Received: from mailint03.vodafone.com (localhost [127.0.0.1]) by mailint03.vodafone.com (Postfix) with ESMTP id 3nWxVs396xz16J9f for <saag@ietf.org>; Thu, 8 Oct 2015 17:37:41 +0200 (CEST)
Received: from VOEXC02W.internal.vodafone.com (voexc02w.dc-ratingen.de [145.230.101.22]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by mailint03.vodafone.com (Postfix) with ESMTPS id 3nWxVs369Xz16J5c for <saag@ietf.org>; Thu, 8 Oct 2015 17:37:41 +0200 (CEST)
Received: from VOEXM18W.internal.vodafone.com ([169.254.2.125]) by VOEXC02W.internal.vodafone.com ([145.230.101.22]) with mapi id 14.03.0224.002; Thu, 8 Oct 2015 17:37:41 +0200
From: "Smith, Kevin, (R&D) Vodafone Group" <Kevin.Smith@vodafone.com>
To: "saag@ietf.org" <saag@ietf.org>
Thread-Topic: [saag] feedback for draft-mm-wg-effect-encrypt
Thread-Index: AdEB3L2IVB4bc+CARb+CJn/cEegD/Q==
Date: Thu, 08 Oct 2015 15:37:39 +0000
Message-ID: <A4BAAB326B17CE40B45830B745F70F10A7B24477@VOEXM18W.internal.vodafone.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/cF76rY_ODsvT72xpIGYqhziZ300>
Subject: [saag] feedback for draft-mm-wg-effect-encrypt
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Oct 2015 15:37:47 -0000

Hi Kathleen,

As discussed at MaRNEW[1] , here are two sections of draft-smith-encrypted-traffic-management-03[2] which can be added to 'Effect of Ubiquitous Encryption' [3] . Once agreed,  I can remove the same text from [2] and simply point to the relevant section in [3]; and hence [2] will focus on solutions to persist traffic management for encrypted traffic (whilst maintaining privacy/security). 

Many thanks
Kevin

[1] https://www.iab.org/activities/workshops/marnew/ 
[2] http://tools.ietf.org/html/draft-smith-encrypted-traffic-management-03 
[3] https://datatracker.ietf.org/doc/draft-mm-wg-effect-encrypt/ 

---------------------------------------------------------------------------
Additions for draft-mm-wg-effect-encrypt
---------------------------------------------------------------------------
{for section 2.1: new sub-section}

Access and policy enforcement

   Server load balancing

   Where network load balancers have been configured to route according
   to application-layer semantics, an encrypted payload is effectively
   invisible. This has resulted in practices of intercepting TLS in front
   of load balancers to regain that visibility, but at a cost to
   security and privacy.

   Network access

   Approved access to a network is a prerequisite to requests for
   Internet traffic - hence network access, including any authentication
   and authorisation, is not impacted encryption. 

   Cellular networks often sell tariffs that allow free-data access to
   certain sites, known as 'zero rating'.  A session to visit such a
   site incurs no additional cost or data usage to the user. This feature
   may be impacted if encryption hides the domain from the network.   

   Regulation and policy enforcement
   
   Mobile networks (and usually ISPs) operate under the regulations of their 
   licencing government authority. These regulations include Lawful Intercept, 
   adherence to Codes of Practice on content filtering, and application of court order filters.  
   These functions are impacted by encryption, typically
   by allowing a less granular means of implementation.  The enforcement
   of any Net Neutrality regulations is unlikely to be affected by
   content being encrypted.

   SPAM and malware filtering

   This has typically required full access to application data to filter
   various keywords, fraudulent headers and virus attachments.
   
   
  {New top level section} 
  
  Flow information visible to a network

   IP 5-tuple

   This indicates source and destination IP addresses/ports and the
   transport protocol.  This information is available during TLS, TCP-
   layer encryption (except ports), and IP-layer encryption (IPSec);
   although it may be obscured in Tunnel mode IPSec.

   This allows network management at a coarse IP-source level, which
   makes it of limited value where the origin server supports a blend of
   service types.

   TLS Server Name Indication

   When initiating the TLS handshake, the Client may provide an
   extension field (server_name) which indicates the server to which it
   is attempting a secure connection.  TLS SNI was standardized in 2003
   to enable servers to present the "correct TLS certificate" to clients
   in a deployment of multiple virtual servers hosted by the same server
   infrastructure and IP-address.  Although this is an optional
   extension, it is today supported by all modern browsers, web servers
   and developer libraries.  Notable exceptions are Android 2.2 and
   Internet Explorer 6 on Windows XP.  It should be noted that HTTP/2
   introduces the Alt-SVC method for upgrading the connection from
   HTTP/1 to either unencrypted or encrypted HTTP/2.  If the initial
   HTTP/1 request is unencrypted, the destination alternate service name
   can be identified before the communication is potentially upgraded to
   encrypted HTTP/2 transport.  HTTP/2 implementations MUST support the
   Server Name Indication (SNI) extension.

   This information is only visible if the client is populating the
   Server Name Indication extension.  This need not be done, but may be
   done as per TLS standard.  Therefore, even if existing network
   filters look out for seeing a Server Name Indication extension, they
   may not find one.  The per-domain nature of SNI may not reveal the
   specific service or media type being accessed, especially where the
   domain is of a provider offering a range of email, video, Web pages
   etc.  For example, certain blog or social network feeds may be deemed
   'adult content', but the Server Name Indication will only indicate
   the server domain rather than a URL path to be blocked.

   Application Layer Protocol Negotiation (ALPN)

   ALPN is a TLS extension which may be used to indicate the application
   protocol within the TLS session.  This is likely to be of more value
   to the network where it indicates a protocol dedicated to a
   particular traffic type (such as video streaming) rather than a
   multi-use protocol.  ALPN is used as part of HTTP/2 'h2', but will
   not indicate the traffic types which may make up streams within an
   HTTP/2 multiplex.
  
   Content length, bitrate and pacing
   
   The content length of encrypted traffic is effectively the same as 
   the cleartext. Although block ciphers utilise padding this makes a 
   negligible difference. Bitrate and pacing are generally application
   specific, and do not change when the content is encrypted. Multiplexed 
   formats (such as HTTP/2 and QUIC) may however incorporate several application streams
   over one connection, which makes the bitrate/pacing no longer application-specific.

v2.23.0 | Report a Bug | By Email