Re: [saag] [tsvwg] Fwd: Last Call: <draft-ietf-tsvwg-transport-encrypt-19.txt> (Considerations around Transport Header Confidentiality, Network Operations, and the Evolution of Internet Transport Protocols) to Informational RFC
"C. M. Heard" <heard@pobox.com> Thu, 11 February 2021 19:11 UTC
From: "C. M. Heard" <heard@pobox.com>
Date: Thu, 11 Feb 2021 11:10:42 -0800
To: Fernando Gont <fgont@si6networks.com>
Cc: Tom Herbert <tom@herbertland.com>, Gorry Fairhurst <gorry@erg.abdn.ac.uk>,
"tsvwg@ietf.org" <tsvwg@ietf.org>, Benjamin Kaduk <kaduk@mit.edu>,
"saag@ietf.org" <saag@ietf.org>, Fernando Gont <fernando@gont.com.ar>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/jwYc8p10WISMMe07fTGUTw5UkEE>
On Thu, Feb 11, 2021 at 10:41 AM Fernando Gont <fgont@si6networks.com> wrote:
>
> On 11/2/21 15:18, Tom Herbert wrote:
> [...]
> >
> > When the transport layer is encrypted, network devices would only see
> > the plaintext EH and that is only what they can act on.
> > At the destination, we could try to rectify transport information in
> > HBH with decrypted plaintext transport headers, but I suspect that
> > wouldn't typically be done. The HBH information is only operationally
> > useful to the network, not the transport endpoints that have access to
> > the transport header.
>
> Then this is what an attacker would do:
> He/she would advertise on a HBH option something that looks sensible to
> the guy enforcing a network-based security policy, and then at transport
> would do what he/she needs to do. :-)
>
>
> e.g., HBH could advertise that my packets are directed to ports 80/443,
> while in transport they are actually directed to port, say, 22.

Wasn't this the sort of problem that AH was intended to solve?

Mike Heard
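As an added illustration (not code from this thread or from any implementation), here is the destination-side consistency check that Tom says "wouldn't typically be done": after decryption, compare the ports a Hop-by-Hop option advertises against the ports in the real transport header and flag the mismatch Fernando describes. The HBH option type `OPT_ADVERTISED_PORTS` is a hypothetical, unregistered value constructed for this example, and the packets are built inline.

```python
import struct

# Hypothetical HBH option carrying "advertised" src/dst ports. Not an IANA-registered
# option; constructed for this example. High bits 00 => "skip if unknown".
OPT_ADVERTISED_PORTS = 0x3E
IPPROTO_HOPOPTS, IPPROTO_TCP, IPPROTO_UDP = 0, 6, 17


def parse_hbh_options(pkt, offset):
    """Walk a Hop-by-Hop header; return (next_header, {type: data}, offset_after)."""
    nh, ext_len = pkt[offset], pkt[offset + 1]
    end = offset + (ext_len + 1) * 8          # length field counts 8-octet units minus 1
    opts, pos = {}, offset + 2
    while pos < end:
        t = pkt[pos]
        if t == 0:                             # Pad1 has no length byte
            pos += 1
            continue
        length = pkt[pos + 1]
        if t != 1:                             # skip PadN, record everything else
            opts[t] = bytes(pkt[pos + 2:pos + 2 + length])
        pos += 2 + length
    return nh, opts, end


def check_hbh_ports(pkt):
    """Endpoint check: does the HBH-advertised port pair match the transport header?

    Returns 'consistent', 'mismatch', or 'no-claim'. Assumes the transport header
    is already plaintext (i.e. this runs at the destination after decryption)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, opts = pkt[6], 40, {}
    if nh == IPPROTO_HOPOPTS:
        nh, opts, off = parse_hbh_options(pkt, off)
    claim = opts.get(OPT_ADVERTISED_PORTS)
    if nh not in (IPPROTO_TCP, IPPROTO_UDP) or claim is None or len(claim) != 4:
        return "no-claim"
    real = struct.unpack_from("!HH", pkt, off)  # TCP and UDP both start with src, dst port
    return "consistent" if struct.unpack("!HH", claim) == real else "mismatch"


def build_packet(adv_ports, real_ports):
    """Constructed sample: IPv6 + HBH(advertised-ports option) + minimal TCP header."""
    opt = struct.pack("!BBHH", OPT_ADVERTISED_PORTS, 4, *adv_ports)      # 6 octets
    hbh = bytes([IPPROTO_TCP, 0]) + opt                                   # 8 octets total
    tcp = struct.pack("!HHIIBBHHH", *real_ports, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip6 = struct.pack("!IHBB", 6 << 28, len(hbh) + len(tcp), IPPROTO_HOPOPTS, 64)
    return ip6 + bytes(32) + hbh + tcp         # zeroed src/dst addresses
```

A network device that enforces policy only on the HBH claim would pass the second packet below as "443"; only the endpoint comparison reveals that the transport destination is actually 22.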