Re: [Smart] [Secdispatch] New Version Notification for draft-lazanski-smart-users-internet-00.txt

Eliot Lear <lear@cisco.com> Mon, 15 July 2019 08:01 UTC

Cc: Melinda Shore <melinda.shore@nomountain.net>, secdispatch@ietf.org, smart@irtf.org
To: Bret Jordan <jordan.ietf@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/smart/vH0cnAxFIIR1GlLqSmp7hHBgkMo>

Hi Bret,

> 
> 1) Is the content or content provider that the user is going to compromised and trying to attack the endpoint?
> 2) Is the content provider that the user is going to a stage 2 delivery site?
> 3) Is the content provider that the user is going to the location for outbound malicious content (data exfiltration, CnC traffic)?
> 4) Is the content provider that the user is going to adversely tracking and monitoring everything the end client does, aka active surveillance versus passive surveillance?
> 5) Is the remote site that the user did not go to attacking the end point?

While we tend to think of endpoints as being equivalent in class, in which case your use of the term "content provider" would be somewhat redundant, from a scaling perspective I am far more concerned about unwatched, unmanaged endpoints than I am about content services. And again, to me it is a matter of what problems I think might be tractable.

Eliot