Re: [TLS] [OPSAWG] CALL FOR ADOPTION: draft-reddy-opsawg-mud-tls

Eliot Lear <lear@cisco.com> Wed, 23 September 2020 10:29 UTC

Return-Path: <lear@cisco.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FAAC3A0AFE; Wed, 23 Sep 2020 03:29:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.6
X-Spam-Level:
X-Spam-Status: No, score=-9.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FF-OK7Q4BToE; Wed, 23 Sep 2020 03:29:33 -0700 (PDT)
Received: from aer-iport-1.cisco.com (aer-iport-1.cisco.com [173.38.203.51]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 864DD3A0AF3; Wed, 23 Sep 2020 03:29:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3712; q=dns/txt; s=iport; t=1600856972; x=1602066572; h=from:message-id:mime-version:subject:date:in-reply-to:cc: to:references; bh=X2cuZLuS82pfHMBrUZI7EVRvZ+UITnp8BoWZMzBEJ/w=; b=WG7fzcK2FPZukNDBuI0qZODN5hPJXkS+bw1ZahFNoTJErNaDQdsS4/Fu c5bTTLZqYiBfSfw3MFjkhCai6k1goW0r6r8A0pe5TZu4vuSlUHcKJxN05 Ed2XeSXbd36iZQsTl2E4AxRH6/CK4+/aedxVeWPxYNSk7S7n5kdW92va7 E=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0CPCQAxImtf/xbLJq1gHAEBAQEBAQc?= =?us-ascii?q?BARIBAQQEAQFAgU8Cg20BIBIsjTyIGiaKDol6hh2BJANVCwEBAQ0BAS8EAQG?= =?us-ascii?q?ESwKCKyU6BA0CAwEBCwEBBQEBAQIBBgRthS8IMYVyAQEBAQIBHVwFCwsEFCc?= =?us-ascii?q?HISURBhODJoJMAw4gtTx0gTSFU4JiDYIkgTgBjUaCAIERJwwQgk0+ghqFbYI?= =?us-ascii?q?tBLZiUYJxgxOMOYV9hQgDFgmDDIl6hRGOcaBLjlaDXAIEBgUCFYFuCRc3gSA?= =?us-ascii?q?zGggbFWUBgj4+EhkNhRqXTj8DMDcCBgoBAQMJjl8BAQ?=
X-IronPort-AV: E=Sophos; i="5.77,293,1596499200"; d="scan'208,217"; a="29851786"
Received: from aer-iport-nat.cisco.com (HELO aer-core-1.cisco.com) ([173.38.203.22]) by aer-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 23 Sep 2020 10:29:28 +0000
Received: from [10.61.219.209] ([10.61.219.209]) by aer-core-1.cisco.com (8.15.2/8.15.2) with ESMTPS id 08NATPIc016072 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Wed, 23 Sep 2020 10:29:28 GMT
From: Eliot Lear <lear@cisco.com>
Message-Id: <E892B419-1A60-427F-9972-FB1FFA01291C@cisco.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_4811EA35-BC69-477E-A2D2-D6180CCCB308"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.1\))
Date: Wed, 23 Sep 2020 12:29:24 +0200
In-Reply-To: <CAFpG3gd9OTZexW9_XCmeO-2uBc8OcVx5HJzs1Qq-zR8zAbnmGg@mail.gmail.com>
Cc: Ben Schwartz <bemasc@google.com>, opsawg <opsawg@ietf.org>, "<tls@ietf.org>" <tls@ietf.org>
To: tirumal reddy <kondtir@gmail.com>
References: <21BA8D05-DD83-44DE-81B9-457692484CAD@cisco.com> <053b286e-4780-1818-a79d-71b9c967bbd2@sandelman.ca> <CAHbrMsANEA4omTm5dPYLN9zGde2YdT_71ujpBcCEer_xSkPhbw@mail.gmail.com> <CAFpG3gepojPJoK8W+o9Qr66gPSUqHY+sDX-v+-fuwcM9Y56C_g@mail.gmail.com> <20200911114054.184988dc@totoro.tlrmx.org> <FF4995F8-53F1-450B-A305-A095A7BAE057@cisco.com> <CAFpG3gcS951QfTZb+qFstjnBxfxP54B=VDSSPP3xyP3dtuabQg@mail.gmail.com> <CAHbrMsD5qj2ovcUVMRYStXN01RiX2RiJ+N8cakeGPH3wU2nqBQ@mail.gmail.com> <CAFpG3gd9OTZexW9_XCmeO-2uBc8OcVx5HJzs1Qq-zR8zAbnmGg@mail.gmail.com>
X-Mailer: Apple Mail (2.3608.120.23.2.1)
X-Outbound-SMTP-Client: 10.61.219.209, [10.61.219.209]
X-Outbound-Node: aer-core-1.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/FDLpLF7hmAGp9eh_1hvXmCoC_Ow>
Subject: Re: [TLS] [OPSAWG] CALL FOR ADOPTION: draft-reddy-opsawg-mud-tls
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Sep 2020 10:29:34 -0000

Tiru

> On 23 Sep 2020, at 11:50, tirumal reddy <kondtir@gmail.com> wrote:
> 
> Hi Ben,
> 
> Please see inline 
> 
> On Tue, 22 Sep 2020 at 20:45, Ben Schwartz <bemasc@google.com <mailto:bemasc@google.com>> wrote:
> I'm not able to understand the new text in Section 6.  Are you saying that clients MUST include all the listed extensions/features, but MAY also include extensions/features not listed in the MUD profile?  So the MUD profile only acts as a "minimum" set of features?
> 
> Section 6 discusses the firewall behaviour when it sees a) known extensions/features in a TLS session but not specified in the MUD profile b) unknown extensions/features in a TLS session either specified or not specified in the MUD profile c) updated MUD profile specifying extensions/features  not supported by the firewall.
> 

I think it would be good to step through a couple of example extensions that could be viewed both separately and together, and what the order of operations would look like in each case.

Eliot