Re: [TLS] draft-green-tls-static-dh-in-tls13-01

"Roland Dobbins" <rdobbins@arbor.net> Fri, 14 July 2017 18:42 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Xhivc6PKV9jUcP4820aImLXP8ng>

On 15 Jul 2017, at 1:01, Melinda Shore wrote:

> It might make sense to kick it over to ops for a discussion with 
> people whose meat and potatoes is monitoring, management, and
> measurement.

As someone who is ops-focused, I think this is an excellent suggestion!

There have been several assertions posted to the list recently regarding 
various aspects of security and their intersection with encryption.  It 
may be useful to take a moment and clarify a few of them.

With regards to DDoS mitigation as it relates to encrypted attack 
traffic, only a subset of attacks in a subset of situations can actually 
be adequately mitigated without full visibility into (and often the 
ability to interact with) the traffic within the cryptostream.  There 
are various ways to approach this issue, including full session 
termination and 'transparent' detection/classification, the latter of 
which isn't of course feasible in a PFS scenario.  Each of these general 
approaches has its advantages and drawbacks.

Very specifically, fingerprints of encrypted streams are not in fact 
adequate for DDoS defense; again, they're only useful for a subset of 
attack types in a subset of situations.

In the case of detecting and classifying hostile activity within a given 
network - which isn't limited to malware spreading, but includes data 
extraction, attempts at unauthorized access, attempts at subverting 
additional devices, et al. - the same basic caveats apply.  It is not 
in fact possible to adequately detect and classify all, or even a large 
subset, of hostile network traffic without visibility into the 
cryptostream.  There are some gross behaviors which can be 
detected/classified whilst standing outside the tunnel, but assertions 
to the effect that all or most of what's required in this arena is 
possible without visibility (one way or another) into the relevant 
encrypted traffic are incorrect.

It's also important to understand that inserting proxies into multiple 
points of a network topology is not cost-free, nor an unalloyed good.  
It is impractical in many circumstances, and has highly unwelcome 
side-effects in many more, including a negative impact on reliability, 
performance, and availability, as well as broadening the potential 
attack surface.  Endpoint monitoring does not scale well, is often 
impossible to implement due to both technical and administrative 
challenges - and one can't really trust endpoints to self-report, 
anyways, as they can be subverted.

In many scenarios, one form or another of network-based visibility into 
encrypted traffic streams within the span of administrative control of a 
single organization is legitimate, vital and necessary.  It is not 
'wiretapping', any more than tools such as tcpdump or telemetry formats 
such as IPFIX and PSAMP can be categorized as 'wiretapping'.  The fact 
is, the availability, confidentiality, and integrity of systems, 
applications, and networks that everyone on this list relies upon is 
highly dependent upon the ability of organizations to have visibility 
into encrypted traffic streams within their own networks, for purposes 
of security as well as testing and troubleshooting.

How this can be accomplished is a matter for further discussion.  But 
it's important that everyone focused on this topic understands that it 
is simply not possible to successfully defend against many forms of DDoS 
attacks nor to detect and classify hostile network traffic in the 
context of encrypted communications without visibility into the traffic 
in question, via some mechanism.  The same goes for troubleshooting 
complex problems.

Those with operational experience at scale will likely recognize and 
acknowledge the difficulties and challenges noted above; others may wish 
to consider these factors and their impact on the operational community 
and the networks, services, and applications for which they are 
responsible, and upon which we all depend, every day.

-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
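As an added illustration of the distinction drawn above between the "gross behaviours" that flow telemetry (IPFIX-style records) can classify from outside the tunnel and the transfers that cannot be judged without visibility into the cryptostream; this is example code, not part of the original message, and the flow records and thresholds are constructed.

```python
from collections import defaultdict

# Constructed IPFIX-style flow records: (src, dst, dport, packets, bytes, duration_s).
# Three sources hammer one server with small packets; one host makes a large TLS upload.
FLOWS = [
    ("10.0.0.5",    "198.51.100.10", 443, 40,   52000,   12.0),  # ordinary browsing
    ("10.0.0.7",    "198.51.100.10", 443, 35,   48000,   9.5),
    ("10.0.0.9",    "198.51.100.10", 443, 3000, 180000,  1.0),   # 60-byte packets, 3000 pps
    ("10.0.0.9",    "198.51.100.10", 443, 2800, 168000,  1.0),
    ("203.0.113.4", "198.51.100.10", 443, 3100, 186000,  1.0),
    ("10.0.0.5",    "198.51.100.20", 443, 7000, 9000000, 30.0),  # large TLS transfer
]


def detect_floods(flows, pps_threshold=1000, max_pkt_bytes=100, min_sources=2):
    """Volumetric-flood heuristic on flow metadata alone: several sources
    sending small packets at a high rate towards one destination.
    No payload visibility is needed, which is the kind of gross behaviour
    that can be classified while standing outside the tunnel."""
    sources = defaultdict(set)
    for src, dst, dport, pkts, nbytes, dur in flows:
        if pkts / dur >= pps_threshold and nbytes / pkts <= max_pkt_bytes:
            sources[dst].add(src)
    return sorted(dst for dst, s in sources.items() if len(s) >= min_sources)


def needs_stream_visibility(flows, min_bytes=1_000_000, tls_port=443):
    """Flows the metadata cannot settle: a large TLS transfer may be a backup
    or data extraction, and only a mechanism with visibility into the
    cryptostream (session termination, endpoint telemetry, etc.) can tell.
    Returns the (src, dst) pairs that such a mechanism would have to cover."""
    return [(src, dst) for src, dst, dport, pkts, nbytes, dur in flows
            if dport == tls_port and nbytes >= min_bytes]


if __name__ == "__main__":
    print("flood targets:", detect_floods(FLOWS))
    print("needs in-stream inspection:", needs_stream_visibility(FLOWS))
```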