IETF Logo Mail Archive

Re: [TLS] [OPSAWG] CALL FOR ADOPTION: draft-reddy-opsawg-mud-tls

Eric Rescorla <ekr@rtfm.com> Sat, 19 September 2020 22:36 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3195B3A07B3 for <tls@ietfa.amsl.com>; Sat, 19 Sep 2020 15:36:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L6w9KlRSWq11 for <tls@ietfa.amsl.com>; Sat, 19 Sep 2020 15:36:30 -0700 (PDT)
Received: from mail-lj1-x233.google.com (mail-lj1-x233.google.com [IPv6:2a00:1450:4864:20::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD3653A07CE for <tls@ietf.org>; Sat, 19 Sep 2020 15:36:29 -0700 (PDT)
Received: by mail-lj1-x233.google.com with SMTP id a15so8010386ljk.2 for <tls@ietf.org>; Sat, 19 Sep 2020 15:36:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=JDufI6JPyzXFXyHM+iHDGT4JqFFOS1BTIjhbJQ9UFts=; b=s4TOu10GeENkViBlO8eZzs/dWVv9BKUZpGbEix4PSByfQ8UAB4r1Nj2Lb/LSfcwyA9 XPK1lVwT51JMAMM9LW8PT8OLuD4+n+Pbe73k1opXsFh4wl3DCbvD1dQAE47HwKVj5evr zTK/YCWwgW91hGL7+qQGS3ZB3cY9EmTeHYDkTttLJl2ALS52GLfYdp2FQaWVgn/GB026 wsBbnvmQXKPheaeD1jKBPos0FOXIQW0FaMx9FOkBPixEciDLzgMk9WrXngKrpJuLaYMx enG9PFm2SY7VhPXaRCbPj8+mnl1ODwzZG8eHV5YqX8XhGBAeVXwEMXZJ//qGOyedq1M7 Zl5Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=JDufI6JPyzXFXyHM+iHDGT4JqFFOS1BTIjhbJQ9UFts=; b=pD4/8G1oqWpvBxmpsSJBJQVnumc/ooNFcr2JsjOcqGp5nVZgizI3DIMEIQSeXeAdul CCgCZt9yV5IaZKVEkMlWxJlOjyJ1hJLMJTILvIv+ebobVWC7w+kYKN4HAj1y74m6qp3T EmLm3uKRQY+t9Q0xtaLrcw8zskqj7gTuvmjBsDm/t3nvnONbsAMbzfFiJL1EY9ErAXTI 7Mhyda0oSQ2scGMduKCHi8Bl2anMW4ourea3ndGjKwiepdq2+1kghHZXS8xwgrPZXbpC cVZtl4j4LUylkJNAsGKEwnnMXeZ7aH50pZvXHUzoVRLmlqdRVDds2bdgYFmJadZpYjy4 rSPw==
X-Gm-Message-State: AOAM5319YjWyWtarf5q98OqO71Q9SVNerxtzPi5kAtFJiNOabHnoKlcd pkGeyrbz2Yqm3ucP9MPUbuQV443v5N/04FwoVtnfxlx4suJXRg==
X-Google-Smtp-Source: ABdhPJxzf1iUzcCjBAW+H8BZWQI/L0K/JHROxMDMPUsuAoTWuIaZ8ptGchw7fYP15xC/SLy1OsgR+krxrfsZhSZn7s0=
X-Received: by 2002:a2e:8114:: with SMTP id d20mr13060425ljg.409.1600554988045; Sat, 19 Sep 2020 15:36:28 -0700 (PDT)
MIME-Version: 1.0
References: <21BA8D05-DD83-44DE-81B9-457692484CAD@cisco.com> <053b286e-4780-1818-a79d-71b9c967bbd2@sandelman.ca> <CAHbrMsANEA4omTm5dPYLN9zGde2YdT_71ujpBcCEer_xSkPhbw@mail.gmail.com> <CAFpG3gepojPJoK8W+o9Qr66gPSUqHY+sDX-v+-fuwcM9Y56C_g@mail.gmail.com> <20200911114054.184988dc@totoro.tlrmx.org> <CAFpG3gdRUAAYmvV1+m=+4_0GUd_SDS0hZHhpSXa2qQ6Civtf-g@mail.gmail.com> <CAHbrMsD=BOxYLaJyOkv-t9p+Cm4cEpOui7sQdL9Mmfi=Ufh3mA@mail.gmail.com> <7207C73E-FB80-4BD3-AE68-627355B10708@cisco.com> <CAHbrMsBLrGsg+beMhNadqs+QC9icOsGLxLJYGghEg339=c0b0Q@mail.gmail.com> <5F503ED8-38B0-414A-906A-FE8DCF94AC92@cisco.com> <CAFpG3gdcy2Drm+7j6M_oSfuG5VRH5qE+0nY8joZG3g9yszKf2Q@mail.gmail.com> <CAHbrMsBOhZ+sMxM3KJYT=OkZGzp_1GipkFpwxLKVBckXhDRt2Q@mail.gmail.com> <FFAAF9F3-CAB7-4AC1-A15B-4AF58345331D@cisco.com> <CACsn0cnphGR2dgLcUjWLDs+PvRjmF-7JA7JGjhambArOQGUC2w@mail.gmail.com> <CACdeXiLb8exX-x1RrqJFVNEf1Fck9_nwy48Ywigv2j9ifrxKiA@mail.gmail.com> <CAFpG3gedM=ZqjxGtQ6g64n99Ke21jc2aG5Nh3WmJnQhEYq0DSg@mail.gmail.com> <107735.1600467171@dooku> <CABcZeBP_yYdKvvt5ry3w0RRQzNpj2PKGrmzPW0a2zVWSygUzhw@mail.gmail.com> <15520.1600553270@localhost>
In-Reply-To: <15520.1600553270@localhost>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sat, 19 Sep 2020 15:35:51 -0700
Message-ID: <CABcZeBM=g_eitJL2UnTEHiiini5OhftaSQnAeDxt5WWt89-a6g@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: "<tls@ietf.org>" <tls@ietf.org>, opsawg <opsawg@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000819c2105afb23fac"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Z4-sQ-zm9acSX63A1TR-X6CC3t0>
Subject: Re: [TLS] [OPSAWG] CALL FOR ADOPTION: draft-reddy-opsawg-mud-tls
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Sep 2020 22:36:32 -0000

On Sat, Sep 19, 2020 at 3:07 PM Michael Richardson <mcr+ietf@sandelman.ca>
wrote:

>
> Eric Rescorla <ekr@rtfm.com> wrote:
>     ekr> As a thought example, consider a hypothetical TLS 1.4 which
> decided to
>     ekr> adopt QUIC-style obfuscation of the CH and SH, putting the
> obfuscated
>     ekr> CH/SH in extensions in a stereotyped outer CH/SH. The system
> described
>     ekr> here would be unable to do anything useful with that, which
> creates
>     ekr> pressure to block TLS 1.4 entirely, which obviously is not
> awesome.
>     >>
>     >> I believe that without a mechanism described in this document, many
>     >> enterprises may conclude that they need to block TLS 1.3.
>     >>
>
>     > Perhaps you mean some hypothetical TLS 1.4?
>
> No, I do mean 1.3.   Many enterprises still think that they can stop it.
> Are they winning? probably not.
>

Can you say more about this? While during previous transitions clients
would "fall back" to lower versions of TLS, both Chrome and Firefox (and I
imagine Edge and Safari but I have less information) do not do so. As a
result any middlebox which blocks 1.3 will effectively cause failures on
any site which offers 1.3, which seems like it would cause a lot of
problems.


>     >> The idea of having a WASM file is an
>     >> interesting one, but being an executable of a sort, it has other
> security
>     >> problems.
>
>     > Well, one always has to worry about the security of processing data
> one
>     > receives from the network, but I'm not sure that the distinction
> between
>     > the kind of DSL we're talking about here and an executable is really
> that
>     > sharp. The argument for WASM or something like it is that there has
>
> Such as DSL would have to limit the number of cycles it is allowed to
> consume, otherwise the middle box might have to solve the halting problem
> :-)
> BPF could be another model.
>

Agreed. I know BPF less well but my understanding is that it has gotten
quite powerful.

-Ekr

v2.23.0 | Report a Bug | By Email