Re: [TLS] OpSec WGLC for draft-ietf-opsec-ns-impact

"Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com> Mon, 26 October 2020 02:57 UTC

From: "Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com>
To: Nick Lamb <njl@tlrmx.org>, Roelof DuToit <r@nerd.ninja>
CC: "opsec@ietf.org" <opsec@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Date: Mon, 26 Oct 2020 02:55:52 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/cahPRxzbkRb2gbCPzLCd-2JdW3g>

Hi Nick and EKR,
Please see below:

On 8/20/20, 4:40 PM, "Nick Lamb" <njl@tlrmx.org> wrote:

    On Thu, 20 Aug 2020 09:58:58 -0400
    Roelof DuToit <r@nerd.ninja> wrote:
    
    > As co-author I am not a proponent of passive TLS inspection - not
    > least because of the ossification implications.  It cannot be labeled
    > as ineffective though (see further comments below), even if the
    > document strongly hints at not using passive TLS inspection in a
    > post-TLS-1.2 world.
    
    Mostly I endorse Ekr's comment that a document like this should
    actually spell out any convolutions and conditions necessary to the
    effective use of passive inspection. I would try to find time to
    examine a revised document that did this.
[NCW] The specific conditions are more deployment- and vendor-specific and proprietary, so it'd be difficult to enumerate them (and enumerate them all), which we also believe is out of scope for the document. I did add a paragraph to state that, as well as that we (the authors) are not proponents of these techniques, but as it had been asked how the deployments 'inspect', we thought it important to document the most common known practices. Please look over the updates and see if that clarifies intent.
    
    But I do want to address one such in particular now:
    
    > 1. Policy-based control over the use of RSA key exchange.  It should
    > not be allowed.
    
    Qualys estimates that when TLS 1.3 was finalised RSA was required for
    about 5.7% of web sites (it had been larger previously). That's a
    pretty huge caveat.
    
    The same document we're discussing, draft-ietf-opsec-ns-impact-02
    actually several times relies upon RSA key exchange (in section 5.3) for
    methods it says will now be impacted by TLS 1.3 because that doesn't
    allow RSA key exchange.
    
    As written there's no problem, but it seems to me that if you add a
    condition saying to disallow RSA key exchange in section 5.1, this has
    the effect of implicitly rebuking this approach from section 5.3.
    
    That would be a little bit silly in a single document but it's even
    sillier when you recall that actually products in this space straddle
    both categories.
[NCW] Right, our intent was not to prescribe what should or should not be done, but rather educate as to what is being done in practice today.
    
    Nick.