IETF Logo Mail Archive

Re: [TLS] [OPSEC] Call For Adoption: draft-wang-opsec-tls-proxy-bp

Nick Harper <nharper@google.com> Mon, 27 July 2020 14:12 UTC

Return-Path: <nharper@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D0CF3A19BA for <tls@ietfa.amsl.com>; Mon, 27 Jul 2020 07:12:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Level:
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OQGCtqEAGGYk for <tls@ietfa.amsl.com>; Mon, 27 Jul 2020 07:12:08 -0700 (PDT)
Received: from mail-oo1-xc2c.google.com (mail-oo1-xc2c.google.com [IPv6:2607:f8b0:4864:20::c2c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 46B3B3A19B7 for <tls@ietf.org>; Mon, 27 Jul 2020 07:12:08 -0700 (PDT)
Received: by mail-oo1-xc2c.google.com with SMTP id z23so3168919ood.8 for <tls@ietf.org>; Mon, 27 Jul 2020 07:12:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=9ITzvljWIStBLwJHX9a3MQcJtkbNyykjDFLgKhZBY4o=; b=n5l6ZwwaNSOEmRVAHPd6agzakHFLLRPP2uuvSAKyO9OzR98E9tV5t/QhrUtbn/tcCh 40e74e8ff7JnVApt3V+mNC1Onmh7ciERjVfcesvgHntbK3V8E4IJNBqTI7PPLp88NGO4 dBd/ykd54nHP0N+OHHigzc4WgZaNCUGIx0dX2T8DlH7eFGEiGxojweXgAlEzsN4Je9O8 GLg/CV3+/MFM29Q/TeyxlLh6sSH5dfSneXOMn0hPw/rMjbWvVSBDYz5BvDebbO9vkSvv CXLrZkLHF2BxLozLtDUzMdJ0aNg4TbMxVrXH+CPzX82PsIPn0Lw9nRyx0hD3oweT0uAl ysUg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=9ITzvljWIStBLwJHX9a3MQcJtkbNyykjDFLgKhZBY4o=; b=PIaA4JNrTuiuJZtzwOz+8p+ZCyEGJr5OlY8b2eiHCMx0I2X9QcLie5QUmU7FUUrxDF N1rczRflgCELC57cu2bmoZ5LUqYOL0wnNKkH7qws+kM923Oz1Q2Thei2ojtiMdWY/ceA QZZOkScq436KcUmrgtlDXfGju8FGT9tVHsX5g/4boTM9gU88IggUA//rquB0Qs9Zu6x1 NfZhVMIYAzxnkJazK685UKu8T+3pkEAiEOeJAyDw9Dbpqa+sZnvUVHukxtf9nTe4EdjM T8syMdaBbs5sgAYX5rGLrrFIR33jCixRzdNEmjVMjQD2EfMWWpB1yzW5o1Mg/gHXbB3o 4yBQ==
X-Gm-Message-State: AOAM533srduJAF8Cgmxc/tHdGm5XNVUWZOr5/NA9YtHvBj+Rk1X/c5qs nXNxgzR5B2BSre5phHxYNJ9uQwmbbJBmbtC+dDm7ac1o
X-Google-Smtp-Source: ABdhPJx5tyrn4jOB+XQxXrvzzrMWVjWthykIvI6CNDBF5bmZems2ywOkn4PTf4mimYRvrGR99m3mfybbfo5OARnd/90=
X-Received: by 2002:a4a:9572:: with SMTP id n47mr13356536ooi.37.1595859126895; Mon, 27 Jul 2020 07:12:06 -0700 (PDT)
MIME-Version: 1.0
References: <DM6PR05MB634890A51C4AF3CB1A03DA0BAE7A0@DM6PR05MB6348.namprd05.prod.outlook.com> <CAFU7BAS=ymUPTAGB_fOSrHTG0OajV1n5M1-yOBWxvGam-a89AA@mail.gmail.com> <d9d6d8c2-3916-be28-d01f-f040a28ce361@cs.tcd.ie> <9F2FDA20-12AA-4523-905D-7C9380B7A390@ll.mit.edu> <43A56381-0BA8-4123-A2D5-950FD1EDFC86@cisco.com> <CAHbrMsC6AL=CrpponmJaab4DijY=mgqbUN6YFaC8eHYf-aeORQ@mail.gmail.com>
In-Reply-To: <CAHbrMsC6AL=CrpponmJaab4DijY=mgqbUN6YFaC8eHYf-aeORQ@mail.gmail.com>
From: Nick Harper <nharper@google.com>
Date: Mon, 27 Jul 2020 07:11:55 -0700
Message-ID: <CACdeXiL1J-WzZM4XAudRbz7NZWOCquH=SXZL9BkRLO3NpsfTTg@mail.gmail.com>
To: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>
Cc: "Nancy Cam-Winget (ncamwing)" <ncamwing=40cisco.com@dmarc.ietf.org>, Jen Linkova <furry13@gmail.com>, OPSEC <opsec@ietf.org>, "tls@ietf.org" <tls@ietf.org>, OpSec Chairs <opsec-chairs@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005f511d05ab6ce8fc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/hRcfHxrO4XXxFoVCiT9DFMyOXI8>
Subject: Re: [TLS] [OPSEC] Call For Adoption: draft-wang-opsec-tls-proxy-bp
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Jul 2020 14:12:11 -0000

As currently written, this draft has multiple problems.

Section 4 decides not to repeat the Protocol Invariants described in
section 9.3 of RFC 8446. However, further sections are written assuming
that a proxy acts in a way contrary to those Protocol Invariants. One such
example is section 4.2 in this draft. It describes how a proxy might
generate its list of cipher suites by modifying the client's list. A proxy
that copies the cipher suites from the client-initiated ClientHello into
its own ClientHello is violating the 1st and 3rd points of the TLS 1.3
Protocol Invariants. For a best practices document, I think it would be
reasonable to reiterate the Protocol Invariants.

In addition to reiterating the Protocol Invariants, it should also
summarize the advice from the cited papers SECURITY_IMPACT and
APPLIANCE_ANALYSIS. One of the problems pointed out by those papers is that
TLS proxies will make connections to a server that presents a certificate
the client wouldn't accept, but because of the proxy, the client isn't
aware of the certificate issues. I don't see this issue addressed at all in
the draft. (A similar issue with the server selecting a weak cipher suite
is possibly implied by section 4.2, but it is not spelled out well.)

If this draft is adopted, it needs to say the following things, which it
currently doesn't.

- When a TLS proxy generates its ClientHello, it should be created
independently from the client-initiated ClientHello. The proxy MAY choose
to omit fields from its ClientHello based on the client-initiated
ClientHello, but it MUST NOT add fields to its ClientHello based on the
client-initiated ClientHello. This is effectively a restatement of the 1st
(a client MUST support all parameters it sends) and 3rd (it MUST generate
its own ClientHello containing only parameters it understands) points of
the TLS 1.3 Protocol Invariants.

- If a proxy chooses to conditionally proxy TLS connections and needs more
information than what is contained in the client-initiated ClientHello,
then the only way to make that decision is to send its own ClientHello to
the server the client is connecting to and use information observed on that
connection to make the decision to proxy the pending connection.

- If a proxy chooses to not proxy some TLS connections, the proxy will fail
open. The only way to avoid failing open is to proxy all connections.

On Mon, Jul 27, 2020 at 6:31 AM Ben Schwartz <bemasc=
40google.com@dmarc.ietf.org> wrote:

> I'm concerned about this work happening outside the TLS working group.
> For example, the question of proper handling of TLS extensions is not
> addressed at all in this draft, and has significant security and
> functionality implications.  There are various other tricky protocol issues
> (e.g. version negotiation, TLS 1.3 record padding, TLS 1.3 0-RTT vs. TLS
> 1.2 False Start, round-trip deadlock when buffers fill, ticket (non-)reuse,
> client certificate linkability pre-TLS-1.3, implications of SAN scope of
> synthesized certificates) that could arise and are going to be difficult to
> get right in any other WG.
>
> The title "TLS Proxy Best Practice" implies that it is possible to proxy
> TLS correctly, and that this document is the main source for how to do it.
> I think the TLS WG is the right place to make those judgments..  For the
> OpSec group, I think a more appropriate draft would be something like "TLS
> Interception Pitfalls", documenting the operational experience on failure
> modes of TLS interception.
>
> On Mon, Jul 27, 2020 at 8:57 AM Nancy Cam-Winget (ncamwing) <ncamwing=
> 40cisco.com@dmarc.ietf.org> wrote:
>
>> The document is not imposing any standards but rather provide guidelines
>> for those implementing TLS proxies;  given that proxies will continue to
>> exist I'm not sure why there is a belief that the IETF should ignore this.
>>
>> Warm regards, Nancy
>>
>> On 7/27/20, 5:20 AM, "OPSEC on behalf of Blumenthal, Uri - 0553 - MITLL"
>> <opsec-bounces@ietf.org on behalf of uri@ll.mit.edu> wrote:
>>
>>     I support Stephen and oppose adoption. IMHO, this is not a technology
>> that IETF should standardize.
>>
>>
>>     On 7/25/20, 10:07, "TLS on behalf of Stephen Farrell" <
>> tls-bounces@ietf.org on behalf of stephen.farrell@cs.tcd.ie> wrote:
>>
>>
>>         I oppose adoption. While there could be some minor benefit
>>         in documenting the uses and abuses seen when mitm'ing tls,
>>         I doubt that the effort to ensure a balanced document is at
>>         all worthwhile. The current draft is too far from what it'd
>>         need to be to be adopted.
>>
>>         Send to ISE.
>>
>>         S.
>>
>>         On 23/07/2020 02:30, Jen Linkova wrote:
>>         > One thing to add here: the chairs would like to hear active and
>>         > explicit support of the adoption. So please speak up if you
>> believe
>>         > the draft is useful and the WG shall work on getting it
>> published.
>>         >
>>         > On Mon, Jul 20, 2020 at 3:35 AM Ron Bonica
>>         > <rbonica=40juniper.net@dmarc.ietf.org> wrote:
>>         >>
>>         >> Folks,
>>         >>
>>         >>
>>         >>
>>         >> This email begins a Call For Adoption on
>> draft-wang-opsec-tls-proxy-bp.
>>         >>
>>         >>
>>         >>
>>         >> Please send comments to opsec@ietf.org by August 3, 2020.
>>         >>
>>         >>
>>         >>
>>         >>
>>  Ron
>>         >>
>>         >>
>>         >>
>>         >>
>>         >> Juniper Business Use Only
>>         >>
>>         >> _______________________________________________
>>         >> OPSEC mailing list
>>         >> OPSEC@ietf.org
>>         >> https://www.ietf.org/mailman/listinfo/opsec
>>         >
>>         >
>>         >
>>         > --
>>         > SY, Jen Linkova aka Furry
>>         >
>>         > _______________________________________________
>>         > TLS mailing list
>>         > TLS@ietf.org
>>         > https://www.ietf.org/mailman/listinfo/tls
>>         >
>>
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email