Re: [TLS] [OPSAWG] CALL FOR ADOPTION: draft-reddy-opsawg-mud-tls

Michael Richardson <> Sat, 19 September 2020 22:07 UTC

From: Michael Richardson <>
To: Eric Rescorla <>, "<>" <>, opsawg <>
Date: Sat, 19 Sep 2020 18:07:50 -0400
Message-ID: <15520.1600553270@localhost>
Subject: Re: [TLS] [OPSAWG] CALL FOR ADOPTION: draft-reddy-opsawg-mud-tls

Eric Rescorla <> wrote:
    ekr> As a thought example, consider a hypothetical TLS 1.4 which decided to
    ekr> adopt QUIC-style obfuscation of the CH and SH, putting the obfuscated
    ekr> CH/SH in extensions in a stereotyped outer CH/SH. The system described
    ekr> here would be unable to do anything useful with that, which creates
    ekr> pressure to block TLS 1.4 entirely, which obviously is not awesome.
    >> I believe that without a mechanism described in this document, many
    >> enterprises may conclude that they need to block TLS 1.3.

    > Perhaps you mean some hypothetical TLS 1.4?

No, I do mean 1.3.   Many enterprises still think that they can stop it.
Are they winning? probably not.

    >> We don't have to have the client provide it, it can be encoded by the
    >> manufacturer in the MUD file, assuming that it depends upon the model, not
    >> some local decision in the client.

    > Sorry, yes. I meant "client" in the sense that the client tells the
    > middlebox what rules to use. Whether it does so directly or by reference to
    > the manufacturer doesn't seem to matter too much for these purposes.


    >> The idea of having a WASM file is an
    >> interesting one, but being an executable of a sort, it has other security
    >> problems.

    > Well, one always has to worry about the security of processing data one
    > receives from the network, but I'm not sure that the distinction between
    > the kind of DSL we're talking about here and an executable is really that
    > sharp. The argument for WASM or something like it is that there has

Such a DSL would have to limit the number of cycles it is allowed to
consume, otherwise the middlebox might have to solve the halting problem :-)
BPF could be another model.

Michael Richardson <>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
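As an added illustration of the last point (this is not part of Michael Richardson's message, nor code from draft-reddy-opsawg-mud-tls or anyone on the thread): a policy language a middlebox runs over ClientHellos can be kept out of halting-problem territory in either of the two ways mentioned. The classic-BPF model is a static check that only permits forward jumps, so a program of n instructions runs at most n steps and needs no runtime accounting; the other model is to charge each program a cycle budget at run time. The instruction set, the parsed field names and the sample ClientHello values below are hypothetical.

```python
"""Bounded policy DSL for a middlebox matching TLS ClientHello profiles.

Added illustration, not code from the draft or the mailing list.  Shows a
cBPF-style static verifier (forward jumps only => every program halts within
len(program) steps) next to a runtime cycle budget for programs that were not,
or cannot be, verified statically.  Instruction set and field names are made up.
"""

# Constructed sample ClientHellos, already parsed into the fields a profile
# would describe: legacy_version, cipher suite list, extension type list.
SAMPLE_HELLO = {"version": 0x0303,
                "ciphers": [0x1301, 0x1302, 0xC02B],
                "extensions": [0x0000, 0x000A, 0x002B, 0x0033]}
OTHER_HELLO = {"version": 0x0303,
               "ciphers": [0xC02B, 0xC02F, 0x009C],
               "extensions": [0x0000, 0x000A, 0x000B]}

KNOWN_FIELDS = {"version": int, "ciphers": list, "extensions": list}

# Instructions (hypothetical):
#   ("ld", field)        scalar field -> acc
#   ("len", field)       list length  -> acc
#   ("ldx", field, i)    list element i, or -1 if absent -> acc
#   ("jeq", k, jt, jf)   skip jt instructions if acc == k, else skip jf
#   ("ja", off)          unconditional skip; a negative off is how you write a loop
#   ("ret", v)           stop with verdict v (1 = profile matched)


def verify(program):
    """Static check in the spirit of classic BPF.  Returns a list of problems;
    an empty list means pc only ever increases, so every path terminates
    within len(program) steps and the program ends in a ret."""
    problems = []
    n = len(program)
    if n == 0 or program[-1][0] != "ret":
        problems.append("program must end in ret")
    for pc, ins in enumerate(program):
        op = ins[0]
        if op in ("ld", "len", "ldx"):
            if ins[1] not in KNOWN_FIELDS:
                problems.append(f"{pc}: unknown field {ins[1]!r}")
            elif op == "ld" and KNOWN_FIELDS[ins[1]] is not int:
                problems.append(f"{pc}: ld needs a scalar field")
            elif op != "ld" and KNOWN_FIELDS[ins[1]] is not list:
                problems.append(f"{pc}: {op} needs a list field")
            if op == "ldx" and (not isinstance(ins[2], int) or ins[2] < 0):
                problems.append(f"{pc}: bad index")
        elif op in ("jeq", "ja"):
            for off in (ins[2:] if op == "jeq" else ins[1:]):
                if off < 0:
                    problems.append(f"{pc}: backward jump (possible loop)")
                elif pc + 1 + off >= n:
                    problems.append(f"{pc}: jump past end of program")
        elif op != "ret":
            problems.append(f"{pc}: unknown opcode {op!r}")
    return problems


def run(program, hello, budget=None):
    """Interpret program against a parsed ClientHello.  Returns the verdict,
    or None when a runtime budget is given and the program did not finish
    within it (the dynamic model: count cycles instead of proving termination)."""
    acc, pc, steps = 0, 0, 0
    while 0 <= pc < len(program):
        if budget is not None and steps >= budget:
            return None
        steps += 1
        ins = program[pc]
        op = ins[0]
        if op == "ld":
            acc = hello[ins[1]]
        elif op == "len":
            acc = len(hello[ins[1]])
        elif op == "ldx":
            lst = hello[ins[1]]
            acc = lst[ins[2]] if ins[2] < len(lst) else -1
        elif op == "jeq":
            pc += ins[2] if acc == ins[1] else ins[3]
        elif op == "ja":
            pc += ins[1]
        elif op == "ret":
            return ins[1]
        pc += 1
    raise ValueError("fell off the end of the program")


# Hypothetical manufacturer profile: legacy_version 0x0303, exactly three
# cipher suites led by TLS_AES_128_GCM_SHA256 (0x1301), and supported_versions
# (0x002B) as the third extension.  Every false branch jumps to the final ret 0.
PROFILE = [
    ("ld", "version"),
    ("jeq", 0x0303, 0, 7),
    ("len", "ciphers"),
    ("jeq", 3, 0, 5),
    ("ldx", "ciphers", 0),
    ("jeq", 0x1301, 0, 3),
    ("ldx", "extensions", 2),
    ("jeq", 0x002B, 0, 1),
    ("ret", 1),
    ("ret", 0),
]

# The kind of program the verifier exists to reject: an unbounded loop.
LOOPING = [("ld", "version"), ("ja", -2), ("ret", 1)]

if __name__ == "__main__":
    print("profile:", verify(PROFILE), run(PROFILE, SAMPLE_HELLO), run(PROFILE, OTHER_HELLO))
    print("looping:", verify(LOOPING), run(LOOPING, SAMPLE_HELLO, budget=50))
```

With forward-only jumps the budget is redundant (len(PROFILE) instructions is already a proof of termination); the budget only earns its keep once the DSL admits loops, for instance to walk an extension list of unknown length, which is exactly where the static model stops being enough.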