Re: [TLS] Four concerns (was Re: draft-rhrd-tls-tls13-visibility at IETF101)

"Salz, Rich" <rsalz@akamai.com> Wed, 14 March 2018 22:18 UTC

From: "Salz, Rich" <rsalz@akamai.com>
To: Hot Middlebox <hot.middlebox@gmail.com>
CC: Martin Thomson <martin.thomson@gmail.com>, Russ Housley <housley@vigilsec.com>, IETF TLS <tls@ietf.org>
Date: Wed, 14 Mar 2018 22:17:59 +0000
Message-ID: <7B23C71A-22D2-4537-B60F-6F680021A2EE@akamai.com>
References: <CABkgnnUiQsCtQ+u_-yAg90FkLOM96PunqoeyeOP-9AvJhpdtPw@mail.gmail.com> <99D1D595-F5FA-439B-A7EF-882F82EF587E@akamai.com> <CAEPpgVDXQRDDG5UwKxLvoYXBL7NFxtftjd=kFutgKxXd91mWaA@mail.gmail.com>
In-Reply-To: <CAEPpgVDXQRDDG5UwKxLvoYXBL7NFxtftjd=kFutgKxXd91mWaA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/qxGdnwbShxyLYp8AQPAwdMdvuGY>

  *   The requirements for visibility exist in an array of regulated environments worldwide.  It is one of the presentation areas in the Hot Middlebox Workshop.  http://www.etsi.org/etsi-security-week-2018/middlebox-security?tab=1

Do you know if they require packet traces to be decoded, or if one of the nodes can just log the traffic?  Do they require this to be true for traffic over the public Internet or just within an enterprise?