Re: [TLS] [OPSAWG] CALL FOR ADOPTION: draft-reddy-opsawg-mud-tls

Dan Wing <danwing@gmail.com> Wed, 16 September 2020 20:48 UTC

From: Dan Wing <danwing@gmail.com>
In-Reply-To: <CACdeXiLGD_o91nJ6fGrE_H78BO2noCP1VBnUbOXbr-E2d9MZFg@mail.gmail.com>
Date: Wed, 16 Sep 2020 13:48:38 -0700
Cc: Tirumaleswar Reddy <kondtir@gmail.com>, Watson Ladd <watsonbladd@gmail.com>, opsawg <opsawg@ietf.org>, Eliot Lear <lear=40cisco.com@dmarc.ietf.org>, "<tls@ietf.org>" <tls@ietf.org>
Message-Id: <E723B9E0-E57D-4545-A0BC-E5A8BC2E621B@gmail.com>
To: Nick Harper <nharper=40google.com@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/rf4TvUGVdGPHut9lx6rw-fv12Sw>

On Sep 16, 2020, at 1:08 PM, Nick Harper <nharper=40google.com@dmarc.ietf.org> wrote:
> On Wed, Sep 16, 2020 at 12:24 AM tirumal reddy <kondtir@gmail.com> wrote:
>> Hi Nick,
>>
>> Please see inline
>>
>> On Wed, 16 Sep 2020 at 06:00, Nick Harper <nharper@google.com> wrote:
>>> I agree with EKR, Ben Schwartz, and Watson Ladd's concerns on this draft.
>>>
>>> The grease_extension parameter shouldn't exist, and there should be no special handling for GREASE values. GREASE doesn't need to be mentioned in this draft, except to say that a client may send values (cipher suites, extensions, named groups, signature algorithms, versions, key exchange modes, ALPN identifiers, etc.) that are unknown to the middlebox and that the middlebox MUST NOT reject connections with values unknown to the middlebox.
>>
>> The grease_extension parameter in the YANG model is a "boolean" type to indicate whether the GREASE values are offered by the client or not.  The MUD YANG model does not convey the GREASE values.
>
> This is still problematic.
>
> Unknown values MUST be ignored; GREASE is a mechanism used by endpoints to check that their peers correctly ignore unknown values (instead of closing the connection). If a device special-cases GREASE values when processing TLS messages, that device has completely missed the purpose of GREASE and is likely to cause interoperability failures when in the future it sees a TLS message that contains a new extension/cipher suite/etc. that isn't a GREASE value.
>
> The IETF should not be encouraging devices to special-case GREASE values. I can see no use of the grease_extension parameter in the YANG model that does not involve special-casing GREASE values. Hence it needs to be removed.

Yes, that is the better way to handle GREASE: expect Grease from any client, on any TLS value (as Ben pointed out, supported_versions may well be Grease'd next).

-d
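An added example (not from the thread, the MUD draft or any implementation) contrasting the two middlebox behaviours discussed above: a profile check that special-cases GREASE values against one that simply ignores every value it does not know. The ClientHello builder, the profile sets and the "future" suite and extension values used to exercise the checks are constructed for this example.

```python
import struct

PROFILE_SUITES = {0x1301, 0x1302, 0x1303}  # assumed profile: TLS 1.3 AES-GCM / CHACHA20 suites
PROFILE_EXTS = {0x0000, 0x000a, 0x000d, 0x0010, 0x002b, 0x0033}  # SNI, groups, sigalgs, ALPN, versions, key_share

def build_client_hello(cipher_suites, extension_types):
    """Construct a minimal ClientHello handshake body (constructed sample input, empty extensions)."""
    body = b"\x03\x03" + bytes(32) + b"\x00"          # legacy_version, random, empty session id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                 # compression_methods: null only
    exts = b"".join(struct.pack("!HH", t, 0) for t in extension_types)
    return body + struct.pack("!H", len(exts)) + exts

def parse_client_hello(body):
    """Return (cipher_suites, extension_types) from a ClientHello handshake body."""
    pos = 2 + 32
    pos += 1 + body[pos]                                # skip legacy_session_id
    cs_len = struct.unpack_from("!H", body, pos)[0]
    pos += 2
    suites = [struct.unpack_from("!H", body, pos + i)[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                # skip compression_methods
    ext_len = struct.unpack_from("!H", body, pos)[0]
    pos, end, exts = pos + 2, pos + 2 + ext_len, []
    while pos < end:
        etype, elen = struct.unpack_from("!HH", body, pos)
        exts.append(etype)
        pos += 4 + elen
    return suites, exts

def is_grease(v):
    """RFC 8701 GREASE values: both bytes equal and ending in 0xA (0x0a0a ... 0xfafa)."""
    return (v >> 8) == (v & 0xFF) and (v & 0x0F) == 0x0A

def brittle_check(body):
    """Special-cases GREASE: tolerates it, but rejects any other value not in the profile."""
    suites, exts = parse_client_hello(body)
    unknown = [s for s in suites if s not in PROFILE_SUITES and not is_grease(s)]
    unknown += [e for e in exts if e not in PROFILE_EXTS and not is_grease(e)]
    return "reject" if unknown else "accept"

def robust_check(body):
    """Ignores every unknown value (GREASE or not) and only enforces what the profile declares."""
    suites, exts = parse_client_hello(body)
    offers_profile_suite = any(s in PROFILE_SUITES for s in suites)
    sends_sni = 0x0000 in exts
    return "accept" if offers_profile_suite and sends_sni else "flag"
```

A client that later adds a genuinely new cipher suite or extension passes the robust check and fails the brittle one, which is the interoperability failure the thread warns about.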