Re: [TLS] [OPSEC] Call For Adoption: draft-wang-opsec-tls-proxy-bp

"Eric Wang (ejwang)" <ejwang@cisco.com> Wed, 29 July 2020 22:55 UTC

Return-Path: <ejwang@cisco.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 767823A0915; Wed, 29 Jul 2020 15:55:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.619
X-Spam-Level:
X-Spam-Status: No, score=-9.619 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=PuOxFI61; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=tKljYrYS
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MwBIBmwLLOUr; Wed, 29 Jul 2020 15:55:25 -0700 (PDT)
Received: from alln-iport-2.cisco.com (alln-iport-2.cisco.com [173.37.142.89]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0074B3A090E; Wed, 29 Jul 2020 15:55:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=6191; q=dns/txt; s=iport; t=1596063325; x=1597272925; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=kZZjOhUl2QL6pAiuVeWFAxSgXvMZcqJLoqOyE9bt5/g=; b=PuOxFI61VQh6vxAWR8egqbHIeuoQGd+GIW0t6192oEea4ShKLl9/GcUV thCZ2WjSWrIucVp5/C0jOejvd/5aK/4uz/E+dnQvl6pVFVG7cJ4wY1gkr nQdb/A2QRgnfPPOsoobS5Mg1FOZOa38BcycklV+/UrVBIMO7ckT8ap4Rq 0=;
IronPort-PHdr: =?us-ascii?q?9a23=3AifjV3xQLSLp/kHI/8VYYiV+A4dpsv++ubAcI9p?= =?us-ascii?q?oqja5Pea2//pPkeVbS/uhpkESQB9mJ7/VbhuzKqaf4SCoG7IrS+HwBcZkZUR?= =?us-ascii?q?gDhI1WmgE7G8eKBAX9K+KidC01GslOFToHt3G2OERYAoDyMlvVpHDh6TkNFx?= =?us-ascii?q?PjLw1tN6LzF5KBx8iy3vq5rpvUZQgAjTGhYLR0eROxqwiZtsQfjYZ4bKgrzR?= =?us-ascii?q?6cqXpTcOMQzmRtdl8=3D?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0CAAACt/SFf/5FdJa1gHQEBAQEJARI?= =?us-ascii?q?BBQUBgXYIAQsBgVFRB4FHLywKhCuDRgOEWIhTlBqEbIEugSUDVQsBAQEMAQE?= =?us-ascii?q?tAgQBAYRMAheCDQIkNAkOAgMBAQsBAQUBAQECAQYEbYVcDIVyAgQSCwYdAQE?= =?us-ascii?q?3AQ8CAQgECjEDAgICMBQRAQEEDgUigwSBf00DLgGkfQKBOYhhdoEygwEBAQW?= =?us-ascii?q?FGhiCDgmBOAGCboNfhj8aggCBOAwQgk0+hCUXgxczgi2ScIZdi1aQZQqCX5l?= =?us-ascii?q?/Ax6fdK1pg1YCBAIEBQIOAQEFgVM6gVdwFWUBgj4+EhcCDY4eg3GKVnQ3AgY?= =?us-ascii?q?BBwEBAwl8jmoBgRABAQ?=
X-IronPort-AV: E=Sophos;i="5.75,412,1589241600"; d="scan'208,217";a="537556315"
Received: from rcdn-core-9.cisco.com ([173.37.93.145]) by alln-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 29 Jul 2020 22:55:24 +0000
Received: from XCH-RCD-001.cisco.com (xch-rcd-001.cisco.com [173.37.102.11]) by rcdn-core-9.cisco.com (8.15.2/8.15.2) with ESMTPS id 06TMtOqb019326 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 29 Jul 2020 22:55:24 GMT
Received: from xhs-rtp-003.cisco.com (64.101.210.230) by XCH-RCD-001.cisco.com (173.37.102.11) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Wed, 29 Jul 2020 17:55:23 -0500
Received: from xhs-aln-002.cisco.com (173.37.135.119) by xhs-rtp-003.cisco.com (64.101.210.230) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Wed, 29 Jul 2020 18:55:22 -0400
Received: from NAM10-DM6-obe.outbound.protection.outlook.com (173.37.151.57) by xhs-aln-002.cisco.com (173.37.135.119) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Wed, 29 Jul 2020 17:55:22 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=MoI8SAQha+6bMLe+3No2Q5Dgzqgnv65aE0nYZZ99KaOi+4M4I1iUKXip8znrKMJOriz0t5UuRn/oGbUS1bhpICES/OKVSoSk6a0BvlW4iChmyHSTootzUhA/y87TIEjA7rbavj+Ka+IbLrw9IY3D7rdtX/O+XWc8O2J6Vg80Fkl/hlIAMyDVcDDlyzTHJgUVW6h6LRx+H9GDnaKtU5SsdeBMmLU5voLOiAYFa/2Cw6H4ibZc8scm6OENkWN6mxsfKXzDbFamWQnChGzovdOmWrbBkYU+EEH6njVCsz8X7AQ2IxCobcjHBE/cQKGqzLXywMwOGxFAwCq3NHsZ+b6+Ww==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=kZZjOhUl2QL6pAiuVeWFAxSgXvMZcqJLoqOyE9bt5/g=; b=TTaGyK/Py90Q8Qm4GRBJ/mfCebkiyW0eKJzJLqTirkYszquchCaQPu8Fonmz0o+Hnn1A/S7szQstjy+2DuS7rF11KgRqC3iFqjeUfFkfrz70b++CvrZ+ENzWN+399VzG2ndXzHwtkTm51TMkEer8mve1IkbXSzDzeh0dQnHV9D/NnW6EVa6CuyTAG600caqWb70c3GADhsA5GW6fFqGN/+6AvaHPkLEs6uypEcVqYx65HTr+Zy11/adENeXbh73V9CZMdAfJYIIu+labU2z+hdzbwFBY7rWm5JVhIOL+5hsMA+ZH+Mz5g0H+1Yz6FnaNtkbzUInYYEB0FLM6s8T2hA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=kZZjOhUl2QL6pAiuVeWFAxSgXvMZcqJLoqOyE9bt5/g=; b=tKljYrYSCBRPRQI7nBNORgwLo55A7WvTzp4Ctg+vmyZf14jUX6MrDlqdHujw0YriP/hdWz3XwbKzDC+63ZL8zaNLODAkOZtwy4kGzSje+YpmwVpkA1FHyIZVcVnjFOQijo/4JFtMbel7jpqRsTsvH9rgVoFSBcQZbhHiyMfrJA8=
Received: from BYAPR11MB2789.namprd11.prod.outlook.com (2603:10b6:a02:cc::11) by BY5PR11MB4465.namprd11.prod.outlook.com (2603:10b6:a03:1c0::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3239.17; Wed, 29 Jul 2020 22:55:21 +0000
Received: from BYAPR11MB2789.namprd11.prod.outlook.com ([fe80::9913:ef92:7ce3:8870]) by BYAPR11MB2789.namprd11.prod.outlook.com ([fe80::9913:ef92:7ce3:8870%6]) with mapi id 15.20.3216.033; Wed, 29 Jul 2020 22:55:21 +0000
From: "Eric Wang (ejwang)" <ejwang@cisco.com>
To: Martin Thomson <mt@lowentropy.net>
CC: Ron Bonica <rbonica=40juniper.net@dmarc.ietf.org>, OPSEC <opsec@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [OPSEC] [TLS] Call For Adoption: draft-wang-opsec-tls-proxy-bp
Thread-Index: AdZd8qs4MVhjKcpfSaSC3eC5PK0rEQGvaUsAAB0Y8YAADNOfgAAo1N6A
Date: Wed, 29 Jul 2020 22:55:21 +0000
Message-ID: <F357E87C-E652-4048-BF17-F9C039D2CF19@cisco.com>
References: <DM6PR05MB634890A51C4AF3CB1A03DA0BAE7A0@DM6PR05MB6348.namprd05.prod.outlook.com> <d9a9ea94-4c4a-40eb-8841-7a92fa31103e@www.fastmail.com> <34226646-93F3-4592-A972-A55B160D5B78@cisco.com> <90e5b7d5-a015-40f6-9d5b-b263c85cb2d3@www.fastmail.com>
In-Reply-To: <90e5b7d5-a015-40f6-9d5b-b263c85cb2d3@www.fastmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3445.104.15)
authentication-results: lowentropy.net; dkim=none (message not signed) header.d=none;lowentropy.net; dmarc=none action=none header.from=cisco.com;
x-originating-ip: [128.107.241.169]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: bc9c254e-9adf-48e1-b71d-08d8341278f2
x-ms-traffictypediagnostic: BY5PR11MB4465:
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <BY5PR11MB4465705FE906EA47DB80CF82D0700@BY5PR11MB4465.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: m5BQZlFYbY3Zb4X1wN4xVAu03LfcBC2FdaWETtviiDawQ4EEK4MAEcpwdhPRUj3D7KuyyToNGDNWmYGMFSHQeZVI1KBF7mrj6QL7HxZvzJ7NxOXEzUdq704zLPJFwtYf+vO/KS11QDfSgUibxl1KjdxXsyA+C5dvuc4cvndSoz9pJxtYOmw1Vy8mQehWIoznb2UGq1/Od4RkBh6khIp5V1S44HpwtBMZhDEQkerqJgwp8jw4iJ6hHXsLReJmeBcbIu7l95+y5JGmNJbwYgBXFul/ssYWgKFo2blm9vezbIUWVxIPOybEmZzF5fKYyetx7SuZ8kwBZgK5LurqHUmhbw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BYAPR11MB2789.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(136003)(346002)(396003)(376002)(366004)(39860400002)(86362001)(8936002)(2616005)(2906002)(478600001)(8676002)(91956017)(6506007)(53546011)(4326008)(71200400001)(26005)(316002)(6486002)(66946007)(66446008)(6916009)(186003)(33656002)(6512007)(66476007)(64756008)(54906003)(36756003)(66556008)(5660300002)(76116006); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: EH38XYmwoHxZWaK6SX8IiauY8j4nPAbGBjFtttYgokgpvimPGecDv5Q0RdutKbqV+yTYGL7PNoTicfDuQpjZDuAXQnWwjhz4y+AJz+55pnFUoJ5E+vsEU7tA7Dd2c+DyoioN3mWpR4R1IBUK4Z5oizHkMih5vxWK//gNPZ/BM/TSYtyhCLtYd6ts5r26Z9yktRTsRSoUJ/Vh6Hp9imIueQQ0wh1GhLqTnc+SkdSasbYFbyS1bEYzvij/GnjMqX2prH2UqveF/o3pnPrrr4mM5IF+V4q/YF10lk1F8EuO/6oUHJ6GO4D3JCzGHQV9DVNumz9pi06VQ8kPiV4a1/mpYLf+qlsOa4V6RcRXfkO3TCCOL6GNxWcROhcn9dEfyIKPYT8ch5rZ3QClzV2DBIftgYpfczfCWqfisCbM5RMIEb1HjBkZlHIw8TQUnzKGglANujoG/GKbf65vS+yjLaFX61Y2QcmAAWzFR3xA8jWKMRNfXpNcS/OIHtjtE7sTTIqwfwkuGEdCgfMUf4q3fCu2XO2TqqhNL3oIc82q5AEPDd/OdaKf9j15T72xabg/zfxSUptBn1pnH/I5Hb+XiSjkSO9cYMvU/e75h/h/5874veNvJcwSkpIuVbhyuKshazuFN8HvIRMpSR2NqQrI+cO5+A==
Content-Type: multipart/alternative; boundary="_000_F357E87CE6524048BF17F9C039D2CF19ciscocom_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BYAPR11MB2789.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: bc9c254e-9adf-48e1-b71d-08d8341278f2
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Jul 2020 22:55:21.5403 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 9wJFJmomnZRmN3RmDWi+BF2H5P3ulW7p2d9nMDxfweEpFtNMtVwlSJtWsjETlIjaJti6Nn+pXFnrleocXNxwPQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY5PR11MB4465
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.11, xch-rcd-001.cisco.com
X-Outbound-Node: rcdn-core-9.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/tf43ZLfE86npCYtA-MrHX0DPbHI>
Subject: Re: [TLS] [OPSEC] Call For Adoption: draft-wang-opsec-tls-proxy-bp
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jul 2020 22:55:28 -0000

Hi Martin,

I understand your point.

When starting this document, we analyzed TLS proxy for 3 possibilities:

1. It may violate existing specs inevitably;

2. It can be compliant but needs development work for some new “helper” protocol;

3. Neither #1 or #2, but it needs a set of requirements to be defined.

From the discussions so far, a plain TLS proxy fits in #3.  To the end, it is a TLS server and a TLS client deployed back to back, and both must be and can be compliant.

It looks “selective proxying” is in question and requires deeper discussions, so it should be addressed separately.

How about a scope of #3 as a starting point given no design work needed by the TLS working group?


On Jul 28, 2020, at 8:26 PM, Martin Thomson <mt@lowentropy.net<mailto:mt@lowentropy.net>> wrote:

Hi Eric,

On Wed, Jul 29, 2020, at 07:18, Eric Wang (ejwang) wrote:
In any case, the proxy has to conduct selective proxying in a safe,
non-disruptive manner.

I will try to be clearer on this point.

This requires design work and this document is a poor vehicle for that.  It needs a separate document that documents the design, the properties of that design, and the assumptions that it requires to achieve those properties.

The TLS working group has decided not to undertake work in this area.  That TLS working group decision needs to be respected by other parts of the IETF.