Re: [TLS] TLS Impact on Network Security draft updated

"Ackermann, Michael" <MAckermann@bcbsm.com> Tue, 23 July 2019 21:55 UTC

From: "Ackermann, Michael" <MAckermann@bcbsm.com>
To: Bret Jordan <jordan.ietf@gmail.com>, Sean Turner <sean@sn3rd.com>
CC: Tony Arcieri <bascule@gmail.com>, "tls@ietf.org" <tls@ietf.org>
Date: Tue, 23 Jul 2019 21:55:50 +0000
Message-ID: <DM6PR14MB2474B49DAFBBDC3158F67CC5D7C70@DM6PR14MB2474.namprd14.prod.outlook.com>
References: <6AF48228-19C2-41C7-BA86-BA16940C3CFF@cisco.com> <CAHOTMVJSqZxstAs6nBiXaqWDBLY8R=gYZ4WooYVXGax0UmRL-w@mail.gmail.com> <E29654E9-4AE7-4558-910D-133529ABBCC4@sn3rd.com> <FAB677BB-E812-4626-B549-01C730987C01@gmail.com>
In-Reply-To: <FAB677BB-E812-4626-B549-01C730987C01@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Oz066ifXFqEKf3SL7l_9E6Pe7CM>

+1

From: TLS <tls-bounces@ietf.org> On Behalf Of Bret Jordan
Sent: Tuesday, July 23, 2019 5:52 PM
To: Sean Turner <sean@sn3rd.com>
Cc: Tony Arcieri <bascule@gmail.com>; tls@ietf.org
Subject: Re: [TLS] TLS Impact on Network Security draft updated


Thanks Sean.

It is critical that we understand and discuss all sides of an issue and address all use cases that the market has. Beating people down and trying to attack people or their use cases is not something we should be doing in formal standards, especially here at the IETF.


Thanks,
Bret
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."


On Jul 23, 2019, at 4:51 PM, Sean Turner <sean@sn3rd.com> wrote:

Tony,

While you may have concerns or otherwise disagree with the contents of this draft, let’s please keep discussion on this list, on all issues, polite and professional.

spt
(as co-chair)


On Jul 23, 2019, at 16:05, Tony Arcieri <bascule@gmail.com> wrote:

On Sun, Jul 21, 2019 at 6:51 AM Nancy Cam-Winget (ncamwing) <ncamwing@cisco.com> wrote:
Hi,

Thanks to all the feedback provided, we have updated the https://tools.ietf.org/html/draft-camwinget-tls-use-cases-04 draft. At this point, we believe the draft is stable and would like to request its publication as an informational draft.


I read this draft as the latest attempt in a disinformation campaign by manufacturers and users of middleboxes that passively decrypt TLS connections to politicize and reframe the argument around what is, at its core, a fundamentally insecure practice which is incompatible with technically sound and highly desirable protocol improvements to TLS.

I implore you stop using overly broad terminology, euphemisms, weasel words, and other deceptive language to argue your points.

This draft is titled "TLS 1.3 Impact on Network-Based Security", but the subtext is quite clearly the much narrower subfield of middlebox TLS decryption. By using such a grandiose title which is deceptively hiding the true subject matter, you are implying that middleboxes are the sum total of network security.

The draft begins "Enterprises [...] need to defend their information systems from attacks originating from both inside and outside their networks." I am co-owner of a company which heavily leverages firewalls for layer 3/4 network security in conjunction with TLS. We care deeply about network security, and believe that our network is *more secure* specifically because we *don't* perform middlebox interception of TLS.

I consider our company to be in the category of enterprise TLS users, and as an enterprise TLS user who cares deeply about network security, I do not identify whatsoever with the claims this draft is making about the needs of enterprise TLS users as a whole. Inasmuch as what it describes as "network security", it is but one niche consideration within a vastly broader field, and one which is increasingly controversial.

I will point out, since you appear to work at Cisco, that your company works on approaches to network security (e.g. malware detection) which avoid decrypting TLS:

https://blogs.cisco.com/security/detecting-encrypted-malware-traffic-without-decryption

There is an entire world of network IDS systems beyond middleboxes which passively decrypt TLS.

It is factually inaccurate for this draft to be described as "TLS 1.3 Impact on Network-Based Security". If you are going to write a draft about the impact of TLS 1.3 on middleboxes for passive TLS decryption, please call a spade a spade and don't try to hide your true intentions under a bunch of weasel words and overly broad claims that make it sound like middlebox-related TLS decryption problems are the end of network security as we know it.

My 2c, on behalf of non-middlebox-using enterprise TLS users who feel that attempts by middlebox-using enterprise TLS users to weaken TLS in order to retain compatibility with their traffic decryption appliances are a threat to the security of our enterprise TLS deployments.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls



