IETF Logo Mail Archive

Re: [tsvwg] [saag] Fwd: Last Call: <draft-ietf-tsvwg-transport-encrypt-19.txt> (Considerations around Transport Header Confidentiality, Network Operations, and the Evolution of Internet Transport Protocols) to Informational RFC

Tom Herbert <tom@herbertland.com> Thu, 11 February 2021 19:11 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A58093A189F for <tsvwg@ietfa.amsl.com>; Thu, 11 Feb 2021 11:11:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4kQ6gld0TW68 for <tsvwg@ietfa.amsl.com>; Thu, 11 Feb 2021 11:11:23 -0800 (PST)
Received: from mail-ed1-x52d.google.com (mail-ed1-x52d.google.com [IPv6:2a00:1450:4864:20::52d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF36A3A18C6 for <tsvwg@ietf.org>; Thu, 11 Feb 2021 11:11:20 -0800 (PST)
Received: by mail-ed1-x52d.google.com with SMTP id t5so8076040eds.12 for <tsvwg@ietf.org>; Thu, 11 Feb 2021 11:11:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=YO2SRXdPlFo/91MEMU1J2NLIKIA86vTYJL5dEfcVYf0=; b=GZ19Vk1CtJnBVyKyTUDKEVP7en6h6MR3SXmmqWQlMnTGrcWor8LhfT5mljjkH5fWJO W6Mt/K+9T0Ld2gzKFH7PXuycRh+fnELN6sD0ssSCAf6LnO6UFvSCjUQXwbo2ak6Q+aVW n9JEcykSVesb5kwsQxwCJpX2CcLGt2+a+vmXwni6jDuTi1Ssip4C9Y+DClJlzGQzbQMF TkcMJmarHfFabqGqQMBwBAtkEfjxRe04FTC8FJiYv4Q/IMZD8y4PNndap9dD21QshChk jXSK/V9ULv5gPEYqhEi4aPAxk+mnFd0XIS5/65r/3ztzKTxnF8z7tEuV35HgaPS33fI4 pTTw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=YO2SRXdPlFo/91MEMU1J2NLIKIA86vTYJL5dEfcVYf0=; b=JaTQIjMHIDYVVgZu3SGbzp3EngQZ/McJLGEVmk946mVtXQVjW1Th0vY6Kwq8qxxlHd E3JQUBxJ609CX/QN3nerGCCEBp8Kenkx9DLzijhVoQ+AaYig/mAAvlEvAd7UvD0vi72y uE8dndKlkDQr//8W9lXYDSnq290Rsy/3fYU221r8JwgZ17bQ+/nuRKVtrO2a6kqVimM3 xtQpxOII0Jk7dDhKLviMvqMDB9g/40Do4GIw2poYY3VICk8Fpv4Q5uHTguVrFL5N59sc MjwkZQdYf5zrkDxbZUP30gWTcVg0NmP2GHnhmUXHcNHk4rDLPDIlSrLcQ1ILFfzbPRxk u3Dw==
X-Gm-Message-State: AOAM530bOq1Kf95yOB5NTqP5ogaUp8/XhLCgx2R7dbW/om15OxQgxPH/ XcY1c0n2aw4mgkqs3SKxcufhychm25txw7Z4jXgjeQ==
X-Google-Smtp-Source: ABdhPJxdK9Uh5PiFArnt3/wUxaTvlXtFceba01VImx6L4A80eahwH4hCGuOyvbr2YVu0IWDH2RaajEb4gHYsU4IT/6s=
X-Received: by 2002:a05:6402:3070:: with SMTP id bs16mr9585052edb.22.1613070678236; Thu, 11 Feb 2021 11:11:18 -0800 (PST)
MIME-Version: 1.0
References: <161257199785.16601.5458969087152796022@ietfa.amsl.com> <20210210062551.GI21@kduck.mit.edu> <f1a1aaef-5400-89ca-fe26-786686800036@gont.com.ar> <MN2PR19MB4045B25A78B3C0841CC8EAFE838D9@MN2PR19MB4045.namprd19.prod.outlook.com> <2fb9d724-7f8a-93cd-9045-eb3852345a9e@erg.abdn.ac.uk> <1416490d-6532-59ce-e09f-388db716af8f@si6networks.com> <CALx6S35_Rb_vUyDddaiJtt2iT2Gvev=bLs7Rip8TQ8yZppMLDQ@mail.gmail.com> <1005a57d-d24b-a71e-e977-2be84ad63695@si6networks.com>
In-Reply-To: <1005a57d-d24b-a71e-e977-2be84ad63695@si6networks.com>
From: Tom Herbert <tom@herbertland.com>
Date: Thu, 11 Feb 2021 12:11:07 -0700
Message-ID: <CALx6S35U_Re0T5f9m4AbNyvv7Gk6s9UoN1wdo7_j_phSMm+2gg@mail.gmail.com>
To: Fernando Gont <fgont@si6networks.com>
Cc: Gorry Fairhurst <gorry@erg.abdn.ac.uk>, "Black, David" <David.Black@dell.com>, Fernando Gont <fernando@gont.com.ar>, Benjamin Kaduk <kaduk@mit.edu>, "saag@ietf.org" <saag@ietf.org>, "tsvwg@ietf.org" <tsvwg@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/it4mMKhyiVqOIXXqdMm1-itKYsA>
Subject: Re: [tsvwg] [saag] Fwd: Last Call: <draft-ietf-tsvwg-transport-encrypt-19.txt> (Considerations around Transport Header Confidentiality, Network Operations, and the Evolution of Internet Transport Protocols) to Informational RFC
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Feb 2021 19:11:31 -0000

On Thu, Feb 11, 2021 at 11:40 AM Fernando Gont <fgont@si6networks.com> wrote:
>
> On 11/2/21 15:18, Tom Herbert wrote:
> [...]
> >
> > When the transport layer is encrypted, network devices would only see
> > the plaintext EH and that is only what that is what they can act on.
> > At the destination, we could try to rectify transport information in
> > HBH with decrypted plaintext transport headers, but I suspect that
> > wouldn't typically be done. The HBH information is only operationally
> > useful to the network, not the transport endpoints that have access to
> > the transport header.
>
> Then this is what an attacker would do:
> He/she would advertise on a HBH option something that looks sensible to
> the guy enforcing a network-based security policy, and then at transport
> would do what he/she needs to do. :-)
>
>
> e.g., HBH could advertise that my packets are directed to ports 80/443,
> while in transport they are actually directed to port, say, 22.
>
It's more likely that information in the HBH would be generic and
abstract, afterall the whole point of encrypting the transport header
is to hide information from the network that it doesn't require, not
to just blindly volunteer the same information somewhere else in the
packet. Port numbers, for instance, are not required for delivery and
in fact are prone to misinterpretation in the network (RFC7605)-- IMO
it makes no sense to put those in a HBH option.

Regardless of HBH though, if the preponderence of transport headers
are encrytped then network security policiy that relies on the
information will need to change.

Tom

>
>
> > The only point of the end host comparing the
> > data would be to enforce the network's security policy, but it's not
> > common that end hosts actually know what the network security policies
> > are.
>
> The point for the end-node comparing both values is so that it makes
> sense in the first place to enforce a security policy based on e.g.
> HBH-conveyed information.
>
> Otherwise, the operator/admin knows that attackers will do what I'd
> suggested above, and they wouldnt even bother to try to enforce security
> policy which is circumvent-able  "by design", so to speak :-)
>
> If consistence cannot be guaranteed, then the mechanism won't be useful
> for enforcing security policies.
>
> Thanks,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont@si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
>
>
>
>

v2.23.0 | Report a Bug | By Email