Hi Sandeep, please see inline.

On Wed, 16 Sep 2020 at 02:35, Sandeep Rao <[email protected]> wrote:
> Hi,
>
> I have read this document and support its adoption here.
>
> There’s one comment, maybe the authors can clarify this in the draft.
>
> I believe though not widely used, was recently involved in a talk about
> usefulness of TLS session resumption in IoT implementations to improve
> session establishment efficiency and speed. As the resumption handshake
> would not carry the typical ClientHello parameters, how would the MUD IoT
> firewall profile such legitimate ingress with no specific profile
> parameters or indications in the handshake?
>

The client does not know whether the server will honor the ticket or not, so it will include all the ClientHello parameters (see https://tools.ietf.org/html/rfc5077 and https://tools.ietf.org/html/rfc8446#section-2.2) to allow the server to decline the resumption and fall back to a full handshake.

> Probably this is expressed in ‘mud-tls-profile’ with an attribute such as
> “sessionTicket” : "T/F" or in “extension-types” indicating the
> possibility of such behaviour of the IoT device and let Firewall handle it
> in its implementation. Will help to get some clarity around this in the
> document.
>

In TLS 1.2, SessionTicket is an extension (see value 35 in https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml). If the client supports this extension, it will be included in the "extension-types" list defined in the YANG module. TLS 1.3 obsoletes the session resumption mechanism in TLS 1.2 and defines a new session resumption mechanism in the base TLS 1.3 spec (RFC8446) itself. In other words, TLS 1.3 clients will always support session resumption (unlike TLS 1.2 clients).

Cheers,
-Tiru

> Thanks
>
> -Sandeep
>
>> ---------- Forwarded message ---------
>> From: Joe Clarke (jclarke) <[email protected]>
>> Date: Wed, 2 Sep 2020 at 20:36
>> Subject: [OPSAWG] CALL FOR ADOPTION: draft-reddy-opsawg-mud-tls
>> To: opsawg <[email protected]>
>>
>> Hello, opsawg. This draft has undergone a number of revisions based on
>> reviews and presentations at the last few IETF meetings. The authors feel
>> they have addressed the issues and concerns from the WG in their latest
>> posted -05 revision. As a reminder, this document describes how to use
>> (D)TLS profile parameters with MUD to expose potential unauthorized
>> software or malware on an endpoint.
>>
>> To that end, this serves as a two-week call for adoption for this work.
>> Please reply with your support and/or comments by September 16, 2020.
>>
>> Thanks.
>>
>> Joe and Tianran
>> _______________________________________________
>> OPSAWG mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/opsawg
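The reply above makes two points a firewall implementer needs: a client attempting SessionTicket resumption still sends the full ClientHello (cipher suites and all extensions), and the SessionTicket extension (IANA value 35) simply shows up in the profile's "extension-types" list. The Python below is an added example, not code from this thread or from draft-reddy-opsawg-mud-tls: it builds a TLS 1.2 ClientHello, parses the fields a MUD-aware firewall would profile, and compares them against a device profile. The profile is a simplified dict of my own ("cipher-suites" and "extension-types" lists), not the draft's YANG module, and the device, its hostname and the ticket bytes are constructed sample values.

```python
import struct

# IANA TLS extension type and cipher suite codes (real registry values)
EXT_SERVER_NAME = 0
EXT_SUPPORTED_GROUPS = 10
EXT_SIGNATURE_ALGORITHMS = 13
EXT_SESSION_TICKET = 35
EXT_PRE_SHARED_KEY = 41  # TLS 1.3 resumption (PSK)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02B


def build_client_hello(cipher_suites, extensions, session_id=b""):
    """Serialize a TLS 1.2 ClientHello handshake message (no record layer)."""
    body = b"\x03\x03"                                  # client_version TLS 1.2
    body += bytes(32)                                   # random (zeros: constructed sample)
    body += struct.pack("!B", len(session_id)) + session_id
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                 # compression_methods: null only
    exts = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(exts)) + exts
    # Handshake header: msg_type 1 (client_hello) + 24-bit length
    return b"\x01" + struct.pack("!I", len(body))[1:] + body


def parse_client_hello(msg):
    """Extract the fields a MUD-aware firewall profiles from a ClientHello."""
    if msg[0] != 1:
        raise ValueError("not a ClientHello")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated ClientHello")
    pos = 0
    version = body[pos:pos + 2]; pos += 2
    pos += 32                                           # skip random
    sid_len = body[pos]; pos += 1 + sid_len             # skip legacy session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    cipher_suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0]
                     for i in range(0, cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]; pos += 1 + comp_len           # skip compression methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    extensions = []
    while pos < end:
        ext_type, data_len = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        extensions.append((ext_type, body[pos:pos + data_len])); pos += data_len
    return {
        "version": version,
        "cipher_suites": cipher_suites,
        "extension_types": [t for t, _ in extensions],
        # A non-empty SessionTicket body (TLS 1.2) or a pre_shared_key extension
        # (TLS 1.3) marks a resumption attempt; every other parameter is still present.
        "resumption_attempt": any(
            (t == EXT_SESSION_TICKET and len(d) > 0) or t == EXT_PRE_SHARED_KEY
            for t, d in extensions),
    }


def check_against_profile(parsed, profile):
    """Return the parameters outside the device's profile (empty list = match)."""
    findings = []
    for cs in parsed["cipher_suites"]:
        if cs not in profile["cipher-suites"]:
            findings.append(f"unexpected cipher suite 0x{cs:04X}")
    for ext in parsed["extension_types"]:
        if ext not in profile["extension-types"]:
            findings.append(f"unexpected extension type {ext}")
    return findings


# Constructed profile for a hypothetical IoT device (simplified dict, not the
# draft's YANG module); SessionTicket (35) is listed because the device resumes.
DEVICE_PROFILE = {
    "cipher-suites": [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256],
    "extension-types": [EXT_SERVER_NAME, EXT_SUPPORTED_GROUPS,
                        EXT_SIGNATURE_ALGORITHMS, EXT_SESSION_TICKET],
}

COMMON_EXTS = [
    (EXT_SERVER_NAME, b"\x00\x0c\x00\x00\x09localhost"),   # host_name "localhost"
    (EXT_SUPPORTED_GROUPS, b"\x00\x02\x00\x17"),           # secp256r1
    (EXT_SIGNATURE_ALGORITHMS, b"\x00\x02\x04\x03"),       # ecdsa_secp256r1_sha256
]

# Full handshake: an empty SessionTicket extension only signals support.
FULL_HELLO = build_client_hello([TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256],
                                COMMON_EXTS + [(EXT_SESSION_TICKET, b"")])

# Resumption attempt: identical parameters, but the ticket body is non-empty.
RESUME_HELLO = build_client_hello([TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256],
                                  COMMON_EXTS + [(EXT_SESSION_TICKET, b"constructed-ticket")])

# Deviating client: offers a cipher suite the profile never listed.
ROGUE_HELLO = build_client_hello(
    [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256],
    COMMON_EXTS + [(EXT_SESSION_TICKET, b"constructed-ticket")])
```

Running `check_against_profile` over `FULL_HELLO` and `RESUME_HELLO` yields no findings for either, which is the point of the reply: the resumption attempt differs only in the ticket body, so the profile match is unaffected. `ROGUE_HELLO` is flagged for the extra cipher suite, showing the deviation a MUD profile is meant to surface. A TLS 1.3 client would instead carry pre_shared_key (41) and would be handled the same way by the `resumption_attempt` test.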
