Thank you for your work on this draft, it has come a long way since it was first written! I support it's adoption and provided a review. I am also happy to review again before final publication if helpful.
Introduction I think it's worth adding a bullet that specifies a system that's not able to itself detect and repent threats as is needed when you embrace a fully E2E encrypted solution. It will take a bit of time before those models are practical everywhere. There's a definite need to document this current situation as the network is one of the active methods used to detect and prevent threats today. As such, I support this document being adopted and have a few comments for consideration. For the quote on RFC8404, I'd characterize that document as a catalog of what's impacted when encryption is deployed E2E to help develop new methods, where appropriate, to evolve with an E2E model. [RFC8404] documented such a need with the effect of pervasive encryption on operations. Even though it's said, I think it would help to make a tiny change: [RFC8404] documented a need to evolve with the effect of pervasive encryption on operations. Section 3 You may want to change the following sentence to fit in line with an OpSec practice documentation draft> From:"Each deployment scenario describes relevant operational practices." To:"Each deployment scenario describes current operational practices." The categorizations look good, I think this in new from my last review. Section 3.1.1 I like how you've categorized the impact, but I think the display of it may make all the difference. This is int he current document: TLS 1.3 impact: reduced effectiveness. Per Section 4.2, domain categorization and application identification will be limited to IP address and SNI information (beyond additional correlation possible with other means such as DNS). How about: Impact Category: Reduced Effectiveness. Per ... 3.1.2 uses a different format, so making these consistent would be good. It says TLS 1.3 considerations. I think leaving TLS out and just saying impact category makes the same point and may not be objectionable. Also for this section, the last line says the Certificate is not available. I think it's that the ALPN response is encrypted that matters here as that tells you what cipher suites were negotiated. Section 3.1.4 Do you want to add that the ALPN response is encrypted here as well? Section 3.2.2 It should note that DLP can also be addressed on endpoints, whether or not you add a comment on scaling. Section 3.2.3 You may not want to add alternate approaches, but I would think one designing this today would opt for use of a routing overlay protocol, no? SFC, NSH, GENEVE Section 3.3.3 Just a note that I am not sure you'd want in the document, but web application firewalls are falling out of favor as a defense. Section 4 heading Consider changing from: Changes in TLS v1.3 Relevant to Security Operations To: Changes from TLSv1.2 to TLS v1.3 Relevant to Security Operations Section 4.1 Please not that RC7525 has recommended against use of RSA static keys and has recommended use of AEAD cipher suites. Section 5 Security Considerations Consider changing the initial sentence from: "This entire document discusses security considerations in existing operational security practices interacting with TLS." To: "This document discusses the impact to common security monitoring and detection functionality with a move from TLSv1.2 to TLSv1.3 considering existing operational security practices interacting with TLS." Or something that reads better with the same point :-) -- Best regards, Kathleen
_______________________________________________ OPSEC mailing list [email protected] https://www.ietf.org/mailman/listinfo/opsec
