Hi Kathleen, Many thanks for the thorough review! More comments below: From: OPSEC <[email protected]> on behalf of Kathleen Moriarty <[email protected]> Date: Thursday, June 11, 2020 at 3:29 PM To: "[email protected]" <[email protected]> Subject: [OPSEC] Review of draft-camwinget-opsec-ns-impact
Thank you for your work on this draft, it has come a long way since it was first written! I support it's adoption and provided a review. I am also happy to review again before final publication if helpful. Introduction I think it's worth adding a bullet that specifies a system that's not able to itself detect and repent threats as is needed when you embrace a fully E2E encrypted solution. It will take a bit of time before those models are practical everywhere. There's a definite need to document this current situation as the network is one of the active methods used to detect and prevent threats today. As such, I support this document being adopted and have a few comments for consideration. [NCW] How about this as a bullet: “a single system may itself may not be able to detect and mitigate threats” For the quote on RFC8404, I'd characterize that document as a catalog of what's impacted when encryption is deployed E2E to help develop new methods, where appropriate, to evolve with an E2E model. [RFC8404] documented such a need with the effect of pervasive encryption on operations.. Even though it's said, I think it would help to make a tiny change: [RFC8404] documented a need to evolve with the effect of pervasive encryption on operations. [NCW] That is fair and I can make the change. Section 3 You may want to change the following sentence to fit in line with an OpSec practice documentation draft> From:"Each deployment scenario describes relevant operational practices." To:"Each deployment scenario describes current operational practices." [NCW] Will do The categorizations look good, I think this in new from my last review. Section 3.1..1 I like how you've categorized the impact, but I think the display of it may make all the difference. This is int he current document: TLS 1.3 impact: reduced effectiveness. Per Section 4.2, domain categorization and application identification will be limited to IP address and SNI information (beyond additional correlation possible with other means such as DNS). How about: Impact Category: Reduced Effectiveness. Per ... [NCW] Will do 3.1.2 uses a different format, so making these consistent would be good. It says TLS 1.3 considerations. I think leaving TLS out and just saying impact category makes the same point and may not be objectionable. Also for this section, the last line says the Certificate is not available. I think it's that the ALPN response is encrypted that matters here as that tells you what cipher suites were negotiated. [NCW] Thanks for catching it, we actually are using “TLS 1.3 considerations” we happened to miss the one in section 3.1.1 Section 3.1.4 Do you want to add that the ALPN response is encrypted here as well? [NCW] We can, I’ll confer with co-authors in how best to incorporate. Section 3.2.2 It should note that DLP can also be addressed on endpoints, whether or not you add a comment on scaling. [NCW] OK Section 3.2.3 You may not want to add alternate approaches, but I would think one designing this today would opt for use of a routing overlay protocol, no? [NCW] I don’t think we are listing alternate approaches? Overlay could be an alternate, but our point is not to suggest other approaches other than to state how the TLS proxies get used today and their impact. SFC, NSH, GENEVE Section 3.3.3 Just a note that I am not sure you'd want in the document, but web application firewalls are falling out of favor as a defense. [NCW] OK; I think we included it based on previous feedback (to include as a consideration too) Section 4 heading Consider changing from: Changes in TLS v1.3 Relevant to Security Operations To: Changes from TLSv1.2 to TLS v1.3 Relevant to Security Operations [NCW] But the context is to summarize the 1.3; while some of the uses can apply to 1.2 the impact is really more due to the way 1.3 applies them. Section 4.1 Please not that RC7525 has recommended against use of RSA static keys and has recommended use of AEAD cipher suites. [NCW] OK Section 5 Security Considerations Consider changing the initial sentence from: "This entire document discusses security considerations in existing operational security practices interacting with TLS." To: "This document discusses the impact to common security monitoring and detection functionality with a move from TLSv1.2 to TLSv1.3 considering existing operational security practices interacting with TLS." Or something that reads better with the same point :-) [NCW] OK -- Best regards, Kathleen
_______________________________________________ OPSEC mailing list [email protected] https://www.ietf.org/mailman/listinfo/opsec
