Thank you for your response and updates. I read the full message and responses look good.
Best regards, Kathleen Sent from my mobile device > On Jun 18, 2020, at 6:04 PM, Nancy Cam-Winget (ncamwing) <[email protected]> > wrote: > > > Hi Kathleen, > Many thanks for the thorough review! More comments below: > > From: OPSEC <[email protected]> on behalf of Kathleen Moriarty > <[email protected]> > Date: Thursday, June 11, 2020 at 3:29 PM > To: "[email protected]" <[email protected]> > Subject: [OPSEC] Review of draft-camwinget-opsec-ns-impact > > Thank you for your work on this draft, it has come a long way since it was > first written! I support it's adoption and provided a review. I am also > happy to review again before final publication if helpful. > > Introduction > > I think it's worth adding a bullet that specifies a system that's not able to > itself detect and repent threats as is needed when you embrace a fully E2E > encrypted solution. It will take a bit of time before those models are > practical everywhere. > There's a definite need to document this current situation as the network is > one of the active methods used to detect and prevent threats today. As such, > I support this document being adopted and have a few comments for > consideration. > > [NCW] How about this as a bullet: “a single system may itself may not be able > to detect and mitigate threats” > > For the quote on RFC8404, I'd characterize that document as a catalog of > what's impacted when encryption is deployed E2E to help develop new methods, > where appropriate, to evolve with an E2E model. > > [RFC8404] documented such a need with the effect of > pervasive encryption on operations.. > > Even though it's said, I think it would help to make a tiny change: > [RFC8404] documented a need to evolve with the effect of > pervasive encryption on operations. > > [NCW] That is fair and I can make the change. > > > > Section 3 > > You may want to change the following sentence to fit in line with an OpSec > practice documentation draft> > From:"Each deployment scenario describes relevant operational practices." > To:"Each deployment scenario describes current operational practices." > > [NCW] Will do > > > > The categorizations look good, I think this in new from my last review. > > Section 3.1..1 > > I like how you've categorized the impact, but I think the display of it may > make all the difference. This is int he current document: > > TLS 1.3 impact: reduced effectiveness. Per Section 4.2, domain > categorization and application identification will be limited to IP > address and SNI information (beyond additional correlation possible > with other means such as DNS). > > How about: > > Impact Category: Reduced Effectiveness. Per ... > > [NCW] Will do > > 3.1.2 uses a different format, so making these consistent would be good. It > says TLS 1.3 considerations. I think leaving TLS out and just saying impact > category makes the same point and may not be objectionable. > Also for this section, the last line says the Certificate is not available.. > I think it's that the ALPN response is encrypted that matters here as that > tells you what cipher suites were negotiated. > > [NCW] Thanks for catching it, we actually are using “TLS 1.3 considerations” > we happened to miss the one in section 3.1.1 > > > > Section 3.1.4 > Do you want to add that the ALPN response is encrypted here as well? > > [NCW] We can, I’ll confer with co-authors in how best to incorporate. > > > > Section 3.2.2 > It should note that DLP can also be addressed on endpoints, whether or not > you add a comment on scaling. > > [NCW] OK > > > Section 3.2.3 > You may not want to add alternate approaches, but I would think one designing > this today would opt for use of a routing overlay protocol, no? > > [NCW] I don’t think we are listing alternate approaches? Overlay could be an > alternate, but our point is not to suggest other approaches other than to > state how the TLS proxies get used today and their impact. > > > > SFC, NSH, GENEVE > > Section 3.3.3 > Just a note that I am not sure you'd want in the document, but web > application firewalls are falling out of favor as a defense. > > [NCW] OK; I think we included it based on previous feedback (to include as a > consideration too) > > > > Section 4 heading > Consider changing from: > Changes in TLS v1.3 Relevant to Security Operations > To: Changes from TLSv1.2 to TLS v1.3 Relevant to Security Operations > > [NCW] But the context is to summarize the 1.3; while some of the uses can > apply to 1.2 the impact is really more due to the way 1.3 applies them. > > > > Section 4.1 Please not that RC7525 has recommended against use of RSA static > keys and has recommended use of AEAD cipher suites. > > [NCW] OK > > > > Section 5 Security Considerations > Consider changing the initial sentence from: > "This entire document discusses security considerations in existing > operational security practices interacting with TLS." > To: > "This document discusses the impact to common security monitoring and > detection functionality with a move from TLSv1.2 to TLSv1.3 considering > existing > operational security practices interacting with TLS." > Or something that reads better with the same point :-) > > [NCW] OK > > > -- > > Best regards, > Kathleen
_______________________________________________ OPSEC mailing list [email protected] https://www.ietf.org/mailman/listinfo/opsec
