Hi Nick, Many thanks for the detailed comments.
In general, the draft tried not to repeat the TLS RFCs. From section 4.2, “Because a TLS proxy effectively builds two TLS sessions, one with a TLS client and one with a server respectively, … The TLS server and client stacks in the TLS proxy MUST be conformant to [RFC8446] and [RFC5246].” It was the intention with Protocol Invariants as well, but it appears the text caused some confusion in S 4.2. We will clarify it, and it is worthwhile to capture points from the cited papers too. Section 5.3<https://tools.ietf.org/html/draft-wang-opsec-tls-proxy-bp-00#section-5.3> describes selective decryption which is related to your last two points. Will update it with your comments (there are techniques to “fail open” from proxy but only possible before certain stage of the handshake). Best, -Eric On Jul 27, 2020, at 7:11 AM, Nick Harper <nharper=40google....@dmarc.ietf.org<mailto:nharper=40google....@dmarc.ietf.org>> wrote: As currently written, this draft has multiple problems. Section 4 decides not to repeat the Protocol Invariants described in section 9.3 of RFC 8446. However, further sections are written assuming that a proxy acts in a way contrary to those Protocol Invariants. One such example is section 4.2 in this draft. It describes how a proxy might generate its list of cipher suites by modifying the client's list. A proxy that copies the cipher suites from the client-initiated ClientHello into its own ClientHello is violating the 1st and 3rd points of the TLS 1.3 Protocol Invariants. For a best practices document, I think it would be reasonable to reiterate the Protocol Invariants. In addition to reiterating the Protocol Invariants, it should also summarize the advice from the cited papers SECURITY_IMPACT and APPLIANCE_ANALYSIS. One of the problems pointed out by those papers is that TLS proxies will make connections to a server that presents a certificate the client wouldn't accept, but because of the proxy, the client isn't aware of the certificate issues. I don't see this issue addressed at all in the draft. (A similar issue with the server selecting a weak cipher suite is possibly implied by section 4.2, but it is not spelled out well.) If this draft is adopted, it needs to say the following things, which it currently doesn't. - When a TLS proxy generates its ClientHello, it should be created independently from the client-initiated ClientHello. The proxy MAY choose to omit fields from its ClientHello based on the client-initiated ClientHello, but it MUST NOT add fields to its ClientHello based on the client-initiated ClientHello. This is effectively a restatement of the 1st (a client MUST support all parameters it sends) and 3rd (it MUST generate its own ClientHello containing only parameters it understands) points of the TLS 1.3 Protocol Invariants. - If a proxy chooses to conditionally proxy TLS connections and needs more information than what is contained in the client-initiated ClientHello, then the only way to make that decision is to send its own ClientHello to the server the client is connecting to and use information observed on that connection to make the decision to proxy the pending connection. - If a proxy chooses to not proxy some TLS connections, the proxy will fail open. The only way to avoid failing open is to proxy all connections. On Mon, Jul 27, 2020 at 6:31 AM Ben Schwartz <bemasc=40google....@dmarc.ietf.org<mailto:40google....@dmarc.ietf.org>> wrote: I'm concerned about this work happening outside the TLS working group. For example, the question of proper handling of TLS extensions is not addressed at all in this draft, and has significant security and functionality implications. There are various other tricky protocol issues (e.g. version negotiation, TLS 1.3 record padding, TLS 1.3 0-RTT vs. TLS 1.2 False Start, round-trip deadlock when buffers fill, ticket (non-)reuse, client certificate linkability pre-TLS-1.3, implications of SAN scope of synthesized certificates) that could arise and are going to be difficult to get right in any other WG. The title "TLS Proxy Best Practice" implies that it is possible to proxy TLS correctly, and that this document is the main source for how to do it. I think the TLS WG is the right place to make those judgments.. For the OpSec group, I think a more appropriate draft would be something like "TLS Interception Pitfalls", documenting the operational experience on failure modes of TLS interception. On Mon, Jul 27, 2020 at 8:57 AM Nancy Cam-Winget (ncamwing) <ncamwing=40cisco....@dmarc.ietf.org<mailto:40cisco....@dmarc.ietf.org>> wrote: The document is not imposing any standards but rather provide guidelines for those implementing TLS proxies; given that proxies will continue to exist I'm not sure why there is a belief that the IETF should ignore this. Warm regards, Nancy On 7/27/20, 5:20 AM, "OPSEC on behalf of Blumenthal, Uri - 0553 - MITLL" <opsec-boun...@ietf.org<mailto:opsec-boun...@ietf.org> on behalf of u...@ll.mit.edu<mailto:u...@ll.mit.edu>> wrote: I support Stephen and oppose adoption. IMHO, this is not a technology that IETF should standardize. On 7/25/20, 10:07, "TLS on behalf of Stephen Farrell" <tls-boun...@ietf.org<mailto:tls-boun...@ietf.org> on behalf of stephen.farr...@cs.tcd.ie<mailto:stephen.farr...@cs.tcd.ie>> wrote: I oppose adoption. While there could be some minor benefit in documenting the uses and abuses seen when mitm'ing tls, I doubt that the effort to ensure a balanced document is at all worthwhile. The current draft is too far from what it'd need to be to be adopted. Send to ISE. S. On 23/07/2020 02:30, Jen Linkova wrote: > One thing to add here: the chairs would like to hear active and > explicit support of the adoption. So please speak up if you believe > the draft is useful and the WG shall work on getting it published. > > On Mon, Jul 20, 2020 at 3:35 AM Ron Bonica > <rbonica=40juniper....@dmarc.ietf.org<mailto:40juniper....@dmarc.ietf.org>> wrote: >> >> Folks, >> >> >> >> This email begins a Call For Adoption on draft-wang-opsec-tls-proxy-bp. >> >> >> >> Please send comments to op...@ietf.org<mailto:op...@ietf.org> by August 3, 2020. >> >> >> >> Ron >> >> >> >> >> Juniper Business Use Only >> >> _______________________________________________ >> OPSEC mailing list >> op...@ietf.org<mailto:op...@ietf.org> >> https://www.ietf.org/mailman/listinfo/opsec > > > > -- > SY, Jen Linkova aka Furry > > _______________________________________________ > TLS mailing list > TLS@ietf.org<mailto:TLS@ietf.org> > https://www.ietf.org/mailman/listinfo/tls > _______________________________________________ TLS mailing list TLS@ietf.org<mailto:TLS@ietf.org> https://www.ietf.org/mailman/listinfo/tls _______________________________________________ TLS mailing list TLS@ietf.org<mailto:TLS@ietf.org> https://www.ietf.org/mailman/listinfo/tls _______________________________________________ OPSEC mailing list op...@ietf.org<mailto:op...@ietf.org> https://www.ietf.org/mailman/listinfo/opsec
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
