On 10/22/17 5:26 PM, Steve Fenter wrote:

> I know of a number of large enterprises in verticals including financial,
> health care, retail, and government, across multiple countries, who are using
> packet payload inspection within their data centers. Most of these
> enterprises are reluctant to step forward in a public forum and reveal their
> internal network structure and their internal security and monitoring
> practices. This gives the false impression that out-of-band decryption of TLS
> is not a big deal. It is in fact mission critical to a significant number of
> large enterprises.
>
> I have been saying to anyone who will listen that the IETF needs a private
> forum for enterprises, to enable them to come forward and discuss their real
> requirements. Without this input the IETF is trying to architect and engineer
> solutions without knowing the complete set of requirements, at least on the
> enterprise side. This results in sub-optimal design decisions (from an
> enterprise perspective), which in this case will break mission-critical
> enterprise monitoring and troubleshooting systems.

The IETF doesn't run private forums behind closed doors. You'd need to do that
kind of work elsewhere (these large enterprises could, of course, start their
own industry forum, where they could work in ways that the IETF doesn't).

> We've already experienced what a rollout of TLS 1.3 will be like, at more
> than one enterprise, when certain vendors decided to move Diffie-Hellman
> ciphers to the top of their priority list on a code upgrade. This caused
> severity one outages of critical monitoring systems.

It sounds as if different internal teams might not have been communicating
well about the rollout of those new cipher suites. Operational issues in large
enterprises are not a problem that requires protocol work.

> This means that critical applications depend on these monitoring systems,
> and if the monitoring system is down the application is completely down. This
> is not the outcome we want when TLS 1.3 is rolled out, but it is what we are
> headed for. Enterprise monitoring should be tested as part of the operational
> TLS 1.3 testing before TLS 1.3 is approved as a standard, and TLS 1.3 should
> not be approved if enterprise monitoring breaks.

Operational testing is always good, but very strong arguments need to be made
for the latter claim. Among other things, you're adding a new requirement to
the Internet Standards Process, which would necessitate IETF consensus on
changes to RFC 2026!

> The only other option being presented to enterprises is that we continue to
> run on a TLS spec that is nine years old, and then continue running it until
> it is 14 to 19 years old. It makes no sense to me to put out a TLS 1.3
> standard, but say that enterprises cannot upgrade to it.

There are many options, some of which Kathleen outlined in her blog post. It's
not helpful to say there is just one option when we haven't fully explored
either the problem space or the solution space. And by "we" I mean especially
those who are claiming the need for TLS visibility.

Peter
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls