[NCAP-Discuss] Defining CI/CE
Casey Deccio
casey at deccio.net
Wed Nov 9 21:47:47 UTC 2022
Jeff,
I'm just looking at this now (apparently I missed it back in February). I think that the issues (happily, but not surprisingly) correlate very well with those in the comparison doc. In particular:
1. "TCP/!(80 & 443)" [1] -> On SYN return RST" and "UDP/all -> Drop"
- considered in "User Experience" under "Communication Interruption". The differences are:
- the comparison doc doesn't really specify which ports/applications, but rather speaks more generically (because, again, it doesn't seek to define/specify).
- the comparison doc proposes suggests that UDP is responded to with ICMP port unreachable for "quick response" rather than dropping.
2. "TCP/80"
- considered in "User Experience" under "Communication Interception" / "Web Browser / HTTP"
3. "TCP/443"
- considered in "User Experience" under "Communication Interception" / "Web Browser / HTTPS"
4. "Timestamp, IP, sport, dport":
- considered in "Telemetry".
5. "SSL Certificate Note":
- There is a whole discussion on this in the "User Experience" section under "Communication Interception" / "Web Browser / HTTPS".
Casey
[1] Should be "!(80 | 443)" :)
> On Nov 9, 2022, at 10:38 AM, Jeff Schmidt via NCAP-Discuss <ncap-discuss at icann.org> wrote:
>
> Agreeing with Matt (L) - recall in Feb I sent the below/attached to this list attempting to pin down some pesky technical details on these techniques being promoted. My content is only intended to be a starting point - I would love to see the promoters of these techniques make additions/corrections so at least we're debating from a common frame of reference.
>
> Jeff
>
>
>> -----Original Message-----
>> From: Jeff Schmidt <jschmidt at jasadvisors.com>
>> Sent: Friday, February 25, 2022 6:28 PM
>> To: ncap-discuss at icann.org
>> Subject: Re: [NCAP-Discuss] Defining CI/CE
>>
>> Sorry, I was too imprecise in my SSL certificate language in the last one.
>> Please replace with this one.
>>
>> Thx,
>> Jeff
>>
>>
>> On 2/25/22, 6:20 PM, "NCAP-Discuss on behalf of Jeff Schmidt via NCAP-
>> Discuss" <ncap-discuss-bounces at icann.org on behalf of ncap-
>> discuss at icann.org> wrote:
>>
>> All:
>>
>> I think a very important point has come out of this discussion - one of the
>> reasons for the circular arguments is that we have never carefully defined CE
>> and therefore we're operating under a number of assumptions which have
>> vastly different implementation outcomes. Credit to Matt L and Danny for
>> pointing this out.
>>
>> Attached is my shot at a careful technical definition of the Controlled
>> Interruption and Controlled Exfiltration options. We need to come to
>> consensus on this before we can further discuss/recommend. The attached
>> is the most conservative technical approach I can think of. This is just a
>> strawman to start the conversation. I'm happy to be wrong on any/all of this.
>> But no more glossing over the details - let's be super specific.
>>
>> I would suggest the Chair(s) "force the issue" and call for consensus on this
>> as quickly as discussion allows. Our lack of fundamental agreement here is
>> blocking progress on this important item.
>>
>> Thx,
>> Jeff
>>
>>
>
> <NCAP Implementation Spec2.pptx>_______________________________________________
> NCAP-Discuss mailing list
> NCAP-Discuss at icann.org
> https://mm.icann.org/mailman/listinfo/ncap-discuss
>
> _______________________________________________
> By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mm.icann.org/pipermail/ncap-discuss/attachments/20221109/c20006ad/attachment.html>
More information about the NCAP-Discuss
mailing list