[NCAP-Discuss] Defining CI/CE

Jeff Schmidt jschmidt at jasadvisors.com
Wed Nov 9 22:20:46 UTC 2022


Cool – yeah, the “Defining CI/CE” deck is more appropriate for the NCAP Study work product as it contains details like port/protocol actions that are not yet defined anywhere (that I’ve seen).

The “Honeypots: A Cost-Benefit Analysis” deck is more appropriate for your document as it’s a comparison of techniques. Let me know what you think of that one.

Thanks,
Jeff


From: NCAP-Discuss <ncap-discuss-bounces at icann.org> On Behalf Of Casey Deccio
Sent: Wednesday, November 9, 2022 3:48 PM
To: ncap-discuss at icann.org
Subject: Re: [NCAP-Discuss] Defining CI/CE

Jeff,

I'm just looking at this now (apparently I missed it back in February).  I think that the issues (happily, but not surprisingly) correlate very well with those in the comparison doc.  In particular:

1. "TCP/!(80 & 443) [1] -> On SYN return RST" and "UDP/all -> Drop"
    - considered in "User Experience" under "Communication Interruption".  The differences are:
      - the comparison doc doesn't really specify which ports/applications, but rather speaks more generically (because, again, it doesn't seek to define/specify).
      - the comparison doc suggests that UDP is responded to with ICMP port unreachable for "quick response" rather than dropping.

2. "TCP/80"
    - considered in "User Experience" under "Communication Interception" / "Web Browser / HTTP"

3. "TCP/443"
    - considered in "User Experience" under "Communication Interception" / "Web Browser / HTTPS"

4. "Timestamp, IP, sport, dport":
    - considered in "Telemetry".


5. "SSL Certificate Note":
    - There is a whole discussion on this in the "User Experience" section under "Communication Interception" / "Web Browser / HTTPS".


Casey

[1] Should be "!(80 | 443)" :)
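As an added illustration of the port/protocol actions Casey enumerates above (this is example code written for this page, not the NCAP deck's or the comparison document's own material), the following Python model maps a packet to the action the deck prescribes, records only the four telemetry fields the deck lists, and shows why the footnote's predicate correction matters. `Packet`, `TelemetryRecord`, `decide()` and `handle()` are names assumed here; how non-SYN TCP segments to interrupted ports are treated is not defined in the thread, so dropping them is an assumption, and the `udp_quick_response` switch exists only to show the deck's "Drop" beside the comparison doc's ICMP port unreachable.

```python
# Added example, not from the NCAP deck or the comparison document: a toy
# policy model of the Controlled Interruption actions listed in the thread.
# Packet, TelemetryRecord, decide() and handle() are assumed names; dropping
# non-SYN TCP segments to interrupted ports is an assumption of this example.
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import List, Optional


class Action(Enum):
    TCP_RST = "tcp-rst"                          # "On SYN return RST"
    DROP = "drop"                                # "UDP/all -> Drop"
    ICMP_PORT_UNREACHABLE = "icmp-port-unreach"  # comparison doc's "quick response"
    INTERCEPT_HTTP = "intercept-http"            # "TCP/80"
    INTERCEPT_HTTPS = "intercept-https"          # "TCP/443" (certificate caveat applies)


INTERCEPTED_TCP_PORTS = frozenset({80, 443})


def port_is_interrupted(dport: int) -> bool:
    """Footnote [1]: the predicate must read !(80 | 443), i.e. the destination
    port is neither 80 nor 443.  A set test avoids the operator slip entirely."""
    return dport not in INTERCEPTED_TCP_PORTS


def predicate_as_written(dport: int) -> bool:
    """Literal reading of "!(80 & 443)": no port equals both 80 and 443, so the
    expression is True for every port and would RST web traffic as well."""
    return not (dport == 80 and dport == 443)


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src_ip: str
    sport: int
    dport: int
    tcp_syn: bool = False


@dataclass(frozen=True)
class TelemetryRecord:
    # Exactly the four fields the deck lists ("Timestamp, IP, sport, dport");
    # no payload is retained.
    timestamp: str
    ip: str
    sport: int
    dport: int


def decide(pkt: Packet, udp_quick_response: bool = False) -> Action:
    """Map one inbound packet to the deck's action for its protocol and port.

    udp_quick_response=False follows the deck ("UDP/all -> Drop");
    True follows the comparison doc (ICMP port unreachable instead)."""
    if pkt.proto == "tcp":
        if pkt.dport == 80:
            return Action.INTERCEPT_HTTP
        if pkt.dport == 443:
            return Action.INTERCEPT_HTTPS
        if pkt.tcp_syn:
            return Action.TCP_RST
        return Action.DROP  # assumption: non-SYN segments to other ports are dropped
    if pkt.proto == "udp":
        return Action.ICMP_PORT_UNREACHABLE if udp_quick_response else Action.DROP
    raise ValueError(f"unhandled protocol: {pkt.proto}")


def handle(pkt: Packet, log: List[TelemetryRecord], now: Optional[datetime] = None,
           udp_quick_response: bool = False) -> Action:
    """Record telemetry for the packet, then return the action to take."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    log.append(TelemetryRecord(ts, pkt.src_ip, pkt.sport, pkt.dport))
    return decide(pkt, udp_quick_response)


if __name__ == "__main__":
    # Constructed sample traffic using RFC 5737 documentation addresses.
    sample = [
        Packet("tcp", "203.0.113.5", 51000, 22, tcp_syn=True),
        Packet("tcp", "203.0.113.5", 51001, 80, tcp_syn=True),
        Packet("tcp", "198.51.100.9", 40000, 443, tcp_syn=True),
        Packet("udp", "198.51.100.9", 40001, 53),
    ]
    log: List[TelemetryRecord] = []
    for p in sample:
        print(p.proto, p.dport, "->", handle(p, log).value)
    print(len(log), "telemetry records, e.g.", log[0])
```

The `predicate_as_written` function is there only to make the footnote concrete: with the `&` reading, port 80 also satisfies the "interrupt" condition, so the HTTP interception branch would never be reached.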



On Nov 9, 2022, at 10:38 AM, Jeff Schmidt via NCAP-Discuss <ncap-discuss at icann.org> wrote:

Agreeing with Matt (L) - recall in Feb I sent the below/attached to this list attempting to pin down some pesky technical details on these techniques being promoted. My content is only intended to be a starting point - I would love to see the promoters of these techniques make additions/corrections so at least we're debating from a common frame of reference.

Jeff



-----Original Message-----
From: Jeff Schmidt <jschmidt at jasadvisors.com>
Sent: Friday, February 25, 2022 6:28 PM
To: ncap-discuss at icann.org
Subject: Re: [NCAP-Discuss] Defining CI/CE

Sorry, I was too imprecise in my SSL certificate language in the last one.
Please replace with this one.

Thx,
Jeff


On 2/25/22, 6:20 PM, "NCAP-Discuss on behalf of Jeff Schmidt via NCAP-Discuss" <ncap-discuss-bounces at icann.org on behalf of ncap-discuss at icann.org> wrote:

All:

I think a very important point has come out of this discussion - one of the reasons for the circular arguments is that we have never carefully defined CE and therefore we're operating under a number of assumptions which have vastly different implementation outcomes. Credit to Matt L and Danny for pointing this out.

Attached is my shot at a careful technical definition of the Controlled Interruption and Controlled Exfiltration options. We need to come to consensus on this before we can further discuss/recommend. The attached is the most conservative technical approach I can think of. This is just a strawman to start the conversation. I'm happy to be wrong on any/all of this. But no more glossing over the details - let's be super specific.

I would suggest the Chair(s) "force the issue" and call for consensus on this as quickly as discussion allows. Our lack of fundamental agreement here is blocking progress on this important item.

Thx,
Jeff


<NCAP Implementation Spec2.pptx>

_______________________________________________
NCAP-Discuss mailing list
NCAP-Discuss at icann.org
https://mm.icann.org/mailman/listinfo/ncap-discuss



