►
From YouTube: IETF111-OPSEC-20210730-2130
Description
OPSEC meeting session at IETF111
2021/07/30 2130
https://datatracker.ietf.org/meeting/111/proceedings/
A
A
A
And
everyone
who
say
something
at
the
microphone
could
later
take
a
look
and
update
the
minutes.
Thank
you
very
much.
So
I
don't
know.
Probably
I
don't
know
if
ron
is
missed.
Induction,
okay,
let's,
let's
start
with
housekeeping
anyway,
so
welcome
operational
security
capabilities
for
ap
network
infrastructure.
A
A
A
We
haven't
been
meeting
for
a
while,
and
today
we
have
a
quite
a
short
agenda.
We
have
one
presentation.
Actually
sorry,
this
slide
is
not
accurate.
It's
not
kirsty
who
will
be
presenting.
It
will
be
only
and
working
group
business.
Yes,
as
I
said,
we
haven't
admitted
for
a
while,
so
we
have
not
published
anything.
However,
two
drafts
which
been
and
as
a
working
group
business
for
long
time
finally
seem
to
make
a
significant
progress.
A
Operational
security
considerations
for
ipv6
networks
are
currently
with
rfc
editor
sku
already
has
rfc
number
and
so
on
so
stay
tuned
for
it
being
published
and
ipv6
extension
headers
filtering
can.
Transit
routing
is
currently
going
through
isg
evaluation,
and
I
can
see
a
lot
of
array
directors
comments
on
the
draft,
so
hopefully
we
can
finally
publish
this
one
as
well.
A
A
No
one
good
so
ollie
the
floor
is
yours.
Would
you
like
to
use
pressured
slides.
A
C
Lovely
thank
you
very
much
everyone
and
good
morning,
good
afternoon,
good
evening,
wherever
you
are
on
the
planet.
Isn't
this
amazing?
So
thank
you
very
much.
C
My
name
is
ollie
whitehouse
and
I'm
the
group
cto
ncc
group
and
I'm
one
of
the
co-authors
on
on
this
proposal,
with
kirsty
around
indicators
of
compromise
and-
and
we
wanted
the
opportunity
today
to
kind
of
rewind
and
give
you
an
overview
of
the
process
that
we've
been
on
the
purpose
of
the
intent
and
then
ask
a
couple
of
questions
as
we
get
towards
the
the
end
of
the
presentation
in
terms
of
what
next
steps
might
be
so
a
bit
of
history.
C
So
it
was
originally
presented
back
in
sex
dispatch.
Ietf
109
and
we've
now
been
through
several
rounds
of
iterations
taking
on
feedback
at
each
stage,
and
actually
the
authors
also
have
similarly
increased.
So
we've
added
a
in
in
the
last
iteration
another
co-author
in
the
guise
of
james,
and
we
brought
it
to
the
op
tech
mailing
list
for
the
discussion,
and
and
thank
you
to
nancy
and
fernando,
for
they
were.
They
did
a
thorough
review.
C
Shall
we
say
in
zero,
two
and
and
that
led
to
a
lot
of
good
discussion
and
further
building
out
actually
of
the
work
itself?
C
So
really
you
know
the
purpose
of
the
the
motivation
is
and
and
where
kirsty
and
I
come
from,
you
know
we're
defending
networks
on
a
daily
weekly
monthly
basis,
and
it
is
obviously
a
very
challenging
and
ever
scaling
set
of
problems
that
we
face
there,
both
because,
obviously
you
know
technology's
changing
very
rapidly
use
of
maturity.
C
So
there
are
a
number
of
driving
factors
which
complicate
the
art
of
cyber
defense
more
broadly,
and
so
we
wanted
to
provide
a
piece
of
baseline
knowledge
to
protocol
engineers,
specifically
as
to
the
things
to
consider
when,
from
a
cyber
defense
perspective
when
designing
some
protocols
and
and
that
we
felt
that
was
important,
because
you
know,
I
think,
increasingly,
when
we
design
network
protocols,
we
have
a
set
of
design
choices
that
we
that
we
can
enact
as
part
of
that
process,
and
I
think
you
know
we
see
at
times
some
of
those
go
against
some
of
the
opportunities
there
are
to
make
our
own
jobs
easier
in
in
the
provision
of
cyber
defense
and
network
defense.
C
Specifically,
and-
and
so
what
we
also
wanted
to
do
was
bring
kind
of
some
of
the
practitioner
from
our
side
and
and
we're
obviously
a
synthesis
of
a
lot
of
of
knowledge,
both
within
the
uk
and
broader
into
the
itf
and
and
really
try
and,
as
I
said,
kind
of
articulate
the
need
and
the
want.
C
So
the
draft
introduction
really
outlines
that,
in
order
to
get
a
scaling
effect
in
our
in
our
cyber
defense
activities,
we
rely
on
what
we
call
indicators
of
compromise
and-
and
these
are
often
you
know-
ip
addresses,
dns
names,
etc,
etc,
which
can
be
easily
transmitted
and
shared
within
various
trust
forums
in
order
to
detect
and
potentially
disrupt
threat
for
activity
at
relatively
low
cost.
C
There
obviously
come
with
that.
You
know
and
you'll
see
on
one
of
the
last
slides
what
we
consider,
what
we
call
a
pyramid
of
pain.
There
are
varying
degrees
of,
I
guess,
quality
length
of
time
that
they
have
efficacy
for
et
cetera,
et
cetera,
but
they
are
all
important
and
they
have,
at
the
very
least,
an
aggregative
effect
on
on
combined
network
defense
when
we
roll
them
out.
So,
to
give
you
examples,
you
know
we
have
systems
that
pump
them
out
real
time
to
you
know
hundreds
of
networks.
C
They
cannot
procure
certain
services
and
the
like,
but
you
know
what
we
wanted
to
do
and
what
we've
done
is
we've
written.
C
You
know
quite
a
lengthy
piece
of
work
now
in
terms
of
the
role
and
the
importance
of
iocs
in
network
defense,
how
to
think
about
them
and
some
of
the
design
considerations,
how
they're,
effective
and
and
some
work
to
cast
examples
so,
and
this
kind
of
gives
you
the
kind
of
shows
you
the
I
guess,
the
journey
that
we've
been
on
so
on
the
left-hand
side
was
our
was
our
first
stab
as
it
were
at
this
and
then
you
know,
based
on
the
feedback
and-
and
you
know
the
questions
that
we
got
in
and-
and
I
can't
say
you
know
very
constructive
criticism
and
helpful
criticism
and
contributions.
C
You
know
where
we've
kind
of
fleshed
out
more,
so
the
work
now
to
kind
of
provide
a
more
stand-alone
piece
of
work.
So
I
think
you
know
we
fell
into
the
trap
that
I
suspect
we
all
do
at
times
where
we
assumed
a
base
level
of
knowledge
and
we
fell
into
our
own
vernacular
and
we
didn't
do
enough
of
the
base
explanations
and
and
we've
kind
of
gone
through
that
process
now
as
part
of
this
work.
C
So,
as
I've
touched
on,
you
know,
I
asked
iocs
come
in
various
forms,
and
so
obviously
at
one
end
we
have
ip
addresses.
You
know
before
v6
addresses
the
granted
actors
can
change
those,
but
you
know
that
is
still
used
by
by
an
awful
lot.
C
Obviously
we
had,
we
have
dns
domain
names
and
and
and
people
and
for
actors
again
will
similarly
use
that
in
order
to
masquerade
or
otherwise
blend.
In
with
what
would
look
like
legitimate
network
traffic
using
a
variety
of
different
techniques,
but
you
know
suffice
to
say
again,
you
know
it's
a
very
useful
tool
for
us
to
either
look
historically
or
in
terms
of
active
traffic
flows
in
terms
of
identifying
compromises
that
may
be
present
in
an
environment,
obviously
sni
on
tls.
So
the
server
name
indication.
C
Again,
all
very
useful
actors
fall
into
the
same
traps.
You
know,
there's
a
certain
laziness
with
their
operational
security.
They
they
kind
of
get
into
kind
of
muscle,
memory
territory.
You
know
they'll
reuse
things
where
they're
hard
to
procure
and
so,
for
example,
we
see
campaigns,
as
we've
had
to
introduce
code
signing
more
more
aggressively
on
operating
systems.
C
For
example,
threat
actors
have
found
ways
to
buy
either
masqueraded
or
stolen
code
signing
certificates,
but
then
the
the
the
supply
of
those
is
quite
finite,
so
they'll
use
it
potentially
across
multiple
campaigns,
cryptographic
asses
so
of
files
of
other
artifacts,
so
be
it
md5
shell
one
shot
two
five
six
etcetera
and
then
we
start
getting
down
into
kind
of
the
the
more
nitty
gritty.
C
So
you
know
particular
tools
and
bits
of
tradecraft
and
then
real
attack
techniques,
and
so
when
we
put
that
all
together,
what
we
can
is
we
get
our
it's
our
pyramid
of
pain
and
the
the
ones
at
the
top
are
the
less
fragile,
most
precise
harder
to
change
the
bottom
ones
are
the
most
transient
is
where
we
get
yes,.
A
Sorry
for
interrupting,
do
you
want
we
have?
I
reckon
you
do
you
want
to
take
questions
or
comments?
Oh.
C
Please,
yes,
sorry
yeah!
I
I
should.
I
should
have
been
quite
happy
to
take
questions
and
as
we
go
so
eric,
please
please
please
yeah.
D
Can
you
talk
a
little
about
your
threat
model
for
s
I
so
so
I
think
I
mentioned
other
other
locations.
If
the
attacker
controls
the
server,
then
s-
and
I
can't
be
is-
is-
is
unverifiable.
C
If
the
attacker
controls
the
server
and
the
client,
yes,
the
if
the
controls,
so
if
the
attacker
controls
the
server,
the
client
is.
C
Then
s
is
useless.
Yes,
but
often
to
give
you
an
example.
What
we
may
see
is
track
so
where,
where
we
why
we
need
sni
okay,
so
they
will
often
use
content
delivery
networks.
So
we
will
see
a
connection
going
out
to
something
like
cloudflare
and-
or
you
know,
azure
cdn
edge,
et
cetera,
et
cetera,
and
so
the
ip
address
is
responsible
for
potentially
many
tens
of
thousands
of
particular
hosts,
and
so
we
have
no
idea
actually
where
the
connection
is
going
to,
but
obviously
through
sni
in
inspection.
C
We
can
actually
see
that
they're
going
to
that
one
host
that
we're
actually
interested
or
that
one
domain
that
they're
actually
interested
in,
so
that
that
so
we
don't
really
necessarily
have
a
threat
model
for
for
sni,
and
I
think
you
know
I
think
you
would
recognize
all
of
these.
You
have
a
sufficiently
advanced
threat
actor.
They
can
probably
come
up.
You
know
we
see
the
main
fronting
being
used
and
other
so
domain.
Fronting
is
where
a
threat
actor
can
effectively
tunnel
through.
C
They
can
make
us
go
blind,
but
that's
the
one
percent
you
know
a
lot
of
this
stuff
is
is
to
allow
us
to
reduce
the
cost
and
increase
the
efficacy
against
the
99.
Sure.
Thank
you.
Does
that
answer
your
question.
Eric
yeah.
C
So
we
end
up
with
a
period
of
pain,
as
I
said,
you
know
so,
invest
heavily
in
the
top
and
we
get
really
precise,
very
low
fragility
in
terms
of
our
the
techniques,
tactics
and
procedures
which
we
you
know
hopefully
convert
to
ttps
at
the
bottom
end,
we
have
things
which
are
arguably
easy
to
change
commodity
things,
so
changing
a
file
hash,
you
know
getting
disposable
ip
addresses
now
in
2021
is,
is
not
particularly
difficult.
C
Similarly,
acquiring
dns
make
their
domain
names
and,
and
the
like,
so
we've
added
a
piece
of
work
to
this
last
release
and
specifically
around
the
life
cycle
of
iocs,
because
we
felt
it
actually
useful
to
explain
to
them
to
everyone.
You
know
how
does
it
work
in
practice,
and
so
obviously
we
go
through
this.
We
go
through
a
discovery
phase
where
we
find
what
we
think
is
a
suspected
indicator
of
compromise
that
will
then
be
assessed
and
then
we'll
do
some
form
of
sharing.
So
we'll
do
distribution
of
that.
C
We
often
use
things
like
the
traffic
light
protocol,
where
that
can
be
shared
within
certain
trust
groups
for
certain
utility,
because
again
the
fragility
of
some
of
these
iocs
means
we
don't
want
the
fractures
necessarily
always
to
know
that
that
we
have
them
because
we're
using
it
to
at
least
combat
some
of
their
intrusions,
and
then
that
will
lead
to
some
degree
of
deployment
that
then
results
in
ultimately
detection
of
what
were
those
latent
compromises
or
attempts
that
compromise
within
those
environments.
C
And
then
we
end
up
with
a
reaction
which
is
often
a
kind
of
a
cyber
defense
response
to
either
neutralizing
a
threat
blocking
the
threat
or
or
and
often
then,
what
we'll
see
is
that
the
kind
of
the
those
irc
iocs
would
degrade
in
terms
of
their
value
and
another
effect
of
the
end
of
life.
Because
again,
I
think
what
you
would
recognize
is
domains
change,
ownership,
ip
addresses
change
ownership,
and
so
there
is
kind
of
that
there
is
a
certain
finite
length
as
to
that
that
their
their
use
and
utility.
C
So
I
think
you
know
the
questions
and
the
next
steps
we
have
for
you
and
obviously
I'll
quite
happy
to
take
any
further
questions
that
you
might
have.
But
you
know
we
obviously
would
deeply
value
further
feedback
and
comments
from
from
this
group,
because
I
think
you
know
the
the
what
we've
had
so
far
has
been
extremely
useful.
C
I
think
you
know
we
do
have
a
question
is,
is
the
work
that
will
that
we
have
been
dying
done
been
doing
even
in
scope
for
for
obsex
specifically
and
then
would
you
consider
working
group
adoption
and-
and
I
think
you
know
that
that
that
comes
to
the
end
of
my
slides
and
I
hopefully
not
missed
anything
in
the
chat,
but
do
let
me
know
if
there
are
any
other
questions
or
the
like
and
and
sorry
eric?
Do
you
have
another
question?
E
C
Yes,
I
think
that's
a
very
fair.
Well,
yes,
that's
right!
So
you
know
what
what
we're
asking
for
here
is
as
p
as
we
desire
as
the
icf
designs
next
generation
protocols
or
immense
existing
that
these
be
taken
into
consideration,
because
I
think
you're
right,
you
know
the
the
intrinsic
properties
of
the
protocols
will
either
preclude
or
not
preclude
the
the
use
or
the
utility
of
iocs.
Yes,
okay,.
B
E
D
I
I
guess
I,
like
you,
know
I'm
sure,
like
in
terms
of
protocol
design.
I
guess,
like
I
think,
informationally
like
this
is
all
fine,
but
I
mean,
like
you
know
we
now
have
about.
We
had
about
three
separate
documents
that
are
all
like
every
time
you
encrypt
something
that
makes
our
lives
harder
and,
like
you
know,
like
it's
kind
of
like
a
source
of
frustration,
I
think
between
sort
of
different
parts
of
the
idf.
So
I
guess,
like
you,
know,
like
what
outcome
are
you
hoping
for
here.
C
Well,
well,
yeah,
and
I
think
that's
right,
so
I
think
we're
asking
is
for
optionality.
If
I'm
being
honest,
so
I
think
if,
if
I
look,
if
I
look
into
the
world-
and
I
look
at
total
privacy
for
everyone
with
and
I
run
an
enterprise,
I
make
my
job
very
difficult
yeah,
and
so
I
think
it
is
it's
not
asking
for
don't
encrypt
stuff.
C
The
kind
of
the
kind
of
the
sexual
specific
stuff
and
they
can't
effectively
defend
because
you
know
a
whole
host
of
threats
and
you
know,
and
some
would
say
well,
you
just
go
to
the
endpoint
and
you
start
putting
extra
software
on
the
endpoints
to
that
monitoring
and
that's
all
well
and
good,
as
we've
got
commodity
operating
systems
where
we
can
do
that.
But
you
know
I
think,
we'll
all
of
those
around
this
table
will
recognize.
C
We
have
devices
now
that
exist
in
wall
gardens
where
we
can't
run
code
load
low
enough
to
get
the
insight
and
the
telemetry
that
we
need.
And
similarly,
if
we
look
at,
you
know
predictions
and
let
alone
what
we're
living
today
in
terms
of
the
explosion
of
embedded
devices,
which
you
know
you
know
be
damned
if
we
can
get
third
party
code
on
there.
C
Yet
we
are
tasked
with
securing
it
all
monitoring,
all
intersecting
latent
breaches
and
so
yeah
eric
succinctly:
optionality
in
in
some
of
the
security
properties,
because
I
don't
quite
understand
like
optionality,
you
mean
in
this
case,
so
I
mean
like.
D
C
So
you
you
know,
so
if
we
take
a
thousand
rp
is
a
bad
example,
but
it's
an
example.
Nevertheless,
which
is
so.
I
guess
the
the.
How
how
would
you
at
the
moment
we
have
to
turn
doe
off
right
or
organizations
have
to
go
off
if
they
want
to
do
certain
things
with
bns
over
certain
challenges,
but
there
probably
is
there's,
probably
and
smarter
people
to
me.
I
don't
know
the
answers
I'm
making
up
for
off
the
cuff
there.
C
There
were
probably
a
way
of
building
in
a
a
way
to
at
least
do
privacy
preserving
in
inspection,
and
I
think
actually
we
talk
about
it
in
the
draft
right.
So
there
are
now
ways
there
are
ways
to
do
privacy
preserving
introspection
in
some
ways
without
kind
of
knowing
which
websites
I'm
going
to,
but
I
can
check
for
the
presence
of
what
is
what
I'm
looking
for
and
and
it's
building
some
of
that
in
some
of
some
of
some
of
that
in
into
the
future
design.
D
I
mean
be
honest
and
I
I
guess
you
know
I
guess
what
I'm
trying
to
avoid
is
like
we
spent
like
literally
years
arguing
about
like
how
daughter
be
deployed
and
about
people
who
wanted
like
various
kinds
of
strong
statements,
and
we
ended
up
ended
up
with
was
a
working
group
which
was
designed
to
do
mechanism
and
not
policy,
and
so
like
so
like
it'd,
be
very
unfortunate.
D
So
so
I
gotta
say
this
draft
is
bad,
but
I'm
saying
like
we
understand
the
outcome
is
because
the
outcome
is
to
be
like
is
the
recommendations
that
protocols
be
designed
and
we're
different
than
we
then
we're
currently
don't
design
them.
Then
that
is
not
going
to
be
a
neutral
discussion.
C
C
You
know
some
degree
of
of
insured
privacy
yeah.
I
can
still
search
for
for
what
I
want
so
yeah
yeah.
I
I
right
so
I
I
sense
the
tension
and-
and
I'm
not
sure
I
can
so
I
I
would
ask
you
please,
to
to
look
at
the
draft
and
see
what
we've
tried
to
write
and
see
if
it
addresses
your
concerns
and
if
it
doesn't
provide
the
feedback
and
and
we'll
take.
D
It
on
it
I
mean
I've,
read
earlier
versions
of
this,
so
I
I
I
just
didn't
read
this
the
03,
but
I
guess
like
I
guess
I
would
say,
like
I'm
quite
familiar
with
npc
and
like
like
it's
not
solutions,
it's
basically
like
you
would
need.
We
need
radical
changes
to
like
every
cryptographic
protocol
we
now
developed
in
order
to
provide
the
functionality
you're
trying
to
provide.
So
I
don't
think
that's
like
a
plausible
answer.
C
D
I
guess
I
don't
understand,
like
I
mean,
I
think,
like
I
guess,
depending
what
this
is,
but
if
like
what
you're
trying
to
do
is
like
have
a
thing
that
would
be
safe,
for
instance,
where,
where
I
could
prove
my
my
resolutions
were
not
resolving
any
domain
name,
you
do
not
like
that
would
be
like
a
radical,
create
just
every
cryptographic
we've
ever
designed.
So,
like
I
mean
like
I
mean
that
would
be
like
a
multi-year
research
project.
D
It
would
not
be
a
it
would
not
be
a
drop-in,
I'm
not
sure
it's
even
possible
by
the
way,
but
it's
like
certainly
be
very,
very
difficult.
So
so
I
I
guess
I
guess
I
don't.
D
I
think
that,
like
there's,
a
pretty
strong
trade
obviously
made
here
between,
like
what
you
know
what's
available
to
the
monitoring
pieces
of
the
network
and
what's
available
and
in
terms
of
light
and
what's
not-
and
you
know
I
think
most
of
what
we
focused
on,
I
think
is
like
you
know,
trying
to
enable
people
control
the
endpoints
to
disable
those
things
as
opposed
to
you
know:
disabled
disable,
the
things
that
are
making
their
lives
difficult.
D
But
I
think
that
the
I
think
that
the
idea
that
it's
going
to
be
the
case
that,
like
there's
some
protocol,
we
could
design
that
provides
strong
privacy
against
network
against
people
on
the
network.
But
then
wouldn't
that
would
also
allow
people
other
people
in
the
network
to
to
be
able
to
like
see
that
you
weren't
going
to
certain
like
sites.
D
I
just
don't
see,
I
don't
see
that's
going
to
work,
okay,
but
I'll
focus
on
constantly
drafting
like
I
can
see
you
know,
because
if
people
want
to
spend
a
lot
of
time,
like
writing,
a
draft,
that's
sort
of
like
another
draft
that
is
like
encryption
made
us
sad
like
okay,
but
like.
If
it's
going
to
turn
into
like
a
you
know,
if,
if
outcome
is
going
to
be
recommendation
or
protocol
design,
that
seems
like
it's
going
to
be
very,
very
difficult.
C
Yeah-
and
I
don't
think,
that's
our
intent-
I
I
think
you
know
our
intent
again.
Is
you
know?
I
don't
think
we
we
are.
I
don't
think
we're
saying
the
encryption
has
made
us
bad,
because
you
know
we
we're
still
not
encrypting
ip
addresses
right.
So
we
have
tools
right,
but
we
want.
We
want
the
community
to
at
least
be
aware
of
the
plight
and
to
provide
at
least
a
reference
body
of
knowledge,
but
you
know-
and
I
think
that
that's
the
aspiration
in
the
short
term
sure
okay-
well,
I
I
I
am.
A
Okay,
so
no
one
else
in
the
queue.
So
what
I
suggest
looks
like
there
is
some
interest
and
it
looks
like
useful
work
right.
So
I
would
really
like
to
see
more
comments
on
the
list
about
the
draft
and
we'll
figure
out
the
best
place
for
this
work,
because,
as
a
chair,
I
don't
mind
hosting
it,
we
just
need
to
make
sure
we.
Basically
there
is
no
better
place
for
it
right.
So
if
we
don't
find,
if
we,
if
we
don't
find
a
better
place,
we'll
run
adoption
call
here.
A
C
A
A
I
don't
think
it
usually
a
good
reason
to
adopt
a
document,
so
I
would
love
to
see
feedback
on
the
draft
and
then
we'll
go
on
from
there.
Thank
you
for
presenting.