►
From YouTube: IETF111-OPSEC-20210730-2130
Description
OPSEC meeting session at IETF111
2021/07/30 2130
https://datatracker.ietf.org/meeting/111/proceedings/
A
A
A
A
And
everyone
who
say
something
at
the
microphone
could
later
take
a
look
and
update
the
minutes.
Thank
you
very
much.
So
I
don't
know.
Probably
I
don't
know
if
ron
is
missed.
Induction,
okay,
let's,
let's
start
with
housekeeping
anyway,
so
welcome
operational
security
capabilities
for
ap
network
infrastructure.
A
A
A
We
haven't
been
meeting
for
a
while,
and
today
we
have
a
quite
a
short
agenda.
We
have
one
presentation.
Actually
sorry,
this
slide
is
not
accurate.
It's
not
kirsty
who
will
be
presenting.
It
will
be
only
and
working
group
business.
Yes,
as
I
said,
we
haven't
admitted
for
a
while,
so
we
have
not
published
anything.
However,
two
drafts
which
been
and
as
a
working
group
business
for
long
time
finally
seem
to
make
a
significant
progress.
A
Operational
security
considerations
for
ipv6
networks
are
currently
with
rfc
editor
sku
already
has
rfc
number
and
so
on
so
stay
tuned
for
it
being
published
and
ipv6
extension
headers
filtering
can.
Transit
routing
is
currently
going
through
isg
evaluation,
and
I
can
see
a
lot
of
array
directors
comments
on
the
draft,
so
hopefully
we
can
finally
publish
this
one
as
well.
A
A
C
C
So
it
was
originally
presented
back
in
sex
dispatch.
Ietf
109
and
we've
now
been
through
several
rounds
of
iterations
taking
on
feedback
at
each
stage,
and
actually
the
authors
also
have
similarly
increased.
So
we've
added
a
in
in
the
last
iteration
another
co-author
in
the
guise
of
james,
and
we
brought
it
to
the
op
tech
mailing
list
for
the
discussion,
and
and
thank
you
to
nancy
and
fernando,
for
they
were.
They
did
a
thorough
review.
C
There
obviously
come
with
that.
You
know
and
you'll
see
on
one
of
the
last
slides
what
we
consider,
what
we
call
a
pyramid
of
pain.
There
are
varying
degrees
of,
I
guess,
quality
length
of
time
that
they
have
efficacy
for
et
cetera,
et
cetera,
but
they
are
all
important
and
they
have,
at
the
very
least,
an
aggregative
effect
on
on
combined
network
defense
when
we
roll
them
out.
So,
to
give
you
examples,
you
know
we
have
systems
that
pump
them
out
real
time
to
you
know
hundreds
of
networks.
C
You
know
where
we've
kind
of
fleshed
out
more,
so
the
work
now
to
kind
of
provide
a
more
stand-alone
piece
of
work.
So
I
think
you
know
we
fell
into
the
trap
that
I
suspect
we
all
do
at
times
where
we
assumed
a
base
level
of
knowledge
and
we
fell
into
our
own
vernacular
and
we
didn't
do
enough
of
the
base
explanations
and
and
we've
kind
of
gone
through
that
process
now
as
part
of
this
work.
C
C
Obviously
we
had,
we
have
dns
domain
names
and
and
and
people
and
for
actors
again
will
similarly
use
that
in
order
to
masquerade
or
otherwise
blend.
In
with
what
would
look
like
legitimate
network
traffic
using
a
variety
of
different
techniques,
but
you
know
suffice
to
say
again,
you
know
it's
a
very
useful
tool
for
us
to
either
look
historically
or
in
terms
of
active
traffic
flows
in
terms
of
identifying
compromises
that
may
be
present
in
an
environment,
obviously
sni
on
tls.
So
the
server
name
indication.
C
Again,
all
very
useful
actors
fall
into
the
same
traps.
You
know,
there's
a
certain
laziness
with
their
operational
security.
They
they
kind
of
get
into
kind
of
muscle,
memory
territory.
You
know
they'll
reuse
things
where
they're
hard
to
procure
and
so,
for
example,
we
see
campaigns,
as
we've
had
to
introduce
code
signing
more
more
aggressively
on
operating
systems.
A
C
D
C
Then
s
is
useless.
Yes,
but
often
to
give
you
an
example.
What
we
may
see
is
track
so
where,
where
we
why
we
need
sni
okay,
so
they
will
often
use
content
delivery
networks.
So
we
will
see
a
connection
going
out
to
something
like
cloudflare
and-
or
you
know,
azure
cdn
edge,
et
cetera,
et
cetera,
and
so
the
ip
address
is
responsible
for
potentially
many
tens
of
thousands
of
particular
hosts,
and
so
we
have
no
idea
actually
where
the
connection
is
going
to,
but
obviously
through
sni
in
inspection.
C
We
can
actually
see
that
they're
going
to
that
one
host
that
we're
actually
interested
or
that
one
domain
that
they're
actually
interested
in,
so
that
that
so
we
don't
really
necessarily
have
a
threat
model
for
for
sni,
and
I
think
you
know
I
think
you
would
recognize
all
of
these.
You
have
a
sufficiently
advanced
threat
actor.
They
can
probably
come
up.
You
know
we
see
the
main
fronting
being
used
and
other
so
domain.
Fronting
is
where
a
threat
actor
can
effectively
tunnel
through.
C
C
Similarly,
acquiring
dns
make
their
domain
names
and,
and
the
like,
so
we've
added
a
piece
of
work
to
this
last
release
and
specifically
around
the
life
cycle
of
iocs,
because
we
felt
it
actually
useful
to
explain
to
them
to
everyone.
You
know
how
does
it
work
in
practice,
and
so
obviously
we
go
through
this.
We
go
through
a
discovery
phase
where
we
find
what
we
think
is
a
suspected
indicator
of
compromise
that
will
then
be
assessed
and
then
we'll
do
some
form
of
sharing.
So
we'll
do
distribution
of
that.
C
And
then
we
end
up
with
a
reaction
which
is
often
a
kind
of
a
cyber
defense
response
to
either
neutralizing
a
threat
blocking
the
threat
or
or
and
often
then,
what
we'll
see
is
that
the
kind
of
the
those
irc
iocs
would
degrade
in
terms
of
their
value
and
another
effect
of
the
end
of
life.
Because
again,
I
think
what
you
would
recognize
is
domains
change,
ownership,
ip
addresses
change
ownership,
and
so
there
is
kind
of
that
there
is
a
certain
finite
length
as
to
that
that
their
their
use
and
utility.
C
So
I
think
you
know
the
questions
and
the
next
steps
we
have
for
you
and
obviously
I'll
quite
happy
to
take
any
further
questions
that
you
might
have.
But
you
know
we
obviously
would
deeply
value
further
feedback
and
comments
from
from
this
group,
because
I
think
you
know
the
the
what
we've
had
so
far
has
been
extremely
useful.
C
I
think
you
know
we
do
have
a
question
is,
is
the
work
that
will
that
we
have
been
dying
done
been
doing
even
in
scope
for
for
obsex
specifically
and
then
would
you
consider
working
group
adoption
and-
and
I
think
you
know
that
that
that
comes
to
the
end
of
my
slides
and
I
hopefully
not
missed
anything
in
the
chat,
but
do
let
me
know
if
there
are
any
other
questions
or
the
like
and
and
sorry
eric?
Do
you
have
another
question?
E
C
Yes,
I
think
that's
a
very
fair.
Well,
yes,
that's
right!
So
you
know
what
what
we're
asking
for
here
is
as
p
as
we
desire
as
the
icf
designs
next
generation
protocols
or
immense
existing
that
these
be
taken
into
consideration,
because
I
think
you're
right,
you
know
the
the
intrinsic
properties
of
the
protocols
will
either
preclude
or
not
preclude
the
the
use
or
the
utility
of
iocs.
Yes,
okay,.
B
E
A
D
I
I
guess
I,
like
you,
know
I'm
sure,
like
in
terms
of
protocol
design.
I
guess,
like
I
think,
informationally
like
this
is
all
fine,
but
I
mean,
like
you
know
we
now
have
about.
We
had
about
three
separate
documents
that
are
all
like
every
time
you
encrypt
something
that
makes
our
lives
harder
and,
like
you
know,
like
it's
kind
of
like
a
source
of
frustration,
I
think
between
sort
of
different
parts
of
the
idf.
So
I
guess,
like
you,
know,
like
what
outcome
are
you
hoping
for
here.
C
Well,
well,
yeah,
and
I
think
that's
right,
so
I
think
we're
asking
is
for
optionality.
If
I'm
being
honest,
so
I
think
if,
if
I
look,
if
I
look
into
the
world-
and
I
look
at
total
privacy
for
everyone
with
and
I
run
an
enterprise,
I
make
my
job
very
difficult
yeah,
and
so
I
think
it
is
it's
not
asking
for
don't
encrypt
stuff.
C
The
kind
of
the
kind
of
the
sexual
specific
stuff
and
they
can't
effectively
defend
because
you
know
a
whole
host
of
threats
and
you
know,
and
some
would
say
well,
you
just
go
to
the
endpoint
and
you
start
putting
extra
software
on
the
endpoints
to
that
monitoring
and
that's
all
well
and
good,
as
we've
got
commodity
operating
systems
where
we
can
do
that.
But
you
know
I
think,
we'll
all
of
those
around
this
table
will
recognize.
C
We
have
devices
now
that
exist
in
wall
gardens
where
we
can't
run
code
load
low
enough
to
get
the
insight
and
the
telemetry
that
we
need.
And
similarly,
if
we
look
at,
you
know
predictions
and
let
alone
what
we're
living
today
in
terms
of
the
explosion
of
embedded
devices,
which
you
know
you
know
be
damned
if
we
can
get
third
party
code
on
there.
D
C
So
you
you
know,
so
if
we
take
a
thousand
rp
is
a
bad
example,
but
it's
an
example.
Nevertheless,
which
is
so.
I
guess
the
the.
How
how
would
you
at
the
moment
we
have
to
turn
doe
off
right
or
organizations
have
to
go
off
if
they
want
to
do
certain
things
with
bns
over
certain
challenges,
but
there
probably
is
there's,
probably
and
smarter
people
to
me.
I
don't
know
the
answers
I'm
making
up
for
off
the
cuff
there.
C
There
were
probably
a
way
of
building
in
a
a
way
to
at
least
do
privacy
preserving
in
inspection,
and
I
think
actually
we
talk
about
it
in
the
draft
right.
So
there
are
now
ways
there
are
ways
to
do
privacy
preserving
introspection
in
some
ways
without
kind
of
knowing
which
websites
I'm
going
to,
but
I
can
check
for
the
presence
of
what
is
what
I'm
looking
for
and
and
it's
building
some
of
that
in
some
of
some
of
some
of
that
in
into
the
future
design.
D
C
C
You
know
some
degree
of
of
insured
privacy
yeah.
I
can
still
search
for
for
what
I
want
so
yeah
yeah.
I
I
right
so
I
I
sense
the
tension
and-
and
I'm
not
sure
I
can
so
I
I
would
ask
you
please,
to
to
look
at
the
draft
and
see
what
we've
tried
to
write
and
see
if
it
addresses
your
concerns
and
if
it
doesn't
provide
the
feedback
and
and
we'll
take.
D
It
on
it
I
mean
I've,
read
earlier
versions
of
this,
so
I
I
I
just
didn't
read
this
the
03,
but
I
guess
like
I
guess
I
would
say,
like
I'm
quite
familiar
with
npc
and
like
like
it's
not
solutions,
it's
basically
like
you
would
need.
We
need
radical
changes
to
like
every
cryptographic
protocol
we
now
developed
in
order
to
provide
the
functionality
you're
trying
to
provide.
So
I
don't
think
that's
like
a
plausible
answer.
D
I
guess
I
don't
understand,
like
I
mean,
I
think,
like
I
guess,
depending
what
this
is,
but
if
like
what
you're
trying
to
do
is
like
have
a
thing
that
would
be
safe,
for
instance,
where,
where
I
could
prove
my
my
resolutions
were
not
resolving
any
domain
name,
you
do
not
like
that
would
be
like
a
radical,
create
just
every
cryptographic
we've
ever
designed.
So,
like
I
mean
like
I
mean
that
would
be
like
a
multi-year
research
project.
D
D
But
I
think
that
the
I
think
that
the
idea
that
it's
going
to
be
the
case
that,
like
there's
some
protocol,
we
could
design
that
provides
strong
privacy
against
network
against
people
on
the
network.
But
then
wouldn't
that
would
also
allow
people
other
people
in
the
network
to
to
be
able
to
like
see
that
you
weren't
going
to
certain
like
sites.
D
I
just
don't
see,
I
don't
see
that's
going
to
work,
okay,
but
I'll
focus
on
constantly
drafting
like
I
can
see
you
know,
because
if
people
want
to
spend
a
lot
of
time,
like
writing,
a
draft,
that's
sort
of
like
another
draft
that
is
like
encryption
made
us
sad
like
okay,
but
like.
If
it's
going
to
turn
into
like
a
you
know,
if,
if
outcome
is
going
to
be
recommendation
or
protocol
design,
that
seems
like
it's
going
to
be
very,
very
difficult.
C
Yeah-
and
I
don't
think,
that's
our
intent-
I
I
think
you
know
our
intent
again.
Is
you
know?
I
don't
think
we
we
are.
I
don't
think
we're
saying
the
encryption
has
made
us
bad,
because
you
know
we
we're
still
not
encrypting
ip
addresses
right.
So
we
have
tools
right,
but
we
want.
We
want
the
community
to
at
least
be
aware
of
the
plight
and
to
provide
at
least
a
reference
body
of
knowledge,
but
you
know-
and
I
think
that
that's
the
aspiration
in
the
short
term
sure
okay-
well,
I
I
I
am.
A
Okay,
so
no
one
else
in
the
queue.
So
what
I
suggest
looks
like
there
is
some
interest
and
it
looks
like
useful
work
right.
So
I
would
really
like
to
see
more
comments
on
the
list
about
the
draft
and
we'll
figure
out
the
best
place
for
this
work,
because,
as
a
chair,
I
don't
mind
hosting
it,
we
just
need
to
make
sure
we.
Basically
there
is
no
better
place
for
it
right.
So
if
we
don't
find,
if
we,
if
we
don't
find
a
better
place,
we'll
run
adoption
call
here.