Session Date/Time: 30 Mar 2023 06:00
opsec
Summary
This meeting covered two presentations: one on the implications of IPv6 addressing on security operations, and another on deployment considerations for Encrypted Client Hello (ECH). The IPv6 presentation discussed challenges related to address space, access control lists, blocklists, and network correlation. The ECH presentation focused on the operational impacts of encrypting the Server Name Indication (SNI), particularly in educational, enterprise, and public network environments. Both presentations sparked significant discussion about the practicalities and potential drawbacks of relying on address-based security measures and SNI filtering, respectively.
Key Discussion Points
- IPv6 Addressing and Security Operations: The discussion highlighted the differences in address length and management between IPv4 and IPv6 and their impact on security practices. It was noted that IPv6 provides larger address blocks to end-users, which raises challenges for access control and blocklisting.
- ECH Deployment Considerations: The presentation pointed out the potential disruptions caused by ECH for content filtering, particularly in schools, enterprises, and public networks that rely on SNI inspection.
- Reliability of SNI Filtering: Concerns were raised about the reliability of SNI-based filtering mechanisms, as it's known that the SNI can be spoofed. The discussion explored the contexts in which SNI filtering is deemed necessary despite its limitations.
- Alternative Approaches to Security: Participants discussed the merits of moving towards more reliable indicators and security measures that don't solely rely on IP addresses or SNI. Application-layer security was raised as a better long-term strategy, but it was noted that simpler and more immediate tools are needed.
- Operational Urgency: It was stated that operational security teams are understaffed and lack proper training, so there is a need for practical tools and documentation to aid them, even if these are not the ideal solutions.
Decisions and Action Items
- IPv6 implications of addresses draft: The working group expressed interest in adopting the draft. The chair will initiate a formal adoption call on the mailing list.
- Encrypted Client Hello (ECH) draft: Further discussion is needed to determine which environments the draft should focus on, with emphasis on environments that do not have easy alternative filtering capabilities.
- The presenters will make the GitHub repository for the draft public as soon as possible.
Next Steps
- The chairs will send an adoption call for the IPv6 implications of addresses draft to the mailing list.
- The authors of the ECH draft will revise the document to incorporate the feedback received during the meeting.
- Both discussions will continue on the mailing lists to further explore solutions and best practices.