Session Date/Time: 06 Nov 2023 14:30
secdispatch
Summary
The secdispatch session covered three topics: expected signed mail, on-network path validation, and a sub-DDoS architecture. The discussion on path validation raised concerns about the security benefits and the appropriate venue for further work, resulting in a need for more discussion and a potential BoF. The presentation on signed mail focused on user experience challenges and potential solutions, with suggestions for LAMPS, a BoF, and consultation with the ART area. The sub-DDoS architecture presentation received feedback regarding deployment density and the need for clear use cases.
Key Discussion Points
- Expected Signed Mail:
  - The core issue is the poor user experience and lack of clear benefit for end-to-end signing of email.
  - Discussion focused on signaling recipient expectations for signed mail.
  - The relationship to email encryption, user experience, and protocol design was also discussed.
  - Modification of emails in transit was raised as a challenge.
- On-Network Path Validation:
  - The presentation explored adding trustworthiness to routing paths.
  - The core gap is the need for a proof-of-transit mechanism to verify forwarding integrity.
  - Concerns were raised about the applicability and potential security issues if trusted parties are not adjacent or if the "transit" proof is not complete.
  - Preventing spoofing was identified as a potential use case.
  - It was suggested that misconfiguration detection could be more valuable than the security aspects.
- Sub-DDoS Architecture:
  - The presentation explored a DDoS architecture leveraging source address validation techniques.
  - A key idea is the incremental deployment of sub-devices and sharing of spoofed source address information.
  - Concerns were raised about the necessary density of deployed sub-devices and attack traffic in those networks for the approach to be effective.
  - The need for clear and realistic use cases was emphasized.
  - It was mentioned that any such system needs to be evaluated for whether it constitutes unacceptable pervasive passive monitoring.
Decisions and Action Items
- On-Network Path Validation:
  - Decision: Further discussion is needed before determining a suitable dispatch location. A BoF might be appropriate.
  - Action Item: Presenters will hold a side meeting on Tuesday evening and share the outcome on the sec-dispatch mailing list.
- Expected Signed Mail:
  - Decision: No immediate dispatch decision. Further consultation is needed with the ART area and potential liaison with the MOG.
  - Action Item: Chairs will consult with ART and consider a BoF.
- Sub-DDoS Architecture:
  - Decision: More discussion needed; no dispatch at this stage.
  - Action Item: Presenters will propose a clearly defined use case.
Next Steps
- Continue discussions on the sec-dispatch mailing list.
- Explore potential BoFs for both On-Network Path Validation and Expected Signed Mail.
- Consult with relevant parties (ART, MOG) to determine the best path forward for the discussed topics.