< draft-camwinget-tls-use-cases-04.txt   draft-camwinget-tls-use-cases-05.txt >
Network Working Group F. Andreasen Network Working Group F. Andreasen
Internet-Draft N. Cam-Winget Internet-Draft N. Cam-Winget
Intended status: Informational E. Wang Intended status: Informational E. Wang
Expires: September 11, 2019 Cisco Systems Expires: January 9, 2020 Cisco Systems
March 10, 2019 July 8, 2019
TLS 1.3 Impact on Network-Based Security TLS 1.3 Impact on Network-Based Security
draft-camwinget-tls-use-cases-04 draft-camwinget-tls-use-cases-05
Abstract Abstract
Network-based security solutions are used by enterprises, public Network-based security solutions are used by enterprises, public
sector, and cloud service providers today in order to both complement sector, and cloud service providers today in order to both complement
and enhance host-based security solutions. TLS 1.3 introduces and enhance host-based security solutions. TLS 1.3 introduces
several changes to TLS 1.2 with a goal to improve the overall several changes to TLS 1.2 with a goal to improve the overall
security and privacy provided by TLS. However some of these changes security and privacy provided by TLS. However some of these changes
have a negative impact on network-based security solutions and have a negative impact on network-based security solutions and
deployments that adopt a multi-layered approach to security. While deployments that adopt a multi-layered approach to security. While
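Review bot: the abstract text carried unchanged into -05 still has two small wording issues: "However some of these changes" needs a comma after "However", and "with a goal to improve the overall security and privacy" reads more naturally as "with the goal of improving the overall security and privacy". Worth fixing while the header block is being touched for the version bump.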
skipping to change at page 1, line 42 skipping to change at page 1, line 42
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 11, 2019. This Internet-Draft will expire on January 9, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 11, line 24 skipping to change at page 11, line 24
o Lack of ability to install and update endpoint protection o Lack of ability to install and update endpoint protection
software. software.
o Lack of software updates as new vulnerabilities are discovered. o Lack of software updates as new vulnerabilities are discovered.
In short, the security posture of such devices is expected to be In short, the security posture of such devices is expected to be
weak, especially as they get older, and the only way to improve this weak, especially as they get older, and the only way to improve this
posture is to supplement them with a network-based solution. IoT posture is to supplement them with a network-based solution. IoT
deployments are further challenged in that they host a variety of deployments are further challenged in that they host a variety of
these devices, each with different update cycles and often, are very these devices, each with different update cycles and often, are very
slot to update their software or firmware to ensure availability and slow to update their software or firmware to ensure availability and
safe of the environments they operate. This in turn requires network safe of the environments they operate. This in turn requires network
based solutions to afford a consistant security baseline. This based solutions to afford a consistant security baseline. This
solution can range from selective passive monitoring to a full and solution can range from selective passive monitoring to a full and
active MiTM. active MiTM.
4.4. Use Case O4 - Unpatched Endpoints 4.4. Use Case O4 - Unpatched Endpoints
New vulnerabilities appear constantly and in spite of many advances New vulnerabilities appear constantly and in spite of many advances
in recent years in terms of automated software updates, especially in in recent years in terms of automated software updates, especially in
reaction to security vulnerabilities, the reality is that a very reaction to security vulnerabilities, the reality is that a very
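Review bot: this hunk fixes "slot" to "slow" but leaves two neighbouring defects in the same sentence and the next one: "safe of the environments they operate" should read "safety of the environments in which they operate", and "consistant security baseline" should be "consistent security baseline". The comma in "often, are very slow" is also misplaced; suggest "and are often very slow to update their software or firmware to ensure the availability and safety of the environments in which they operate."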
skipping to change at page 13, line 12 skipping to change at page 13, line 12
This document does not include IANA considerations. This document does not include IANA considerations.
6. Security Considerations 6. Security Considerations
This document describes existing functionality and use case scenarios This document describes existing functionality and use case scenarios
and as such does not introduce any new security considerations. and as such does not introduce any new security considerations.
7. Acknowledgements 7. Acknowledgements
The authors thank Eric Rescorla and the National Cyber Security The authors thank Eric Rescorla, the National Cyber Security Center
Center who provided several comments on technical accuracy and and Dan Wing who provided several comments on technical accuracy and
middlebox security implications. middlebox security implications.
8. Change Log 8. Change Log
8.1. Version -01 8.1. Version -01
Updates based on comments from Eric Rescorla. Updates based on comments from Eric Rescorla.
8.2. Version -03 8.2. Version -03
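Review bot: the Change Log is not updated for this revision. The diff summary reports five change blocks in total, and none of them falls in Section 8, so -05 records no entry for the acknowledgement of Dan Wing or the "slot"/"slow" correction; suggest adding a "Version -05" entry listing both. In the Acknowledgements hunk itself, "Eric Rescorla, the National Cyber Security Center and Dan Wing who provided several comments" would be clearer with a comma after "Dan Wing" so that "who provided" applies to all three.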
 End of changes. 5 change blocks. 
7 lines changed or deleted 7 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/