Re: [arch-d] [Model-t] Possible new IAB program on Internet trust model evolution
Ted Hardie <ted.ietf@gmail.com> Fri, 24 January 2020 20:36 UTC
Return-Path: <ted.ietf@gmail.com>
X-Original-To: architecture-discuss@ietfa.amsl.com
Delivered-To: architecture-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9BF1120884 for <architecture-discuss@ietfa.amsl.com>; Fri, 24 Jan 2020 12:36:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3UQQ0ijYmVab for <architecture-discuss@ietfa.amsl.com>; Fri, 24 Jan 2020 12:36:21 -0800 (PST)
Received: from mail-ot1-x32f.google.com (mail-ot1-x32f.google.com [IPv6:2607:f8b0:4864:20::32f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EA7F1120090 for <architecture-discuss@ietf.org>; Fri, 24 Jan 2020 12:36:20 -0800 (PST)
Received: by mail-ot1-x32f.google.com with SMTP id 77so2893654oty.6 for <architecture-discuss@ietf.org>; Fri, 24 Jan 2020 12:36:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=szcwpKI+94ZldwtQcSE9NSE712HPSzRQdXfA/6GL+kA=; b=R4CEpB5kV/N0WyzoaKz5Q8IdkHLoQkUsM9WhVfMwizI0PMYRYrQPKFIKVhK2GpBUQe qIsDCVpVCi3lBsTTXtIp8o1mBfmGXJ6gDEl3PXmXrrOSSYnvCvSJYgkTamhsNqMb/dWc 8wba/GKKIbeQkjMUEnzJiWX+XD3yTSGI2ETxfjgnBXTpiFO43GXDc6gl0ISDJKwXrxMV QHVK0i8PYHHN+vNSxA7K6Z3O5PnxbDCQpMw5a4cg2IoG1uuTAeN7fCwqZkc6/jdXbSdu U9YrAa3hxQIqpd/kvA7ub0y57Yq9p8LKCGfUHGo1XjNsN9neus3SZQunbK0d4PRNOz7K /fZQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=szcwpKI+94ZldwtQcSE9NSE712HPSzRQdXfA/6GL+kA=; b=NWS3OUpwpq209SZ7Tw7p5/WtEWmH19JBrnM9pTdqD9+U/vUJzkA9paOHAJeEa0pkC1 keKSbgeSDzEYuVZwt99iTqEXKmbvbe5o5mXEkLc84m71vuJaiSRwz8gsI/pNEPagJ8o3 sjagrUXdYRvo0H+/0t5l6uIZ6jHwqcUnbH6/wA5YXhKYLKvscn1+N5fu88dSD0fkOI5u qen4Xbvg7n5Wws/07RBtTlhYNox6J8lybu7+aJcMvb6o1bMi82DCLwi6BZ1lR2mz7xJH 1AnXb41B5KhIyoDJ8NLIOjVsjwHkFw/+96xLBsHGs8YXJQSMMecZVt5eOiTCfbl951c5 +UTQ==
X-Gm-Message-State: APjAAAUOlTX0EILNbetdy4few2MhR4O3zuJPwOUIpKLDfGsjl0w9bFjJ m238ccUbEvYXnCo7QdKuUC9jrk3rAObF/eiSGUY=
X-Google-Smtp-Source: APXvYqzdFTtkp3j04Ycp5SbKGT4j0tUwbP4N/FYWieXOTb758Vd6CbkQog6UonvOpu9fYE4ZjSqqDcbhtCa6/ysfMdk=
X-Received: by 2002:a9d:6f0a:: with SMTP id n10mr4229965otq.54.1579898180165; Fri, 24 Jan 2020 12:36:20 -0800 (PST)
MIME-Version: 1.0
References: <E2D709DC-DD01-4946-B2F1-7EE0E101DEF0@piuha.net> <dff1c31e-44d4-6045-aaeb-03ac1e855200@gmail.com> <CABcZeBOYsP+SBNdLqc-wmyJAs1A+hvWbKud_XfvDgi9zJVMD+w@mail.gmail.com>
In-Reply-To: <CABcZeBOYsP+SBNdLqc-wmyJAs1A+hvWbKud_XfvDgi9zJVMD+w@mail.gmail.com>
From: Ted Hardie <ted.ietf@gmail.com>
Date: Fri, 24 Jan 2020 12:35:54 -0800
Message-ID: <CA+9kkMDFm7nboqQY2OjNvmcWxs_30d_5NtBv8Nd1eLBnWKBaBw@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Brian E Carpenter <brian.e.carpenter@gmail.com>, Jari Arkko <jari.arkko@piuha.net>, architecture-discuss@ietf.org, model-t@iab.org
Content-Type: multipart/alternative; boundary="000000000000cf64ed059ce8b57b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/architecture-discuss/25y3CP-KOl8Zj5B0PzNnxfZgI1E>
Subject: Re: [arch-d] [Model-t] Possible new IAB program on Internet trust model evolution
X-BeenThere: architecture-discuss@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: open discussion forum for long/wide-range architectural issues <architecture-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/architecture-discuss>, <mailto:architecture-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/architecture-discuss/>
List-Post: <mailto:architecture-discuss@ietf.org>
List-Help: <mailto:architecture-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/architecture-discuss>, <mailto:architecture-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Jan 2020 20:36:24 -0000
On Fri, Jan 24, 2020 at 12:03 PM Eric Rescorla <ekr@rtfm.com> wrote: > Brian's comments match my recollection. Specifically, we didn't think we > were *defining* a threat model as much as documenting a consensus model > that already existed. Incidentally, it's not clear to me what a "trust > model" is. This is not a term that appears in 3552 nor is it a real term of > art that I am familiar with. > > Taking a step back, I remain unpersuaded that the 3552 threat model is > really out of data. The two main deficiencies I have heard floated are: > > 1. That it doesn't take into account traffic analysis and pervasive > monitoring. > 2. That the assumption that endpoints are uncompromised is unrealistic. > > I can see some merit in the first point, but this seems to really be more > a matter of emphasis: 3552 already specifies a Dolev-Yao style attacker, > which means that it can observe all communications. > So really what has happened is that we have a clearer picture of just how > realistic that is and what you can do with that kind of access. I can see > some kind of update, but again it's less about threat model than about > modern examples. > One of the changes I'm interested in seeing is a shift away from seeing this in terms of a single communication channel, which I believe is inherent in this text: By contrast, we assume that the attacker has nearly complete control of the communications channel over which the end-systems communicate. This means that the attacker can read any PDU (Protocol Data Unit) on the network and undetectably remove, change, or inject forged packets onto the wire. This includes being able to generate packets that appear to be from a trusted machine. Thus, even if the end-system with which you wish to communicate is itself secure, the Internet environment provides no assurance that packets which claim to be from that system in fact are. One of the biggest shifts in the pervasive surveillance case is that the attacker is both likely to be present on any alternative communication channel and likely has sufficient context over time to cross-correlate communications. We're moving from an omnipotent attacker to one that is also both omnipresent and eternal. While that may have been obvious to those specifying RFC 3552, it is hard to read in the current document for those who were once more naïve. That doesn't really mean RFC 3552 is wrong, just that explaining the implications in the current context may be useful. As far as the second point goes, I think that when you are thinking about > comsec protocols it's still true that you can't do much if you don't trust > the endpoints. I think 3552 could be a bit better about recognizing that > there are malicious actors in the system, though obviously that's implicit > in the discussion of DoS. Anyway, this doesn't seem like much of an update > to the threat model. > > Here, I think the point is really to move the IETF away from thinking in terms of host requirements. I agree with you that there are pieces to this that are very similar whether you think of JS code in a sandboxed tab or about an IoT device or about TOPS-20 device connected to an IMP. But if you assume that the PC running the browser hosting that tab is the unit of analysis, you might have a very bad time. Again, not really a change in the threat model, but a change in the context. This may be a way of saying that I agree with your point below. regards, Ted > What does feel dated in 3552 (at least to me) is the emphasis on a bunch > of very old school protocols and the more or less total elision of the Web. > In particular, if we're talking in terms of threat model, the idea that you > have a lot of different untrusted programs running on your machine (i.e., > in the JS VM) and that you need to secure them from each other really is > new and could use some documenting. It's worth noting, however, that (a) > that's largely about implementation and (b) that that system strives to > achieve the kind of "each endpoint its own isolated unit" ideal that 3552 > asumes. > > -Ekr > > > On Fri, Jan 24, 2020 at 11:47 AM Brian E Carpenter < > brian.e.carpenter@gmail.com> wrote: > >> Hi, >> >> I'm confused. What we have in RFC3552 is very intentionally guidance for >> RFC writers on what they need to cover in their RFCs. Its specific purpose >> was to get rid of "Security considerations are not discussed in this >> memo." >> Its purpose was not primarily to define an abstraction like a "trust >> model" >> or a "threat model" (the draft charter seems a bit vague about which of >> those >> it means). >> >> I really do not want to see the pragmatic purpose of RFC3552 lost in the >> effort to define these abstractions. I don't think that is the intention, >> but the text seems to imply that RFC3552 was mainly a description of a >> generic threat model, which it wasn't. >> >> I am not against an IAB effort to analyse how the threat and trust models >> (plural) have evolved since the security workshop [RFC2316] that >> ultimately >> led to RFC3552. That seems like a good idea. An update of "Guidelines for >> Writing RFC Text on Security Considerations" also seems like a good idea. >> But the draft charter text seems to conflate these two separate lines of >> action. >> >> Incidentally, while writing the above it occurred to me why the phrase >> "IAB program" has always slightly disturbed me. Really the proposal is >> a virtual IAB workshop (whereas RFC2316 came from three days in a room >> together in Murray Hill, NJ). A good idea, but not a program. >> >> Regards >> Brian >> >> On 25-Jan-20 00:49, Jari Arkko wrote: >> > >> > The IAB are considering starting up a programme on Internet >> > trust model evolution as described in the link at the bottom of this >> > email. >> > >> > We'd like to get feedback on that idea and the text. As you may >> > be aware, in 2019 a number of documents were published on >> > this topic and discussions held (on the mailing list, SAAG, side >> > meeting at IETF-106, workshops, etc). There’s also a virtual >> > meeting coming up on February 14th. >> > >> > To be clear, any output from this program would be text offered >> > to the IETF for consideration - it is not within the IAB's remit, nor >> > that of an IAB program, to modify a BCP. Nonetheless, an IAB >> > program offers a good venue for this work, as it perhaps allows >> > for more focus on the evolving architecture aspect within this space. >> > >> > The plan is for the new program to be entirely open for participation, >> > similar to how the current work has already been. That is, the mailing >> > list is open for all interested to join, meetings are open and listed >> > in the public agendas. The IAB will find a chair or chairs for the >> > group to stay organised. >> > >> > There's no specific deadline for this, but the IAB will consider this >> > further in the next few weeks, so if you could take a few minutes >> > to share your thoughts on this that'd be great. >> > >> > >> https://github..com/intarchboard/model-t-charter/blob/master/model-t-charter-00.md >> <https://github.com/intarchboard/model-t-charter/blob/master/model-t-charter-00.md> >> > https://www.iab.org/mailman/listinfo/model-t >> > >> > Stephen & Jari >> > >> > >> > _______________________________________________ >> > Architecture-discuss mailing list >> > Architecture-discuss@ietf.org >> > https://www.ietf.org/mailman/listinfo/architecture-discuss >> > >> >> -- >> Model-t mailing list >> Model-t@iab.org >> https://www.iab.org/mailman/listinfo/model-t >> > -- > Model-t mailing list > Model-t@iab.org > https://www.iab.org/mailman/listinfo/model-t >
- [arch-d] Possible new IAB program on Internet tru… Jari Arkko
- Re: [arch-d] [Model-t] Possible new IAB program o… Joachim Fabini
- Re: [arch-d] Possible new IAB program on Internet… Brian E Carpenter
- Re: [arch-d] [Model-t] Possible new IAB program o… Eric Rescorla
- Re: [arch-d] [Model-t] Possible new IAB program o… Stephen Farrell
- Re: [arch-d] [Model-t] Possible new IAB program o… Eliot Lear
- Re: [arch-d] [Model-t] Possible new IAB program o… Ted Hardie
- Re: [arch-d] [Model-t] Possible new IAB program o… Bernard Aboba
- Re: [arch-d] [Model-t] Possible new IAB program o… Christian Huitema
- Re: [arch-d] [Model-t] Possible new IAB program o… Eliot Lear
- Re: [arch-d] [Model-t] Possible new IAB program o… Eric Rescorla
- Re: [arch-d] [Model-t] Possible new IAB program o… Eliot Lear
- Re: [arch-d] Possible new IAB program on Internet… Guntur Wiseno Putra
- Re: [arch-d] [Model-t] Possible new IAB program o… Vittorio Bertola
- [arch-d] Yes, building blocks ; -) Re: not buildi… Eliot Lear
- Re: [arch-d] [Model-t] Possible new IAB program o… Kathleen Moriarty
- Re: [arch-d] [Model-t] Possible new IAB program o… Joel M. Halpern
- Re: [arch-d] [Model-t] Possible new IAB program o… John C Klensin
- Re: [arch-d] [Model-t] Possible new IAB program o… Kathleen Moriarty
- Re: [arch-d] [Model-t] Possible new IAB program o… Brian E Carpenter
- Re: [arch-d] not building blocks (was: Re: [Model… Toerless Eckert
- Re: [arch-d] [Model-t] Possible new IAB program o… Stephen Farrell
- Re: [arch-d] not building blocks (was: Re: [Model… Eliot Lear
- Re: [arch-d] not building blocks (was: Re: [Model… Stephen Farrell
- Re: [arch-d] not building blocks (was: Re: [Model… Stephen Farrell
- Re: [arch-d] [Model-t] Possible new IAB program o… S Moonesamy
- Re: [arch-d] [Model-t] Possible new IAB program o… Kathleen Moriarty
- Re: [arch-d] [Model-t] Possible new IAB program o… Bernard Aboba
- Re: [arch-d] Possible new IAB program on Internet… Toerless Eckert
- Re: [arch-d] [Model-t] Possible new IAB program o… Watson Ladd
- Re: [arch-d] [Model-t] Possible new IAB program o… Eliot Lear
- Re: [arch-d] Possible new IAB program on Internet… Jari Arkko
- Re: [arch-d] [Model-t] Possible new IAB program o… Jari Arkko
- Re: [arch-d] [Model-t] Possible new IAB program o… Toerless Eckert
- Re: [arch-d] [Model-t] Possible new IAB program o… Robin Wilton
- Re: [arch-d] Possible new IAB program on Internet… Guntur Wiseno Putra
- Re: [arch-d] [Model-t] Possible new IAB program o… Eliot Lear
- Re: [arch-d] Possible new IAB program on Internet… Guntur Wiseno Putra
- Re: [arch-d] Possible new IAB program on Internet… Eric Rescorla
- Re: [arch-d] Possible new IAB program on Internet… Guntur Wiseno Putra