IETF Logo Mail Archive

Re: [arch-d] [Model-t] Possible new IAB program on Internet trust model evolution

Eliot Lear <lear@cisco.com> Sun, 26 January 2020 09:44 UTC

Return-Path: <lear@cisco.com>
X-Original-To: architecture-discuss@ietfa.amsl.com
Delivered-To: architecture-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3FC73120026 for <architecture-discuss@ietfa.amsl.com>; Sun, 26 Jan 2020 01:44:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -12.502
X-Spam-Level:
X-Spam-Status: No, score=-12.502 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HK_SCAM=1.999, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iC2DrbfWGaTm for <architecture-discuss@ietfa.amsl.com>; Sun, 26 Jan 2020 01:44:09 -0800 (PST)
Received: from aer-iport-4.cisco.com (aer-iport-4.cisco.com [173.38.203.54]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B3CD0120018 for <architecture-discuss@ietf.org>; Sun, 26 Jan 2020 01:44:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=12445; q=dns/txt; s=iport; t=1580031848; x=1581241448; h=from:message-id:mime-version:subject:date:in-reply-to:cc: to:references; bh=gVDMRgcq3YygyADpK+ahQPoSuY4H3p2qoJaxNk9vKHY=; b=MmBg+oKzSzmtVjQzKy/y/wVTnowhGNe57oLn+N+yRra1KyW4cU1qIjiZ ocbAFwVwpSQELkmazT6Rzq8ttIctNNktg0LTJex2w33d96F8ElkcuS2Gp jeuGY9lJcW6UzmjSd8RukCY65u4NV/+jY0PE3s1RWcUTDt2VmeyVYz11O g=;
X-Files: signature.asc : 488
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BjAwAkXi1e/xbLJq1lHAEBAQEBBwEBEQEEBAEBgXuDFVQBIBIqhBSJA4g5gQGSLIgLAgcBAQEJAwEBJQoBAYRAAoJGOBMCAw0BAQQBAQECAQUEbYULAQUBJQyFXgEBAQECASNWBQsLDgoqAgJXBhMUBYMNAYJbIA+pB3WBMoQ1AYEUhGgKBoE4gVOIeIFtggCBEScggU5JBy4+gmQBAYE8gzcygiwEhWOIDwuJN4hwjzSCQ4JMgRyDWo51G4JIjCgni2WXRI57gy4CBAYFAhWBaSKBWDMaCBsVZQGCQRMrEhgNjA+DKIRBFxWDO4pSAkADMA2LaIJDAQE
X-IronPort-AV: E=Sophos;i="5.70,365,1574121600"; d="asc'?scan'208,217";a="22534129"
Received: from aer-iport-nat.cisco.com (HELO aer-core-3.cisco.com) ([173.38.203.22]) by aer-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 26 Jan 2020 09:44:06 +0000
Received: from [10.61.171.81] ([10.61.171.81]) by aer-core-3.cisco.com (8.15.2/8.15.2) with ESMTPS id 00Q9i5dI031990 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Sun, 26 Jan 2020 09:44:06 GMT
From: Eliot Lear <lear@cisco.com>
Message-Id: <96A32815-C313-4C08-90FF-DDAFAD591287@cisco.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_CD420CE8-71BB-456B-A0DC-7DED7143036E"; protocol="application/pgp-signature"; micalg="pgp-sha256"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.40.2.2.4\))
Date: Sun, 26 Jan 2020 10:44:05 +0100
In-Reply-To: <CABcZeBPKFEEDqQEGXZAD87n5cCsA75+uMGp-brq0JXBoW91LjQ@mail.gmail.com>
Cc: architecture-discuss@ietf.org, model-t@iab.org
To: Eric Rescorla <ekr@rtfm.com>
References: <E2D709DC-DD01-4946-B2F1-7EE0E101DEF0@piuha.net> <dff1c31e-44d4-6045-aaeb-03ac1e855200@gmail.com> <CABcZeBOYsP+SBNdLqc-wmyJAs1A+hvWbKud_XfvDgi9zJVMD+w@mail.gmail.com> <CA+9kkMDFm7nboqQY2OjNvmcWxs_30d_5NtBv8Nd1eLBnWKBaBw@mail.gmail.com> <6a1a019b-8666-269c-56ca-ebae4b69e9e8@huitema.net> <C7FDAD8F-D66A-4618-9F87-B1BB9CEA191B@cisco.com> <CABcZeBPKFEEDqQEGXZAD87n5cCsA75+uMGp-brq0JXBoW91LjQ@mail.gmail.com>
X-Mailer: Apple Mail (2.3608.40.2.2.4)
X-Outbound-SMTP-Client: 10.61.171.81, [10.61.171.81]
X-Outbound-Node: aer-core-3.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/architecture-discuss/UcJ9yLUB-Mjviuj1ewxUHsTjL70>
Subject: Re: [arch-d] [Model-t] Possible new IAB program on Internet trust model evolution
X-BeenThere: architecture-discuss@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: open discussion forum for long/wide-range architectural issues <architecture-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/architecture-discuss>, <mailto:architecture-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/architecture-discuss/>
List-Post: <mailto:architecture-discuss@ietf.org>
List-Help: <mailto:architecture-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/architecture-discuss>, <mailto:architecture-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Jan 2020 09:44:11 -0000

Hi Eric,

I apologize for the length of this missive.  I’ve included examples that are either from real life or plausible to the point of inevitability.

> On 26 Jan 2020, at 08:36, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> It's probably useful to put the text in 3552 in context, which was primarily about designing COMSEC protocols. Our ability to build two party protocols which survive one of the parties being compromised is fairly limited.

Indeed.

> We *do* have some praxis for building N party protocols which gracefully degrade when some of the nodes are compromised (for instance consensus protocols). Of course, the exact properties of those protocols can be difficult to succinctly state.

They are, and they are hard to build, and they have their own failure modes.(*). But I really wasn’t going there, at least not directly.  Let’s look at three specific examples that I’ve mentioned:

1.  Train signaling system needs to be audited both live and retrospectively in the case of accidents.  This has to happen in such a way that the auditor sees precisely what was sent by one endpoint and received by the other.

2.  The case of “parent doesn’t want Internet toy to send video of child”, when the camera is undisclosed (it’s an analog to the privacy analysis on Alexa[1] and the now infamous NEST episode[2]).

3. CPAP machine or an AED/pace maker provide a control interface to the doctor but the patient or his next of kin wants the data.

Each example has a slightly different threat model, in addition to what you stated in 3552. In the first case, we add mistakes on the part of the operator (certainly the most common at this point**), and endpoint compromises.  In the second case, it is the manufacturer themselves that is the threat, for failing to have disclosed what they are doing.

The third case is more difficult.  Let’s say a patient died.  Did the patient die (a) of natural causes, (b) due to a mistake made by the patient or a care giver at home, (c) due to a mistake made by the healthcare professional on the other end, or (d) due to an cyberattack?  It may be impossible for the next of kin to know if there is no network audit capability.  Yes, this is a messy case, which makes it a good one to explore.

The program can explore COMSEC, UX, and higher level issues as well, like economics.  That latter one is actually important because if in the end the use cases above are going to get trumped by economics on the part of manufacturers, what’s the point of specifying mechanism?   This also goes to another point about which the IAB has had concern: concentration and control points.  That can be explored as well here. This does look to relax the assumption you laid down in 3552 about endpoints, but I don’t think it dramatically changes things.

Also, when you wrote 3552, there was really only the theoretical notion of a cyberwar, ruling out attacks with infinite or near infinite resources.  That’s now an every day reality.  In RFC 7958, we sort of ruled them back in, but I think it’s worth exploring a bit more what that means.  A program for that is a very good idea.

> 
> I'm not quite sure I understand what you mean when you say "They are the source of just about all compromise attacks." I'm not saying it's not true, but perhaps you could elaborate.
> 

With apologies, I was shamelessly stating the obvious: the vast source of bugs are on end devices, not because middle boxes are better designed (some are, some aren’t), but because of sheer numbers.  Well, if endpoints are where the problems are, that’s where we need to spend time as a community.

Eliot

(*) My favorite example of a consensus protocol that had “good intentions" was BSD timed.  “It was a dark and stormy night”, when every participant had an unstable ticker in a different way, leading to time storms.
(**) For a very interesting read for anyone interested in IoT, I highly recommend “Famous British Railway Disasters, Ian Allan Pub, 2000.  https://www.amazon.com/British-Railway-Disasters/dp/0711024707
[1] Malkin, et. al., “Privacy Attitudes Toward Smark Speaker Users”, Proceedings of Privacy Enhancing Technologies,  2019.
[2] https://arstechnica.com/gadgets/2019/02/googles-nest-security-system-shipped-with-a-secret-microphone/

v2.23.0 | Report a Bug | By Email