Re: [arch-d] [Model-t] Possible new IAB program on Internet trust model evolution

Christian Huitema <huitema@huitema.net> Sat, 25 January 2020 01:56 UTC

To: Ted Hardie <ted.ietf@gmail.com>, Eric Rescorla <ekr@rtfm.com>
Cc: model-t@iab.org, Jari Arkko <jari.arkko@piuha.net>, Brian E Carpenter <brian.e.carpenter@gmail.com>, architecture-discuss@ietf.org
References: <E2D709DC-DD01-4946-B2F1-7EE0E101DEF0@piuha.net> <dff1c31e-44d4-6045-aaeb-03ac1e855200@gmail.com> <CABcZeBOYsP+SBNdLqc-wmyJAs1A+hvWbKud_XfvDgi9zJVMD+w@mail.gmail.com> <CA+9kkMDFm7nboqQY2OjNvmcWxs_30d_5NtBv8Nd1eLBnWKBaBw@mail.gmail.com>
From: Christian Huitema <huitema@huitema.net>
Message-ID: <6a1a019b-8666-269c-56ca-ebae4b69e9e8@huitema.net>
Date: Fri, 24 Jan 2020 17:56:02 -0800
In-Reply-To: <CA+9kkMDFm7nboqQY2OjNvmcWxs_30d_5NtBv8Nd1eLBnWKBaBw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/architecture-discuss/Uq7qio6ualy_sMYBA9l6CYLVsjE>
Subject: Re: [arch-d] [Model-t] Possible new IAB program on Internet trust model evolution

On 1/24/2020 12:35 PM, Ted Hardie wrote:

>     As far as the second point goes, I think that when you are
>     thinking about comsec protocols it's still true that you can't do
>     much if you don't trust the endpoints. I think 3552 could be a bit
>     better about recognizing that there are malicious actors in the
>     system, though obviously that's implicit in the discussion of DoS.
>     Anyway, this doesn't seem like much of an update to the threat model.
>
>
> Here, I think the point is really to move the IETF away from thinking
> in terms of host requirements. I agree with you that there are pieces
> to this that are very similar whether you think of JS code in a
> sandboxed tab or about an IoT device or about a TOPS-20 device connected
> to an IMP.  But if you assume that the PC running the browser hosting
> that tab is the unit of analysis, you might have a very bad time. 
> Again, not really a change in the threat model, but a change in the
> context.  This may be a way of saying that I agree with your point below.


Phrasing that as "don't trust the endpoints" is probably inappropriate.
My personal worry is the cascading impact of end-point compromise. Take
the example of a large network. Large network means multiple routers. If
the multiple is high enough, we have strong risks that one of those will
be compromised at some point. If we merely "trust the endpoints", then a
single compromise of one of the endpoints means the game is over. But it
does not have to be so. In an ideal world, implementations of the
routing protocol should be able to detect aberrant behavior and isolate
the compromised node. In practice, that's really hard. But there are
still general principles like "least amount of privilege" or "need to
know basis" that could help. I would really like that protocol designers
think about that too, instead of merely asserting trust in the endpoints.

And I would really like to get rid of the assumption about isolated
networks being secure...

-- Christian Huitema