Re: [arch-d] not building blocks (was: Re: [Model-t] Possible new IAB program on Internet trust model evolution)
Toerless Eckert <tte@cs.fau.de> Tue, 28 January 2020 19:23 UTC
Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: architecture-discuss@ietfa.amsl.com
Delivered-To: architecture-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DADC512003E for <architecture-discuss@ietfa.amsl.com>; Tue, 28 Jan 2020 11:23:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.87
X-Spam-Level:
X-Spam-Status: No, score=-0.87 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.25, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MDG-jn-sUr9S for <architecture-discuss@ietfa.amsl.com>; Tue, 28 Jan 2020 11:23:11 -0800 (PST)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:40]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BD7E1120033 for <architecture-discuss@ietf.org>; Tue, 28 Jan 2020 11:23:11 -0800 (PST)
Received: from faui48f.informatik.uni-erlangen.de (faui48f.informatik.uni-erlangen.de [131.188.34.52]) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTP id 2D00454804A; Tue, 28 Jan 2020 20:23:05 +0100 (CET)
Received: by faui48f.informatik.uni-erlangen.de (Postfix, from userid 10463) id 26E0B440059; Tue, 28 Jan 2020 20:23:05 +0100 (CET)
Date: Tue, 28 Jan 2020 20:23:05 +0100
From: Toerless Eckert <tte@cs.fau.de>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: Eliot Lear <lear=40cisco.com@dmarc.ietf.org>, Watson Ladd <watsonbladd@gmail.com>, "architecture-discuss@ietf.org" <architecture-discuss@ietf.org>, model-t@iab.org
Message-ID: <20200128192305.GR14549@faui48f.informatik.uni-erlangen.de>
References: <dff1c31e-44d4-6045-aaeb-03ac1e855200@gmail.com> <CABcZeBOYsP+SBNdLqc-wmyJAs1A+hvWbKud_XfvDgi9zJVMD+w@mail.gmail.com> <CA+9kkMDFm7nboqQY2OjNvmcWxs_30d_5NtBv8Nd1eLBnWKBaBw@mail.gmail.com> <6a1a019b-8666-269c-56ca-ebae4b69e9e8@huitema.net> <C7FDAD8F-D66A-4618-9F87-B1BB9CEA191B@cisco.com> <CABcZeBPKFEEDqQEGXZAD87n5cCsA75+uMGp-brq0JXBoW91LjQ@mail.gmail.com> <96A32815-C313-4C08-90FF-DDAFAD591287@cisco.com> <CACsn0ck9PDAOhZrbBZ7e4UVU7eNiSgrfVO7JL9zaYaX3if2WVw@mail.gmail.com> <DCE750AF-6439-4961-A4DA-ED855807F68E@cisco.com> <6efc8e84-90fc-aadc-ce3a-784051a9f6b3@cs.tcd.ie>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <6efc8e84-90fc-aadc-ce3a-784051a9f6b3@cs.tcd.ie>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/architecture-discuss/ZWdjaprQIvCLzbloVONCpVb_tIM>
Subject: Re: [arch-d] not building blocks (was: Re: [Model-t] Possible new IAB program on Internet trust model evolution)
X-BeenThere: architecture-discuss@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: open discussion forum for long/wide-range architectural issues <architecture-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/architecture-discuss>, <mailto:architecture-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/architecture-discuss/>
List-Post: <mailto:architecture-discuss@ietf.org>
List-Help: <mailto:architecture-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/architecture-discuss>, <mailto:architecture-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jan 2020 19:23:13 -0000
Stephen, I totally do not get how you read Eliots text as being about TLS. I read Eliot/Watsons mails to be in the same direction as what i was pointing out yesterday. Let me try to abstract maybe better: In the past, we have primarily looked at the security implications of individual protocols, communicating mostly between two endpoints and attacks against this communication by observers, MitM, or malicious endpoints. Of course, we went beyond that but not systematically to the point that instead of concentrating only on the communication channels, we would instead concentrate also on the properties of modules whose complete external behavior is defined through a set of interfaces. And then define security properties observing that superset of interfaces. Once you have this model, Watson/Eliots examples are easy translated into propagation properties between these interfaes. My yesterdays mail points was more about the problem of having modules that are small enough or implemented in a way that at least specific properties can be verified instead of just having to trust the module vendor. Or having interfaces that allows another module to verify/control behavior. Of course, the fun difference with this model is that in the most simple of cases, you could try to view a complete router as one of those modules, because vendors of such gear have a great interest to well define and expose all interfaces of such a device, wheras a typical communications endpoint such as an application server in a data-center is more often than not built around a business model where exposure/ definition of all interfaces would expose bad business practices. Hence also political approaches like GDPR to start addressing that problem. Cheers Toerless On Tue, Jan 28, 2020 at 10:02:43AM +0000, Stephen Farrell wrote: > > Hiya, > > On 28/01/2020 06:44, Eliot Lear wrote: > > From an IAB program standpoint, the real question here is this: what > > are the architectural building blocks that are required? > I'm not sure I agree. ISTM you envisage a programme that > tries to establish that existing IETF consensus as to the > use of e2e encryption needs to be changed, which I don't > think is a goal here. Personally, I think of this as a > place to work on whether or not it's possible to extend > (not replace) the 3552 threat model to cater for changes > since 3552 was written. (I do think that's an interesting > question and it's unclear to me if the answer is "yes" or > "would like to, but it's not usefully feasible.") > > Now, it's of course valid to point out that comsec (as > ekr may put it) if applied e2e doesn't by itself meet > all requirements stated in your examples, to which I'd > maybe argue to extend the Internet threat model with > some statement along the lines of: "if an endpoint > does need to see traffic content or significant meta- > data, then you need to design your protocol so that that > endpoint is an endpoint at which relevant cryptographic > mechanisms are validly terminated, according to the > expectations of the cryptographic protocol(s) in use (e.g. > TLS, IPsec). Changing the security properties of widely > deployed cryptographic protocols is not likely to be a > useful approach to attempt, as there are too many > deleterious side-effects of such proposed changes." > > So I don't think, for the purposes of this exercise, > we're considering existing widely deployed protocols as > malleable building blocks, whether that protocol is > TLS or some (deployed) train signalling system. > > Cheers, > S. > pub RSA 4096/7B172BEA 2017-12-22 Stephen Farrell (2017) <stephen.farrell@cs.tcd.ie> > sub RSA 4096/36CB8BB6 2017-12-22 > > _______________________________________________ > Architecture-discuss mailing list > Architecture-discuss@ietf.org > https://www.ietf.org/mailman/listinfo/architecture-discuss -- --- tte@cs.fau.de
- [arch-d] Possible new IAB program on Internet tru… Jari Arkko
- Re: [arch-d] [Model-t] Possible new IAB program o… Joachim Fabini
- Re: [arch-d] Possible new IAB program on Internet… Brian E Carpenter
- Re: [arch-d] [Model-t] Possible new IAB program o… Eric Rescorla
- Re: [arch-d] [Model-t] Possible new IAB program o… Stephen Farrell
- Re: [arch-d] [Model-t] Possible new IAB program o… Eliot Lear
- Re: [arch-d] [Model-t] Possible new IAB program o… Ted Hardie
- Re: [arch-d] [Model-t] Possible new IAB program o… Bernard Aboba
- Re: [arch-d] [Model-t] Possible new IAB program o… Christian Huitema
- Re: [arch-d] [Model-t] Possible new IAB program o… Eliot Lear
- Re: [arch-d] [Model-t] Possible new IAB program o… Eric Rescorla
- Re: [arch-d] [Model-t] Possible new IAB program o… Eliot Lear
- Re: [arch-d] Possible new IAB program on Internet… Guntur Wiseno Putra
- Re: [arch-d] [Model-t] Possible new IAB program o… Vittorio Bertola
- [arch-d] Yes, building blocks ; -) Re: not buildi… Eliot Lear
- Re: [arch-d] [Model-t] Possible new IAB program o… Kathleen Moriarty
- Re: [arch-d] [Model-t] Possible new IAB program o… Joel M. Halpern
- Re: [arch-d] [Model-t] Possible new IAB program o… John C Klensin
- Re: [arch-d] [Model-t] Possible new IAB program o… Kathleen Moriarty
- Re: [arch-d] [Model-t] Possible new IAB program o… Brian E Carpenter
- Re: [arch-d] not building blocks (was: Re: [Model… Toerless Eckert
- Re: [arch-d] [Model-t] Possible new IAB program o… Stephen Farrell
- Re: [arch-d] not building blocks (was: Re: [Model… Eliot Lear
- Re: [arch-d] not building blocks (was: Re: [Model… Stephen Farrell
- Re: [arch-d] not building blocks (was: Re: [Model… Stephen Farrell
- Re: [arch-d] [Model-t] Possible new IAB program o… S Moonesamy
- Re: [arch-d] [Model-t] Possible new IAB program o… Kathleen Moriarty
- Re: [arch-d] [Model-t] Possible new IAB program o… Bernard Aboba
- Re: [arch-d] Possible new IAB program on Internet… Toerless Eckert
- Re: [arch-d] [Model-t] Possible new IAB program o… Watson Ladd
- Re: [arch-d] [Model-t] Possible new IAB program o… Eliot Lear
- Re: [arch-d] Possible new IAB program on Internet… Jari Arkko
- Re: [arch-d] [Model-t] Possible new IAB program o… Jari Arkko
- Re: [arch-d] [Model-t] Possible new IAB program o… Toerless Eckert
- Re: [arch-d] [Model-t] Possible new IAB program o… Robin Wilton
- Re: [arch-d] Possible new IAB program on Internet… Guntur Wiseno Putra
- Re: [arch-d] [Model-t] Possible new IAB program o… Eliot Lear
- Re: [arch-d] Possible new IAB program on Internet… Guntur Wiseno Putra
- Re: [arch-d] Possible new IAB program on Internet… Eric Rescorla
- Re: [arch-d] Possible new IAB program on Internet… Guntur Wiseno Putra