Re: [arch-d] [Model-t] Possible new IAB program on Internet trust model evolution

Eliot --

The examples you describe are difficult to capture within protocol-specific
threat models (RFC 3552) or privacy considerations (RFC 6973).  For
practicality, those analyses need to maintain a narrow focus, yet at the
same time we understand that systemic privacy and security issues can only
be understood when analyzing the system that a protocol is embedded in.  As
a result, even protocols that successfully address the original threat
models can be the source of major systemic vulnerabilities. For example, we
could not have expected the authors of RFC 1945 (HTTP 1.0) to have
anticipated the security and privacy problems arising from today's social
media implementations - some of which were discussed during the Internet
Privacy Workshop summarized in RFC 6462.

However, I do think that you're on to something important that is worth IAB
consideration.

It strikes me that in a number of the examples you cite the "endpoint" is
not acting in the interest of the "end user", at least in the sense
described in draft-iab-for-the-users.  As was noted in Section 4.2:

   In contrast, the Internet of Things (IoT) has not yet seen the
   emergence of a natural role for representing the needs of the end
   user.  Perhaps as a result of this, that ecosystem and its users face
   serious challenges.

For example, consider how some of the IoT behavior you describe might be
handled within a permission model implemented in a browser or a mobile
device:

1. Would a user grant permission to access to camera or microphone?   In
the example of the device that did not advertise that it contained a
microphone, presumably, the answer would be "no" (although the microphone
was not initially enabled so perhaps permission might not have been
requested).
2. Would the user grant permission to access personal information such as
location?  In the example of the device with embedded trackers, again the
user would probably not have granted access to location and other data
(although we know that location can easily be obtained in circumvention of
browser or mobile device protections).

On Mon, Jan 27, 2020 at 10:44 PM Eliot Lear <lear=40cisco.com@dmarc.ietf.org>
wrote:

> Hi Watson,
>
> On 28 Jan 2020, at 02:35, Watson Ladd <watsonbladd@gmail.com> wrote:
>
>
>
> On Sun, Jan 26, 2020 at 1:44 AM Eliot Lear <lear@cisco.com> wrote:
>
>>   Let’s look at three specific examples that I’ve mentioned:
>>
>> 1.  Train signaling system needs to be audited both live and
>> retrospectively in the case of accidents.  This has to happen in such a way
>> that the auditor sees precisely what was sent by one endpoint and received
>> by the other.
>>
>> 2.  The case of “parent doesn’t want Internet toy to send video of
>> child”, when the camera is undisclosed (it’s an analog to the privacy
>> analysis on Alexa[1] and the now infamous NEST episode[2]).
>>
>> 3. CPAP machine or an AED/pace maker provide a control interface to the
>> doctor but the patient or his next of kin wants the data.
>>
>
> I've got a few more examples from real life:
>
> 4: We need to see who is sending pictures of Winnie the Pooh.
>
> 5: We don't want pictures of the inside of our detention centers to appear
> online.
>
> 6: I want to see everyone's credit card number at the coffee shop I run.
>
> Any discussion of tapping network communications because endpoints can't
> be trusted needs to take these cases seriously.
>
>
>
> Absolutely.  What I am suggesting is a relatively new twist on an old
> problem(*).  It’s important to understand the economic and policy aspects
> of how/whether to avoid [4] and [5], how to avoid [6] while at the same
> time addressing use cases I mentioned.
>
> So… today’s new information comes courtesy of the EFF.
>
>
> https://www.eff.org/deeplinks/2020/01/ring-doorbell-app-packed-third-party-trackers
>
> Here we have yet another IoT device that, from at least one person’s
> perspective is invading home privacy.  And again, it is the device itself
> that is the threat.  In this case, it’s probably a more manageable threat,
> because one can simply not get a NEST.  Try not getting a CPAP machine.
>
> And this brings us around to what layer to solve the problem at.  Some of
> this may need to be dealt with at layer 9 rather than at lower layers.  We
> should have that discussion too.
>
>
>
> Increasingly corporate networks are moving away from network layer access
> controls and using user authentication over TLS, so-called BeyondCorp
> model, including checking endpoint posture through management.
>
>
> I don’t think this solves the railroad case.  Do you?  Just to clarify the
> example:
>
> According to their logs, two separate signals received  “set your lights
> to green” at the same time, causing two trains to crash into each other.
> According to the signal controller’s logs, it sent “set your lights to
> green” to only one signal.  What happened?
>
> All of the cases we are discussing have slightly different flavors of
> threats.  From an IAB program standpoint, the real question here is this:
> what are the architectural building blocks that are required?  Keep in
> mind, some of those blocks could be code and some could be policy.
>
> One goal should be code reuse. It is probably best that the people
> building the train signal *not* reinvent everything, but rather benefit
> as much as they can from the experience and results that you, EKR, and a
> great many other people have brought to society.
>
> Eliot
>
> (*) It’s also important to not fall into old tribal communication
> patterns, while recognizing the realities of the concerns raised by you,
> Watson, and me.
>
> _______________________________________________
> Architecture-discuss mailing list
> Architecture-discuss@ietf.org
> https://www.ietf.org/mailman/listinfo/architecture-discuss
>