Re: [arch-d] [Model-t] Possible new IAB program on Internet trust model evolution
Eliot Lear <lear@cisco.com> Sat, 25 January 2020 17:58 UTC
From: Eliot Lear <lear@cisco.com>
Date: Sat, 25 Jan 2020 18:58:04 +0100
In-Reply-To: <6a1a019b-8666-269c-56ca-ebae4b69e9e8@huitema.net>
Cc: Ted Hardie <ted.ietf@gmail.com>, Eric Rescorla <ekr@rtfm.com>, architecture-discuss@ietf.org, model-t@iab.org
To: Christian Huitema <huitema@huitema.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/architecture-discuss/xKscoF7P7p3ilGqBT20MQb0VP0s>
> On 25 Jan 2020, at 02:56, Christian Huitema <huitema@huitema.net> wrote:
>
> Phrasing that as "don't trust the endpoints" is probably inappropriate.

Why? They are the source of just about all compromise attacks.

> My personal worry is the cascading impact of end-point compromise. Take the example of a large network. Large network means multiple routers. If the multiple is high enough, we have strong risks that one of those will be compromised at some point. If we merely "trust the endpoints", then a single compromise of one of the endpoints means the game is over. But it does not have to be so. In an ideal world, implementations of the routing protocol should be able to detect aberrant behavior and isolate the compromised node. In practice, that's really hard.

We sell product that does this today. But it is hard, which is why people pay us. Of course, it gets harder with encryption, but we even have product for that. I prefer the other approach: tell us what good behavior looks like (manufacturer usage descriptions).

> But there are still general principles like "least amount of privilege" or "need to know basis" that could help.

Indeed.

> I would really like that protocol designers think about that too, instead of merely asserting trust in the endpoints.

How much is this the protocol and how much is the application? The protocols most apps are using today are, ermmm, HTTP.

Eliot
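As an added illustration of the contrast drawn in the message above (detect aberrant behaviour after the fact versus have the manufacturer state up front what good behaviour looks like), the following Python sketch is not part of the thread and not Cisco's or the IETF's code. It applies a simplified, constructed MUD-style allow-list (loosely modelled on the idea of RFC 8520 Manufacturer Usage Descriptions, not the RFC's actual YANG schema) to constructed flow records and reports the flows the policy does not explain. Every address, hostname and flow in it is made up.

```python
"""
Added example, not from the mailing-list thread: "describe good behaviour,
then flag everything else". The policy dict is a constructed, simplified
stand-in for a MUD file; RFC 8520 uses a YANG-modelled ACL structure instead.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    src: str                  # address of the device under policy
    dst: str                  # peer address
    proto: str                # "tcp" or "udp"
    dport: int                # destination port
    initiated_by_device: bool # True if the device opened the connection


# Constructed policy: what the (hypothetical) manufacturer says the device does.
DEVICE_POLICY = {
    "device": "10.0.0.42",
    "allowed": [
        {"dst": "update.example.net",     "proto": "tcp", "dport": 443,  "direction": "from-device"},
        {"dst": "10.0.0.0/24",            "proto": "udp", "dport": 5353, "direction": "from-device"},
        {"dst": "controller.example.net", "proto": "tcp", "dport": 8883, "direction": "from-device"},
    ],
}

# Constructed name table standing in for DNS resolution of the policy's hostnames.
NAME_TABLE = {
    "update.example.net": ["203.0.113.10", "203.0.113.11"],
    "controller.example.net": ["198.51.100.7"],
}


def _dst_matches(rule_dst: str, addr: str) -> bool:
    """A rule destination is either a known hostname or an IP prefix."""
    if rule_dst in NAME_TABLE:
        return addr in NAME_TABLE[rule_dst]
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(rule_dst, strict=False)
    except ValueError:
        return False


def flow_allowed(policy: dict, flow: Flow) -> bool:
    """True if some rule in the policy explains this flow (default deny)."""
    if flow.src != policy["device"]:
        return False
    for rule in policy["allowed"]:
        if rule["proto"] != flow.proto or rule["dport"] != flow.dport:
            continue
        if rule["direction"] == "from-device" and not flow.initiated_by_device:
            continue
        if _dst_matches(rule["dst"], flow.dst):
            return True
    return False


def audit(policy: dict, flows: list) -> list:
    """Return the flows the policy does not explain: candidates for isolation or investigation."""
    return [f for f in flows if not flow_allowed(policy, f)]


# Constructed observed flows for the device.
OBSERVED = [
    Flow("10.0.0.42", "203.0.113.10", "tcp", 443,  True),  # firmware update: allowed
    Flow("10.0.0.42", "10.0.0.17",    "udp", 5353, True),  # mDNS on the local subnet: allowed
    Flow("10.0.0.42", "198.51.100.7", "tcp", 8883, True),  # MQTT to the controller: allowed
    Flow("10.0.0.42", "192.0.2.99",   "tcp", 443,  True),  # destination not in policy: flagged
    Flow("10.0.0.42", "10.0.0.17",    "tcp", 22,   True),  # SSH to a neighbour: flagged
]

if __name__ == "__main__":
    for f in audit(DEVICE_POLICY, OBSERVED):
        print("unexpected flow:", f)
```

The point of the design is that the policy, not a learned baseline, is the reference: an enforcement point needs no model of what compromise looks like, only the manufacturer's statement of what the device is supposed to do, and anything outside it is grounds to contain the device rather than to keep trusting it.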