IETF Logo Mail Archive

Re: [cicm] Use Cases

"Novikov, Lev" <lnovikov@mitre.org> Thu, 08 September 2011 18:13 UTC

Return-Path: <lnovikov@mitre.org>
X-Original-To: cicm@ietfa.amsl.com
Delivered-To: cicm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B2DC21F8744 for <cicm@ietfa.amsl.com>; Thu, 8 Sep 2011 11:13:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.4
X-Spam-Level:
X-Spam-Status: No, score=-5.4 tagged_above=-999 required=5 tests=[AWL=-1.101, BAYES_00=-2.599, MANGLED_STOP=2.3, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aEFgIelWOQAp for <cicm@ietfa.amsl.com>; Thu, 8 Sep 2011 11:13:40 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id C27F821F8514 for <cicm@ietf.org>; Thu, 8 Sep 2011 11:13:39 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 5566E21B120E for <cicm@ietf.org>; Thu, 8 Sep 2011 14:15:31 -0400 (EDT)
Received: from imchub1.MITRE.ORG (imchub1.mitre.org [129.83.29.73]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 50EAC21B0168 for <cicm@ietf.org>; Thu, 8 Sep 2011 14:15:31 -0400 (EDT)
Received: from IMCMBX3.MITRE.ORG ([129.83.29.206]) by imchub1.MITRE.ORG ([129.83.29.73]) with mapi; Thu, 8 Sep 2011 14:15:31 -0400
From: "Novikov, Lev" <lnovikov@mitre.org>
To: CICM Discussion List <cicm@ietf.org>
Date: Thu, 08 Sep 2011 14:14:17 -0400
Thread-Topic: [cicm] Use Cases
Thread-Index: AcxkLTeZAvR3bwFMSYqPf+pySxYTSgCJ2nxAAf+VFWA=
Message-ID: <F9AB58FA72BAE7449E7723791F6993ED06310632A4@IMCMBX3.MITRE.ORG>
References: <F9AB58FA72BAE7449E7723791F6993ED0630EDD3B8@IMCMBX3.MITRE.ORG> <7EDDD87A9A1D7F4DB6F78BC55AA4955002085E7C@0461-its-exmb09.us.saic.com>
In-Reply-To: <7EDDD87A9A1D7F4DB6F78BC55AA4955002085E7C@0461-its-exmb09.us.saic.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [cicm] Use Cases
X-BeenThere: cicm@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: CICM Discussion List <cicm@ietf.org>
List-Id: CICM Discussion List <cicm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cicm>, <mailto:cicm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/cicm>
List-Post: <mailto:cicm@ietf.org>
List-Help: <mailto:cicm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cicm>, <mailto:cicm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Sep 2011 18:13:40 -0000

John,

On 2011-08-29 10:27, John Davidson wrote:
> When you refer to "sides" in #4, it may lead us to model the "red side"
> as "considered secure" and the black side as "considered unsecured".
> The secure/unsecured view leads us to think that there is something more
> than isolation that makes the red domain "secure."  That has a "my
> machine; my data vs. their stuff" security policy orientation.
> There is another orientation that may be more applicable for so-called high
> assurance.  That is the Their (the gov's) Top Secret, Their Secret and
> Their Unclassified, where none of the domains are "considered secure"
> from a trustworthy-ness POV.

This is an excellent point. Security domains do not define trust, per se. They
are defined by a security policy which specifies, among other things, how data
moves into/out of that domain. This is the definition we previously used.
For example, see "$ security domain" in
http://tools.ietf.org/html/draft-lanz-cicm-lm-01

Therefore, I'm going to add "multiple levels of security domains" to the list of
use cases. This should cover a broad list of arrangements including Joe Mitola's
use cases (personal data, NDAs, content-based roles).

FYI: By adding this use case, I'm not saying that CICM needs to support Multiple
Levels of Security (MLS) and/or Multiple Independent Levels of Security (MILS),
but I am saying we shouldn't do anything to prevent someone from using it those
configurations, if they so choose.
See http://tools.ietf.org/html/draft-lanz-cicm-lm-01#section-1.4

> I mention this because it the link in #4 implies just 2 "sides" and it
> implies communication between those "sides" that encourages software to
> fail to "stay out of the way" and violate rules by trying to communicate
> from red to black with bypass and such.
>
> While lots of people (HAIPE et al) want to do that, I suggest our models
> stop short of encouraging, suggesting or even enabling it because to do
> so creates an architecture that we don't know how to secure today.  That
> is not what we are about.

The use cases are intentionally broad because we are trying to build a framework
which will facilitate analysis of existing IETF protocols using a domain-centric
approach. Certainly, the classic high assurance cases (1, 3) can be used, but
we're evaluating the impact on existing approaches.

Our current list so far:
1. high assurance data-in-transit (two networks, two domains)
2. traditional data-in-transit or -at-rest (cf. PKCS#11)
3. one network, two domains (cf. network storage; data-in-transit + -at-rest)
4. one machine, two domains in software (via Vincent Roca)
5. secure key exchange (via Kevin Wall)
6. multiple levels of security domains (via John Davidson/Joe Mitola;
  one or more networks, multiple domains)

Any others?

Regards,
Lev

v2.23.0 | Report a Bug | By Email