Re: [Model-t] What are we trying to protect

Thomas Hardjono <hardjono@mit.edu> Wed, 07 August 2019 20:21 UTC

Return-Path: <hardjono@mit.edu>
X-Original-To: model-t@ietfa.amsl.com
Delivered-To: model-t@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9276A120103 for <model-t@ietfa.amsl.com>; Wed, 7 Aug 2019 13:21:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EHeEMrObVn5x for <model-t@ietfa.amsl.com>; Wed, 7 Aug 2019 13:21:57 -0700 (PDT)
Received: from outgoing-exchange-3.mit.edu (outgoing-exchange-3.mit.edu [18.9.28.13]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2E52C120059 for <model-t@iab.org>; Wed, 7 Aug 2019 13:21:56 -0700 (PDT)
Received: from w92exedge3.exchange.mit.edu (W92EXEDGE3.EXCHANGE.MIT.EDU [18.7.73.15]) by outgoing-exchange-3.mit.edu (8.14.7/8.12.4) with ESMTP id x77KMS0h020209; Wed, 7 Aug 2019 16:22:37 -0400
Received: from w92expo23.exchange.mit.edu (18.7.74.77) by w92exedge3.exchange.mit.edu (18.7.73.15) with Microsoft SMTP Server (TLS) id 15.0.1293.2; Wed, 7 Aug 2019 16:21:36 -0400
Received: from oc11expo23.exchange.mit.edu (18.9.4.88) by w92expo23.exchange.mit.edu (18.7.74.77) with Microsoft SMTP Server (TLS) id 15.0.1365.1; Wed, 7 Aug 2019 16:21:53 -0400
Received: from oc11expo23.exchange.mit.edu ([18.9.4.88]) by oc11expo23.exchange.mit.edu ([18.9.4.88]) with mapi id 15.00.1365.000; Wed, 7 Aug 2019 16:21:53 -0400
From: Thomas Hardjono <hardjono@mit.edu>
To: Watson Ladd <watsonbladd@gmail.com>
CC: Ira McDonald <blueroofmusic@gmail.com>, "model-t@iab.org" <model-t@iab.org>
Thread-Topic: [Model-t] What are we trying to protect
Thread-Index: AQHVTKARMPvYR1mv10m+AYM7i0MFwqbvF6MAgAACjICAADFGgIAA0Z7h
Date: Wed, 07 Aug 2019 20:21:53 +0000
Message-ID: <380339469241445691fd9caf0d761992@oc11expo23.exchange.mit.edu>
References: <4a2324dfd4ba4780a18bcb3f3db7f7de@oc11expo23.exchange.mit.edu> <CAN40gSsibQDrs8yDUYP59U+ume-MMwUpiQ_q0F6t27vQEOt+qw@mail.gmail.com> <061F959D-CA86-46BD-BFE1-4CF8024E7F8D@mit.edu>, <CACsn0c=HSg98Ed85rQuRgYU+HkgevsN9+xZC3pP8m=1qxAnu=A@mail.gmail.com>
In-Reply-To: <CACsn0c=HSg98Ed85rQuRgYU+HkgevsN9+xZC3pP8m=1qxAnu=A@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [73.167.220.69]
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/model-t/F9s2-Bh944welzjFa0A0uuypzpk>
Subject: Re: [Model-t] What are we trying to protect
X-BeenThere: model-t@iab.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussions of changes in Internet deployment patterns and their impact on the Internet threat model <model-t.iab.org>
List-Unsubscribe: <https://www.iab.org/mailman/options/model-t>, <mailto:model-t-request@iab.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/model-t/>
List-Post: <mailto:model-t@iab.org>
List-Help: <mailto:model-t-request@iab.org?subject=help>
List-Subscribe: <https://www.iab.org/mailman/listinfo/model-t>, <mailto:model-t-request@iab.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Aug 2019 20:22:00 -0000

As far as know, RFC 1520, 4120 and 2743/44 does not support the reporting of the *state* of keys in the KDC, the software-stack of the KDC, etc. etc.

I think my point is non-contentional: the End to End argument in the late 80s and into the 1990s made the inquiry of (reporting of) endpoint security state information out-of-scope for the IETF's work. Its corollary of the end to end principle.

-- thomas --


________________________________________
From: Watson Ladd [watsonbladd@gmail.com]
Sent: Tuesday, August 6, 2019 11:33 PM
To: Thomas Hardjono
Cc: Ira McDonald; model-t@iab.org
Subject: Re: [Model-t] What are we trying to protect

Kerberos and NFS are two notable exceptions.


On Tue, Aug 6, 2019 at 5:38 PM Thomas Hardjono <hardjono@mit.edu> wrote:
>
> Hi Ira,
>
> I’m familiar with NEA — NEA & TNC (and NAP & NAC) are relatively recent.  I’m talking about the majority of RFCs coming out of the Security Area since the mid-1990s.
>
> This was a core part of the End-to-End Principle (e.g. key management and handling of keys at the edges, out side the scope of the IETF).
>
>
>
> /thomas/
>
> ___________________________________
>
> On Aug 6, 2019, at 8:24 PM, Ira McDonald <blueroofmusic@gmail.com> wrote:
>
> Hi,
>
> I disagree with this characterization of the IETF's historic interest.
>
> IETF NEA (built on contributed TCG TNC protocols) is *all* about
> the security and health of endpoints.  And IETF NEA is now being
> leveraged heavily in IETF SACM for that very reason.  SACM is
> of course *mostly* about the security and health of endpoints and
> only incidentally about middleboxes.
>
> Cheers,
> - Ira
>
> Ira McDonald (Musician / Software Architect)
> Co-Chair - TCG Trusted Mobility Solutions WG
> Co-Chair - TCG Metadata Access Protocol SG
> Chair - Linux Foundation Open Printing WG
> Secretary - IEEE-ISTO Printer Working Group
> Co-Chair - IEEE-ISTO PWG Internet Printing Protocol WG
> IETF Designated Expert - IPP & Printer MIB
> Blue Roof Music / High North Inc
> http://sites.google.com/site/blueroofmusic
> http://sites.google.com/site/highnorthinc
> mailto: blueroofmusic@gmail.com
> PO Box 221  Grand Marais, MI 49839  906-494-2434
>
>
>
> On Tue, Aug 6, 2019 at 5:45 PM Thomas Hardjono <hardjono@mit.edu> wrote:
>>
>>
>> >>> 1) Attacking the system directly.
>>
>> >>> 2) Delivering an attack through a user-initiated session or exfiltrating data through said session
>>
>> >>> 4) Passive monitoring of all traffic
>>
>> >>> 5) Monitoring and tracking all user's traffic inside their session.
>>
>>
>> Historically the IETF has focused on protocols and communications security. This was an explicit choice/decision of the IETF community in the mid-1990s. So, all the protocols we have (ISAKMP, IKE, IPsec, TLS, etc.) have addressed a threat model that was focused on the communications channel. The security of the end-point, such as a Client or device, was out of scope (until now, I guess, depending).
>>
>> If the IETF’s scope is going to be expanded, I’d suggest the IETF developing an abstraction model and terminology that helps discussion. Otherwise we end up boiling the ocean with too many words, use-cases and scenarios.
>>
>> At the Montreal SAAG meeting I mentioned the term end-point “state”.  One way to map the above list of threats would be to express it abstractly in terms of state and the protection of state information/data. So, the above list could be mapped to something like this:
>>
>> (i) Unauthorized modification of end-point state. (i.e. attacking a client OS.).
>>
>> (ii) Unauthorized exfiltration of end-point state information (i.e. exfiltration of data, both system-data and user-data, from a machine).
>>
>> (iii) Malicious substitution of state in transit (i.e. hi-jacking a connection and doing a MITM).
>>
>> (iv) Unhindered reporting of end-point state information (i.e. authentic reporting from a MIB in a device).
>>
>>
>> You get my point. It’s no longer just about protection of the communication channel and transport protocol resiliency.  It’s now about the “stuff” at the end of the channel.
>>
>>
>> — thomas —
>>
>> --
>> Model-t mailing list
>> Model-t@iab.org
>> https://www.iab.org/mailman/listinfo/model-t
>
> --
> Model-t mailing list
> Model-t@iab.org
> https://www.iab.org/mailman/listinfo/model-t



--
"Man is born free, but everywhere he is in chains".
--Rousseau.