IETF Logo Mail Archive

Re: [Model-t] What are we trying to protect

Thomas Hardjono <hardjono@mit.edu> Tue, 06 August 2019 21:45 UTC

Return-Path: <hardjono@mit.edu>
X-Original-To: model-t@ietfa.amsl.com
Delivered-To: model-t@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B0845120033 for <model-t@ietfa.amsl.com>; Tue, 6 Aug 2019 14:45:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uaOd8-jyLf2g for <model-t@ietfa.amsl.com>; Tue, 6 Aug 2019 14:45:31 -0700 (PDT)
Received: from outgoing-exchange-1.mit.edu (outgoing-exchange-1.mit.edu [18.9.28.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 150DB120025 for <model-t@iab.org>; Tue, 6 Aug 2019 14:45:30 -0700 (PDT)
Received: from oc11exedge2.exchange.mit.edu (OC11EXEDGE2.EXCHANGE.MIT.EDU [18.9.3.18]) by outgoing-exchange-1.mit.edu (8.14.7/8.12.4) with ESMTP id x76Ljkjk004709 for <model-t@iab.org>; Tue, 6 Aug 2019 17:45:51 -0400
Received: from w92expo23.exchange.mit.edu (18.7.74.77) by oc11exedge2.exchange.mit.edu (18.9.3.18) with Microsoft SMTP Server (TLS) id 15.0.1293.2; Tue, 6 Aug 2019 17:45:35 -0400
Received: from oc11expo23.exchange.mit.edu (18.9.4.88) by w92expo23.exchange.mit.edu (18.7.74.77) with Microsoft SMTP Server (TLS) id 15.0.1365.1; Tue, 6 Aug 2019 17:45:23 -0400
Received: from oc11expo23.exchange.mit.edu ([18.9.4.88]) by oc11expo23.exchange.mit.edu ([18.9.4.88]) with mapi id 15.00.1365.000; Tue, 6 Aug 2019 17:45:23 -0400
From: Thomas Hardjono <hardjono@mit.edu>
To: "model-t@iab.org" <model-t@iab.org>
Thread-Topic: [Model-t] What are we trying to protect
Thread-Index: AQHVTKARMPvYR1mv10m+AYM7i0MFwg==
Date: Tue, 06 Aug 2019 21:45:23 +0000
Message-ID: <4a2324dfd4ba4780a18bcb3f3db7f7de@oc11expo23.exchange.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [73.167.220.69]
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/model-t/GpfCCjBrT86AKqAh4XlQF5BbJ0Q>
Subject: Re: [Model-t] What are we trying to protect
X-BeenThere: model-t@iab.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussions of changes in Internet deployment patterns and their impact on the Internet threat model <model-t.iab.org>
List-Unsubscribe: <https://www.iab.org/mailman/options/model-t>, <mailto:model-t-request@iab.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/model-t/>
List-Post: <mailto:model-t@iab.org>
List-Help: <mailto:model-t-request@iab.org?subject=help>
List-Subscribe: <https://www.iab.org/mailman/listinfo/model-t>, <mailto:model-t-request@iab.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Aug 2019 21:45:33 -0000

>>> 1) Attacking the system directly.

>>> 2) Delivering an attack through a user-initiated session or exfiltrating data through said session

>>> 4) Passive monitoring of all traffic

>>> 5) Monitoring and tracking all user's traffic inside their session. 


Historically the IETF has focused on protocols and communications security. This was an explicit choice/decision of the IETF community in the mid-1990s. So, all the protocols we have (ISAKMP, IKE, IPsec, TLS, etc.) have addressed a threat model that was focused on the communications channel. The security of the end-point, such as a Client or device, was out of scope (until now, I guess, depending).

If the IETF’s scope is going to be expanded, I’d suggest the IETF developing an abstraction model and terminology that helps discussion. Otherwise we end up boiling the ocean with too many words, use-cases and scenarios.

At the Montreal SAAG meeting I mentioned the term end-point “state”.  One way to map the above list of threats would be to express it abstractly in terms of state and the protection of state information/data. So, the above list could be mapped to something like this:

(i) Unauthorized modification of end-point state. (i.e. attacking a client OS.).

(ii) Unauthorized exfiltration of end-point state information (i.e. exfiltration of data, both system-data and user-data, from a machine).

(iii) Malicious substitution of state in transit (i.e. hi-jacking a connection and doing a MITM).

(iv) Unhindered reporting of end-point state information (i.e. authentic reporting from a MIB in a device).


You get my point. It’s no longer just about protection of the communication channel and transport protocol resiliency.  It’s now about the “stuff” at the end of the channel.


— thomas —

v2.23.0 | Report a Bug | By Email