IETF Logo Mail Archive

Re: [Model-t] Considerations for modern COMSEC protocol design

"Christopher Wood" <caw@heapingbits.net> Tue, 18 February 2020 15:27 UTC

Return-Path: <caw@heapingbits.net>
X-Original-To: model-t@ietfa.amsl.com
Delivered-To: model-t@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A6274120152 for <model-t@ietfa.amsl.com>; Tue, 18 Feb 2020 07:27:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=heapingbits.net header.b=AJC5bLac; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=RuqkzAdZ
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xvWE8T5d24E7 for <model-t@ietfa.amsl.com>; Tue, 18 Feb 2020 07:27:27 -0800 (PST)
Received: from wout2-smtp.messagingengine.com (wout2-smtp.messagingengine.com [64.147.123.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 364BA120130 for <model-t@iab.org>; Tue, 18 Feb 2020 07:27:27 -0800 (PST)
Received: from compute6.internal (compute6.nyi.internal [10.202.2.46]) by mailout.west.internal (Postfix) with ESMTP id 7677D747 for <model-t@iab.org>; Tue, 18 Feb 2020 10:27:26 -0500 (EST)
Received: from imap4 ([10.202.2.54]) by compute6.internal (MEProxy); Tue, 18 Feb 2020 10:27:26 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=heapingbits.net; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type; s=fm3; bh=U6cmMa/DA7sbdTdxKSsX0GM8IEg/l8V +4LvhuaY0fVo=; b=AJC5bLac8eRTEVUgj6QqqcljV3dZDc2Fb6a4CD1Wlvc6QRn gV6aSJ2aLMaFpD5jDOq2LlBK0MgHXcwDABFYQMNAtFBayHHWf3kcrbNgTILhnA9l 1Wp34PMnC5HPSYdzpCIyy2jFY9I5aSF0ukw1KxzyNShHUsX9dwymQdphjMv3aXkV J5a1S8NviVAUauiI/5c1X0e74mSMOlFmjjfmNSMmecNbWmzrtMiz2EVbbp2HPgjC 5KH0Wpivf+j32QZYUq5DFCWjwaIHFsWzo3kfDRSA1ZRy0HghbF4oALdH7byv2eYf zyBfbEzMR/YsDTtsDSZnW++fsGh/c6Xod72w/bg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=U6cmMa /DA7sbdTdxKSsX0GM8IEg/l8V+4LvhuaY0fVo=; b=RuqkzAdZ60rxQZukBB5tB3 vo1QeoYan/qIL0IHSvQFbUCVVf5IS27IfZH9IfkHVFgPAPv4calWCTfwqaBpQDEb aHoddm42rUbQE6beozE64TCRliTL1PEDx+b7LgR1XrsIXAb3q9By5duBe7Qp4XzG tUIzQMlVYMlX1CviQHRY/YosVtJiZT8c4RfrlUfyHlvqf/KsLEIVNxn+podtp7cR iF+P5tLyTuJh/WAjvtqd8QOsSADan6zp8ngdb9bdeX/ZhBFSzdSgrKo4L2kfxP66 hm+fyb9gko5jdERPQBtpjhsezdcD00PySy33Z4zJtovcell8pokvhF3RMXKEDpjQ ==
X-ME-Sender: <xms:XQJMXtDhpenc0IsSKFUH7WycnkEAoPvTgK_uyiiCrEOSOffoMvS34A>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedugedrjeekgdejjecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurhepofgfggfkjghffffhvffutgesthdtre dtreertdenucfhrhhomhepfdevhhhrihhsthhophhhvghrucghohhougdfuceotggrfies hhgvrghpihhnghgsihhtshdrnhgvtheqnecuffhomhgrihhnpehirggsrdhorhhgnecuve hluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomheptggrfieshhgv rghpihhnghgsihhtshdrnhgvth
X-ME-Proxy: <xmx:XQJMXj6OnxVrLFoKM8v_qWafUlm8hRzQKZu-9qDQE_4OIuGfLoytPw> <xmx:XQJMXi2KGhXI8OUnCfM1hSHQYhsjaKW2L1Cl4Bs10aY289EdnM4DnQ> <xmx:XQJMXsVMzFPzFz3BuMTv5nFUdHWHzzzUI4x6eBkmfdSAIgdU_LNq9A> <xmx:XgJMXv8vQ9rhjLqJIYeXcl6sNUyF_vdG_LdTEMIgvV9HPMb2Six5XA>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id DC0953C00A1; Tue, 18 Feb 2020 10:27:25 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.1.7-802-g7a41c81-fmstable-20200203v1
Mime-Version: 1.0
Message-Id: <c6c19978-7c59-4b7d-af00-e9c7dfe61993@www.fastmail.com>
In-Reply-To: <CABcZeBPzF4=_m5La1JikGWR=4_Q5j68n1kx3Xzozaa+-QhuMHg@mail.gmail.com>
References: <CABcZeBPgvsQGzyWEXK_U2x_wYthuxELCs7r+J+NLyA=knpp8pw@mail.gmail.com> <a9bca34b-c458-f3b9-cf54-6418ef525fa9@tuwien.ac.at> <CABcZeBPzF4=_m5La1JikGWR=4_Q5j68n1kx3Xzozaa+-QhuMHg@mail.gmail.com>
Date: Tue, 18 Feb 2020 07:27:05 -0800
From: Christopher Wood <caw@heapingbits.net>
To: model-t@iab.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/model-t/nZMSCwDYjvWg--befuCS6GJcc60>
Subject: Re: [Model-t] Considerations for modern COMSEC protocol design
X-BeenThere: model-t@iab.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussions of changes in Internet deployment patterns and their impact on the Internet threat model <model-t.iab.org>
List-Unsubscribe: <https://www.iab.org/mailman/options/model-t>, <mailto:model-t-request@iab.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/model-t/>
List-Post: <mailto:model-t@iab.org>
List-Help: <mailto:model-t-request@iab.org?subject=help>
List-Subscribe: <https://www.iab.org/mailman/listinfo/model-t>, <mailto:model-t-request@iab.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Feb 2020 15:27:30 -0000


On Tue, Feb 18, 2020, at 6:27 AM, Eric Rescorla wrote:
> 
> 
> On Tue, Feb 18, 2020 at 3:39 AM Joachim Fabini 
> <Joachim.Fabini@tuwien.ac.at> wrote:
> > thanks EKR for the concise summary. Some minor
> >  additions/comments/thoughts on the traffic analysis paragraph and on e2e
> >  aspects below.
> > 
> >  On 2/17/20 6:06 PM, Eric Rescorla wrote:
> >  > As promised...
> >  > 
> >  > -Ekr and Chris
> >  > 
> >  > [...]
> >  >
> >  > TRAFFIC ANALYSIS
> >  > RFC 3552; Section 3.2.1 describes how the absence of TLS or other
> >  > transport-layer encryption may lead to obvious confidentiality
> >  > violations against passive attackers. However, recent trends in
> >  > traffic analysis indicate encryption alone may be insufficient
> >  > protection for some types of application data [1]. Encrypted traffic
> >  > metadata, especially message size, 
> > 
> >  In addition, message timing, -sequence, -patterns are the features most
> >  useful and commonly available whenever attacking encrypted (and
> >  potentially aggregated) protocol traffic. Worth mentioning...
> 
> Yes, I agree with this.

+1, though let's not get carried away. (The list can grow to thousands of features.)

> >  > can leak information about the
> >  > underlying plaintext. DNS queries and responses are particularly
> >  > at risk given their size distributions. Recent protocols account
> >  > for this leakage by supporting padding, either generically in the
> >  > transport protocol (QUIC and TLS), or specifically in the application
> >  > protocol (EDNS(0) padding option for DNS messages).
> > 
> >  Time synchronization protocols can be mentioned here as a use case, too.
> >  Currently none of the existing TS protocols is adequately protected
> >  against timing attacks (assumptions concerning link diversity typically
> >  fail whenever the attacker is well-positioned, e.g., on the majority of
> >  the system's few access links). And timing becomes crucial for many systems.
> > 
> >  Moreover, the accuracy of (today's) network-based timesync depends on
> >  deterministic message patterns, sizes and timing. Consequently (a) any
> >  attempt to secure/obscure these messages impairs on timesync accuracy
> >  and (b) timesync messages can be spotted easily within encrypted traffic
> >  (even including IPsec-tunneled timesync, despite TFC and obscuring
> >  traffic - references on request).
> > 
> >  At least a note could be added that subliminal channels do exist and
> >  should be considered when designing (security) protocols. I'll try to go
> >  into more detail with the malware draft.
> 
> Hmm.... What do you think protocol designers would do with this information?
> Every modern comsec protocol I am familiar with has zillions of bits that can
> be freely chosen, and though there's been a bunch of work on deransomization
> I don't think we're ready to change that.
> 
> >  Finally, somebody mentioned during Friday's telco that "we don't know
> >  who provides security". Imo this is where the threat landscape changed
> >  most since 2003. RFC3552 does not even include the definition of an
> >  endpoint (imo because by the time of writing it was too obvious what's
> >  meant). Security frameworks, containers, virtual guests, clouds, etc.,
> >  changed the rules of the game. They help but their transparency can be
> >  painful in a security context.
> > 
> >  So it boils down to a (again, imo) central question that the CLESS
> >  endpoint taxonomy draft tackles to a certain extent: "what does
> >  end-to-end mean"?
> > 
> >  Is it meaningful/mandatory that future protocol/framework security
> >  specifications are forced to make explicit what their perception or
> >  concept of end-to-end is? Rewording this slightly: Users and
> >  applications should have a right to identify/query which underlying
> >  layers provide (e2e) security, i.e., where e2e security really ends.
> >  And, in addition, which layers/frameworks/etc. (either local or remote)
> >  sit in between and could break end-to-end security without being noticed.
> 
> This seems like a kind of normative statement that 3552 generally strove to
> avoid, and I think should remain out of scope here. I think it would be a good
> idea to explain that the endpoint you are talking to now is probably really
> distributed, but I don't think we should be taking a position on the users
> rights vis-a-vis that.
> 
> -Ekr
> 
> -- 
> Model-t mailing list
> Model-t@iab.org
> https://www.iab.org/mailman/listinfo/model-t
>

v2.23.0 | Report a Bug | By Email