IETF Logo Mail Archive

Re: [Model-t] draft-thomson-tmi

Martin Thomson <mt@lowentropy.net> Tue, 04 August 2020 08:09 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: model-t@ietfa.amsl.com
Delivered-To: model-t@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF3633A0C16 for <model-t@ietfa.amsl.com>; Tue, 4 Aug 2020 01:09:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.198
X-Spam-Level:
X-Spam-Status: No, score=-0.198 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=TcCbNr18; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=jJAJqUfV
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3yJ2VrFBzmkQ for <model-t@ietfa.amsl.com>; Tue, 4 Aug 2020 01:09:00 -0700 (PDT)
Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6530C3A0C17 for <model-t@iab.org>; Tue, 4 Aug 2020 01:09:00 -0700 (PDT)
Received: from compute2.internal (compute2.nyi.internal [10.202.2.42]) by mailout.nyi.internal (Postfix) with ESMTP id B1A445C01FC; Tue, 4 Aug 2020 04:08:59 -0400 (EDT)
Received: from imap2 ([10.202.2.52]) by compute2.internal (MEProxy); Tue, 04 Aug 2020 04:08:59 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=mime-version:message-id:in-reply-to:references:date:from:to :cc:subject:content-type:content-transfer-encoding; s=fm2; bh=ov XuEw1x0rDKDihmw33RwLDAsb1j2vTY9ZbYWuxmdhQ=; b=TcCbNr18cQoAUG+E3B CbzU8c5in8Kdv/1Ri5onrnWMTKa+dM5IxcH4eHG5XM4nWGXkG9C3TY2W3wWf7c/x Yd3IYqa0Bro0Qg34p+/+T8KNFt9hTr6xNP4j0DwvSthpKfCrxcZNGbpBrDeE5dGm LS47a1xDs3NsVsA8ZjEt+9t0CemPm99+1dkf7zZ6FkDFX6yid26kYNKJlSIbVFeD Ri0fVaw3WX1TLTja11lbJzvHgYrpPVpZCkus5KazhegzoHGed8J5YXJ++rB4ohYq C0TMZ7gh//n1/cLjB9ndtWoYgSrF1QYjQxkNla3X0+qBcJBZRuzJ6hUdzcagkHU/ HxoA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm3; bh=ovXuEw1x0rDKDihmw33RwLDAsb1j2vTY9ZbYWuxmd hQ=; b=jJAJqUfVYtNiurYYaeqahta42oPNy+S7WrNP/UKlklP13I7sZJ0OXLXhq jp8t4MI9G+BEAQy3b/7Vecn+HGQwUSuxRNjgrsUqSiqsC0SSVWkJqsVQNLBCJoGk XTqs//ee6y0Zfno4JPzLgD/qKtKyItZBYkJuQJF+4t5mJGxEtoFJ2bloSY1ZPHZx I7PHLTsVtemQ65DqC7Wk6+wPwBe0dbFG5nl7lNl/wutXzMmmoGO430u24nCiAYQD MjwfUNCaeRJR8zfYXHXXnMrIqZWFnoa9eHMbKsu4dAZZzpFcDiRYFChqJY/w251Q F96z21qjFlhoa3FBBgsrOfUZIvvNQ==
X-ME-Sender: <xms:mxcpXxhlp5X4mXrICq92kgwv2ZetfelKFUJGMzEpWoT4Frv9Q5MXcg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduiedrjeeigddtudcutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc fjughrpefofgggkfgjfhffhffvufgtgfesthhqredtreerjeenucfhrhhomhepfdforghr thhinhcuvfhhohhmshhonhdfuceomhhtsehlohifvghnthhrohhphidrnhgvtheqnecugg ftrfgrthhtvghrnhepgfejueduieffledtgeelheejvdettdejudduhefggeefgfekgfeu ieetgefftddtnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrh homhepmhhtsehlohifvghnthhrohhphidrnhgvth
X-ME-Proxy: <xmx:mxcpX2C3L2fIs6Fk_WDcmAZfJGecEskAMWywDOWXm-aI4-z_DAuMZA> <xmx:mxcpXxGs8RHqE86ONZMmn2wiVVxem3dyrvlCcm4F36hX0_0eSKN6dw> <xmx:mxcpX2T1DGdO7kp71-g0th_AfBYzL9mNqiZo5NGrS-6d5bOF1NXMWA> <xmx:mxcpX99aJlMB5L6_IXxT6VdRo-VuWS8nEzItkP8rZquCXnsmgHZctQ>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 17F8BE00C5; Tue, 4 Aug 2020 04:08:59 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.3.0-136-gc39b634-fm-20200803.001-gc39b6340
Mime-Version: 1.0
Message-Id: <480d483c-fddd-4480-ab8b-6368bdb2c5b0@www.fastmail.com>
In-Reply-To: <8CE6F9A3-FD01-4C09-AD10-C5FA5ECCDB9D@piuha.net>
References: <422978b2-028d-48e1-85ed-ddaa36e36052@www.fastmail.com> <8CE6F9A3-FD01-4C09-AD10-C5FA5ECCDB9D@piuha.net>
Date: Tue, 04 Aug 2020 18:08:37 +1000
From: Martin Thomson <mt@lowentropy.net>
To: Jari Arkko <jari.arkko@piuha.net>
Cc: model-t@iab.org
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/model-t/nl2IM7F0CGnAiaObROVuDfC16tE>
Subject: Re: [Model-t] draft-thomson-tmi
X-BeenThere: model-t@iab.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussions of changes in Internet deployment patterns and their impact on the Internet threat model <model-t.iab.org>
List-Unsubscribe: <https://www.iab.org/mailman/options/model-t>, <mailto:model-t-request@iab.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/model-t/>
List-Post: <mailto:model-t@iab.org>
List-Help: <mailto:model-t-request@iab.org?subject=help>
List-Subscribe: <https://www.iab.org/mailman/listinfo/model-t>, <mailto:model-t-request@iab.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Aug 2020 08:09:02 -0000

Hi Jari,

On Fri, Jul 31, 2020, at 02:01, Jari Arkko wrote:
> First off, the draft uses some examples from low-in-the-stack 
> intermediaries, many of which aren’t as relevant today as they were 
> earlier. It would be interesting to consider email services (that don’t 
> support good e2e keying, and at the same time benefit from the analysis 
> of the emails for commercial surveillance), DNS resolvers, and other 
> similar cases with more current relevance.

Yes, email is a great example.  I should find some way to lean on that for material.  There are good reasons for its current architecture, but I tend to think that these would not be good choices for a modern system.

Other than acknowledging their existence, I did specifically try to avoid making strong statements about the other topics that are "live".  Thus, the suggestion to talk about DNS resolvers is something we should keep exploring in ADD contributions (I tend to think that is a poor source of exemplary material here, but you might disagree).
 
> I think Section 2 and the definition of intermediation needs work. 
> Where do we draw the line between functions pass communications from A 
> to B, vs. functions that are used in some form in the communications 
> between A and B? Lets say a translation or discovery service. In either 
> case function may learn things that are private to the communicating 
> parties, it may impact the ability of the communicating parties extend 
> whatever they are doing with new functionality, and so on. Are these 
> intermediaries in the sense of the draft, or not? And why?

Do I consider recommendation engines - the like of which are used by Facebook, Youtube, Twitter, and other social media - intermediaries?  Maybe.  I explicitly identified social networks as intermediaries, but they are not a singular thing, and their role is not always intermediary in nature.

Discovery services - in the general sense - occupy an interesting point in this space.  They have the ability to inject themselves in the eventual communication (DNS and LoST are examples at a lower layer where injection rarely occurs; SIP operates at a higher layer and tends to end up with lots of intermediation).  For DNS, we would regard a resolver as an intermediary of the worst unwanted kind if it decided to provide its own address in place of the real answer and subsequently attempted to intermediate the application protocol. (This is entirely possible for email, incidentally.)

Translation services are more directly intermediaries.  But I'm not sure what you mean exactly there.  Protocol translation is often accomplished by intermediaries anyway.  It's rare to have protocol translation as a pure service, though it could in theory operate differently.  (Human language translation services are different: it offers a way to intermediate that doesn't involve intermediation in any real sense, it's only when you move to real-time interpretation that you introduce an intermediary.)

> Thirdly, I think there’s an issue in the following:
> 
>    Many problems caused by intermediation are the result of
>    intermediaries that are introduced without the involvement of
>    protocol endpoints.
> 
> This conflates the role of protocol endpoint and the role of users, 
> equipment owners, etc. A lot of today’s problems are caused by issues 
> where some piece of service or software or equipment does something 
> that isn’t aligned with my interests as the user. 

Here you have hit on a point I knew you would find troubling.  As I said when I introduced this, I don't see this as addressing the entire problem space here.  The idea is that we might run software that is written with goals that are not entirely congruent with our own, or use services that are motivated to exploit the access they gain for their own ends.  In most of these cases we have very little real choice even, which further enables bad behaviour.

But as the basis for protocol design, at least within the scope of this document, I don't see that as a useful problem to have identified.  This is a document aimed at protocol designers, so it necessarily assumes that actors in the system act rationally and in their own interests as it pertains to the protocol.  While the study of Byzantine systems is a great academic exercise and useful in systems design, we don't get very far when designing protocols that way.  So, like RFC 3552, this assumes that each endpoint represents its own interests.  Those might be nefarious in many ways, but as far as the protocol is concerned, it is reasonable to expect conformance to the contract of the protocol.

That doesn't make this an invalid angle to consider in general.  The question of designing for eventual endpoint compromise in a managed network, or subsystem compromise on a complex host, is a completely different angle.  The question of how we deal with differently aligned incentives of the systems, subsystems, components, and whatnot that we depend on is something else again.  I don't have a good view of where this program is going yet.  I think that we need all of the above, of course, but that seems unmanageable.

v2.23.0 | Report a Bug | By Email