IETF Logo Mail Archive

Re: [Model-t] Fwd: New Version Notification for draft-arkko-farrell-arch-model-t-redux-00.txt

Martin Thomson <mt@lowentropy.net> Thu, 05 November 2020 06:42 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: model-t@ietfa.amsl.com
Delivered-To: model-t@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5EA253A16FB for <model-t@ietfa.amsl.com>; Wed, 4 Nov 2020 22:42:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=G0hH0brZ; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=hmHHULQk
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v6sKi1tBP-7E for <model-t@ietfa.amsl.com>; Wed, 4 Nov 2020 22:42:27 -0800 (PST)
Received: from out5-smtp.messagingengine.com (out5-smtp.messagingengine.com [66.111.4.29]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 32EBE3A16F6 for <model-t@iab.org>; Wed, 4 Nov 2020 22:42:26 -0800 (PST)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id 24C985C00F0 for <model-t@iab.org>; Thu, 5 Nov 2020 01:42:26 -0500 (EST)
Received: from imap10 ([10.202.2.60]) by compute1.internal (MEProxy); Thu, 05 Nov 2020 01:42:26 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type:content-transfer-encoding; s=fm3; bh=+tBqG QDZ0+0Bn6YBusrXDD/gRgTuNq2vExJh5lQEaSA=; b=G0hH0brZyzcWaByVQNYwI uvQmlZhpax2qMAdRjpPvu80uiQyJ+QLJtFMLQbkqpgJX+s2wzxoptzWCgUmGbzBf rUwxUKrZDoqrG5ELpOEz0fN5Ocj7mBa5UReyMowX7L8OzLU2I90RghV7efvDidMj 9QnoI6gUK3sxhm3GmjwwWRSZg4tYow3iwOqPvviutsbxIGY5cXQV52KTNpPOLrTr L+9Cs+xerRRCm4TEENV9Rs/ZxETqAqIaLYoE5ptg7g1Ez938i24ACSu0dZLEhfGx mKPB4DNt+oTfC6rqmyqLqKwvKwgMx1SPqLV17WZLHPz9IKOefoAz1vbMcjIiFbAe Q==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm1; bh=+tBqGQDZ0+0Bn6YBusrXDD/gRgTuNq2vExJh5lQEa SA=; b=hmHHULQkjML6OCDxP3Tje6v74pl/TOM1BD8TEclzGxeOxVwiR0hYOdeyx El9GYDD8+wC7fIxxyj2QxYCLUy3J0gtELVGPBqfM1iYLoe6/Enwqm8Xi2Yt3Llh+ H6tdtS0uKf5Mc2CRwNb1oeMGmsPgrDLHANf4FsHqZPtTZol9LZFD84YMn+PsrPSj 5ARp5/ZOuajhxzefECLUZK9nBrfsfnRd8s9AUOylmo5ErDzbg+Dv4n4CAfLWqVG5 /dfsx/B/kh7p7odzQLf1XZ2E5hSBoAvq15J4qvHHpVDi/40wICPY6NKKPT2ooUFj P2kDlxrUnhXQasTlNEWzQWJJawaWw==
X-ME-Sender: <xms:0Z6jX_ryDR_t2Tec6WHqlTKAerts9OnSSIQnc_a3y1MCbO5_aRqOrQ> <xme:0Z6jX5osq9P_FDHnMewBiu0QqIJ_x153N4pqtV1FNNNPGwNCUb_uLbx1w3AujMtDy pQsMfsgjLIs597876Y>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedujedruddtiedgleelucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefofgggkfgjfhffhffvufgtgfesth hqredtreerjeenucfhrhhomhepfdforghrthhinhcuvfhhohhmshhonhdfuceomhhtsehl ohifvghnthhrohhphidrnhgvtheqnecuggftrfgrthhtvghrnhepkeelgfeufeegkeduue ektdfgleeuheffgedtgfffueelleffgeetveethefhffevnecuffhomhgrihhnpehivght fhdrohhrghdpihgrsgdrohhrghenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmh epmhgrihhlfhhrohhmpehmtheslhhofigvnhhtrhhophihrdhnvght
X-ME-Proxy: <xmx:0Z6jX8OxTIuq41DqVJ08rOkPo1Hxz5uW7yw59jroDWRgkImT45d_pA> <xmx:0Z6jXy5OBHZsAWRyvqiWaOUxFvNA8PZNolidHthmBw9LdK6kfVGbnw> <xmx:0Z6jX-5hvlATh4ofDjRe3_9bCiuguU_EXhwtYKKeJtTP8gCOZw657g> <xmx:0p6jXwEDKJtCdb_QJz2wDeH79PFgfB8Ny0jzW6oY4aE4-q87eVdinQ>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id B91F9203CC; Thu, 5 Nov 2020 01:42:25 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.3.0-565-g5179928-fm-20201104.001-g5179928e
Mime-Version: 1.0
Message-Id: <56b80459-e50b-417e-a8b7-6e77b2bd237a@www.fastmail.com>
In-Reply-To: <326D82B0-2FC8-4E64-9B74-7C2676A000FB@piuha.net>
References: <160436038675.20839.161219727924944374@ietfa.amsl.com> <326D82B0-2FC8-4E64-9B74-7C2676A000FB@piuha.net>
Date: Thu, 05 Nov 2020 17:42:05 +1100
From: Martin Thomson <mt@lowentropy.net>
To: model-t@iab.org
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/model-t/tDYBAb8OnKULz4bMf4LKAku9fvA>
Subject: Re: [Model-t] Fwd: New Version Notification for draft-arkko-farrell-arch-model-t-redux-00.txt
X-BeenThere: model-t@iab.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussions of changes in Internet deployment patterns and their impact on the Internet threat model <model-t.iab.org>
List-Unsubscribe: <https://www.iab.org/mailman/options/model-t>, <mailto:model-t-request@iab.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/model-t/>
List-Post: <mailto:model-t@iab.org>
List-Help: <mailto:model-t-request@iab.org?subject=help>
List-Subscribe: <https://www.iab.org/mailman/listinfo/model-t>, <mailto:model-t-request@iab.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Nov 2020 06:42:29 -0000

So this is something of a grab-bag for me, and while I like most of the principles you lay out (especially the ones I gave you :), I'm having a bit of a problem with the level at which this is aimed.

It might even make sense to up-level this and talk about this in terms of systems design.  I took a small step in this direction with -tmi, at the same time trying to keep it grounded in something that has a practical application to protocol design.  In contrast, this seems like this is a grander attempt at documenting systems design principles.

What I see here is several different iterations on the basic idea that system X is a complex system with multiple pieces and varying levels of exposure to different threats.  For instance, the computer you use is massively complex and has to contend with vulnerabilities at multiple levels.  Different components are also produced and maintained (to varying degrees) by different entities with their own independent interests that are sometimes in tension.  The same goes for use of online services of various sorts.

For communications security design, it still remains a useful simplification to treat endpoints as faithfully representing their own interests.  For systems design, this makes no sense at all.  At the system level the principle of least privilege applies.  That's a dramatic change in posture.

Indeed, if I was feeling even a little reductionist, I could say that Section 3 could be replaced in its entirely with "Apply the principle of least privilege".

Separately, I think that this third point isn't just about tracking, it's the nature of information that once release it is hard/impossible to know what is done with that information.

But I think that there is something in here that the IETF might agree to.  In the same way that RFC 8890 articulates an aspiration to adopt a particular stance regarding rights of different constituencies in design, this might introduce some notion that different systems designs are more worthy than others.  That is, we might favour protocols that are produced in support of systems that align with these principles over those that do not.

I'm not sure that this document is in a form where I can see it being useful toward that end just yet.  But there's a glimmer in there.  And that is very much not the evolution of the Internet threat model that was originally envisaged or that this claims might be needed.

Separately, what happened to the work from Chris and Ekr regarding evolution of the design space?  I see no evidence of that input here.  Is that because you believe that to be orthogonal work or something else?

Hope that is useful input,
Martin

On Tue, Nov 3, 2020, at 18:56, Jari Arkko wrote:
> We’ve had discussions about what kinds of documents are reasonable 
> outputs from this group. So far we’ve had kind of a kitchen sink 
> approach, for instance Stephen’s and my earlier document contained a 
> ton of material, e.g., about all possible attacks we could think of, 
> all the guidance we thought could be made, and so on.
> 
> As discussed previously it may make sense to narrow this down a bit. 
> Obviously there’s plenty of work left, but we submitted a very drafty 
> initial document that attempts to list the primary categories of 
> attacks, and discusses architectural principles in  four areas:
> 
>    o  Security of devices, including the user's own devices.
> 
>    o  Security of data at rest, in various parts of the system.
> 
>    o  Tracking and identification of users and their devices.
> 
>    o  Role of intermediaries, and in particular information passing 
> through them.
> 
> The description of the attacks, and some of the principles follows what 
> we’ve had in previous documents, but we’re trying to focus on what the 
> important bits are.
> 
> Comments appreciated.
> 
> Jari
> 
> > Begin forwarded message:
> > 
> > *From: *internet-drafts@ietf.org
> > *Subject: **New Version Notification for draft-arkko-farrell-arch-model-t-redux-00.txt*
> > *Date: *3 November 2020 at 1.39.46 GMT+2
> > *To: *"Jari Arkko" <jari.arkko@piuha.net>, "Stephen Farrell" <stephen.farrell@cs.tcd.ie>
> > 
> > 
> > A new version of I-D, draft-arkko-farrell-arch-model-t-redux-00.txt
> > has been successfully submitted by Jari Arkko and posted to the
> > IETF repository.
> > 
> > Name: draft-arkko-farrell-arch-model-t-redux
> > Revision: 00
> > Title: Internet Threat Model Evolution: Background and Principles
> > Document date: 2020-11-03
> > Group: Individual Submission
> > Pages: 26
> > URL:            https://www.ietf.org/archive/id/draft-arkko-farrell-arch-model-t-redux-00.txt
> > Status:         https://datatracker.ietf.org/doc/draft-arkko-farrell-arch-model-t-redux/
> > Htmlized:       https://datatracker.ietf.org/doc/html/draft-arkko-farrell-arch-model-t-redux
> > Htmlized:       https://tools.ietf.org/html/draft-arkko-farrell-arch-model-t-redux-00
> > 
> > 
> > Abstract:
> >   Communications security has been at the center of many security
> >   improvements in the Internet.  The goal has been to ensure that
> >   communications are protected against outside observers and attackers.
> > 
> >   This memo suggests that the existing RFC 3552 threat model, while
> >   important and still valid, is no longer alone sufficient to cater for
> >   the pressing security and privacy issues seen on the Internet today.
> >   For instance, it is often also necessary to protect against endpoints
> >   that are compromised, malicious, or whose interests simply do not
> >   align with the interests of users.  While such protection is
> >   difficult, there are some measures that can be taken and we argue
> >   that investigation of these issues is warranted.
> > 
> >   It is particularly important to ensure that as we continue to develop
> >   Internet technology, non-communications security related threats, and
> >   privacy issues, are properly understood.
> > 
> > 
> > 
> > 
> > Please note that it may take a couple of minutes from the time of submission
> > until the htmlized version and diff are available at tools.ietf.org.
> > 
> > The IETF Secretariat
> > 
> > 
> 
> -- 
> Model-t mailing list
> Model-t@iab.org
> https://www.iab.org/mailman/listinfo/model-t
>

v2.23.0 | Report a Bug | By Email