IETF Logo Mail Archive

Re: [Model-t] Considerations for modern COMSEC protocol design

Eric Rescorla <ekr@rtfm.com> Tue, 18 February 2020 14:28 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: model-t@ietfa.amsl.com
Delivered-To: model-t@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34300120152 for <model-t@ietfa.amsl.com>; Tue, 18 Feb 2020 06:28:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7Z3WIHER1CTj for <model-t@ietfa.amsl.com>; Tue, 18 Feb 2020 06:28:14 -0800 (PST)
Received: from mail-lf1-x133.google.com (mail-lf1-x133.google.com [IPv6:2a00:1450:4864:20::133]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F176A1201DE for <model-t@iab.org>; Tue, 18 Feb 2020 06:28:13 -0800 (PST)
Received: by mail-lf1-x133.google.com with SMTP id f24so14668000lfh.3 for <model-t@iab.org>; Tue, 18 Feb 2020 06:28:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=cGqDHdermo87sJxMp3/CCG7sjnoniPGb7brUmYX1EZU=; b=WJNgEkwU7lI+qtAFw7XFegjO4GHpLP6RNmlZ5GbVgj/M4ksdeVxenlAYa+esMsnUfA WWbsFnAzlXmJCQgtRXreMAwXKIawUtKS+B1oQxrntuBEiBCpTf5YGxWysH8y6bUNV7Zo UffxrAndXeX7U/1edC7748xT5WFBmAsCSzUIDaPnPA8qKP//tBBW8KL8xvMlPDUMN23i 2gX/wDli7ncpd1PiskIwCo+9gKGk20Pza40EoUydNkxy4Okeke1rfRtF5UNnsC7X1guv op7Gx5FV/SONN6s4OpcvztVrOYVXhRFNZVSOEG/MR/bNsnembjxWveJ8qBrtg9F7+YXO QuYw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=cGqDHdermo87sJxMp3/CCG7sjnoniPGb7brUmYX1EZU=; b=qsGC+N7IEaCltGe3w4K1JQudjKz6HDOTIxf0oa78MOoiqVBF0RKXkHG4gxqZLrpuXb 8CNKdzLfC4pZns+PoSpVPO6vWYkaPOp5fGM1pKbtpRAumwdadJNh3IetbSDr16lqUOT8 bdlyGc516AQyVJMranTAKw5oHztDkjccumJn2LqEj1U+SfrwHUAXwtk1tPMF1yuQHKkB ClDk+A1+4zg1PanH5763nfxs9BpImQyxmd6s4ILtCf34L4mGFvK1a881GQUFVIq7B1OM w6orkxgIUEEzfJdS3y6MBkDNywvyOCCbOtTDwffxCXP36C6gWRyL5wmxioe29WH6TBiv TJKw==
X-Gm-Message-State: APjAAAXUO3D/DZVI1RkEUU9ten4076Noiyl2QDCC/nuO+FEQ1E1NnL2I eT6O6Wa8NhYZgl0Tn/8NOLewRdxk4RSy3cOH3bbxMqlU
X-Google-Smtp-Source: APXvYqyiJ9iT4uJy/u0AiqUPhhyiYMh7oGrTUJ9Wh1/WH+MfWuP4gsePhFsJFi8x8/uShSANg/pPwQ2msH8NTMdKq3c=
X-Received: by 2002:ac2:53b9:: with SMTP id j25mr10436138lfh.140.1582036092239; Tue, 18 Feb 2020 06:28:12 -0800 (PST)
MIME-Version: 1.0
References: <CABcZeBPgvsQGzyWEXK_U2x_wYthuxELCs7r+J+NLyA=knpp8pw@mail.gmail.com> <a9bca34b-c458-f3b9-cf54-6418ef525fa9@tuwien.ac.at>
In-Reply-To: <a9bca34b-c458-f3b9-cf54-6418ef525fa9@tuwien.ac.at>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 18 Feb 2020 06:27:35 -0800
Message-ID: <CABcZeBPzF4=_m5La1JikGWR=4_Q5j68n1kx3Xzozaa+-QhuMHg@mail.gmail.com>
To: Joachim Fabini <Joachim.Fabini@tuwien.ac.at>
Cc: model-t@iab.org
Content-Type: multipart/alternative; boundary="0000000000004cd0d5059eda7b8e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/model-t/wu3RYe9ovF1elZ7F_McDOPvU8AA>
Subject: Re: [Model-t] Considerations for modern COMSEC protocol design
X-BeenThere: model-t@iab.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussions of changes in Internet deployment patterns and their impact on the Internet threat model <model-t.iab.org>
List-Unsubscribe: <https://www.iab.org/mailman/options/model-t>, <mailto:model-t-request@iab.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/model-t/>
List-Post: <mailto:model-t@iab.org>
List-Help: <mailto:model-t-request@iab.org?subject=help>
List-Subscribe: <https://www.iab.org/mailman/listinfo/model-t>, <mailto:model-t-request@iab.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Feb 2020 14:28:19 -0000

On Tue, Feb 18, 2020 at 3:39 AM Joachim Fabini <Joachim.Fabini@tuwien.ac.at>
wrote:

> thanks EKR for the concise summary. Some minor
> additions/comments/thoughts on the traffic analysis paragraph and on e2e
> aspects below.
>
> On 2/17/20 6:06 PM, Eric Rescorla wrote:
> > As promised...
> >
> > -Ekr and Chris
> >
> > [...]
> >
> > TRAFFIC ANALYSIS
> > RFC 3552; Section 3.2.1 describes how the absence of TLS or other
> > transport-layer encryption may lead to obvious confidentiality
> > violations against passive attackers. However, recent trends in
> > traffic analysis indicate encryption alone may be insufficient
> > protection for some types of application data [1]. Encrypted traffic
> > metadata, especially message size,
>
> In addition, message timing, -sequence, -patterns are the features most
> useful and commonly available whenever attacking encrypted (and
> potentially aggregated) protocol traffic. Worth mentioning...
>

Yes, I agree with this.



> > can leak information about the
> > underlying plaintext. DNS queries and responses are particularly
> > at risk given their size distributions. Recent protocols account
> > for this leakage by supporting padding, either generically in the
> > transport protocol (QUIC and TLS), or specifically in the application
> > protocol (EDNS(0) padding option for DNS messages).
>
> Time synchronization protocols can be mentioned here as a use case, too.
> Currently none of the existing TS protocols is adequately protected
> against timing attacks (assumptions concerning link diversity typically
> fail whenever the attacker is well-positioned, e.g., on the majority of
> the system's few access links). And timing becomes crucial for many
> systems.
>
> Moreover, the accuracy of (today's) network-based timesync depends on
> deterministic message patterns, sizes and timing. Consequently (a) any
> attempt to secure/obscure these messages impairs on timesync accuracy
> and (b) timesync messages can be spotted easily within encrypted traffic
> (even including IPsec-tunneled timesync, despite TFC and obscuring
> traffic - references on request).
>
> At least a note could be added that subliminal channels do exist and
> should be considered when designing (security) protocols. I'll try to go
> into more detail with the malware draft.
>

Hmm.... What do you think protocol designers would do with this information?
Every modern comsec protocol I am familiar with has zillions of bits that
can
be freely chosen, and though there's been a bunch of work on deransomization
I don't think we're ready to change that.



> Finally, somebody mentioned during Friday's telco that "we don't know
> who provides security". Imo this is where the threat landscape changed
> most since 2003. RFC3552 does not even include the definition of an
> endpoint (imo because by the time of writing it was too obvious what's
> meant). Security frameworks, containers, virtual guests, clouds, etc.,
> changed the rules of the game. They help but their transparency can be
> painful in a security context.
>
> So it boils down to a (again, imo) central question that the CLESS
> endpoint taxonomy draft tackles to a certain extent: "what does
> end-to-end mean"?
>
> Is it meaningful/mandatory that future protocol/framework security
> specifications are forced to make explicit what their perception or
> concept of end-to-end is? Rewording this slightly: Users and
> applications should have a right to identify/query which underlying
> layers provide (e2e) security, i.e., where e2e security really ends.
> And, in addition, which layers/frameworks/etc. (either local or remote)
> sit in between and could break end-to-end security without being noticed.


This seems like a kind of normative statement that 3552 generally strove to
avoid, and I think should remain out of scope here. I think it would be a
good
idea to explain that the endpoint you are talking to now is probably really
distributed, but I don't think we should be taking a position on the users
rights vis-a-vis that.

-Ekr

v2.23.0 | Report a Bug | By Email