[NSIS] Security Threats for NSIS : Relevant Communications Models
Tschofenig Hannes <hannes.tschofenig@siemens.com> Thu, 15 April 2004 14:17 UTC
Received: from optimus.ietf.org (optimus.ietf.org [132.151.1.19]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA26318 for <nsis-archive@odin.ietf.org>; Thu, 15 Apr 2004 10:17:27 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1BE7Zc-0005pv-Nv for nsis-archive@odin.ietf.org; Thu, 15 Apr 2004 10:10:36 -0400
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id i3FEAaro022428 for nsis-archive@odin.ietf.org; Thu, 15 Apr 2004 10:10:36 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1BE7LW-0004ye-Fw; Thu, 15 Apr 2004 09:56:02 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1BE7Dy-0002gI-Ap for nsis@optimus.ietf.org; Thu, 15 Apr 2004 09:48:14 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA23794 for <nsis@ietf.org>; Thu, 15 Apr 2004 09:48:11 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1BE7Dw-0003tY-00 for nsis@ietf.org; Thu, 15 Apr 2004 09:48:12 -0400
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1BE7D0-0003oR-00 for nsis@ietf.org; Thu, 15 Apr 2004 09:47:15 -0400
Received: from david.siemens.de ([192.35.17.14]) by ietf-mx with esmtp (Exim 4.12) id 1BE7CF-0003i8-00 for nsis@ietf.org; Thu, 15 Apr 2004 09:46:27 -0400
Received: from mail3.siemens.de (mail3.siemens.de [139.25.208.14]) by david.siemens.de (8.11.7/8.11.7) with ESMTP id i3FDkQn19555 for <nsis@ietf.org>; Thu, 15 Apr 2004 15:46:26 +0200 (MEST)
Received: from mchp9daa.mch.sbs.de (mchp9daa.mch.sbs.de [139.25.137.99]) by mail3.siemens.de (8.11.7/8.11.7) with ESMTP id i3FDkQc07908 for <nsis@ietf.org>; Thu, 15 Apr 2004 15:46:26 +0200 (MEST)
Received: by mchp9daa.mch.sbs.de with Internet Mail Service (5.5.2657.72) id <FF528D4H>; Thu, 15 Apr 2004 15:45:35 +0200
Message-ID: <2A8DB02E3018D411901B009027FD3A3F0468600D@mchp905a.mch.sbs.de>
From: Tschofenig Hannes <hannes.tschofenig@siemens.com>
To: "'nsis@ietf.org'" <nsis@ietf.org>
Date: Thu, 15 Apr 2004 15:45:59 +0200
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2657.72)
Content-Type: text/plain; charset="iso-8859-1"
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on ietf-mx.ietf.org
X-Spam-Status: No, hits=0.0 required=5.0 tests=AWL autolearn=no version=2.60
Subject: [NSIS] Security Threats for NSIS : Relevant Communications Models
Sender: nsis-admin@ietf.org
Errors-To: nsis-admin@ietf.org
X-BeenThere: nsis@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/nsis>, <mailto:nsis-request@ietf.org?subject=unsubscribe>
List-Id: Next Steps in Signaling <nsis.ietf.org>
List-Post: <mailto:nsis@ietf.org>
List-Help: <mailto:nsis-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/nsis>, <mailto:nsis-request@ietf.org?subject=subscribe>
hi all, i got a number of comments with regard to section 2 (Relevant Communications Models). fixing this section is a bit more complex than specific security threats: i went through some ietf drafts which consider security threats, trust models and related issues. after this list you will find my conclusion. here is a brief overview: ------------ IPv6 Neighbor Discovery trust models and threats draft-ietf-send-psreq-04 - an informal definition of trust is given - three threat model are presented. ------------ Security Considerations for 6to4 draft-ietf-v6ops-6to4-security-01.txt - no trust model provided. - detailed threat descriptions provided ------------ Threats Introduced by Rserpool and Requirements for Security in response to Threats <draft-ietf-rserpool-threats-02.txt> - no trust model provided. - each section is divided into Threat, Effect and Requirement ------------ Generic Threats to Routing Protocols draft-ietf-rpsec-routing-threats-04 - no trust model provided. - threat definition and different threat sources provided. ------------ DDP/RDMAP Security draft-ietf-rddp-security-01.txt - definition of Partial Trust Taxonomy given. - Attacks and Countermeasures provided. - resources and architecture defined ------------ PANA Threat Analysis and Security Requirements draft-ietf-pana-threats-eval-04.txt - trust relationships described but term trust not defined. - security requirements are attached to each threat ------------ Security Threats and Risks for OPES draft-ietf-opes-threats-03 - discusses threats - no trust, no requirements and no countermeasures. ------------ Mobility Support in IPv6 draft-ietf-mobileip-ipv6-24.txt - attached to the main protocol as part of the security consideration section - discusses threats and their countermeasures - very specific and was (as we all know) provided after the protocol was nearly finished. ------------ Security Framework for Provider Provisioned Virtual Private Networks draft-ietf-l3vpn-security-framework-00.txt - a trust model is not mentioned although a Security Reference Model is provided - discusses threats and Countermeasures - detailed security requirements (for user and for provider) ------------ Securing Block Storage Protocols over IP draft-ietf-ips-security-19.txt - describes security requirements and security protection in detail - security threats are briefly mentioned as part of the security requirements ------------ Threat Analysis of the Domain Name System draft-ietf-dnsext-dns-threats-06.txt - lists known threats against the dns directory. - threats are detailed since they are described on a known protocol ------------ Dynamic Host Configuration Protocol for IPv4 (DHCPv4) Threat Analysis draft-ietf-dhc-v4-threat-analysis-00 - threats are detailed since they are described on a known protocol - security Requirements are discussed. ------------ Security Threat for Content Internetworking draft-ietf-cdi-threat-00.txt - trust model included - threats distinguish between insider and outsider threats ------------ here is my conclusion from browsing through various security drafts: - only a few drafts describe a trust model - the term trust is almost never defined; if it is defined then there is a rather informal non-technical definition of it. - i could not find a place which made a difference between threats and attacks - some drafts are very specific about their threats (since they point to existing protocols; which are already in use for a long time) what can we learn for our work: - we started with our security efforts very early. this has some benefits but also some drawbacks: advantage: we start with security discussions quite early and considered various issues quite early disadvantage: since the focus of our work shifted a bit over the last few years it was difficult to keep the work synchronized. the security threats work is always something behind. we could possibly keep it ongoing until the last protocol is finished - the threats document address the nsis protocol suite. it is generic and cannot cover current activities in the qos nslp, nat/fw nslp and also in the ntlp. these document must provide some additional information about their threats and particuarly about the countermeasures. regarding some issues of these protocols the work is not finished (and hence it would be difficult to have all these issues covered in the threats document already). - it is hard to discuss trust models since they are highly application specific. therefore, they are included in the nat/fw nslp and in the qos nslp. the work there is still ongoing since they are not trivial. the ntlp does not make sense without the nslps (at least from the current gimps draft). hence it is useful to consider the relationship between the ntlp and the nslps together with respect to their trust model and their security properties. i know that the definition of trust raises long philosophical discussions. i have attended several projects which came across this issue. typically the outcome of these discussions is rather disappointing. hence, i would suggest that we do not work on our flavor of trust definition. - we decided not to include * security requirements (since they can be found in the security requirements document) * solution specific aspects (such as countermeasures) in the threats document the main intention with section 2 was to provide an overview of the security work in nsis, to provide some convient names for some communication pattern which are typical (intra-domain, inter-domain, etc.) and to provide the possible trust relationships in a high-level fashion (end-to-middle, middle-to-middle, etc.). it seems that people did not like this approach with regard to section 2. are there some proposals what we could do? i think we should do the following: - we should polish the individual threats (see other mails) - we should not include security requirements - we should not include solutions aspects - we should clearly point the main intention of the document and that additional information is found in the related documents - we should do something with section 2 (i hope to receive some comments) ciao hannes _______________________________________________ nsis mailing list nsis@ietf.org https://www1.ietf.org/mailman/listinfo/nsis
- [NSIS] Security Threats for NSIS : Relevant Commu… Tschofenig Hannes
- RE: [NSIS] Security Threats for NSIS : Relevant C… john.loughney