IETF Logo Mail Archive

[saag] RFC 3552bis Suggested Text/Structure

Michael StJohns <msj@nthpermutation.com> Tue, 29 November 2016 21:49 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0787C129544 for <saag@ietfa.amsl.com>; Tue, 29 Nov 2016 13:49:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nthpermutation-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gx5ZoW1IAPzM for <saag@ietfa.amsl.com>; Tue, 29 Nov 2016 13:48:56 -0800 (PST)
Received: from mail-qk0-x22a.google.com (mail-qk0-x22a.google.com [IPv6:2607:f8b0:400d:c09::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2AD10129C93 for <saag@ietf.org>; Tue, 29 Nov 2016 13:48:56 -0800 (PST)
Received: by mail-qk0-x22a.google.com with SMTP id x190so189971663qkb.0 for <saag@ietf.org>; Tue, 29 Nov 2016 13:48:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nthpermutation-com.20150623.gappssmtp.com; s=20150623; h=to:from:subject:message-id:date:user-agent:mime-version :content-transfer-encoding; bh=WhvcS/4X5GyCoznkZSQSouX5j7PywZdmdp6cPAKiFbM=; b=Or+58kB3hWCk0EOulxwI3nGolqAivzqKFmo94naylyHcARcy9jbvc2OEelwr9tdtdr d0lsWMWZobZbsoysZqVJ4yrWpDkX2/8ASNgiBnobYbVDsRWZmOo6/3Oxw0e6cLH22i/x ZzUrjyGYb5y/fx/Et7JoXJKRHrmi7KQCurE/SluR+U1OecwgPnPib6SsilKGg19dS7bB QdbFuVCe81wtDy+uqZACcm/S6+bRgwNmqMpBPfdipNwKwS1miMRiM1InFKp5AgiUFjW6 qs3Y/NAWw6hBzfI/hLvzIG0tqKI4NH5G+h8ayC/1xjbgpeZwP0yPiWodtyVcE5QDx5jX sZ7g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:to:from:subject:message-id:date:user-agent :mime-version:content-transfer-encoding; bh=WhvcS/4X5GyCoznkZSQSouX5j7PywZdmdp6cPAKiFbM=; b=F6S8qllf7qHGfa8Eh2cMUylpUNwWnDITOaclLHDDLDFLNy/AI/KxxWbzZoIQSmDX5j 2RxE7e2k5z0OoQfCzRMypQCqcTJkrs9Ksvl5OdSxrgJI2eSeDpG5bSuLKPPykPqSyClq rmsJR5qC0Xn+wN117qZd30ZPT2eYHWFu5LhjQ5o43X+BoJ4EbKIin8PIBi0nsd/CnFcG 2v++pp7qDz2Yq4E/4cu0SYuz6HV0k4sc1qPN/DP/B2yLpwTcB2fNVOvnSXBYTlVMITLj GR/BtvIMwU5u3dDTGN80VSGTfvJJBbnV0hCpqVoRrjKpTi2+mUk1M34Ep1hVE5Ticplc fPEA==
X-Gm-Message-State: AKaTC00kC0gGe7YfR0MsGWv15XNCsm4e/6jcAfv6Yzuju4BGPDWXKNiJ8xSYbKS9BD8iRg==
X-Received: by 10.55.123.133 with SMTP id w127mr25094308qkc.298.1480456132791; Tue, 29 Nov 2016 13:48:52 -0800 (PST)
Received: from [192.168.1.118] (c-69-140-116-172.hsd1.md.comcast.net. [69.140.116.172]) by smtp.gmail.com with ESMTPSA id n188sm31749675qkc.30.2016.11.29.13.48.51 for <saag@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 29 Nov 2016 13:48:51 -0800 (PST)
To: saag@ietf.org
From: Michael StJohns <msj@nthpermutation.com>
Message-ID: <4a303aa0-1a9a-7bee-f347-94477a7dfa1a@nthpermutation.com>
Date: Tue, 29 Nov 2016 16:48:59 -0500
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.5.0
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/NblTHCYQblaaaqSrpNHlHerxb7s>
Subject: [saag] RFC 3552bis Suggested Text/Structure
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Nov 2016 21:49:19 -0000

This is in response to Stephen's message of 18 October.

In addition to traditional security considerations sections which focus 
on threats *to* the protocol, it's becoming obvious (especially with IOT 
style devices becoming prevalent)  that we also need to be thinking 
about threats *from* the protocol to the IETF.  So here goes:


Outline:

- Threats to the Internet from protocol choices in this document

   -- Stateless Query Response protocols (e.g., UDP-based protocols)

       UDP based protocols such as ECHO and DNS have the potential to be 
used as Denial of Service amplifiers.....

   -- Data source protocols without adequate rate and congestion 
detection mechanisms

      Protocols where a client can trigger a server to send data without 
throttling  [based on network congestion or other useful techniques] 
have the potential to be used as DOS sources and amplifiers...

   -- Cyber-physical protocols without adequate authentication, 
authorization and confidentiality

       --- Confidentiality

            Sensor data without adequate protection including but not 
limited to environmental measurements and audio and video surveillance 
has both privacy and safety and health considerations.  There may also 
be implicit  real-world (i.e. marketable) value in the data being 
transmitted that needs to be protected.

       --- Authentication & Authorization

            Sensor data without adequate protection on closed-loop 
feedback systems (e.g., temperature measures used to control heating 
systems) can result in triggered real-world actions that may be have 
safety and health considerations.  Specifically, if sourced sensor data 
cannot be verified as authentic (originated by a trusted source, 
unchanged in transmission), making process decisions on such  data is 
problematic.

            Actuator control without adequate protection (e.g., 
decontamination lighting systems, security and locking systems, 
industrial control systems, etc) may have safety and health 
considerations and could result in injury or loss of life.  This is also 
tied to Authorization - the actuator needs both an identity and a 
privilege to be authenticated prior to actuation.

   -- IOT - general

       --- Quantity has a quality all of its own

       IOT systems have the potential to deploy one or more orders of 
magnitude of internet connected entities than current 
applications/services.  Does a protocol designed for use among cluster 
of 1K, 10K or 100K+ systems have sufficient protections to prevent 
wholesale attacks against the system (e.g. does compromise of one or a 
few devices compromise most or all of the devices?).

      Botnets are well understood at DDOS enablers.  Are there other  
new forms of attack coming with IOT scale Botnets?  Can threats from 
distributed intelligence based systems be mitigated against in protocol 
designs for IOT devices?  Are there approaches the backbone can use to 
mitigate?


    --- Near zero cost security

         IOT systems seem to have special sensitivity for any additional 
costs due to the desire to churn out very cheap devices.  Issues with 
software reuse (one bad stack in 30 different designs for example), 
software replacement (is a $5 device really designed for *real* 
management), and lack of a related human (contrast with routers, 
switches, servers, laptops etc which generally have a human that 
"manages" them vs an IOT device that might be thrown out of a plane or 
scattered in a city) have already crept in.  What mitigations can we 
supply that are both cheap and effective?  Are there protocol techniques 
that are especially applicable?  Do we try not to publish protocols 
which can't be made "secure enough"?

    --- Clocks, we don't need no stinking clocks

         IOT systems, related to many of the items above, may not have a 
good sense of real-time.  Do the security techniques propose adequately 
compensate for insecure or missing time?  For sensor systems, are 
anti-replay mechanisms sufficient for the system design goals?


     ___________________

The above is somewhat stream of consciousness - not all of these bullet 
points can be reduced to practice in a security requirements section, 
and there *will* be others that pop up. But this is at least a start for 
a new section for 3552Bis.


Mike

v2.43.4 | Report a Bug | By Email | System Status