Re: [saag] can an on-path attacker drop traffic?

Dan Harkins <dharkins@lounge.org> Thu, 01 October 2020 04:37 UTC

Date: Wed, 30 Sep 2020 21:37:31 -0700
From: Dan Harkins <dharkins@lounge.org>
In-reply-to: <20200902193300.GW3100@localhost>
To: saag@ietf.org
Message-id: <c43809c9-33fe-2bd8-a3b3-e0fc0d6792b8@lounge.org>
References: <4645.1599064072@localhost> <20200902193300.GW3100@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/kN82-HApKlONM7qgrK3ZoV7uDaA>
Subject: Re: [saag] can an on-path attacker drop traffic?

   So what is an "active attacker" then? When people talk about protocol
security it is in the presence of a powerful attacker who can schedule
protocol sessions, and also view, modify, drop, and replay packets that
constitute the protocol. I always assumed a MITM was just an "active
attacker" in this sense.

   Seems we should be very careful when saying exactly what capabilities
this "on path attacker" has if it's not the same as a MITM/"active
attacker". And if these capabilities are a subset of the traditional
"active attacker" then what is the point of making the distinction?

   regards,

   Dan.

On 9/2/20 12:33 PM, Nico Williams wrote:
> On Wed, Sep 02, 2020 at 12:27:52PM -0400, Michael Richardson wrote:
>> A firewall or router is a potential on-path attacker, but it can also drop packets.
>> What do we call this?
>> This was historically called a MITM, and it implied all the attributes of
>> on-path.  But it is unclear to me if MITM > on-path, or MITM == on-path.
> To me on-path means physically or logically (e.g., after DNS spoofing or
> route take over) in the path.
>
> MITM is about being in the middle at some higher layer than IP.  For
> example, in TLS, which you can do if you can subvert a CA trusted by the
> client.
>
> You can have an on-path (physically) attacker who nonetheless cannot
> successfully mount an MITM attack on TLS traffic it gets to see and even
> alter.
>
> Nico
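The capability split the thread is circling (view, modify, drop, replay, and whether being on-path alone lets an attacker defeat a protected channel) can be made concrete with a small model. The code below is an added example written for this archive page; it is not code from any participant in the thread, from the IETF, or from any TLS implementation. It assumes two endpoints sharing keys for a toy authenticated channel: HMAC-SHA256 over the sequence number and ciphertext for integrity and replay protection, and HMAC in counter mode as a stand-in keystream for confidentiality. Both constructions, the key values and the messages are constructed for the example; the toy cipher is not a real AEAD or a real TLS record layer. Each attacker capability from the discussion is then exercised against the channel.

```python
"""Toy model of an on-path attacker's capabilities (view, modify, drop,
replay) against an integrity-protected channel. Added example; the
channel construction and all keys/messages are constructed here."""

import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed keys for the example (a real protocol derives these from a handshake).
ENC_KEY = hashlib.sha256(b"constructed-enc-key").digest()
MAC_KEY = hashlib.sha256(b"constructed-mac-key").digest()


@dataclass(frozen=True)
class Record:
    seq: int
    ciphertext: bytes
    tag: bytes


def _keystream(key: bytes, seq: int, length: int) -> bytes:
    # Toy keystream: HMAC-SHA256 in counter mode keyed by the record's sequence number.
    out, counter = b"", 0
    while len(out) < length:
        block = seq.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _tag(seq: int, ciphertext: bytes) -> bytes:
    # The tag binds the sequence number, so a replayed or reordered record is detectable.
    return hmac.new(MAC_KEY, seq.to_bytes(8, "big") + ciphertext, hashlib.sha256).digest()


class Sender:
    def __init__(self) -> None:
        self.seq = 0

    def send(self, plaintext: bytes) -> Record:
        seq, self.seq = self.seq, self.seq + 1
        ct = _xor(plaintext, _keystream(ENC_KEY, seq, len(plaintext)))
        return Record(seq, ct, _tag(seq, ct))


class Receiver:
    def __init__(self) -> None:
        self.expected_seq = 0

    def receive(self, rec: Record) -> Tuple[str, Optional[bytes]]:
        # Integrity check first: anything the sender did not produce is rejected.
        if not hmac.compare_digest(_tag(rec.seq, rec.ciphertext), rec.tag):
            return ("rejected: bad tag", None)
        # Replay check: a sequence number we have already passed is rejected.
        if rec.seq < self.expected_seq:
            return ("rejected: replay", None)
        # A gap means records were dropped on the path: detectable, not recoverable.
        if rec.seq > self.expected_seq:
            status = f"accepted after gap of {rec.seq - self.expected_seq}"
        else:
            status = "accepted"
        self.expected_seq = rec.seq + 1
        pt = _xor(rec.ciphertext, _keystream(ENC_KEY, rec.seq, len(rec.ciphertext)))
        return (status, pt)


def run_scenarios() -> dict:
    """Exercise each on-path capability and report the receiver's verdict."""
    sender, receiver = Sender(), Receiver()
    results = {}
    # View: the attacker sees the record but only as ciphertext.
    r0 = sender.send(b"first")
    results["view"] = r0.ciphertext != b"first"
    results["deliver"] = receiver.receive(r0)
    # Modify: flip one ciphertext bit; the tag no longer verifies.
    r1 = sender.send(b"second")
    tampered = Record(r1.seq, bytes([r1.ciphertext[0] ^ 1]) + r1.ciphertext[1:], r1.tag)
    results["modify"] = receiver.receive(tampered)
    results["original_after_modify"] = receiver.receive(r1)
    # Replay: resend a record the receiver already accepted.
    results["replay"] = receiver.receive(r1)
    # Drop: r2 is never delivered; r3 arrives with a sequence gap.
    sender.send(b"third")
    r3 = sender.send(b"fourth")
    results["drop"] = receiver.receive(r3)
    return results


if __name__ == "__main__":
    for capability, verdict in run_scenarios().items():
        print(f"{capability:>22}: {verdict}")
```

Run as a script and the verdicts line up with the distinction Nico draws: viewing yields ciphertext only, modification and replay are rejected by the receiver, and dropping is the one capability that integrity protection cannot prevent, only expose as a sequence gap. An attacker that is merely on the path therefore gets to see and alter traffic without that amounting to a successful MITM of the protected channel; becoming the endpoint requires the keys, which in the TLS case means subverting the authentication (a trusted CA) rather than the path.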