Re: [saag] can an on-path attacker drop traffic?
Dan Harkins <dharkins@lounge.org> Thu, 01 October 2020 04:37 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/kN82-HApKlONM7qgrK3ZoV7uDaA>
List-Id: Security Area Advisory Group <saag.ietf.org>

So what is an "active attacker" then? When people talk about protocol security it is in the presence of a powerful attacker who can schedule protocol sessions, and also view, modify, drop, and replay packets that constitute the protocol. I always assumed a MITM was just an "active attacker" in this sense.

Seems we should be very careful when saying exactly what capabilities this "on path attacker" has if it's not the same as a MITM/"active attacker". And if these capabilities are a subset of the traditional "active attacker" then what is the point of making the distinction?

regards,

Dan.

On 9/2/20 12:33 PM, Nico Williams wrote:
> On Wed, Sep 02, 2020 at 12:27:52PM -0400, Michael Richardson wrote:
>> A firewall or router is a potential on-path attacker, but it can also drop packets.
>> What do we call this?
>> This was historically called a MITM, and it implied all the attributes of
>> on-path. But it is unclear to me if MITM > on-path, or MITM == on-path.
> To me on-path means physically or logically (e.g., after DNS spoofing or
> route take over) in the path.
>
> MITM is about being in the middle at some higher layer than IP. For
> example, in TLS, which you can do if you can subvert a CA trusted by the
> client.
>
> You can have an on-path (physically) attacker who nonetheless cannot
> successfully mount an MITM attack on TLS traffic it gets to see and even
> alter.
>
> Nico