Re: [saag] can an on-path attacker drop traffic?

Michael Richardson <mcr+ietf@sandelman.ca> Sun, 04 October 2020 20:31 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0409C3A0A1F for <saag@ietfa.amsl.com>; Sun, 4 Oct 2020 13:31:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aMhOM30VycgR for <saag@ietfa.amsl.com>; Sun, 4 Oct 2020 13:31:15 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BAC8B3A09EF for <saag@ietf.org>; Sun, 4 Oct 2020 13:31:15 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 57A25389B6 for <saag@ietf.org>; Sun, 4 Oct 2020 16:36:26 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id wSBcvB-aCdd2 for <saag@ietf.org>; Sun, 4 Oct 2020 16:36:25 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id C1189389B5 for <saag@ietf.org>; Sun, 4 Oct 2020 16:36:25 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id F13FE7E for <saag@ietf.org>; Sun, 4 Oct 2020 16:31:12 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: IETF SAAG <saag@ietf.org>
In-Reply-To: <6be61826-6467-ba49-c88e-c20e717a3b41@lounge.org>
References: <4645.1599064072@localhost> <6859c97d-3f0c-0361-5e72-5b82e93568f7@gont.com.ar> <CABcZeBNuBhu8KUoZJsY3VR8LzDa78_n53rRZ-5nMrpCbqh_6KQ@mail.gmail.com> <6be61826-6467-ba49-c88e-c20e717a3b41@lounge.org>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="==-=-="; micalg=pgp-sha512; protocol="application/pgp-signature"
Date: Sun, 04 Oct 2020 16:31:12 -0400
Message-ID: <14455.1601843472@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/qo9jKj3Kg6-6tf-87G93xcIy6NY>
Subject: Re: [saag] can an on-path attacker drop traffic?
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Oct 2020 20:31:24 -0000

Dan Harkins <dharkins@lounge.org> wrote:
    >> For capabilities, our basic assumption is what is often called a
    >> Dolev-Yao attacker, in which the attacker has complete control of the
    >> channel (this is what 3552 describes as the Internet Threat model
    >> [0]). However, it's also useful to try to consider more limited
    >> attackers such as those who can only read from the wire and those who
    >> cannot remove packets.

    >   Why? If we want to develop protocols that are secure in the presence
    > of a powerful attacker who has complete control of the medium what
    > value is there in considering a "more limited attacker"?

The utility of the terminology is that it makes it clear what kinds of
threats there are, and what mechanisms defend against which.

There are many cases where we can assume (as a result of a sound L2 protocol)
that there are no Dolev-Yao on-path attackers, but that there may be many
off-path attackers who can send traffic.

At the same time, the existence of nodes which may harbour malware, giving
them access to the L2-media, but not to make on-path attacks, makes
understanding what the layers of defense we might have.


--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide