Re: [Sat] WG Last Call for comments: draft-ietf-satp-architecture-02
VENKATRAMAN RAMAKRISHNA <vramakr2@in.ibm.com> Thu, 28 March 2024 14:31 UTC
Return-Path: <vramakr2@in.ibm.com>
X-Original-To: sat@ietfa.amsl.com
Delivered-To: sat@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 97F6DC15153F for <sat@ietfa.amsl.com>; Thu, 28 Mar 2024 07:31:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.892
X-Spam-Level:
X-Spam-Status: No, score=-1.892 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, TRACKER_ID=0.1, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ibm.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p-qo7yUD9b0P for <sat@ietfa.amsl.com>; Thu, 28 Mar 2024 07:31:34 -0700 (PDT)
Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EAD86C14CE2B for <sat@ietf.org>; Thu, 28 Mar 2024 07:31:34 -0700 (PDT)
Received: from pps.filterd (m0356517.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 42SEIVdh014159; Thu, 28 Mar 2024 14:31:34 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=from : to : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=pp1; bh=jJ8p4NaDA5dXZtHlgt+7EYPwyp9X8umbRjutL8Vbem0=; b=B6TUpSc6ci+DE1X2Q7qNiL5klZyls4nyE7iMC/Gk40hBE4WHYtwVrybBVVtheVWdddHx dLdl82Uc44pLUrOLYGgi1Fj0M3mHZ0C/+4s3f/qox6xRHLXeskfoRG/2OiARrzODV6m3 x/ecWvShCLfZy4ObidDe1W4Tm5IjElA64JZtHwnPkv/8hEiENnvx+KV4s4Z40gAMCe6a 5x+KvYPbVwOKFYzjOD0J7KHHKH4nhR4oO1nKLzqjCoTjb3FPKFFX+QhDF8UqDSNKjjkP 27RQJDfQwWythDelrCGbjNoNSCYsckrMPeq04peXKlkH8EYqxD97nQ815qGeccZJJOkK DQ==
Received: from pps.reinject (localhost [127.0.0.1]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 3x5a6681s6-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 28 Mar 2024 14:31:33 +0000
Received: from m0356517.ppops.net (m0356517.ppops.net [127.0.0.1]) by pps.reinject (8.17.1.5/8.17.1.5) with ESMTP id 42SEVXEO005414; Thu, 28 Mar 2024 14:31:33 GMT
Received: from nam12-bn8-obe.outbound.protection.outlook.com (mail-bn8nam12lp2168.outbound.protection.outlook.com [104.47.55.168]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 3x5a6681s4-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 28 Mar 2024 14:31:33 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=QmwFAtUhSNg5c4/5J+6Hk/iSjCPAP0ELasjO2QxEp1q1FtqzJ3JQOxpwxlc1//EJR6VmNse61Z3a3t9y9ZxKvdpEME5WqpsnnnxQqh+d119MBueEhP3KS0EhPIAa4L1XeB5iMd0iO8em1YnJxTik/WP/b616IxcXbynFHwh6qJBQxHvz7FkwI2sjKqLWSmng3C5G+YI8YqeOjCk2t47rfDIp/kSmCBBvo8mIJ5hvMVU9HhJml+JBN90G3qfS3tgdzTOdnKL5waUkDxD6TSyVpvn4IbHVZosfvmZ2LSvJLsvNaCfY3GPbwHXDnBBkWb8KVdjBijdIKSFqaPzM07omHw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=f0sRTqzB8cJSrehwtA8QtYtlPr5V/UMw0cP9+E9cNgA=; b=ZW73ZUsK4ozy/C84AVotocjv7XQwTXcj9u/bD9B9h+bibpLG4rjFCLHwRol0iS6HiffVzT85oNOx4tLkZZxB9cnx5oSsg+ix7LBkJ6RBS9xrkuUhL3LCzaHmOGr66VBuYYbryYr26vtKEkqxx1B7y+/stMNgx1EKgwd0PliJwmkA6QzE+snq6YRHf4D/vTelx/5t/dAYDQcF9MLwReIolYjq5ulXXWBZYqwco5kKWEtRmBY7b9jw9WhK3D0yJ7chkK9lOXrQZJ+8aKjCY9x98/BuhZ6IHZVch0XTipJctjTOAm4OVimreEcuxzOUjKXj74mrXFluX3gaf3ujGK+Sag==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=in.ibm.com; dmarc=pass action=none header.from=in.ibm.com; dkim=pass header.d=in.ibm.com; arc=none
Received: from SJ0PR15MB5132.namprd15.prod.outlook.com (2603:10b6:a03:425::13) by MN6PR15MB6002.namprd15.prod.outlook.com (2603:10b6:208:475::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7409.33; Thu, 28 Mar 2024 14:31:29 +0000
Received: from SJ0PR15MB5132.namprd15.prod.outlook.com ([fe80::22d7:203d:ce69:9c90]) by SJ0PR15MB5132.namprd15.prod.outlook.com ([fe80::22d7:203d:ce69:9c90%5]) with mapi id 15.20.7409.026; Thu, 28 Mar 2024 14:31:29 +0000
From: VENKATRAMAN RAMAKRISHNA <vramakr2@in.ibm.com>
To: Thomas Hardjono <hardjono@mit.edu>, "ladler2@bellatlantic.net" <ladler2@bellatlantic.net>, "sat@ietf.org" <sat@ietf.org>
Thread-Topic: [Sat] WG Last Call for comments: draft-ietf-satp-architecture-02
Thread-Index: AQHadgoiR7DsejFR+02jfKvmwI78mrFNQ7MA
Date: Thu, 28 Mar 2024 14:31:29 +0000
Message-ID: <SJ0PR15MB5132EDBB434888E483E00DEDB83B2@SJ0PR15MB5132.namprd15.prod.outlook.com>
References: <yblbk7nh517.fsf@wx.hardakers.net> <017d01da7498$6c7d8f70$4578ae50$@bellatlantic.net> <SJ0PR15MB513247E0DC4DBCC3EA3AB0DAB82B2@SJ0PR15MB5132.namprd15.prod.outlook.com> <DM6PR01MB439526AD9219E9F0D2806936CB2B2@DM6PR01MB4395.prod.exchangelabs.com> <SJ0PR15MB513284153249CD8875399553B82B2@SJ0PR15MB5132.namprd15.prod.outlook.com> <DM6PR01MB43950A5955A657343A6D4FF9CB2B2@DM6PR01MB4395.prod.exchangelabs.com> <009201da7574$d016eb30$7044c190$@bellatlantic.net> <DM6PR01MB4395A94A70B965BF62C4E3CDCB292@DM6PR01MB4395.prod.exchangelabs.com>
In-Reply-To: <DM6PR01MB4395A94A70B965BF62C4E3CDCB292@DM6PR01MB4395.prod.exchangelabs.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: SJ0PR15MB5132:EE_|MN6PR15MB6002:EE_
x-ms-office365-filtering-correlation-id: ac796545-1afe-4d7d-c195-08dc4f33c1e6
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: bamhFyQOnDEJ1oOeQElH5KAhN1LOCKhXOybOrh4r4MgKibwSMWA+tfeh3bnKsnmGdO+r0KfFb4kjWGO0Mn/DyDnnBS+fIF4kHGtOvPOdc8PVOl/N3tUe6beIwxNablV8j7G27y1z+hc1krDTK1bsjNbHxjtZX6bDiuCr/GGIHU5soMnuIZfTkJLYLfJiCc37f9QB7loPkRKSeEZAuzZ1qScu66WJazQndQn0C8a4HlY/a3mChmb0fOP5fZnG+QikHCNQNd3GfYh9ALTMpJqpSp9j2PQFh7qvpNQqtHU8IhMAuqA0GbP5sV4PFsu3nMDaaRGh3ecXoM5/qOyPC0hJ+Kz7NN78OvGEho0i7sWsdLrdAfVzWpoClwyJzQ2cSl2WF6KciFXv+luCT2jz/0MQLVt3hhMQviyNmUgEdOj4RsIA0lQWJ0oU5vfY58fdeHN3YighjrX9T2mJwh18n6NxMGQnfiQmHDlvFCp7fcPyGhatCbYZCYxgPouHoBk8LIooB21FEvNmgq4D4IYOz4t1FbjoKiqe/IINf/ZfspNKm6oNBrGGdpBh4Xkj2ojIly/oUzw20hzdhNV4hnhvMwxa5IRpgPpHv86269O9vI/Y/v2z9L8Bp/5W2/LiTlL2FK8+9yIVOFfM5WMBXOWtieQI/6E5XEcTS6R7+BKJNSVDPYE=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:SJ0PR15MB5132.namprd15.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(1800799015)(376005)(366007)(38070700009); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: WAz9EPjcFoh7bepz3BvlPRCdU70cXzpBuf3E0hhpdhNQyaDa9TJZ1UUzdpTZNkp2IdAMYWMvm6FApthSVchrs0NlFmmploMRq+yzgJBJWlVIVo2VsIx1aZ3W+N3eDx8J1Xevyq3LiC5OdOeGwB1cdwK3xfQVK0RPfLE7oTuHLrQ0CbDTCOiBFSRi0WkXOb8MJWLA9l6HVlPuB5/5COsOvXXw9ZHrvys8ddYki/U0htFpEmgZuRcd1ZU2jN7I1cMs8p78mJnMUQSk+qIT/7tZnRmfW+RHSePjUS4soFHc4qcf813VStdyeGFTXEKTiI+bTWKfMNnNMmP7gmj0xp7cUdpUeUAd/FAnltATqsMeDkTda8i6EVSi3bM0+f3XcZwvWN8nFUfNLGP3ATtKDVUuZTW1laXTpyyM1VTXkraWeSrFsw+zP6Coo91nJqMI2tOA45L8p2vQiOCmNKtHyCLb3acSmrsi7tlqn2ung7yIWnQXogn9zcfRn8AmUX0eLcKAWGEjsX/lmuPuSzj+pYrB3y2tHMNZ47FOBT9zRDepBPVBPjAizbXvT8D9ip70UnCVYcuHtkHDCFnGWb5abV5B2dERDMw/ZCmvcuYnhpCXLtnt3/JqFvhqDxRw47Zr+mvfI/l8mlVNn4T7j7FsqqZWSuATGCPhX9ZLjetQE9RHt2pWMhwVAwUzGhL2SL6W7JehdKOhdME04ry8Vupp0OpkUJV8vaChj0I05+r6hmLqTS+2PGMFpyTozXJMfCJ8xpirkijeEadSfS0RTA9R1sgQQAuWJuk40/OMq9E4eXGebg1qP+2Egmdwj/69MIkFWC8joxFWqPnIRjPCopG3/ce+tH7WE6+T2xOCwTTBCr/3i5RlP7bwtINas6k19oxF00H+0feX6vk8YndxgccGKrMUGUVwJNxrKLCFs+qQKRiUW802a2BsilBSyb7cP+HXFnPCC6Vk4bmwu4BhUBMZijmG9h/X6ouxAPQAh9jmYaxk2fMpfRmemrb1YJE5cKlRNoEzaB7EIPQ6ZfAhhOV5DzlyX+WP4/rRtcK+aa0NtcYTXgZLu2dR/91uxOMWLxXvNmkr5EeaVhi+wGKHDZn3vJnR0Puj4GVdhLXS0pd2YnRWJKVE2JYKrhy2ilfkUXawDg2uSlKAe1AQ8oHe9D08hMtoZNCfh594MeodXTMz9AVqEwhGFGeYX4xpOO4l+fK4Bwjnn61NXOeLEEzz3JXLiAL2rrPaeOW0CCyog7oLiVXlksEdVSopXzwhJCOIxjZq35irBbr+EwAi4gq1Hz1iKH7egKlRfZfomKCZLYdGCspLIBfzbWoZh9XqOo22PVaikMjun5VHGgdH+4q9tg90HGpA64iJf9KmD69vVnq81IwrCU/zybdp77x2lkfQcMldeMh5WQyKaKjebrIKEDgeIH4eHCpte342DqFBRYULsvI3l4XNbTg3C9DZ5aN+KLofhIaQAJnVsRHH9wKpGKasaBRGaGSr9RMKNHoMYNLVcihGUi1uDj15kzUeJX1SacT5QNyIoAA/71Q7y1TUj4Q5621nSudhcfiEnDDq6PO33YuvAYQ=
Content-Type: multipart/alternative; boundary="_000_SJ0PR15MB5132EDBB434888E483E00DEDB83B2SJ0PR15MB5132namp_"
X-OriginatorOrg: in.ibm.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SJ0PR15MB5132.namprd15.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: ac796545-1afe-4d7d-c195-08dc4f33c1e6
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 Mar 2024 14:31:29.4282 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: fcf67057-50c9-4ad4-98f3-ffca64add9e9
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: c/pH3QisyoS4ivvRZyW0ttkTm4Z11FkUR9lcXtLeqltgzKtHDJS0XlezPMIXm0lv9sPUti0k85QjhSce2+KfDg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN6PR15MB6002
X-Proofpoint-GUID: 681K2v-S0rJImTzYod5iWi-promEJ5YT
X-Proofpoint-ORIG-GUID: zmarANVZA2ltnwSsfCq41hnxWlC2ZWid
X-Proofpoint-UnRewURL: 8 URL's were un-rewritten
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.1011,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2024-03-28_14,2024-03-27_01,2023-05-22_02
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 bulkscore=0 suspectscore=0 mlxlogscore=999 mlxscore=0 lowpriorityscore=0 malwarescore=0 phishscore=0 adultscore=0 spamscore=0 impostorscore=0 priorityscore=1501 clxscore=1015 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2403210000 definitions=main-2403280099
Archived-At: <https://mailarchive.ietf.org/arch/msg/sat/qT73iOHTyuI4eP0GyXBN2AVywYI>
Subject: Re: [Sat] WG Last Call for comments: draft-ietf-satp-architecture-02
X-BeenThere: sat@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "The purpose of this mailing-list is to discuss the secure asset transfer \(SAT\) protocol and related aspects." <sat.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sat>, <mailto:sat-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sat/>
List-Post: <mailto:sat@ietf.org>
List-Help: <mailto:sat-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sat>, <mailto:sat-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Mar 2024 14:31:38 -0000
Thomas, I’m reviewing your earlier proposal quite late, but I hope my comments are still useful. The security analysis looks good to me. Perhaps you can state explicitly that confidentiality challenges can be overcome using preexisting standards like TLS, but that integrity and denial-of-service (and resource waste) challenges do arise when either gateway is not compliant with the protocol. We can perhaps categorize the specific vectors of integrity and DoS threats: * G1 allowing G2 to mint an asset without extinguishing its own asset is an integrity violation. You point how this happens in (c). * G1 allowing G2 to reverse a mint decision after processing an allocation (i.e., a rollback) is a DoS attack. You point out how this happens in (a). * G2 forcing a rollback at G1 after making it freeze (lock) an asset is a DoS attack. You point out how this happens in (b). In (b), I’d add how G2 may purposefully fail to send a Lock-Assertion-Receipt (2.4), thereby forcing G1 to trigger an unlock. As a suggestion, or a recommendation, we can say that there exist recovery and failover mechanisms (defined in https://datatracker.ietf.org/doc/draft-belchior-satp-gateway-recovery/) whereby the existence of multiple redundant gateways could mitigate a single gateway’s malicious behavior. If either G1 or G2 fail to comply with the protocol as per your list, backup gateways may, by observing a shared log, resurrect the protocol instance. What do you think? General question: given that this is an architecture document, does this content belong in an appendix or in the main body? Also, considering David’s question about cross-network queries, we can mention that such a feature is desirable though not in scope for the SATP-Core spec, which is concerned purely with an asset transfer session and not with post hoc audit and dispute resolution (a Stage 4, if you will). Rama From: sat <sat-bounces@ietf.org> On Behalf Of Thomas Hardjono Sent: Thursday, March 14, 2024 5:51 PM To: ladler2@bellatlantic.net; sat@ietf.org; Thomas Hardjono <hardjono@mit.edu> Subject: [EXTERNAL] Re: [Sat] WG Last Call for comments: draft-ietf-satp-architecture-02 Thanks David, These are great inputs. >>> I think the appendix Thomas has suggested below belongs >>> in a threat model document. >>> I don’t think RFC 5246 (TLS 1. 2) is a good model. >>> TLS is essentially ZjQcmQRYFpfptBannerStart This Message Is From an External Sender This message came from outside your organization. Report Suspicious <https://us-phishalarm-ewt.proofpoint.com/EWT/v1/PjiDSg!1m-vTR6zRvmalYv7WOBlIPq3Vz5GZm47h6JUwaumghV9F4miATUp9FhNmbWrsTzTrAlw1-EOFzHBQQHDpba7pwWzF0rziH-3LB_yYkYpVJf4liIIPQLYEydsJwMaaCviH2i5NA$> ZjQcmQRYFpfptBannerEnd Thanks David, These are great inputs. >>> I think the appendix Thomas has suggested below belongs >>> in a threat model document. >>> I don’t think RFC 5246 (TLS 1.2) is a good model. >>> TLS is essentially a transport protocol not >>> an application protocol. I definitely agree we will need these facilities to make the gateway useful. I think in the past couple of years the group has discussed the need for these gateway-related facilities (services). However, right now we are constrained by the scope of the Charter which limits us to focus on the transfer flows (burn-mint) with ACID properties. Many things need to occur in Stage-0, which is out of scope currently. If/when we expand the Charter, we should include a threats model document IMHO. >>> Is a query facility necessary for one gateway to verify >>> that the other gateway has really performed critical functions? >>> Example: Did Gateway 1 really extinguish the asset >>> when it was supposed to? I believe this this is the facility that Rama is developing in the Views draft. In fact, this question (did the burn occur) should be answerable by any gateway fronting a network NW1 (even if that gateway was not originally involved in the transfer). >>> Is a facility needed so that each Gateway can do its own authentication >>> of the user signed on to the other Gateway? This is part of Stage-0. In practice, gateways would need to call APIs of external identity service providers (IdP) to validate the identity of the user and the attributes of the users (e.g., are the users on the OFAC Sanctions list). This could be another new draft about how a Gateway could interact with an Identity Registry/Issuer (ala W3C Verified Credentials data model). Best --thomas From: sat <sat-bounces@ietf.org<mailto:sat-bounces@ietf.org>> on behalf of ladler2@bellatlantic.net<mailto:ladler2@bellatlantic.net> <ladler2@bellatlantic.net<mailto:ladler2@bellatlantic.net>> Date: Wednesday, March 13, 2024 at 2:32 PM To: sat@ietf.org<mailto:sat@ietf.org> <sat@ietf.org<mailto:sat@ietf.org>> Subject: Re: [Sat] WG Last Call for comments: draft-ietf-satp-architecture-02 Hi: I think the appendix Thomas has suggested below belongs in a threat model document. I don’t think RFC 5246 (TLS 1.2) is a good model. TLS is essentially a transport protocol not an application protocol. I think the architecture document should contain additional systems features such as: 1. Is a query facility necessary for one gateway to verify that the other gateway has really performed critical functions? Example: Did Gateway 1 really extinguish the asset when it was supposed to? 1. Is a facility needed so that each Gateway can do its own authentication of the user signed on to the other Gateway? I am sure there are other facilities necessary to provide security to this process. David Millman From: sat <sat-bounces@ietf.org<mailto:sat-bounces@ietf.org>> On Behalf Of Thomas Hardjono Sent: Tuesday, March 12, 2024 5:32 PM To: VENKATRAMAN RAMAKRISHNA <vramakr2@in.ibm.com<mailto:vramakr2@in.ibm.com>>; ladler2@bellatlantic.net<mailto:ladler2@bellatlantic.net>; sat@ietf.org<mailto:sat@ietf.org>; Thomas Hardjono <hardjono@mit.edu<mailto:hardjono@mit.edu>> Subject: Re: [Sat] WG Last Call for comments: draft-ietf-satp-architecture-02 Folks, How’s about this text for an Appendix in the SATP-Architecture. I’m thinking we should make each paragraph short, kind of like Appendix F in RFC5246. Please feel free to suggest additional bullet points on attack points in the SATP protocol run. --- --- --- --- Appendix A: Security Analysis The SAT protocol utilizes a TLS1.2 (TLS1.3) secure channel that must be establishes between the sender gateway (G1) and the receiver gateway (G2). The two gateways must first establish this secure channel in Stage-0 before they can proceed to execute the SAT protocol. This includes both gateways verifying all the relevant parameters required for their TLS1.2 session (e.g. correct TLS endpoints, certificate validation, identity validation, etc.). Assuming the two gateways have established the secure channel and have proceeded to commence the SAT protocol, there are a number of possible attacks points within the SAT protocol run that may occur if one (or both) of the gateways are dishonest. Alternatively, an attacker may target one (or both) gateways by disrupting the message exchange between gateways G1 and G2. (a) Multiple intentional aborts by the sender gateway G1: A dishonest sender gateway G1 may purposely fail to continue the protocol run at certain crucial points. One such crucial point is in Stage-3, where the gateway G1 is expected to transmit the Commit-Final Assertion message (3.5). If the gateway G1 intentionally fails to transmit this message, gateway G2 may conclude that the message has been lost and may proceed to reverse the temporary hold it has previously created (temporary asset mint in message 3.2). Although this dishonest behavior by G1 does not cause asset damage to G2, it may exhaust computing resources at gateway G2. If network NW2 incurs transaction fees, such a reversal may be costly for gateway G2. (b) Multiple intentional aborts by the receiver gateway G2: In a similar manner, a receiver gateway G2 may also purposely fail to continue the protocol run at certain crucial points. One such point is in the Commit-Ready message (3.3) that it should transmit to G1 after receiving the commit prepare message (3.1) from G1. In this case, gateway G1 may conclude that the message is lost and simply abort the protocol run. (c) Failure to transmit ACK-Final Receipt: Another possible point of attack by a dishonest gateway G2 may occur by the gateway intentionally failing to transmit the ACK-Final-Receipt (3.7) in response to a the Commit-Final Assertion message (3.5) from gateway G1. Here, the senser gateway G1 may conclude that the message is lost and will assume that the transaction has reach finality in network NW2. The sender gateway G1 has retained the previous Lock-Assertion Receipt (2.4) in Stage-2 that was signed by G2, indicating that the gateway G2 has accepted the responsibility of ensuring that the asset-assignment (3.6) by G2 will be correctly executed. Failure by G2 to complete this task becomes a financial and legal liability for the owner of gateway G2. (d) Other? --- --- --- --- --thomas From: VENKATRAMAN RAMAKRISHNA <vramakr2@in.ibm.com<mailto:vramakr2@in.ibm.com>> Date: Tuesday, March 12, 2024 at 2:59 PM To: Thomas Hardjono <hardjono@mit.edu<mailto:hardjono@mit.edu>>, ladler2@bellatlantic.net<mailto:ladler2@bellatlantic.net> <ladler2@bellatlantic.net<mailto:ladler2@bellatlantic.net>>, sat@ietf.org<mailto:sat@ietf.org> <sat@ietf.org<mailto:sat@ietf.org>> Subject: RE: [Sat] WG Last Call for comments: draft-ietf-satp-architecture-02 FYI, we did discuss security threats a couple of months ago on this mailing list: https://mailarchive.ietf.org/arch/msg/sat/CPTQfYeEH0acV_5ryeBdCEPAD0c/<https://mailarchive.ietf.org/arch/msg/sat/CPTQfYeEH0acV_5ryeBdCEPAD0c/>. The outcome was that “12. Threat Model Considerations” was added to the architecture draft. Rama From: Thomas Hardjono <hardjono@mit.edu<mailto:hardjono@mit.edu>> Sent: Wednesday, March 13, 2024 12:13 AM To: VENKATRAMAN RAMAKRISHNA <vramakr2@in.ibm.com<mailto:vramakr2@in.ibm.com>>; ladler2@bellatlantic.net<mailto:ladler2@bellatlantic.net>; sat@ietf.org<mailto:sat@ietf.org> Cc: Thomas Hardjono <hardjono@mit.edu<mailto:hardjono@mit.edu>> Subject: [EXTERNAL] Re: [Sat] WG Last Call for comments: draft-ietf-satp-architecture-02 Thanks David and Rama, One useful analogy at the protocol level is to compare the function/purpose of the SATP protocol with the function/purpose TLS1. 2 protocol (RFC5246). The TLS1. 2 spec defines the behavior of the client/server to establish ZjQcmQRYFpfptBannerStart This Message Is From an External Sender This message came from outside your organization. Report Suspicious <https://us-phishalarm-ewt.proofpoint.com/EWT/v1/AdhS1Rd-!-HFV_fb-Xk972ls5DoWgMWW79oH20YfNH8hjCg3JlqiuFsXT2NITBT7QRPylcK8cqNSq3CDVQ6pUL0xR8KH4JB2dmkL9SjtYZgBubMWLl0x9qJWTlFfUIpU1ph2Fp4CrUIPjIw$> ZjQcmQRYFpfptBannerEnd Thanks David and Rama, One useful analogy at the protocol level is to compare the function/purpose of the SATP protocol with the function/purpose TLS1.2 protocol (RFC5246). The TLS1.2 spec defines the behavior of the client/server to establish keys amd secure session etc., but the RFC does not say _how_ to implement a TLS Server. The server could be a standalone box, a microservice in a private cloud, or on a public cloud. In each of these cases, the actual implementation quality and attack-resistance will vary. Similarly, the SATP-Architecture and SATP-Core defines the behavior of gateways (which we call Client/Server in SATP-Core). It does not say how to implement a Gateway in a relatively attack-resistant manner. A useful part of RFC5246 is its Appendix F (Security Analysis), which discusses some of the possible attacks and some strategies to counter them. Even there, the Appendix does not explain how to implement against these attacks. Perhaps SATP-Architecture (or SATP-Core) could be improved by adding an Appendix discussing the Security Threats. What do folks think? Best --thomas From: sat <sat-bounces@ietf.org<mailto:sat-bounces@ietf.org>> on behalf of VENKATRAMAN RAMAKRISHNA <vramakr2@in.ibm.com<mailto:vramakr2@in.ibm.com>> Date: Tuesday, March 12, 2024 at 1:33 PM To: ladler2@bellatlantic.net<mailto:ladler2@bellatlantic.net> <ladler2@bellatlantic.net<mailto:ladler2@bellatlantic.net>>, sat@ietf.org<mailto:sat@ietf.org> <sat@ietf.org<mailto:sat@ietf.org>> Subject: Re: [Sat] WG Last Call for comments: draft-ietf-satp-architecture-02 David, In my opinion, SATP doesn't require "everybody" to be honest, but just requires that each counterparty network be "collectively honest", i.e., maintain internal consistency and have the capacity to thwart insider Byzantine failures. Further, if a gateway acts dishonestly, "honest" counterparty networks will be able to find out through an audit (which is not as satisfactory as a prevention, but it may be the best we can get in a completely decentralized setting.) Your point about SATP coming under intense threat (and scrutiny, if it handles large-valued assets) is very well taken though. We do need to make the security assumptions and caveats crystal clear. IMO the design principle of network opacity as mentioned in Section 3.1 covers the point about collective network honesty as it tells users that, from SATP's perspective, the network is a unitary entity that has delegated asset transfer privileges to a gateway. Rama -----Original Message----- From: sat <sat-bounces@ietf.org<mailto:sat-bounces@ietf.org>> On Behalf Of ladler2@bellatlantic.net<mailto:ladler2@bellatlantic.net> Sent: Tuesday, March 12, 2024 9:45 PM To: sat@ietf.org<mailto:sat@ietf.org> Subject: [EXTERNAL] Re: [Sat] WG Last Call for comments: draft-ietf-satp-architecture-02 Hi: I have a problem with the architecture document because it contains only small sections related to security. The SAT process will come under intense threat from external theft and internal fraud. The architecture document focuses on a clean asset exchange where everyone is honest and uses well tested software. I am not an expert on blockchain or related technologies so the experts in the WG should add to the architecture document the features necessary to deal with the threats. Question: Do we want to revisit the architecture document when the threats to the SAT process are enumerated? David Millman -----Original Message----- From: sat <sat-bounces@ietf.org<mailto:sat-bounces@ietf.org>> On Behalf Of Wes Hardaker Sent: Saturday, March 9, 2024 9:08 AM To: sat@ietf.org<mailto:sat@ietf.org> Subject: [Sat] WG Last Call for comments: draft-ietf-satp-architecture-02 Greetings all, The authors have requested that draft-ietf-satp-architecture-02 be placed into WG last call and after a review by the chairs we agree it's ready to progress forward. I have some personal comments that I'll submit during last call, but nothing substantive or process-problematic that should hold up it progressing. Thus, we have changed the document's status to being in WG LC and have set a deadline of 4 weeks from now. Thus, WG LC will end on April 6th, AOE (anywhere on earth). We encourage all participants of the WG to read the document, suggest any changes you feel are needed from simple editorial suggestions to calling out major issues you find with the document. WG participants should also express their opinions about whether or not the document is ready to progress and you support it's publication. All comments should be sent to the mailing list. -- Wes Hardaker USC/ISI -- sat mailing list sat@ietf.org<mailto:sat@ietf.org> https://www.ietf.org/mailman/listinfo/sat<https://www.ietf.org/mailman/listinfo/sat> -- sat mailing list sat@ietf.org<mailto:sat@ietf.org> https://www.ietf.org/mailman/listinfo/sat<https://www.ietf.org/mailman/listinfo/sat> -- sat mailing list sat@ietf.org<mailto:sat@ietf.org> https://www.ietf.org/mailman/listinfo/sat<https://www.ietf.org/mailman/listinfo/sat>
- [Sat] WG Last Call for comments: draft-ietf-satp-… Wes Hardaker
- Re: [Sat] WG Last Call for comments: draft-ietf-s… ladler2
- Re: [Sat] WG Last Call for comments: draft-ietf-s… VENKATRAMAN RAMAKRISHNA
- Re: [Sat] WG Last Call for comments: draft-ietf-s… Thomas Hardjono
- Re: [Sat] WG Last Call for comments: draft-ietf-s… Rafael Belchior
- Re: [Sat] WG Last Call for comments: draft-ietf-s… VENKATRAMAN RAMAKRISHNA
- Re: [Sat] WG Last Call for comments: draft-ietf-s… Thomas Hardjono
- Re: [Sat] WG Last Call for comments: draft-ietf-s… ladler2
- Re: [Sat] WG Last Call for comments: draft-ietf-s… Thomas Hardjono
- Re: [Sat] WG Last Call for comments: draft-ietf-s… Martin Gfeller
- Re: [Sat] WG Last Call for comments: draft-ietf-s… VENKATRAMAN RAMAKRISHNA