Re: [Secdispatch] [Smart] New Version Notification for draft-lazanski-smart-users-internet-00.txt

[Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>]

Hello,

On Sun, Jul 14, 2019 at 6:25 AM Stephen Farrell <stephen.farrell@cs.tcd.ie>
wrote:

>
> Hiya,
>
> On 14/07/2019 03:06, Kathleen Moriarty wrote:
> > It's a good start toward broadening
> > the conversation on the Internet threat model and I do agree that is
> > necessary.
>
> FWIW, I don't agree that this is a good start.
>
> ISTM that this draft is far too opinionated, for example
> claiming that "IETF attendees are privacy-focused", (how
> does the author know?), claiming it "unthinkable" that
> something isn't done, and that "Internet security research
> and technical development must accept the reality of all
> the security issues in the Internet ecosystem" (though
> I'm not sure I can parse that last quote at all).
>

Sure, opinionated text gets cut as a draft progresses, but she makes a
clear case for adding in the endpoint into the threat model.  I had tried
to do a bit of that in my AD reviews as I agree, it's one of the places
systems are left vulnerable and open to attack. When the defenses in the
middle are removed, new ones are needed.  Protocol evolution is eliminating
these middle boxes, so the end point needs to be shored up.  We need first
to better prevent attacks, and then to be able to detect them at end
points.  Some of this could get baked into protocols (I'm not sure how yet,
but perhaps something can be done), requiring research and ensuring the
protocols maintain the existing set of desired properties.

>
> Towards the end we get: "Endpoints have changed over the
> last 10 years, but assumptions about endpoints in the IETF
> hasn't changed in that time" - I don't know how the
> author knows what assumptions may or may not be made
> by IETF participants (not "attendees" of course).
>

Sure, there's a bunch of us that care about end points, but I think outside
perception doesn't show this and those who work solely on end point
security don't feel heard at the moment.  Bake this into a bigger threat
model and we have a more complete picture.  We as a community need to step
back and think about the threat model and impacts to users of the
Internet.  The time to detect an attack has come way down (in most
countries) over the last 2 years.  This isn't spelled out in the draft, but
could be in a comprehensive draft.  The reason for this is that
organizations have deployed tighter controls and are quicker to detect
anomalies on their networks.  Detection devices have also aided in this
reduction with the exchange of indicators of compromise.  We need new ways
to deploy prevention and detection mechanisms and can't ignore that as we
eliminate the methods of detection and prevention used by large numbers of
organizations.

I'd be happy to help flesh out this part of the threat model more.


> And perhaps most oddly, this bold assertion: "Further, it
> is imperative that new conclusions and recommendations
> from a revisited threat model are backed up by research, case
> studies and experience - rather than bold assertions." ;-)
>

PM was backed by lots of information, I agree.  The problem is that the
focus ignored (largely) other security concerns.  I tried to ensure system
integrity came up when important in drafts and also logging, but maybe
there's more that can and should be done.

>
> The list of breaches and botnets is fine, but not much
> use without any analysis of how those happened. We need a
> good bit more work to figure out whether any changes to
> protocols or protocol design are actually warranted or
> useful in the face of these kinds of incident. (Hence
> the oddity of the bold assertion above.)
>

Yes, and these aren't the only types of attacks.  Phishing is accountable
for about 90% of so called APT attacks (I can find the artcile that says
this, just not at the moment).  Better authentication will help (FIDO,
tokbind, HOBA, etc.) , but some of the attacks don't involve
authentication.

>
> Lastly, ISTM important, if any discussion here is to
> be worthwhile, to recognise from the start that existing
> IETF consensus positions in this space are not likely to
> be discarded - those were arrived at after a lot iterations
> of a lot of debate by well-informed IETF participants.
> (Despite what some may claim;-) So I reckon the right
> discussion to have is about how to extend and not discard
> the 3552 threat model. Any other attempted changes would
> seem to me to require a shift in deployments from 2-party
> to multi-party protocols, which is unrealistic, or to
> require magical trust in middleboxes, which would be plain
> silly and seems highly unlikely to be something for which
> IETF consensus would be established.
>

Sure, my full message made the same point. We need to look at the broader
threat model and have a more comprehensive picture.  I do think this helps
make the case for the end point and figuring out if we have options within
protocols to prevent threat with out-of-the-box thinking, research,
security protocol proofing, and testing.

>
> > Also - is this a request to present at SecDispatch?
>
> I hope not. This draft is IMO clearly not ready for that.
> An initial discussion about threat models and how to
> approach this kind of work at saag may be worthwhile (and
> I think Jari has asked the sec ADs for such a slot).
>

She sent it to SecDispatch, so I needed to ask.  I do agree it's better for
SAAG and a larger discussion on threat model, but that's for our ADs to
decide.

>
> Cheers,
> S.
>


-- 

Best regards,
Kathleen