Re: [Secdispatch] [Smart] New Version Notification for draft-lazanski-smart-users-internet-00.txt

Kathleen Moriarty <> Sun, 14 July 2019 11:21 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C98E61200F4 for <>; Sun, 14 Jul 2019 04:21:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id hoENlIxhb7Lp for <>; Sun, 14 Jul 2019 04:21:10 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 5F972120105 for <>; Sun, 14 Jul 2019 04:21:10 -0700 (PDT)
Received: by with SMTP id u15so10640439oiv.0 for <>; Sun, 14 Jul 2019 04:21:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Cu0LCxwSqB5MKtKMQZp2e+AnAgoQFs5LfP1Nq4jusDI=; b=j32c4+fPZM1HgtUUmO4xhJiM4tZUTfsjjyx6h+vK2Hfcw4GHEXAdQoXGqiFJFXpfK4 i0UE2fD5I8xEohx+4hgWq7HXedRSGGRrYq9mWXh3trJscIEfSGAP8kT43xNYiyoxhTHA 4qFz20HiBIF/9lfObiD9K8Z32DtH+6dOd1q96zZ4nWdYF5mdfKoeAZTMsUQzLdoJ2uLi ioLf7QNnM7ppUActO7AqFWtEKGcKXtkn0/Dg22DfRSpxaZq0rMzt7a4U/82qiHKU64iE c3+1HnKdiF19LHaYPSX5aETvR0KPZSGDPkglvOqFzKRQbtiaTcF4gnOIcxLeP4LPAi9k juvA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Cu0LCxwSqB5MKtKMQZp2e+AnAgoQFs5LfP1Nq4jusDI=; b=UiiMQfAiDI6JV9eyqe8fuk/owfTNauVOTYbAKccyV0B+OawlZ5VfZcbq2VMNiQvd7a BaNFrnW6uTG6r7KNLEWUhHHgg9uEOrIleuBJIHN4oNdD5lRUIZ+ODOvhgFy6x/h2rpYi 6NkJGcMpbDUM49URMrw5RIhUvyFNOPLPDwDk4fkpZ1OlFv0xeL/eoUKv/sSx0ubJ+sWF bzPlTinmwVvniH0x4l9JjPOG0jXXK97G5vZi8skbs85IMVcs7cAg69GK8+ntY/Gk9YW6 1blF96FAfkHnlISJZYHky0f42hgm5Xewnq8PSil/iFQKjKXPPM4Ep0JmUhJ1H5F45OQo HiVA==
X-Gm-Message-State: APjAAAWcJ1wf4Qc3djD3QEEmv3wvsBlYbR5vnm45lhJUI/3q9PiJDLUh EK9z9vx/9C4gzDATQ6Px3H6Vzn+OvEeY0EWK6HI=
X-Google-Smtp-Source: APXvYqx2GiHDWtK8GI/ZmvIHrW7+HGV2Q2M5uw5Aqb6oEEzh74L3wYdI2/NZhayMt6HLPLpglMPoICzuEt6Nhh2W7Lg=
X-Received: by 2002:aca:5308:: with SMTP id h8mr9826835oib.164.1563103269644; Sun, 14 Jul 2019 04:21:09 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <> <> <> <> <> <>
In-Reply-To: <>
From: Kathleen Moriarty <>
Date: Sun, 14 Jul 2019 07:20:33 -0400
Message-ID: <>
To: Stephen Farrell <>
Cc: Dominique Lazanski <>,, IETF SecDispatch <>
Content-Type: multipart/alternative; boundary="000000000000226e8a058da25780"
Archived-At: <>
Subject: Re: [Secdispatch] [Smart] New Version Notification for draft-lazanski-smart-users-internet-00.txt
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 14 Jul 2019 11:21:14 -0000


On Sun, Jul 14, 2019 at 6:25 AM Stephen Farrell <>

> Hiya,
> On 14/07/2019 03:06, Kathleen Moriarty wrote:
> > It's a good start toward broadening
> > the conversation on the Internet threat model and I do agree that is
> > necessary.
> FWIW, I don't agree that this is a good start.
> ISTM that this draft is far too opinionated, for example
> claiming that "IETF attendees are privacy-focused", (how
> does the author know?), claiming it "unthinkable" that
> something isn't done, and that "Internet security research
> and technical development must accept the reality of all
> the security issues in the Internet ecosystem" (though
> I'm not sure I can parse that last quote at all).

Sure, opinionated text gets cut as a draft progresses, but she makes a
clear case for adding in the endpoint into the threat model.  I had tried
to do a bit of that in my AD reviews as I agree, it's one of the places
systems are left vulnerable and open to attack. When the defenses in the
middle are removed, new ones are needed.  Protocol evolution is eliminating
these middle boxes, so the end point needs to be shored up.  We need first
to better prevent attacks, and then to be able to detect them at end
points.  Some of this could get baked into protocols (I'm not sure how yet,
but perhaps something can be done), requiring research and ensuring the
protocols maintain the existing set of desired properties.

> Towards the end we get: "Endpoints have changed over the
> last 10 years, but assumptions about endpoints in the IETF
> hasn't changed in that time" - I don't know how the
> author knows what assumptions may or may not be made
> by IETF participants (not "attendees" of course).

Sure, there's a bunch of us that care about end points, but I think outside
perception doesn't show this and those who work solely on end point
security don't feel heard at the moment.  Bake this into a bigger threat
model and we have a more complete picture.  We as a community need to step
back and think about the threat model and impacts to users of the
Internet.  The time to detect an attack has come way down (in most
countries) over the last 2 years.  This isn't spelled out in the draft, but
could be in a comprehensive draft.  The reason for this is that
organizations have deployed tighter controls and are quicker to detect
anomalies on their networks.  Detection devices have also aided in this
reduction with the exchange of indicators of compromise.  We need new ways
to deploy prevention and detection mechanisms and can't ignore that as we
eliminate the methods of detection and prevention used by large numbers of

I'd be happy to help flesh out this part of the threat model more.

> And perhaps most oddly, this bold assertion: "Further, it
> is imperative that new conclusions and recommendations
> from a revisited threat model are backed up by research, case
> studies and experience - rather than bold assertions." ;-)

PM was backed by lots of information, I agree.  The problem is that the
focus ignored (largely) other security concerns.  I tried to ensure system
integrity came up when important in drafts and also logging, but maybe
there's more that can and should be done.

> The list of breaches and botnets is fine, but not much
> use without any analysis of how those happened. We need a
> good bit more work to figure out whether any changes to
> protocols or protocol design are actually warranted or
> useful in the face of these kinds of incident. (Hence
> the oddity of the bold assertion above.)

Yes, and these aren't the only types of attacks.  Phishing is accountable
for about 90% of so called APT attacks (I can find the artcile that says
this, just not at the moment).  Better authentication will help (FIDO,
tokbind, HOBA, etc.) , but some of the attacks don't involve

> Lastly, ISTM important, if any discussion here is to
> be worthwhile, to recognise from the start that existing
> IETF consensus positions in this space are not likely to
> be discarded - those were arrived at after a lot iterations
> of a lot of debate by well-informed IETF participants.
> (Despite what some may claim;-) So I reckon the right
> discussion to have is about how to extend and not discard
> the 3552 threat model. Any other attempted changes would
> seem to me to require a shift in deployments from 2-party
> to multi-party protocols, which is unrealistic, or to
> require magical trust in middleboxes, which would be plain
> silly and seems highly unlikely to be something for which
> IETF consensus would be established.

Sure, my full message made the same point. We need to look at the broader
threat model and have a more comprehensive picture.  I do think this helps
make the case for the end point and figuring out if we have options within
protocols to prevent threat with out-of-the-box thinking, research,
security protocol proofing, and testing.

> > Also - is this a request to present at SecDispatch?
> I hope not. This draft is IMO clearly not ready for that.
> An initial discussion about threat models and how to
> approach this kind of work at saag may be worthwhile (and
> I think Jari has asked the sec ADs for such a slot).

She sent it to SecDispatch, so I needed to ask.  I do agree it's better for
SAAG and a larger discussion on threat model, but that's for our ADs to

> Cheers,
> S.


Best regards,