Re: [Secdispatch] [Smart] New Version Notification for draft-lazanski-smart-users-internet-00.txt

Mark O <Mark.O@ncsc.gov.uk> Tue, 23 July 2019 22:32 UTC

Return-Path: <Mark.O@ncsc.gov.uk>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 90B28120978 for <secdispatch@ietfa.amsl.com>; Tue, 23 Jul 2019 15:32:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ncsc.gov.uk
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 50TgBJ0Ap25U for <secdispatch@ietfa.amsl.com>; Tue, 23 Jul 2019 15:32:23 -0700 (PDT)
Received: from GBR01-LO2-obe.outbound.protection.outlook.com (mail-eopbgr100128.outbound.protection.outlook.com [40.107.10.128]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 330E6120352 for <secdispatch@ietf.org>; Tue, 23 Jul 2019 15:32:23 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=WQkNeC8rI2KP+8i+NyGsmkru92b2gMm8SGG23u/+mngBOFjS9XN3p/IhneYJvNnUpBzMIk/vlGtcTZUcWeRh99EYSZSAwLyI/Z7phSdCqgfgWK4BjlIAia/iDCXzRnY+TS4THrtncQcR2h+OW3O08iuOyJXqSsWuVX7s56jd6xr9dzSORKInIDNiNRuKm1jdtqAqUPplLPG4WVyznjqlBcPQfQXyy5wMiUEuYWCXN2Augou6IXw78HMFKd/S9Fgv709ZYjYgStEaWe943LMHtlAtPAIk8XZOJbVWd9LT7mbyoVYfbAOLq7meSmG1gurqoGjGmCIA/G6FU6HSYZwsgg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=2lMen621WF/oqoAv3aHIqwQck/8jcxXwVNptyygEMps=; b=eBoUWE47za2oTGN0FpWnGjVBi7onb3hjNq85Bk+zjYm9skiYLviYEz5fseufPe+zUiqMByipnGhRqf4EcFNhRCU8gzPyN8+u48wley5bOM8xVChTVQ9JjTYszCcY05d/QQ8ao+f1RJKuDsMye1m4Jmg8AaD9affj7FrXVLAIHMW8KQ+eI9A8zKwaY8QVJ1cJ0PUXfbd0YVym6nxMtAUY7y9b3oGpe0JggquDY3Ce3NU0NOLgfFiocKA3LlFM242c5FgMOXZeLb6Kjj7Ql9xCLwqUIV/h6i5x3qJIaUdB7O/tdLJAZnRxqBzDXPkNRi50i84hSLr80wqCNjgbI8g4KQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1;spf=pass smtp.mailfrom=ncsc.gov.uk;dmarc=pass action=none header.from=ncsc.gov.uk;dkim=pass header.d=ncsc.gov.uk;arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ncsc.gov.uk; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=2lMen621WF/oqoAv3aHIqwQck/8jcxXwVNptyygEMps=; b=GasmMTz0FBd5Cx30FApbYZIsewPRVe0NK1bVvtKkRjB0/a94/33+0ri0NfTJlUAp0R+9KUFyRaf+FwMg7rjUrtfVCTMqhVjxT42ZyVVIw3kRxpS/v8tSw2UIBQeWlT3z8ujZEOPTt/QKd88txKjD95sJH1hqmDyQnTD+UHu6B9Q=
Received: from LNXP123MB2570.GBRP123.PROD.OUTLOOK.COM (20.176.159.147) by LNXP123MB2250.GBRP123.PROD.OUTLOOK.COM (20.176.159.202) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2094.16; Tue, 23 Jul 2019 22:32:20 +0000
Received: from LNXP123MB2570.GBRP123.PROD.OUTLOOK.COM ([fe80::36:e9a5:cb51:4859]) by LNXP123MB2570.GBRP123.PROD.OUTLOOK.COM ([fe80::36:e9a5:cb51:4859%5]) with mapi id 15.20.2094.013; Tue, 23 Jul 2019 22:32:20 +0000
From: Mark O <Mark.O@ncsc.gov.uk>
To: "smart@irtf.org" <smart@irtf.org>, "secdispatch@ietf.org" <secdispatch@ietf.org>
Thread-Topic: Re: [Smart] [Secdispatch] New Version Notification for draft-lazanski-smart-users-internet-00.txt
Thread-Index: AdVBpXaIHMgcNuHoTa6WtdnBmIdnnw==
Date: Tue, 23 Jul 2019 22:32:20 +0000
Message-ID: <LNXP123MB257091D6FEE0D59AFD577BE1D3C70@LNXP123MB2570.GBRP123.PROD.OUTLOOK.COM>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Mark.O@ncsc.gov.uk;
x-originating-ip: [51.141.26.231]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: b1729b0b-59a7-4433-30d7-08d70fbda01e
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(7168020)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:LNXP123MB2250;
x-ms-traffictypediagnostic: LNXP123MB2250:
x-microsoft-antispam-prvs: <LNXP123MB225025F1656C8D8DD2F25372D3C70@LNXP123MB2250.GBRP123.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:6430;
x-forefront-prvs: 0107098B6C
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(4636009)(136003)(376002)(39850400004)(396003)(346002)(366004)(189003)(199004)(51444003)(54896002)(9686003)(6306002)(53936002)(55016002)(486006)(2420400007)(45080400002)(6116002)(66574012)(3846002)(33656002)(2906002)(478600001)(7736002)(8936002)(26005)(25786009)(74316002)(476003)(81156014)(790700001)(6436002)(15650500001)(71200400001)(8676002)(186003)(66066001)(7110500001)(102836004)(53546011)(71190400001)(55236004)(966005)(99286004)(316002)(110136005)(81166006)(6506007)(14454004)(575854001)(14444005)(256004)(2501003)(6246003)(229853002)(68736007)(30864003)(64756008)(52536014)(66946007)(86362001)(66446008)(66556008)(7696005)(66476007)(5660300002)(76116006); DIR:OUT; SFP:1102; SCL:1; SRVR:LNXP123MB2250; H:LNXP123MB2570.GBRP123.PROD.OUTLOOK.COM; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ncsc.gov.uk does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: uuahvh1gd90dMCwie3n5JfLUl8j7avKSk5BRoI3CKCDfsmYYJ1ysvUxSaVgs/YQqz1u4lowFfJDaYYFTrc+oXdYt0QIga9AzGG8K1UqiHqxBhoc0zM2jfPB7EUKmW304s2VggFTyLED6SSnsSp1GtvaJxNOtRGHVWCni13P9Qkr0kwuTFiEhpsBhdscmtN7QNQjBWDfoh91Xwr8tGhISC15pvtWwTjukcf2bHFHO+TfFcmgUdNmJZSfW5vEkcHjQI4VBtxyVHJafsY2n9BYED2cbaikgjXdsfORdz3bYc4NEPBoJMbt8PX/3tbkgPxleB01YTxkCbaAdbo8hEcuLX9wD+DDCjctHUVUgCoSTcUsaKghWd0TiXbW6KVlIlzgVgUxs/n+2FgTkn5woeDvkAsPuBbNmXBzzEANmu2ZOfEg=
Content-Type: multipart/alternative; boundary="_000_LNXP123MB257091D6FEE0D59AFD577BE1D3C70LNXP123MB2570GBRP_"
MIME-Version: 1.0
X-OriginatorOrg: ncsc.gov.uk
X-MS-Exchange-CrossTenant-Network-Message-Id: b1729b0b-59a7-4433-30d7-08d70fbda01e
X-MS-Exchange-CrossTenant-originalarrivaltime: 23 Jul 2019 22:32:20.5323 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 14aa5744-ece1-474e-a2d7-34f46dda64a1
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Mark38706@ncsc.gov.uk
X-MS-Exchange-Transport-CrossTenantHeadersStamped: LNXP123MB2250
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/COfQDzzHHImgNCAk87v0F-qyAuY>
Subject: Re: [Secdispatch] [Smart] New Version Notification for draft-lazanski-smart-users-internet-00.txt
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jul 2019 22:32:33 -0000


Thanks, Dominique, for bringing this draft to the list. It's not a complete survey of all the threats facing users and systems on the Internet but it does highlight some omissions from the current threat model.



I attended the tutorial session on how to write security considerations on 20 July. Something I heard Yoav say was that the IETF mostly focuses on ComSec issues, and as a result there's not usually any discussion in the security considerations of how to protect the host so that private information doesn't leak out; also that the security considerations all too often ignore operational considerations. This reflects what I have seen in Internet drafts but does seem to be ignoring a class of attacks that arguably ought to be in scope.



Checking RFC 3552 to see what's actually in scope for the security considerations, it says (Section 2: The Goals of Security):



   We can loosely divide security goals into those related to protecting

   communications (COMMUNICATION SECURITY, also known as COMSEC) and

   those relating to protecting systems (ADMINISTRATIVE SECURITY or

   SYSTEM SECURITY).  Since communications are carried out by systems

   and access to systems is through communications channels, these goals

   obviously interlock, but they can also be independently provided.



So System Security and the protection of systems is apparently in scope. Section 3 specifies the Internet threat model - and we can classify the attacks here according to whether they are Communications Security or System Security:



3.2.1 Confidentiality violation - COMSEC

3.2.2 Password sniffing - COMSEC

3.2.3 Offline cryptographic attacks - COMSEC (capturing challenge-response); SYSTEM SECURITY (stealing password file)

3.3.1 Replay attacks - COMSEC

3.3.2 Message insertion - COMSEC

3.3.3 Message deletion - COMSEC

3.3.4 Message modification - COMSEC

3.3.5 Man-in-the-middle - COMSEC

3.5 On-path versus off-path - COMSEC

3.6 Link-local - COMSEC



Then Section 5 describes the mandatory components of the security considerations:



   Authors MUST describe



      1.   which attacks are out of scope (and why!)

      2.   which attacks are in-scope

      2.1  and the protocol is susceptible to

      2.2  and the protocol protects against



   At least the following forms of attack MUST be considered:

   eavesdropping, replay, message insertion, deletion, modification, and

   man-in-the-middle.  Potential denial of service attacks MUST be

   identified as well.



So although System Security is recognised as a security goal, there's no specific guidance on what the threats to System Security are and no requirement for them to be addressed in the security considerations section. This may have contributed towards protocol design concentrating more on ComSec than on other aspects of System security. The security considerations section should at least call out the threats that result from the compromise of endpoints, even if no mitigation is possible.



I note that Jari Arkko's draft-arkko-arch-internet-threat-model-01 has been updated and that this makes similar points regarding the need to address security threats other than ComSec. I support the additions to the text of the draft, including this one:



   7.  Treat parties that your equipment connects to with suspicion,

       even if the communications are encrypted.  The other endpoint may

       misuse any information or control opportunity in the

       communication.  Similarly, even parties within your own system

       need to be treated with suspicision, as some nodes may become

       compromised.



I also welcome that Stephen Farrell's draft-farrell-etm-03 recognises additional categories of attacks including supply chain attacks and leaky buckets, as well as the kinds of breaches detailed in Dominique's draft. I do think however that Stephen's suggested change to the wording of RFC 3552:



   OLD: In general, we assume that the end-systems engaging in a

   protocol exchange have not themselves been compromised.



   NEW:



   In general, we assume that one of the protocol engines engaging in a

   protocol exchange has not been compromised at the run-time of the

   exchange.



is restrictive. We use PFS to protect systems against compromises of the endpoint _after_ the protocol exchange has taken place.



The Lazanski, Arkko and Farrell drafts could all make valuable contributions towards an improved Internet threat model.



In response to Eric:

  *   I'd like to try to explore this argument a bit. Specifically, it might
be the case that the IETF has just ignored non-comsec and that if we
had spent more time on it, that would be better. Alternatively, it
could be true that the IETF's focus on comsec has actively harmed
other kinds of security. One gets the sense that this document wants
to argue the latter point, but it doesn't really come out and say it,
let alone substantiate it. That, rather than arguing about the completeness
or appropriateness of RFC 3552, might be a better place to start.



I agree. Research into the effects that the focus on ComSec has had on other forms of security has not been brought to the IETF in a systematic way.



-- Mark









From: Smart <smart-bounces@irtf.org>On Behalf Of Eric Rescorla
Sent: 14 July 2019 17:24
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: smart@irtf.org; Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>om>; Dominique Lazanski <dml@lastpresslabel.com>om>; IETF SecDispatch <Secdispatch@ietf.org>
Subject: Re: [Smart] [Secdispatch] New Version Notification for draft-lazanski-smart-users-internet-00.txt



I more or less agree with Stephen's position.

First, I recognize that this focus on secure endpoints talking to each
other is probably the part of 3552 that people are most unhappy
about. As I was almost certainly the person who wrote that text, it might
be helpful if I laid out some background.

First, RFC 3552 isn't intended to say that endpoint threats aren't
real, but merely that they are out of scope because they are hard
to address. Here's the text in context:

   The Internet environment has a fairly well understood threat model.
   In general, we assume that the end-systems engaging in a protocol
   exchange have not themselves been compromised.  Protecting against an
   attack when one of the end-systems has been compromised is
   extraordinarily difficult.  It is, however, possible to design
   protocols which minimize the extent of the damage done under these
   circumstances.

For a more narrow statement with a similar theme (but extended to
the Web platform, see https://www.chromium.org/Home/chromium-security/security-faq#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model- and
https://www.chromium.org/Home/chromium-security/security-faq#TOC-Why-aren-t-compromised-infected-machines-in-Chrome-s-threat-model-):

   This is essentially the same situation as with physically-local
   attacks. The attacker's code, when it runs as your user account on
   your machine, can do anything you can do. (See also Microsoft's Ten
   Immutable Laws Of Security.)

However, RFC 3552 is primarily oriented towards what can be
standardized and in particular towards protocols, and generally secure
protocols require some sort of TCB to be effective. Obviously, as
alluded to in 3552, to the extent to which protocols can be designed
to minimize damage, and we routinely attempt to do so. Examples of
this include the use of Forward Secure algorithms and trying to avoid
or mitigate designs with single points of failure (as with Certificate
Transparency).  I know that PHB has some ideas along these lines; I
haven't studied them enough to know what I think, but that sort of
thing is generally in scope as well.

This to some extent goes to Section 2 of draft-lazanski. I certainly
agree that to the extent to which it is possible to design
cryptographic solutions to prevent data breaches, it is useful to do
so, and protocols for doing that would potentially be in scope for
IETF. I say "potentially" because I'm not sure that (a) standards are
necessary in this space beyond the kind of work we are already doing
or (b) that we would have the community to define them, but I don't
see an in principle barrier [0] I certainly would not expect 3552 to
be deployed to preclude that kind of work.

Similarly, I don't think that the kinds of botnet attacks described
in Section 3 are out of scope for 3552, though I see how it could
be read this way. However I think that the idea of a malicious
counterparty is clearly in scope if we assume that the attacker
controls the network. Here too, I wouldn't expect 3552 to be deployed
to preclude that kind of work; we have done plenty of anti-DoS work
in IETF (whether it is good enough is a different story).


Turning now to the document itself, its language seems to be trying
to stake out a very strong position, but I'm not quite sure what that
position is. For instance:

   themselves. These assumptions have led to a focus on communications
   security and the development of protocols that place this kind of
   security above all else. Ironically - or coincidentally - as the
   development of these protocols have taken place over the last
   several decades, there has been and continues to be a sharp rise in
   cyber attacks. The Internet threat model in RFC 3552 does not even
   mention that the greatest threat to the Internet is the growing
   scale and variety of cyber attacks against all types of endpoints
   that is resulting in significant data breaches. This now needs to
   change.

First, I'm not sure that I agree that cyber attacks on endpoints are
the greatest threat to the Internet, but even assuming that's so,
what are the implications of that for work in the IETF? It's one thing
to change the words of 3552, but what work specifically would we
do if those words were different.

Second, I think it's quite likely true that the IETF has focused
on communications security, and this document seems to be trying
to argue that that's to the detriment of other kinds of security,
both here and in other places:

   Internet security research and technical development must accept the
   reality of all the security issues in the Internet ecosystem.
   Decisions being made in the name of privacy are sometimes leading to
   larger inadvertent security and privacy losses.

I'd like to try to explore this argument a bit. Specifically, it might
be the case that the IETF has just ignored non-comsec and that if we
had spent more time on it, that would be better. Alternatively, it
could be true that the IETF's focus on comsec has actively harmed
other kinds of security. One gets the sense that this document wants
to argue the latter point, but it doesn't really come out and say it,
let alone substantiate it. That, rather than arguing about the completeness
or appropriateness of RFC 3552, might be a better place to start.

-Ekr


[0] Indeed, work like token binding is arguably a stab at some of this
stuff.



On Sun, Jul 14, 2019 at 3:26 AM Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:

Hiya,

On 14/07/2019 03:06, Kathleen Moriarty wrote:
> It's a good start toward broadening
> the conversation on the Internet threat model and I do agree that is
> necessary.

FWIW, I don't agree that this is a good start.

ISTM that this draft is far too opinionated, for example
claiming that "IETF attendees are privacy-focused", (how
does the author know?), claiming it "unthinkable" that
something isn't done, and that "Internet security research
and technical development must accept the reality of all
the security issues in the Internet ecosystem" (though
I'm not sure I can parse that last quote at all).

Towards the end we get: "Endpoints have changed over the
last 10 years, but assumptions about endpoints in the IETF
hasn't changed in that time" - I don't know how the
author knows what assumptions may or may not be made
by IETF participants (not "attendees" of course).

And perhaps most oddly, this bold assertion: "Further, it
is imperative that new conclusions and recommendations
from a revisited threat model are backed up by research, case
studies and experience - rather than bold assertions." ;-)

The list of breaches and botnets is fine, but not much
use without any analysis of how those happened. We need a
good bit more work to figure out whether any changes to
protocols or protocol design are actually warranted or
useful in the face of these kinds of incident. (Hence
the oddity of the bold assertion above.)

Lastly, ISTM important, if any discussion here is to
be worthwhile, to recognise from the start that existing
IETF consensus positions in this space are not likely to
be discarded - those were arrived at after a lot iterations
of a lot of debate by well-informed IETF participants.
(Despite what some may claim;-) So I reckon the right
discussion to have is about how to extend and not discard
the 3552 threat model. Any other attempted changes would
seem to me to require a shift in deployments from 2-party
to multi-party protocols, which is unrealistic, or to
require magical trust in middleboxes, which would be plain
silly and seems highly unlikely to be something for which
IETF consensus would be established.

> Also - is this a request to present at SecDispatch?

I hope not. This draft is IMO clearly not ready for that.
An initial discussion about threat models and how to
approach this kind of work at saag may be worthwhile (and
I think Jari has asked the sec ADs for such a slot).

Cheers,
S.
_______________________________________________
Secdispatch mailing list
Secdispatch@ietf.org
https://www.ietf.org/mailman/listinfo/secdispatch

This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk. All material is UK Crown Copyright (c)