Re: [Smart] [Secdispatch] New Version Notification for draft-lazanski-smart-users-internet-00.txt

Bret Jordan <jordan.ietf@gmail.com> Mon, 15 July 2019 00:24 UTC

From: Bret Jordan <jordan.ietf@gmail.com>
Message-Id: <AC7FADF1-A556-46AF-9A5C-F464AA4772B9@gmail.com>
Date: Sun, 14 Jul 2019 18:23:56 -0600
In-Reply-To: <C2AD999E-2B53-4E17-B033-4B722ADFA677@cisco.com>
Cc: Melinda Shore <melinda.shore@nomountain.net>, secdispatch@ietf.org, smart@irtf.org
To: Eliot Lear <lear@cisco.com>
References: <0A8948DB-F97C-4F68-9173-7E627FB5019C@lastpresslabel.com> <4B10655B-8753-4B10-ACC9-16D7F78AD9F9@gmail.com> <CAMm+Lwh3KW6ZBbMktwmLcKyY8=_ysLYJF_7MsAuiOat6baQ=Kg@mail.gmail.com> <B551EF79-7E6E-4C4E-ADCA-6538F7972222@gmail.com> <CAMm+Lwg+2RFiXK43nJv7pD3OgM8y=ziVYxBkXD3F2kJyz37SxQ@mail.gmail.com> <50E59504-CA00-4792-AA72-FC08051E2486@gmail.com> <CAHbuEH5WUv-a4nKt5YAZosO-vE773Jh3xn1+-hA=4J7RBERc3g@mail.gmail.com> <45cc67f6-3dd4-9788-29e5-4cc82471e6ee@nomountain.net> <9683DFBC-1816-4C0A-8D8A-4CE36318C72C@cisco.com> <d5f05651-849f-4048-3123-8ee17a0c0a96@nomountain.net> <C2AD999E-2B53-4E17-B033-4B722ADFA677@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/smart/G0PaHPNDfYZuFCLTMu5Qz9hIXFg>
Subject: Re: [Smart] [Secdispatch] New Version Notification for draft-lazanski-smart-users-internet-00.txt

Hi Eliot.

There are a few additional questions to consider that are more relevant, IMO:


> To your point below, there are three questions we can ask:
> 
> Is the device known to be compromised?
> Is the device not known to be compromised?
> Is the device in a known good state?
> 


1) Is the content or content provider that the user is going to compromised and trying to attack the endpoint?
2) Is the content provider that the user is going to a stage 2 delivery site?
3) Is the content provider that the user is going to the location for outbound malicious content (data exfiltration, CnC traffic)?
4) Is the content provider that the user is going to adversely tracking and monitoring everything the end client does, aka active surveillance versus passive surveillance?
5) Is the remote site that the user did not go to attacking the endpoint?

All of this is network based / Internet based. Protocol designs can help make it much more difficult for threat actors, crime syndicates, and intrusion sets to be as effective.


Thanks,
Bret
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."