IETF Logo Mail Archive

Re: [Teep] IETF 101 agenda requests

"faibish, sorin" <Faibish.Sorin@dell.com> Tue, 27 March 2018 23:19 UTC

Return-Path: <Faibish.Sorin@dell.com>
X-Original-To: teep@ietfa.amsl.com
Delivered-To: teep@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C13012E8AD; Tue, 27 Mar 2018 16:19:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.72
X-Spam-Level:
X-Spam-Status: No, score=-2.72 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dell.com header.b=trtlQ7ma; dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=emc.com header.b=WaukLmcw
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hhN9-pGtLAIY; Tue, 27 Mar 2018 16:19:16 -0700 (PDT)
Received: from esa4.dell-outbound.iphmx.com (esa4.dell-outbound.iphmx.com [68.232.149.214]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B572312E876; Tue, 27 Mar 2018 16:19:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=dell.com; i=@dell.com; q=dns/txt; s=smtpout; t=1522192755; x=1553728755; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=EPszruwZ96/zNpD2LHYW7AXVmF8mCT1tYBurtGbCj8Y=; b=trtlQ7macmr7Wf+PR60SNIjPHVm5O0K1eA0z2QsFCqutksIHPD+B2zby 9TPNLmVH70O31L1ldhI6Y243BSoUo/SE9DTeuu9HRJTIiWOa2m08VLz5W DoW+LygXW9MimIphLncuuXKXbEyUUOB99VD8Zd/Sr4O2aThTihEZ8x766 A=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A2G7BwAV0LpamD+a6ERTCg4OAQEBBAEBCgEBgm8jgQIOcCgKmGeBdHUaklEUgTU6CyMIgWaCcwKEAyE2FgECAQEBAQEBAgECEAEBAQEBCAsLBigjDII4JAEODiMCAhYhCAExAQEBAQEBAQEBAQEBAQEBAQEBFwIlGBMCGAEBAQMBOgYuBAcBBAcEAgEIEQEDAQEBChQJBzIUAwYIAgQBDQUIEQKCdQSBYgMNCAEOrheCd4QbA4E2giEDBYU6BIEUDHqBVECBDIJTNIFBgVIEGYEHCAEBBwQHAQsWBSUMgnmCJIc2kA8IAoVRihCDWIJchFiHJ4gvAgQCBAUCFIElIwg3VHFwT4JDgi+DUIoXOm8BAQGNMgEOGIEIgRcBAQ
X-IPAS-Result: A2G7BwAV0LpamD+a6ERTCg4OAQEBBAEBCgEBgm8jgQIOcCgKmGeBdHUaklEUgTU6CyMIgWaCcwKEAyE2FgECAQEBAQEBAgECEAEBAQEBCAsLBigjDII4JAEODiMCAhYhCAExAQEBAQEBAQEBAQEBAQEBAQEBFwIlGBMCGAEBAQMBOgYuBAcBBAcEAgEIEQEDAQEBChQJBzIUAwYIAgQBDQUIEQKCdQSBYgMNCAEOrheCd4QbA4E2giEDBYU6BIEUDHqBVECBDIJTNIFBgVIEGYEHCAEBBwQHAQsWBSUMgnmCJIc2kA8IAoVRihCDWIJchFiHJ4gvAgQCBAUCFIElIwg3VHFwT4JDgi+DUIoXOm8BAQGNMgEOGIEIgRcBAQ
Received: from esa3.dell-outbound2.iphmx.com ([68.232.154.63]) by esa4.dell-outbound.iphmx.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 27 Mar 2018 18:19:14 -0500
From: "faibish, sorin" <Faibish.Sorin@dell.com>
Received: from mailuogwdur.emc.com ([128.221.224.79]) by esa3.dell-outbound2.iphmx.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 28 Mar 2018 05:15:31 +0600
Received: from maildlpprd52.lss.emc.com (maildlpprd52.lss.emc.com [10.106.48.156]) by mailuogwprd53.lss.emc.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.0) with ESMTP id w2RNJA1m031118 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 27 Mar 2018 19:19:12 -0400
X-DKIM: OpenDKIM Filter v2.4.3 mailuogwprd53.lss.emc.com w2RNJA1m031118
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=emc.com; s=jan2013; t=1522192753; bh=QsmO/ryaMQ5u+Zbc+4QmXNHOpZ8=; h=From:To:CC:Subject:Date:Message-ID:References:In-Reply-To: Content-Type:Content-Transfer-Encoding:MIME-Version; b=WaukLmcwzik4gbybgBPC8SE71e8R1aa0ZiaWZV5A/jKlvfsQgVYJ6iL1GCzY2y8zJ 0zm4I78Z4nR1wnlIu2mNGU+presZlO63A5t3dERVslfVaz1Kdc7OawkCsY0wEFbZwz QMpyp6HkY2Y48n7C07eq6RIUnP7GScufXFmWDDNE=
X-DKIM: OpenDKIM Filter v2.4.3 mailuogwprd53.lss.emc.com w2RNJA1m031118
Received: from mailusrhubprd03.lss.emc.com (mailusrhubprd03.lss.emc.com [10.253.24.21]) by maildlpprd52.lss.emc.com (RSA Interceptor); Tue, 27 Mar 2018 19:18:51 -0400
Received: from MXHUB320.corp.emc.com (MXHUB320.corp.emc.com [10.146.3.98]) by mailusrhubprd03.lss.emc.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.0) with ESMTP id w2RNImF8024938 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=FAIL); Tue, 27 Mar 2018 19:18:50 -0400
Received: from MX304CL01.corp.emc.com ([fe80::2d21:ebf8:dc15:2b07]) by MXHUB320.corp.emc.com ([10.146.3.98]) with mapi id 14.03.0382.000; Tue, 27 Mar 2018 19:18:48 -0400
To: "Wheeler, David M" <david.m.wheeler@intel.com>, Dave Thaler <dthaler@microsoft.com>, Benjamin Kaduk <kaduk@mit.edu>
CC: teep <teep@ietf.org>, "teep-chairs@ietf.org" <teep-chairs@ietf.org>
Thread-Topic: [Teep] IETF 101 agenda requests
Thread-Index: AdO9Xdcov18dMzNFTtSIcGlRK17eigEYdluQAEF0EYAApIpjUAANWfKAAB23MQAAAb1mgAACOC4AAAM2OuA=
Date: Tue, 27 Mar 2018 23:18:48 +0000
Message-ID: <2313358402DBCC4DB2F2DC03CB08BBFE0101206F@MX304CL01.corp.emc.com>
References: <MWHPR21MB078111616FCDCF87134B0FC0A3D70@MWHPR21MB0781.namprd21.prod.outlook.com> <2313358402DBCC4DB2F2DC03CB08BBFEFF050A@MX304CL01.corp.emc.com> <20180323123925.GD25919@kduck.kaduk.org> <2313358402DBCC4DB2F2DC03CB08BBFE0100C5FE@MX304CL01.corp.emc.com> <20180327013301.GN44086@kduck.kaduk.org> <0627F5240443D2498FAA65332EE46C84367A64B7@CRSMSX102.amr.corp.intel.com> <CY4PR21MB0774D423B19953CE1F8A21ECA3AC0@CY4PR21MB0774.namprd21.prod.outlook.com> <0627F5240443D2498FAA65332EE46C84367A6598@CRSMSX102.amr.corp.intel.com>
In-Reply-To: <0627F5240443D2498FAA65332EE46C84367A6598@CRSMSX102.amr.corp.intel.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.252.42.176]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Sentrion-Hostname: mailusrhubprd03.lss.emc.com
X-RSA-Classifications: public
Archived-At: <https://mailarchive.ietf.org/arch/msg/teep/2_NdhYPU2v6V6QLso7JYpou5PRg>
Subject: Re: [Teep] IETF 101 agenda requests
X-BeenThere: teep@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: A Protocol for Dynamic Trusted Execution Environment Enablement <teep.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/teep>, <mailto:teep-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/teep/>
List-Post: <mailto:teep@ietf.org>
List-Help: <mailto:teep-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/teep>, <mailto:teep-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Mar 2018 23:19:25 -0000

David,

Thank you for your detailed clarifications. I just want to address one point within:

-----Original Message-----
From: Wheeler, David M [mailto:david.m.wheeler@intel.com] 
Sent: Tuesday, March 27, 2018 1:37 PM
To: Dave Thaler <dthaler@microsoft.com>; Benjamin Kaduk <kaduk@mit.edu>; faibish, sorin <faibish_sorin@emc.com>
Cc: teep <teep@ietf.org>; teep-chairs@ietf.org
Subject: RE: [Teep] IETF 101 agenda requests

> For it to not be orthogonal, one would have to argue how/why it affects the OTrP protocol itself.  

OK, let me try to present the argument :)

A TEE application, when provisioned into a device, will require certain resources of the device.
These resources will definitely include storage, RAM, and possibly some measure of CPU time.
OTrP //should// have some policy hooks that allow a device/device user/owner to define what are acceptable limits of resource consumption for a TEE application. For example, as long as a TEE app consumes less than 100MB RAM, it is OK to install (perhaps because I only have 250MB allocated to the TEE, and I don't want ALL the memory consumed by one app).

This policy should be attached to the TEE application at install time, be interpreted by the OTrP Agent, and be evaluated as an intersection of the application characteristics along with the device/platform/TEE policy.

Now, once these simple TEE app characteristics (memory, storage, CPU time) are considered, there are other characteristics that a TEE app might want/need access to. Here are some examples:
- device monotonic counter: some platforms have limits as to how often the MC can be updated, and the entire life of the MC, based on flash wear leveling. Restricting how a TEE app can use a MC is a policy decision for the device/TEE
[sf] The resources used for DDoS potential attacks are not necessarily detected as extremely different as Dave pointed in the other email yet the fact that the execution of the offending code is IMHO already a breach as the secure application was used to activate network traffic that it was trusted to be real data sent to the cloud and yet it is malicious. As Dave mentioned the amount of traffic is not very large but it is sent from many IoT devices. The problem I want to address is the trust that the "safe" application was given and due to the breach the attackers are using to generate the network packets which in my opinion is a breach of trust. There is a valid question though that Dave asks: how do we identify malicious packets not in very large amounts sent by the "trusted" application. In normal situations the application may send packets to the cloud, for example, not legitimate ones. This is the real problem of trust. 

./Sorin  

- secure key store: there may be limits to the number of keys that can be stored within the TEE in a replay protected non-volatile secure storage area. Access to this might be based on a TEE policy

- other trusted HW devices: some devices on the platform may solely be accessible inside the TEE, others might be configurable to be in the TEE or outside. And access to these devices might need to be restricted. For example, access to certain FW flash areas for secure update, access to the Safety Island on certain industrial parts, and of course access to the network, especially in a promiscuous mode.

Additionally, I might configure my device so that //certain// service providers are trusted to a level where they get access to //all// these types of special resources (I trust those service providers) and other service providers do not get any such access, or very limited access. One might argue, how can you enforce this? The TEE manifest that includes the characteristics and requirements could lie - yes, but then they would be found out, because their app is signed, and they would be banned by the TSM.

So, now back to our proposed use case:
For the DDoS application to work, it must be able to get access to the lowest packet level of the network stack, and be able to process packets at line speed. This requirement has significant draws on the capability of the TEE - available access to the network device, amount of memory consumed for packet buffers, amount of processing to keep up with packets, ...

Some TEEs may not even be //able// to provide such services. Other TEEs may restrict it.

OTrP should be able to convey, during install, the rich set of application requirements the TEE app needs to properly run, and this should be able to be interpreted against the policy and capabilities of the TEE as interpreted by the OTrP agent (or equivalent manager in the TEE). 

For this reason, I like this use case, because it represents a non-trivial application (not just an App computing pi), with interesting and complex requirements on the HW, environment, and other policy (like privacy - do I want an app that sees ALL of my network traffic and possibly be able to evaluate my network flows?) 

How should OTrP handle the communication of TEE Application requirements? What policy language is built into the protocol? Does the policy language include some privacy atoms, as well as TEE resource atoms? What other characteristics can be / should be represented by the policy language? What are the limits of policy interpretation by the OTrP agent? These, I believe are valuable questions to consider. Perhaps we get to the point that it is too complex for our first version, but I would like us to have the conversation and consider it. And then, at least, have some insight to where such a descriptive policy language might intersect with the protocol (at some point).

Thanks,
- Dave Wheeler

-----Original Message-----
From: Dave Thaler [mailto:dthaler@microsoft.com]
Sent: Tuesday, March 27, 2018 9:34 AM
To: Wheeler, David M <david.m.wheeler@intel.com>; Benjamin Kaduk <kaduk@mit.edu>; faibish, sorin <Faibish.Sorin@dell.com>
Cc: teep <teep@ietf.org>; teep-chairs@ietf.org
Subject: RE: [Teep] IETF 101 agenda requests

On slide 6 of the "Problem Statement" slides there were three use cases for Trusted Applications (as opposed to use cases for OTrP or TEEP per se), of which one was IoT. 

The Mirai botnet attack used the REE (not a TEE) of devices to conduct attacks against an external entity.  Since TEEP is about TEE provisioning, not REE provisioning, TEEP is not directly applicable to controlling how/whether malware can be installed in the REE.

I think what David's saying is that a provisioned TEE application could have functionality to detect/mitigate something malicious that it detects an REE app is doing.  That's true, just like the TEE application could do anything else (compute pi, etc.) but we shouldn't try to enumerate every operation that a TEE application might try to do, just things that introduce requirements on OTrP.

In the "TEEP Use Cases" slides for IETF 101, these are use cases for OTrP (as opposed to use cases for Trusted Apps in general).
In the discussion around slide 6, we agreed that Rich Apps are largely orthogonal because they don't introduce
new requirements on the OTrP protocol.   I think Ben's saying this is similarly orthogonal.

For it to not be orthogonal, one would have to argue how/why it affects the OTrP protocol itself.  If there is such an argument, that would be a good way to continue this discussion.  If not, or if we don't know if there is, then it's orthogonal until such an argument is provided.

Dave

-----Original Message-----
From: Wheeler, David M <david.m.wheeler@intel.com>
Sent: Tuesday, March 27, 2018 8:44 AM
To: Benjamin Kaduk <kaduk@mit.edu>; faibish, sorin <Faibish.Sorin@dell.com>
Cc: teep <teep@ietf.org>; Dave Thaler <dthaler@microsoft.com>; teep-chairs@ietf.org
Subject: RE: [Teep] IETF 101 agenda requests

Ben,
I agree with you regarding the question of charter, however, I think (please correct if I misunderstand) what Sorin is proposing is to use the DDoS example as a use case to evaluate if OTrP has considered the appropriate relationships and entities within the protocol that would allow the proposed DDoS solution to be implemented.

Our charter does state that "the solution approach must take a wide range of TEE and relevant technologies" and the architecture document includes "relevant use cases." Since the DDoS proposal includes an implementation where a TEE application implements a set of filtering policies, I believe it is relevant.

I think it is a very interesting use case, since it expands beyond a simple Device-User to Service-Provider situation, and creates a more complex interaction for the application - especially the interaction of the trusted application to aspects of the device itself (i.e. filtering outgoing packets). Is our policy for accepting TEE applications rich enough (or at least extensible enough) to enable a device/user to implement controls on what applications are allowed to do, perhaps even based on the service provider installing those applications.

I believe it is in our best interest to evaluate it, and the implications of such TEE applications. We can still come to the conclusion that some aspects of supporting such a use case may be out-of-scope, but it will give us concrete information to point to regarding what is exactly out-of-scope, why it breeches our scope, and perhaps direct future additions/expansions to the protocol.

Thanks,
Dave Wheeler


-----Original Message-----
From: TEEP [mailto:teep-bounces@ietf.org] On Behalf Of Benjamin Kaduk
Sent: Monday, March 26, 2018 6:33 PM
To: faibish, sorin <Faibish.Sorin@dell.com>
Cc: teep <teep@ietf.org>; Dave Thaler <dthaler@microsoft.com>; teep-chairs@ietf.org
Subject: Re: [Teep] IETF 101 agenda requests

On Mon, Mar 26, 2018 at 11:12:37PM +0000, faibish, sorin wrote:
> We discussed the DDoS in Singapore and we had a presentation on the DDoS:
> https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatat
> racker.ietf.org%2Fmeeting%2F100%2Fmaterials%2Fslides-100-saag-int&data
> =02%7C01%7Cdthaler%40microsoft.com%7C105f96f6b0744e2a276408d593f98cc2%
> 7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636577622384270342&sdata=
> 32qt5mT4aXYjJ9gZW%2BFRegXm4GbM%2FWlOpwh6XmnJ84I%3D&reserved=0
> er-domain-ddos-mitigations-potentials-challenges-and-solutions-min-suk
> -kang/
> 
> So, I would like to include this usecase as a target for the WG. I 
> will write a draft related to this usecase. Thanks

Wanting it to be a target and writing a draft are both orthogonal to the question of whether the work is in-charter.  (Rechartering to include it would of course be possible, through the normal
procedure...)

-Ben

> ../Sorin
> 
> -----Original Message-----
> From: Benjamin Kaduk [mailto:kaduk@mit.edu]
> Sent: Friday, March 23, 2018 8:39 AM
> To: faibish, sorin <faibish_sorin@emc.com>
> Cc: Dave Thaler <dthaler@microsoft.com>; teep <teep@ietf.org>; 
> teep-chairs@ietf.org
> Subject: Re: [Teep] IETF 101 agenda requests
> 
> Hi Sorin,
> 
> On Thu, Mar 22, 2018 at 09:26:22AM +0000, faibish, sorin wrote:
> > New proposed usecase for TEEP WG.
> > 
> > Most recently the frequency and intensity of DDoS attacks from IoT devices increased with attacks almost every day. The reason of the proliferation of DDoS attacks from IoT devices is a result of the lower and maybe inexistent security protection of cheap IoT devices that have no security features implemented as this would increase the cost of such devices using any security HW. In the current charter of TEEP there sre 3 usecases and I would like to add the protectioin against DDoS of IoT as a new usecase:
> 
> On a quick read of the charter, I don't see how this topic would be in scope -- am I missing something that would allow it?
> 
> Thanks,
> 
> Ben
> 
> _______________________________________________
> TEEP mailing list
> TEEP@ietf.org
> https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.i
> etf.org%2Fmailman%2Flistinfo%2Fteep&data=02%7C01%7Cdthaler%40microsoft
> .com%7C105f96f6b0744e2a276408d593f98cc2%7C72f988bf86f141af91ab2d7cd011
> db47%7C1%7C0%7C636577622384270342&sdata=1F4dZBFAumiRdEl7G4FYn0bO9VSzFy
> k%2BSkxW6cCfesw%3D&reserved=0

_______________________________________________
TEEP mailing list
TEEP@ietf.org
https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fteep&data=02%7C01%7Cdthaler%40microsoft.com%7C105f96f6b0744e2a276408d593f98cc2%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636577622384270342&sdata=1F4dZBFAumiRdEl7G4FYn0bO9VSzFyk%2BSkxW6cCfesw%3D&reserved=0

v2.23.0 | Report a Bug | By Email