draft-arkko-farrell-arch-model-t-03.txt   draft-arkko-farrell-arch-model-t.txt 
Network Working Group J. Arkko Network Working Group J. Arkko
Internet-Draft Ericsson Internet-Draft Ericsson
Intended status: Informational S. Farrell Intended status: Informational S. Farrell
Expires: September 10, 2020 Trinity College Dublin Expires: 13 January 2022 Trinity College Dublin
March 09, 2020 12 July 2021
Challenges and Changes in the Internet Threat Model Challenges and Changes in the Internet Threat Model
draft-arkko-farrell-arch-model-t-03 draft-arkko-farrell-arch-model-t-04
Abstract Abstract
Communications security has been at the center of many security Communications security has been at the center of many security
improvements in the Internet. The goal has been to ensure that improvements in the Internet. The goal has been to ensure that
communications are protected against outside observers and attackers. communications are protected against outside observers and attackers.
This memo suggests that the existing RFC 3552 threat model, while This memo suggests that the existing RFC 3552 threat model, while
important and still valid, is no longer alone sufficient to cater for important and still valid, is no longer alone sufficient to cater for
the pressing security and privacy issues seen on the Internet today. the pressing security and privacy issues seen on the Internet today.
skipping to change at page 1, line 46 skipping to change at page 1, line 46
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 10, 2020. This Internet-Draft will expire on 13 January 2022.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents (https://trustee.ietf.org/
(https://trustee.ietf.org/license-info) in effect on the date of license-info) in effect on the date of publication of this document.
publication of this document. Please review these documents Please review these documents carefully, as they describe your rights
carefully, as they describe your rights and restrictions with respect and restrictions with respect to this document. Code Components
to this document. Code Components extracted from this document must extracted from this document must include Simplified BSD License text
include Simplified BSD License text as described in Section 4.e of as described in Section 4.e of the Trust Legal Provisions and are
the Trust Legal Provisions and are provided without warranty as provided without warranty as described in the Simplified BSD License.
described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Observations . . . . . . . . . . . . . . . . . . . . . . . . 5 2. Observations . . . . . . . . . . . . . . . . . . . . . . . . 5
2.1. Communications Security Improvements . . . . . . . . . . 5 2.1. Communications Security Improvements . . . . . . . . . . 5
2.2. Beyond Communications Security . . . . . . . . . . . . . 6 2.2. Beyond Communications Security . . . . . . . . . . . . . 6
2.3. Examples . . . . . . . . . . . . . . . . . . . . . . . . 9 2.3. Examples . . . . . . . . . . . . . . . . . . . . . . . . 9
2.3.1. Deliberate adversarial behaviour in applications . . 9 2.3.1. Deliberate adversarial behaviour in applications . . 9
2.3.2. Inadvertent adversarial behaviours . . . . . . . . . 15 2.3.2. Inadvertent adversarial behaviours . . . . . . . . . 15
3. Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . 16 3. Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . 16
3.1. The Role of End-to-end . . . . . . . . . . . . . . . . . 16 3.1. The Role of End-to-end . . . . . . . . . . . . . . . . . 16
3.2. Trusted networks . . . . . . . . . . . . . . . . . . . . 18 3.2. Trusted networks . . . . . . . . . . . . . . . . . . . . 18
3.2.1. Even closed networks can have compromised nodes . . . 19 3.2.1. Even closed networks can have compromised nodes . . . 19
3.3. Balancing Threats . . . . . . . . . . . . . . . . . . . . 20 3.3. Balancing Threats . . . . . . . . . . . . . . . . . . . . 20
4. Areas requiring more study . . . . . . . . . . . . . . . . . 21 3.4. Checklist for Protocol Designers . . . . . . . . . . . . 20
5. Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . 25 4. Areas requiring more study . . . . . . . . . . . . . . . . . 23
6. Potential changes in BCP 72/RFC 3552 . . . . . . . . . . . . 27 5. Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . 27
6.1. Simple change . . . . . . . . . . . . . . . . . . . . . . 28 6. Security Considerations . . . . . . . . . . . . . . . . . . . 27
6.2. Additional discussion of compromises . . . . . . . . . . 29 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 27
6.3. Guidance with regards to communications security . . . . 29 8. Informative References . . . . . . . . . . . . . . . . . . . 27
6.3.1. Limiting time scope of compromise . . . . . . . . . . 29 Appendix A. Changes from previous version . . . . . . . . . . . 37
6.3.2. Forcing active attack . . . . . . . . . . . . . . . . 30 Appendix B. Contributors . . . . . . . . . . . . . . . . . . . . 37
6.3.3. Traffic analysis . . . . . . . . . . . . . . . . . . 31 Appendix C. Acknowledgements . . . . . . . . . . . . . . . . . . 37
6.3.4. Containing compromise of trust points . . . . . . . . 31 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 38
7. Potential Changes in BCP 188/RFC 7258 . . . . . . . . . . . . 32
8. Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . 32
9. Informative References . . . . . . . . . . . . . . . . . . . 33
Appendix A. Contributors . . . . . . . . . . . . . . . . . . . . 42
Appendix B. Acknowledgements . . . . . . . . . . . . . . . . . . 42
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 43
1. Introduction 1. Introduction
Communications security has been at the center of many security Communications security has been at the center of many security
improvements in the Internet. The goal has been to ensure that improvements in the Internet. The goal has been to ensure that
communications are protected against outside observers and attackers. communications are protected against outside observers and attackers.
At the IETF, this approach has been formalized in BCP 72 [RFC3552], At the IETF, this approach has been formalized in BCP 72 [RFC3552],
which defined the Internet threat model in 2003. which defined the Internet threat model in 2003.
The purpose of a threat model is to outline what threats exist in The purpose of a threat model is to outline what threats exist in
skipping to change at page 3, line 35 skipping to change at page 3, line 27
By contrast, we assume that the attacker has nearly complete By contrast, we assume that the attacker has nearly complete
control of the communications channel over which the end-systems control of the communications channel over which the end-systems
communicate. This means that the attacker can read any PDU communicate. This means that the attacker can read any PDU
(Protocol Data Unit) on the network and undetectably remove, (Protocol Data Unit) on the network and undetectably remove,
change, or inject forged packets onto the wire. change, or inject forged packets onto the wire.
However, the communications-security -only threat model is becoming However, the communications-security -only threat model is becoming
outdated. Some of the causes for this are: outdated. Some of the causes for this are:
o Success! Advances in protecting most of our communications with * Success! Advances in protecting most of our communications with
strong cryptographic means. This has resulted in much improved strong cryptographic means. This has resulted in much improved
communications security, but also highlights the need for communications security, but also highlights the need for
addressing other, remaining issues. This is not to say that addressing other, remaining issues. This is not to say that
communications security is not important, it still is: communications security is not important, it still is:
improvements are still needed. Not all communications have been improvements are still needed. Not all communications have been
protected, and even out of the already protected communications, protected, and even out of the already protected communications,
not all of their aspects have been fully protected. Fortunately, not all of their aspects have been fully protected. Fortunately,
there are ongoing projects working on improvements. there are ongoing projects working on improvements.
o Adversaries have increased their pressure against other avenues of * Adversaries have increased their pressure against other avenues of
attack, from supply-channel attacks, to compromising devices to attack, from supply-channel attacks, to compromising devices to
legal coercion of centralized endpoints in conversations. legal coercion of centralized endpoints in conversations.
o New adversaries and risks have arisen, e.g., due to creation of * New adversaries and risks have arisen, e.g., due to creation of
large centralized information sources. large centralized information sources.
o While communications-security does seem to be required to protect * While communications-security does seem to be required to protect
privacy, more is needed, especially if endpoints choose to act privacy, more is needed, especially if endpoints choose to act
against the interests of their peers or users. against the interests of their peers or users.
In short, attacks are migrating towards the currently easier targets, In short, attacks are migrating towards the currently easier targets,
which no longer necessarily include direct attacks on traffic flows. which no longer necessarily include direct attacks on traffic flows.
In addition, trading information about users and ability to influence In addition, trading information about users and ability to influence
them has become a common practice for many Internet services, often them has become a common practice for many Internet services, often
without users understanding those practices. without users understanding those practices.
This memo suggests that the existing threat model, while important This memo suggests that the existing threat model, while important
skipping to change at page 5, line 25 skipping to change at page 5, line 14
this memo, or any of the others, would be usefully published as an this memo, or any of the others, would be usefully published as an
RFC. RFC.
The rest of this memo is organized as follows. Section 2 makes some The rest of this memo is organized as follows. Section 2 makes some
observations about the situation, with respect to communications observations about the situation, with respect to communications
security and beyond. The section also provides a number of real- security and beyond. The section also provides a number of real-
world examples. world examples.
Section 3 discusses some high-level implications that can be drawn, Section 3 discusses some high-level implications that can be drawn,
such as the need to consider what the "ends" really are in an "end- such as the need to consider what the "ends" really are in an "end-
to-end" communication. to-end" communication. A checklist for issues that protocol
designers need to consider is also included.
Section 4 lists some areas where additional work is required before Section 4 lists some areas where additional work is required.
we could feel confident in crafting guidelines, whereas Section 5
presents what we think are perhaps already credible potential Possible changes to [RFC3552] are covered in a separate document, see
guidelines - both from the point of view of a system design, as well I-D.arkko-farrell-arch-model-t-3552-additions. Similarly, possible
as from the point of IETF procedures and recommended analysis changes to [RFC7258] are covered in I-D.arkko-farrell-arch-model-
procedures when designing new protocols. Section 6 and Section 7 t-7258-additions.
tentatively suggest some changes to current IETF BCPs in this space.
Comments are solicited on these and other aspects of this document. Comments are solicited on these and other aspects of this document.
The best place for discussion is on the model-t list. The best place for discussion is on the model-t list.
(https://www.ietf.org/mailman/listinfo/model-t) (https://www.ietf.org/mailman/listinfo/model-t)
Finally, Section 8 draws some conclusions for next steps. Finally, Section 5 draws some conclusions for next steps.
2. Observations 2. Observations
2.1. Communications Security Improvements 2.1. Communications Security Improvements
Being able to ask about threat model improvements is due to progress Being able to ask about threat model improvements is due to progress
already made: The fraction of Internet traffic that is already made: The fraction of Internet traffic that is
cryptographically protected has grown tremendously in the last few cryptographically protected has grown tremendously in the last few
years. Several factors have contributed to this change, from Snowden years. Several factors have contributed to this change, from Snowden
revelations to business reasons and to better available technology revelations to business reasons and to better available technology
skipping to change at page 6, line 17 skipping to change at page 6, line 6
traffic being encrypted is no longer something unthinkable but rather traffic being encrypted is no longer something unthinkable but rather
a likely outcome in a few years. a likely outcome in a few years.
At the same time, technology developments and policy choices have At the same time, technology developments and policy choices have
driven the scope of cryptographic protection from protecting only the driven the scope of cryptographic protection from protecting only the
pure payload to protecting much of the rest as well, including far pure payload to protecting much of the rest as well, including far
more header and meta-data information than was protected before. For more header and meta-data information than was protected before. For
instance, efforts are ongoing in the IETF to assist encrypting instance, efforts are ongoing in the IETF to assist encrypting
transport headers [I-D.ietf-quic-transport], server domain name transport headers [I-D.ietf-quic-transport], server domain name
information in TLS [I-D.ietf-tls-esni], and domain name queries information in TLS [I-D.ietf-tls-esni], and domain name queries
[RFC8484]. [RFC7858] [RFC8484].
There have also been improvements to ensure that the security There have also been improvements to ensure that the security
protocols that are in use actually have suitable credentials and that protocols that are in use actually have suitable credentials and that
those credentials have not been compromised, see, for instance, Let's those credentials have not been compromised, see, for instance, Let's
Encrypt [RFC8555], HSTS [RFC6797], HPKP [RFC7469], and Expect-CT Encrypt [RFC8555], HSTS [RFC6797], HPKP [RFC7469], and Expect-CT
[I-D.ietf-httpbis-expect-ct]. [I-D.ietf-httpbis-expect-ct].
This is not to say that all problems in communications security have This is not to say that all problems in communications security have
been resolved - far from it. But the situation is definitely been resolved -- far from it. But the situation is definitely
different from what it was a few years ago. Remaining issues will be different from what it was a few years ago. Remaining issues will be
and are worked on; the fight between defense and attack will also and are worked on; the fight between defense and attack will also
continue. Communications security will stay at the top of the agenda continue. Communications security will stay at the top of the agenda
in any Internet technology development. in any Internet technology development.
2.2. Beyond Communications Security 2.2. Beyond Communications Security
There are, however, significant issues beyond communications security There are, however, significant issues beyond communications security
in the Internet. To begin with, it is not necessarily clear that one in the Internet. To begin with, it is not necessarily clear that one
can trust all the endpoints in any protocol interaction. can trust all the endpoints in any protocol interaction.
skipping to change at page 7, line 17 skipping to change at page 7, line 7
some exceptions, of course, e.g., messaging applications with end-to- some exceptions, of course, e.g., messaging applications with end-to-
end confidentiality protection. end confidentiality protection.
With the growth of trading users' information by many of these third With the growth of trading users' information by many of these third
parties, it becomes necessary to take precautions against endpoints parties, it becomes necessary to take precautions against endpoints
that are compromised, malicious, or whose interests simply do not that are compromised, malicious, or whose interests simply do not
align with the interests of the users. align with the interests of the users.
Specifically, the following issues need attention: Specifically, the following issues need attention:
o Security of users' devices and the ability of the user to control * Security of users' devices and the ability of the user to control
their own equipment. their own equipment.
o Leaks and attacks related to data at rest. * Leaks and attacks related to data at rest.
o Coercion of some endpoints to reveal information to authorities or * Coercion of some endpoints to reveal information to authorities or
surveillance organizations, sometimes even in an extra-territorial surveillance organizations, sometimes even in an extra-territorial
fashion. fashion.
o Application design patterns that result in cleartext information * Application design patterns that result in cleartext information
passing through a third party or the application owner. passing through a third party or the application owner.
o Involvement of entities that have no direct need for involvement * Involvement of entities that have no direct need for involvement
for the sake of providing the service that the user is after. for the sake of providing the service that the user is after.
o Network and application architectures that result in a lot of * Network and application architectures that result in a lot of
information collected in a (logically) central location. information collected in a (logically) central location.
o Leverage and control points outside the hands of the users or end- * Leverage and control points outside the hands of the users or end-
user device owners. user device owners.
For instance, while e-mail transport security [RFC7817] has become For instance, while e-mail transport security [RFC7817] has become
much more widely deployed in recent years, progress in securing much more widely deployed in recent years, progress in securing
e-mail messages between users has been much slower. This has lead to e-mail messages between users has been much slower. This has lead to
a situation where e-mail content is considered a critical resource by a situation where e-mail content is considered a critical resource by
some mail service providers who use the content for machine learning, some mail service providers who use the content for machine learning,
advertisement targeting, and other purposes unrelated to message advertisement targeting, and other purposes unrelated to message
delivery. Equally however, it is unclear how some useful anti-spam delivery. Equally however, it is unclear how some useful anti-spam
techniques could be deployed in an end-to-end encrypted mail universe techniques could be deployed in an end-to-end encrypted mail universe
skipping to change at page 11, line 49 skipping to change at page 11, line 35
may be sufficiently small that, coupled with other data, this yields may be sufficiently small that, coupled with other data, this yields
a unique, per-user identifier. Fingerprinting of this type is more a unique, per-user identifier. Fingerprinting of this type is more
prevalent on systems and platforms where data-set features are prevalent on systems and platforms where data-set features are
flexible, such as desktops, where plugins are more commonly in use. flexible, such as desktops, where plugins are more commonly in use.
Fingerprinting prevention is an active research area; see [Boix2018] Fingerprinting prevention is an active research area; see [Boix2018]
for more information. for more information.
Other types of tracking linked to web tracking Other types of tracking linked to web tracking
Third party web tracking is not the only concern. An obvious Third party web tracking is not the only concern. An obvious
tracking danger exists also in popular ecosystems - such as social tracking danger exists also in popular ecosystems -- such as social
media networks - that house a large part of many users' online media networks -- that house a large part of many users' online
existence. There is no need for a third party to track the user's existence. There is no need for a third party to track the user's
browsing as all actions are performed within a single site, where browsing as all actions are performed within a single site, where
most messaging, viewing, and sharing activities happen. most messaging, viewing, and sharing activities happen.
Browsers themselves or services used by the browser can also become a Browsers themselves or services used by the browser can also become a
potential source of tracking users. For instance, the URL/search bar potential source of tracking users. For instance, the URL/search bar
service may leak information about the user's actions to a search service may leak information about the user's actions to a search
provider via an "autocomplete" feature. [Leith2020] provider via an "autocomplete" feature. [Leith2020]
Tracking through users' IP addresses or DNS queries is also a danger. Tracking through users' IP addresses or DNS queries is also a danger.
skipping to change at page 15, line 38 skipping to change at page 15, line 27
2.3.2. Inadvertent adversarial behaviours 2.3.2. Inadvertent adversarial behaviours
Not all adversarial behaviour by applications is deliberate, some is Not all adversarial behaviour by applications is deliberate, some is
likely due to various levels of carelessness (some quite likely due to various levels of carelessness (some quite
understandable, others not) and/or due to erroneous assumptions about understandable, others not) and/or due to erroneous assumptions about
the environments in which those applications (now) run. the environments in which those applications (now) run.
We very briefly list some such cases: We very briefly list some such cases:
o Application abuse for command and control, for example, use of IRC * Application abuse for command and control, for example, use of IRC
or apache logs for [CommandAndControl] or apache logs for [CommandAndControl]
o Carelessly leaky data stores [LeakyBuckets], for example, lots of * Carelessly leaky data stores [LeakyBuckets], for example, lots of
Amazon S3 leaks showing that careless admins can too easily cause Amazon S3 leaks showing that careless admins can too easily cause
application server data to become available to adversaries application server data to become available to adversaries
o Virtualisation exposing secrets, for example, Meltdown and Spectre * Virtualisation exposing secrets, for example, Meltdown and Spectre
[MeltdownAndSpectre] [Kocher2019] [Lipp2018] and other similar [MeltdownAndSpectre] [Kocher2019] [Lipp2018] and other similar
side-channel attacks. side-channel attacks.
o Compromised badly-maintained web sites, that for example, have led * Compromised badly-maintained web sites, that for example, have led
to massive online [Passwords]. to massive online [Passwords].
o Supply-chain attacks, for example, the [TargetAttack] or malware * Supply-chain attacks, for example, the [TargetAttack] or malware
within pre-installed applications on Android phones [Bloatware]. within pre-installed applications on Android phones [Bloatware].
o Breaches of major service providers, that many of us might have * Breaches of major service providers, that many of us might have
assumed would be sufficiently capable to be the best large-scale assumed would be sufficiently capable to be the best large-scale
"Identity providers", for example: "Identity providers", for example:
* 3 billion accounts: https://www.wired.com/story/yahoo-breach- - 3 billion accounts: https://www.wired.com/story/yahoo-breach-
three-billion-accounts/ three-billion-accounts/
* "up to 600M" account passwords stored in clear: - "up to 600M" account passwords stored in clear:
https://www.pcmag.com/news/367319/facebook-stored-up-to-600m- https://www.pcmag.com/news/367319/facebook-stored-up-to-600m-
user-passwords-in-plain-text user-passwords-in-plain-text
* many millions at risk: https://www.zdnet.com/article/us-telcos- - many millions at risk: https://www.zdnet.com/article/us-telcos-
caught-selling-your-location-data-again-senator-demands-new- caught-selling-your-location-data-again-senator-demands-new-
laws/ laws/
* 50 million accounts: https://www.cnet.com/news/facebook-breach- - 50 million accounts: https://www.cnet.com/news/facebook-breach-
affected-50-million-people/ affected-50-million-people/
* 14 million accounts: https://www.zdnet.com/article/millions- - 14 million accounts: https://www.zdnet.com/article/millions-
verizon-customer-records-israeli-data/ verizon-customer-records-israeli-data/
* "hundreds of thousands" of accounts: - "hundreds of thousands" of accounts:
https://www.wsj.com/articles/google-exposed-user-data-feared- https://www.wsj.com/articles/google-exposed-user-data-feared-
repercussions-of-disclosing-to-public-1539017194 repercussions-of-disclosing-to-public-1539017194
* unknown numbers, some email content exposed: - unknown numbers, some email content exposed:
https://motherboard.vice.com/en_us/article/ywyz3x/hackers- https://motherboard.vice.com/en_us/article/ywyz3x/hackers-
could-read-your-hotmail-msn-outlook-microsoft-customer-support could-read-your-hotmail-msn-outlook-microsoft-customer-support
o Breaches of smaller service providers: Too many to enumerate, * Breaches of smaller service providers: Too many to enumerate,
sadly sadly
3. Analysis 3. Analysis
3.1. The Role of End-to-end 3.1. The Role of End-to-end
[RFC1958] notes that "end-to-end functions can best be realised by [RFC1958] notes that "end-to-end functions can best be realised by
end-to-end protocols": end-to-end protocols":
The basic argument is that, as a first principle, certain required The basic argument is that, as a first principle, certain required
skipping to change at page 20, line 40 skipping to change at page 20, line 27
the security of many interesting real-world systems now commonly the security of many interesting real-world systems now commonly
needs to include cross-component attacks, e.g., the use of car radios needs to include cross-component attacks, e.g., the use of car radios
and other externally communicating devices as part of attacks and other externally communicating devices as part of attacks
launched against the control components such as brakes in a car launched against the control components such as brakes in a car
[Savage]. [Savage].
3.3. Balancing Threats 3.3. Balancing Threats
Note that not all information needs to be protected, and not all Note that not all information needs to be protected, and not all
threats can be protected against. But it is important that the main threats can be protected against. But it is important that the main
threats are understood and protected against. threats are understood and protected against. Nothing is this
document should be taken as a blanket reason to provide no
information to anyone, or (impractically) insist on encrypting
everything, or other extreme measures. But designers should be
informed about the trade-offs they make.
Sometimes there are higher-level mechanisms that provide safeguards Sometimes there are higher-level mechanisms that provide safeguards
for failures. For instance, it is very difficult in general to for failures. For instance, it is very difficult in general to
protect against denial-of-service against compromised nodes on a protect against denial-of-service against compromised nodes on a
communications path. However, it may be possible to detect that a communications path. However, it may be possible to detect that a
service has failed. service has failed.
Another example is from packet-carrying networks. Payload traffic Another example is from packet-carrying networks. Payload traffic
that has been properly protected with encryption does not provide that has been properly protected with encryption does not provide
much value to an attacker. For instance, it does not always make much value to an attacker. For instance, it does not always make
sense to encrypt every packet transmission in a packet-carrying sense to encrypt every packet transmission in a packet-carrying
system where the traffic is already encrypted at other layers. But system where the traffic is already encrypted at other layers. But
it almost always makes sense to protect control communications and to it almost always makes sense to protect control communications and to
understand the impacts of compromised nodes, particularly control understand the impacts of compromised nodes, particularly control
nodes. nodes.
3.4. Checklist for Protocol Designers
The following topics are thought to be generally important for
protocol designers to take into account:
1. Consider first principles in protecting information and systems,
rather than following a specific pattern such as protecting
information in a particular way or only at a particular protocol
layer. It is necessary to understand what assets there are, what
components can be compromised, where interests may or may not be
aligned, and what parties have a legitimate role in being a party
to a specific information or a control task.
2. Once you have an asset, do not pass it onto others without
serious consideration. In other words, minimize information
passed to others to guard against the potential compromise of
that party. As recommended in [RFC6973] data minimisation and
additional encryption can be helpful - if applications don't ever
see data, or a cleartext form of data, then they should have a
harder time misbehaving. Similarly, not defining new long-term
identifiers, and not exposing existing ones, help in minimising
risk.
3. Consider avoiding centralized resources. While centralized
components, resources, and functions are often simplest
deployment models, there can be issues associated with them, for
example meta-data leakage. Consider also how you depend on
infrastructure, such as DNS or BGP, and analyse potential
outcomes in the event that the relevant infrastructure has been
compromised (see, e.g., [DeepDive]). Similarly, minimize passing
of control functions to others. Designers should balance the
benefits of centralized resources or control points against the
threats arising. If it is not possible to avoid, find a way to
allow the centralized resources to be selectable, depending on
context and user settings. As [RFC3935] says: " We embrace
technical concepts such as decentralized control, edge-user
empowerment and sharing of resources, because those concepts
resonate with the core values of the IETF community."
4. Consider treating parties with which your protocol endpoints
interact with suspicion, even if the communications are
encrypted. Other endpoints may misuse any information or control
opportunity in the communication. Similarly, even endpoints
within your own system need to be treated with suspicion, as some
may become compromised. For instance, consider performing end-
to-end protection via other parties: Information passed via
another party who does not intrinsically need the information to
perform its function should be protected end-to-end to its
intended recipient. This holds equally for sending TCP/IP
packets, TLS connections, or application-layer interactions. As
[RFC8546] notes, it is a useful design rule to avoid "accidental
invariance" (the deployment of on-path devices that over-time
start to make assumptions about protocols). However, it is also
a necessary security design rule to avoid "accidental disclosure"
where information originally thought to be benign and untapped
over-time becomes a significant information leak. This guideline
can also be applied for different aspects of security, e.g.,
confidentiality and integrity protection, depending on what the
specific need for information is in the other parties. Of
course, depending on the situation end-to-end protection may have
key management implications; this may not be possible in all
situations.
5. Consider abuse-cases. Protocol developers are typically most
interested in a few specific use-cases for which they need
solutions. Expanding the threat model to consider adversarial
behaviours [AbuseCases] calls for significant attention to be
paid to potential abuses of whatever new or re-purposed
technology is being considered.
6. Consider recovery from compromise or attack during protocol
design - all widely used protocols will at some time be subject
to successful attack, whether that is due to deployment or
implementation error, or, less commonly, due to protocol design
flaws. For example, recent work on multiparty messaging security
primitives [I-D.ietf-mls-architecture] considers "post-compromise
security" as an inherent part of the design of that protocol.
7. Consider linkability. As discussed in [RFC6973] the ability to
link or correlate different protocol messages with one another,
or with external sources of information (e.g. public or private
databases) can create privacy or security issues. As an example,
re-use of TLS session tickets can enable an observer to associate
multiple TLS sessions regardless of changes in source or
destination addressing, which may reduce privacy or help a bad
actor in targeting an attack. The same effects may result
regardless of how protocol exchanges can be linked to one
another. Protocol designs that aim to prevent such linkage may
produce have fewer unexpected or unwanted side-effects when
deployed.
8. Consider the nature of modern protocol implementations. Protocol
endpoints are commonly no longer executed on what used be
understood as a host system. [StackEvo] The web and Javascript
model clearly differs from traditional host models, but so do
many server-side deployments, thanks to virtualisation. At
protocol design time assume that all endpoints will be run in
virtualised environments where co-tenants and (sometimes)
hypervisors are adversaries, and then analyse such scenarios.
4. Areas requiring more study 4. Areas requiring more study
In addition to the guidelines in (Section 5), we suggest there may be There may be value in further study on the topics below, with the
value in further study on the topics below, with the goal of goal of producing new tools to counter attacks and provide additional
producing more concrete guidelines. guidance for protocol designers.
1. Isolation: Sophisticated users can sometimes deal with 1. Update the BCP for threat models and security considerations It
may be time for the IETF to extend [RFC3552] to cover additional
issues. See also I-D.arkko-farrell-arch-model-t-3552-additions.
2. Update the BCP about pervasive monitoring It may be time for the
IETF to extend [RFC7258] to cover additional issues. See also
I-D.arkko-farrell-arch-model-t-7258-additions.
3. Develop a BCP for privacy considerations: It may be time for the
IETF to develop a BCP for privacy considerations, possibly
starting from [RFC6973].
4. Isolation: Sophisticated users can sometimes deal with
adversarial behaviours in applications by using different adversarial behaviours in applications by using different
instances of those applications, for example, differently instances of those applications, for example, differently
configured web browsers for use in different contexts. configured web browsers for use in different contexts.
Applications (including web browsers) and operating systems are Applications (including web browsers) and operating systems are
also building in isolation via use of different processes or also building in isolation via use of different processes or
sandboxing. Protocol artefacts that relate to uses of such sandboxing. Protocol artefacts that relate to uses of such
isolation mechanisms might be worth considering. To an extent, isolation mechanisms might be worth considering. To an extent,
the IETF has in practice already recognised some of these issues the IETF has in practice already recognised some of these issues
as being in-scope, e.g. when considering the linkability issues as being in-scope, e.g. when considering the linkability issues
with mechanisms such as TLS session tickets, or QUIC connection with mechanisms such as TLS session tickets, or QUIC connection
identifiers. identifiers.
2. Controlling Tracking: Web browsers have a central role in terms 5. Controlling Tracking: Web browsers have a central role in terms
of the deployment of anti-tracking technologies. A number of of the deployment of anti-tracking technologies. A number of
browsers have started adding these technologies [Mozilla2019] browsers have started adding these technologies [Mozilla2019]
but this is a rapidly moving field, so is difficult to fully but this is a rapidly moving field, so is difficult to fully
characterize in this memo. The mechanisms used can be as simple characterize in this memo. The mechanisms used can be as simple
as blocking communication with known trackers, or more complex, as blocking communication with known trackers, or more complex,
such identifying trackers and suppressing their ability to store such identifying trackers and suppressing their ability to store
and access cookies and other state. Browsers may also treat and access cookies and other state. Browsers may also treat
each third party load on different first party sites as a each third party load on different first party sites as a
different context, thereby isolating cookies and other state, different context, thereby isolating cookies and other state,
such as TLS layer information (this technique is called "Double such as TLS layer information (this technique is called "Double
Keying" [DoubleKey]). The further development of browser-based Keying" [DoubleKey]). The further development of browser-based
anti-tracking technology is important, but it is also important anti-tracking technology is important, but it is also important
to ensure that browsers themselves do not themselves enable new to ensure that browsers themselves do not themselves enable new
data collection points, e.g., via search, DNS, or other data collection points, e.g., via search, DNS, or other
functions. functions.
3. Transparency: Certificate transparency (CT) [RFC6962] has been 6. Transparency: Certificate transparency (CT) [RFC6962] has been
an effective countermeasure for X.509 certificate mis-issuance, an effective countermeasure for X.509 certificate mis-issuance,
which used be a known application layer misbehaviour in the which used be a known application layer misbehaviour in the
public web PKI. CT can also help with post-facto detection of public web PKI. CT can also help with post-facto detection of
some infrastructure attacks where BGP or DNS weaknesses have some infrastructure attacks where BGP or DNS weaknesses have
been leveraged so that some certification authority is tricked been leveraged so that some certification authority is tricked
into issuing a certificate for the wrong entity. While the into issuing a certificate for the wrong entity. While the
context in which CT operates is very constrained (essentially to context in which CT operates is very constrained (essentially to
the public CAs trusted by web browsers), similar approaches the public CAs trusted by web browsers), similar approaches
could perhaps be useful for other protocols or technologies. In could perhaps be useful for other protocols or technologies. In
addition, legislative requirements such as those imposed by the addition, legislative requirements such as those imposed by the
GDPR [GDPRAccess] could lead to a desire to handle internal data GDPR [GDPRAccess] could lead to a desire to handle internal data
structures and databases in ways that are reminiscent of CT, structures and databases in ways that are reminiscent of CT,
though clearly with significant authorisation being required and though clearly with significant authorisation being required and
without the append-only nature of a CT log. without the append-only nature of a CT log.
4. Same-Origin Policy: The Same-Origin Policy (SOP) [RFC6454] 7. Same-Origin Policy: The Same-Origin Policy (SOP) [RFC6454]
perhaps already provides an example of how going beyond the RFC perhaps already provides an example of how going beyond the RFC
3552 threat model can be useful. Arguably, the existence of the 3552 threat model can be useful. Arguably, the existence of the
SOP demonstrates that at least web browsers already consider the SOP demonstrates that at least web browsers already consider the
3552 model as being too limited. (Clearly, differentiating 3552 model as being too limited. (Clearly, differentiating
between same and not-same origins implicitly assumes that some between same and not-same origins implicitly assumes that some
origins are not as trustworthy as others.) origins are not as trustworthy as others.)
5. Greasing: The TLS protocol [RFC8446] now supports the use of 8. Greasing: The TLS protocol [RFC8446] now supports the use of
GREASE [I-D.ietf-tls-grease] as a way to mitigate on-path GREASE [I-D.ietf-tls-grease] as a way to mitigate on-path
ossification. While this technique is not likely to prevent any ossification. While this technique is not likely to prevent any
deliberate misbehaviours, it may provide a proof-of-concept that deliberate misbehaviours, it may provide a proof-of-concept that
network protocol mechanisms can have impact in this space, if we network protocol mechanisms can have impact in this space, if we
spend the time to try analyse the incentives of the various spend the time to try analyse the incentives of the various
parties. parties.
6. Generalise OAuth Threat Model: The OAuth threat model [RFC6819] 9. Generalise OAuth Threat Model: The OAuth threat model [RFC6819]
provides an extensive list of threats and security provides an extensive list of threats and security
considerations for those implementing and deploying OAuth considerations for those implementing and deploying OAuth
version 2.0 [RFC6749]. It could be useful to attempt to derive version 2.0 [RFC6749]. It could be useful to attempt to derive
a more abstract threat model from that RFC that considers a more abstract threat model from that RFC that considers
threats in more generic multi-party contexts. That document is threats in more generic multi-party contexts. That document is
perhaps too detailed to serve as useful generic guidance but perhaps too detailed to serve as useful generic guidance but
does go beyond the Internet threat model from RFC3552, for does go beyond the Internet threat model from RFC3552, for
example it says: example it says:
two of the three parties involved in the OAuth protocol may two of the three parties involved in the OAuth protocol may
collude to mount an attack against the 3rd party. For collude to mount an attack against the 3rd party. For
example, the client and authorization server may be under example, the client and authorization server may be under
control of an attacker and collude to trick a user to gain control of an attacker and collude to trick a user to gain
access to resources. access to resources.
7. Look again at how well we're securing infrastructure: Some 10. Look again at how well we're securing infrastructure: Some
attacks (e.g. against DNS or routing infrastructure) appear to attacks (e.g. against DNS or routing infrastructure) appear to
benefit from current infrastructure mechanisms not being benefit from current infrastructure mechanisms not being
deployed, e.g. DNSSEC, RPKI. In the case of DNSSEC, deployment deployed, e.g. DNSSEC, RPKI. In the case of DNSSEC, deployment
is still minimal despite much time having elapsed. This is still minimal despite much time having elapsed. This
suggests a number of different possible avenues for suggests a number of different possible avenues for
investigation: investigation:
* For any protocol dependent on infrastructure like DNS or BGP, * For any protocol dependent on infrastructure like DNS or BGP,
we ought analyse potential outcomes in the event the relevant we ought analyse potential outcomes in the event the relevant
infrastructure has been compromised infrastructure has been compromised
* Protocol designers perhaps ought consider post-facto * Protocol designers perhaps ought consider post-facto
detection compromise mechanisms in the event that it is detection compromise mechanisms in the event that it is
infeasible to mitigate attacks on infrastructure that is not infeasible to mitigate attacks on infrastructure that is not
under local control under local control
* Despite the sunk costs, it may be worth re-considering * Despite the sunk costs, it may be worth re-considering
infrastructure security mechanisms that have not been infrastructure security mechanisms that have not been
deployed, and hence are ineffective. deployed, and hence are ineffective.
8. Trusted Computing: Various trusted computing mechanisms allow 11. Trusted Computing: Various trusted computing mechanisms allow
placing some additional trust on a particular endpoint. This placing some additional trust on a particular endpoint. This
can be useful to address some of the issues in this memo: can be useful to address some of the issues in this memo:
* A network manager of a set of devices may be assured that the * A network manager of a set of devices may be assured that the
devices have not been compromised. devices have not been compromised.
* An outside party may be assured that someone who runs a * An outside party may be assured that someone who runs a
device employs a particular software installation in that device employs a particular software installation in that
device, and that the software runs in a protected device, and that the software runs in a protected
environment. environment.
skipping to change at page 23, line 47 skipping to change at page 26, line 7
[I-D.taddei-smart-cless-introduction] [I-D.taddei-smart-cless-introduction]
[I-D.mcfadden-smart-endpoint-taxonomy-for-cless]). And of [I-D.mcfadden-smart-endpoint-taxonomy-for-cless]). And of
course, a trusted computing may be set up and controlled by a course, a trusted computing may be set up and controlled by a
party that itself is not trusted; a client that contacts a party that itself is not trusted; a client that contacts a
server that the server's owner runs in a trusted computing server that the server's owner runs in a trusted computing
setting does not change the fact that the client and the setting does not change the fact that the client and the
server's owner may have different interests. As a result, there server's owner may have different interests. As a result, there
is a need to prepare for the possibility that another party in a is a need to prepare for the possibility that another party in a
communication is not entirely trusted. communication is not entirely trusted.
9. Trust Boundaries: Traditional forms of communication equipment 12. Trust Boundaries: Traditional forms of communication equipment
have morphed into today's virtualized environments, where new have morphed into today's virtualized environments, where new
trust boundaries exist, e.g., between different virtualisation trust boundaries exist, e.g., between different virtualisation
layers. And an application might consider itself trusted while layers. And an application might consider itself trusted while
not entirely trusting the underlying operating system. A not entirely trusting the underlying operating system. A
browser application wants to protect itself against Javascript browser application wants to protect itself against Javascript
loaded from a website, while the website considers itself and loaded from a website, while the website considers itself and
the Javascript an application that it wants to protect from the the Javascript an application that it wants to protect from the
browser. In general, there are multiple parties even in a browser. In general, there are multiple parties even in a
single device, with differing interests, including some that single device, with differing interests, including some that
have (or claim to) the interest of the human user in mind. have (or claim to) the interest of the human user in mind.
10. Develop a BCP for privacy considerations: It may be time for the 13. Re-consider protocol design "lore": It could be that this
IETF to develop a BCP for privacy considerations, possibly
starting from [RFC6973].
11. Re-consider protocol design "lore": It could be that this
discussion demonstrates that it is timely to reconsider some discussion demonstrates that it is timely to reconsider some
protocol design "lore" as for example is done in protocol design "lore" as for example is done in
[I-D.iab-protocol-maintenance]. More specifically, protocol [I-D.iab-protocol-maintenance]. More specifically, protocol
extensibility mechanisms may inadvertently create vectors for extensibility mechanisms may inadvertently create vectors for
abuse-cases, given that designers cannot fully analyse their abuse-cases, given that designers cannot fully analyse their
impact at the time a new protocol is defined or standardised. impact at the time a new protocol is defined or standardised.
One might conclude that a lack of extensibility could be a One might conclude that a lack of extensibility could be a
virtue for some new protocols, in contrast to earlier virtue for some new protocols, in contrast to earlier
assumptions. As pointed out by one commenter though, people can assumptions. As pointed out by one commenter though, people can
find ways to extend things regardless, if they feel the need. find ways to extend things regardless, if they feel the need.
12. Consider the user perspective: [I-D.nottingham-for-the-users] 14. Consider the potentially different defences against commercial
data collection and surveillance. There are similarities in
these activities. Tracking for commercial information
collection may also have an indirect impact on making accidental
data leaks or surveillance more feasible, given the data that
exists about users. However, the defences are likely still
different, given that the defending and attacking parties are
different.
15. Consider the user perspective: [I-D.nottingham-for-the-users]
argues that, in relevant cases where there are conflicting argues that, in relevant cases where there are conflicting
requirements, the "IETF considers end users as its highest requirements, the "IETF considers end users as its highest
priority concern." Doing so seems consistent with the expanded priority concern." Doing so seems consistent with the expanded
threat model being argued for here, so may indicate that a BCP threat model being argued for here, so may indicate that a BCP
in that space could also be useful. in that space could also be useful.
13. Have explicit agreements: When users and their devices provide 16. Explicit agreements: When users and their devices provide
information to network entities, it would be beneficial to have information to network entities, it would perhaps be beneficial
an opportunity for the users to state their requirements to have an opportunity for the users to state their requirements
regarding the use of the information provided in this way. regarding the use of the information provided in this way.
While the actual use of such requirements and the willingness of While the actual use of such requirements and the willingness of
network entities to agree to them remains to be seen, at the network entities to agree to them remains to be seen, at the
moment even the technical means of doing this are limited. For moment even the technical means of doing this are limited. For
instance, it would be beneficial to be able to embed usage instance, it would be beneficial to be able to embed usage
requirements within popular data formats. requirements within popular data formats.
As appropriate, users should be made aware of the choices made As appropriate, users could be made aware of the choices and
in a particular design, and avoid designs or products that policies offered.
protect against some threats but are wide open to other serious
issues. (SF doesn't know what that last bit means;-)
14. Perform end-to-end protection via other parties: Information
passed via another party who does not intrinsically need the
information to perform its function should be protected end-to-
end to its intended recipient. This guideline is general, and
holds equally for sending TCP/IP packets, TLS connections, or
application-layer interactions. As [RFC8546] notes, it is a
useful design rule to avoid "accidental invariance" (the
deployment of on-path devices that over-time start to make
assumptions about protocols). However, it is also a necessary
security design rule to avoid "accidental disclosure" where
information originally thought to be benign and untapped over-
time becomes a significant information leak. This guideline can
also be applied for different aspects of security, e.g.,
confidentiality and integrity protection, depending on what the
specific need for information is in the other parties.
The main reason that further study is needed here is that the
key management consequences can be significant here - once one
enters into a multi-party world, securely managing keys for all
entities can be so burdonsome that deployment just doesn't
happen.
5. Guidelines
As [RFC3935] says:
We embrace technical concepts such as decentralized control, edge-
user empowerment and sharing of resources, because those concepts
resonate with the core values of the IETF community.
To be more specific, this memo suggests the following guidelines for
protocol designers:
1. Consider first principles in protecting information and systems,
rather than following a specific pattern such as protecting
information in a particular way or only at a particular protocol
layer. It is necessary to understand what components can be
compromised, where interests may or may not be aligned, and what
parties have a legitimate role in being a party to a specific
information or a control task.
2. Consider how you depend on infrastructure. For any protocol
directly or indirectly dependent on infrastructure like DNS or
BGP, analyse potential outcomes in the event that the relevant
infrastructure has been compromised. Such attacks occur in the
wild. [DeepDive]
3. Protocol endpoints are commonly no longer executed on what used
be understood as a host system. [StackEvo] The web and
Javascript model clearly differs from traditional host models,
but so do many server-side deployments, thanks to
virtualisation. At protocol design time assume that all
endpoints will be run in virtualised environments where co-
tenants and (sometimes) hypervisors are adversaries, and then
analyse such scenarios.
4. Once you have something, do not pass it onto others without
serious consideration. In other words, minimize information
passed to others to guard against the potential compromise of
that party. As recommended in [RFC6973] data minimisation and
additional encryption can be helpful - if applications don't
ever see data, or a cleartext form of data, then they should
have a harder time misbehaving. Similarly, not defining new
long-term identifiers, and not exposing existing ones, help in
minimising risk.
5. Minimize passing of control functions to others. Any passing of
control functions to other parties should be minimized to guard
against the potential misuse of those control functions. This
applies to both technical (e.g., nodes that assign resources)
and process control functions (e.g., the ability to allocate
number or develop extensions). Control functions of all kinds
can become a matter of contention and power struggle, even in
cases where their actual function is minimal, as we saw with the
IANA transition debates.
6. Where possible, avoid centralized resources. While centralized
components, resources, and functions are often simpler, there
can be grave issues associated with them, for example meta-data
leakage. Designers should balance the benefits of centralized
resources or control points against the threats arising. If it
is not possible to avoid, find a way to allow the centralized
resources to be selectable, depending on context and user
settings.
7. Treat parties with which your protocol endpoints interact with
suspicion, even if the communications are encrypted. Other
endpoints may misuse any information or control opportunity in
the communication. Similarly, even endpoints within your own
system need to be treated with suspicion, as some may become
compromised.
8. Consider abuse-cases. Protocol developers are typically most
interested in a few specific use-cases for which they need
solutions. Expanding the threat model to consider adversarial
behaviours [AbuseCases] calls for significant attention to be
paid to potential abuses of whatever new or re-purposed
technology is being considered.
9. Consider recovery from compromse or attack during protocol
design - all widely used protocols will at some time be subject
to successful attack, whether that is due to deployment or
implementation error, or, less commonly, due to protocol design
flaws. For example, recent work on multiparty messaging
security primitives [I-D.ietf-mls-architecture] considers "post-
compromise security" as an inherent part of the design of that
protocol.
10. Consider linkability. As discussed in [RFC6973] the ability to
link or correlate different protocol messages with one another,
or with external sources of information (e.g. public or private
databases) can create privacy or security issues. As an
example, re-use of TLS session tickets can enable an observer to
associate multiple TLS sessions regardless of changes in source
or destination addressing, which may reduce privacy or help a
bad actor in targeting an attack. The same effects may result
regardless of how protocol exchanges can be linked to one
another. Protocol designs that aim to prevent such linkage may
produce have fewer unexpected or unwanted side-effects when
deployed.
But when applying these guidelines, don't take this as blanket reason
to provide no information to anyone, or (impractically) insist on
encrypting everything, or other extreme measures. Designers need to
be aware of the different threats facing their system, and deal with
the most serious ones (of which there are typically many) within
their applicable resource constraints.
6. Potential changes in BCP 72/RFC 3552
BCP 72/RFC 3553 [RFC3552] defines an "Internet Threat Model" and
provides guidance on writing Security Considerations sections in
other RFCs.
[RFC3552] also provided a description of classic issues for the
development of communications security protocols. However, in the
nearly 20 years since the publication of RFC 3552, the practice of
protocol design has moved on to a fair extent.
It is important to note that BCP 72 is (or should be:-) used by all
IETF participants when developing protocols. Potential changes to
RFC 3552 therefore need to be brief - IETF participants cannot in
general be expected to devote huge amounts of time to developing
their security considerations text. Potential changes also need to
be easily understood as IETF participants from all backgrounds need
to be able to use BCP 72.
In this section we provide a few initial suggested changes to BCP 72
that will need to be further developed as part of this work. (For
example, it may be possible to include some of the guidelines from
Section 5 as those are further developed.)
There are a range of possible updates. We could propose adding a
simple observation (Section 6.1), or additionally propose further
discussion about endpoint compromises and the need for system-level
security analysis (Section 6.2).
Another possibility would be to add more guidance covering areas of
concern, and recommendations of broadly-applicable techniques to use.
One suggestion (due to others) for such material is provided in
Section 6.3.
The authors of this memo believe that any updates to RFC 3552 should
be relatively high-level and short. Additional documents may be
needed to provide further detail.
6.1. Simple change
This is the simple addition we are suggesting. As evidenced in the
OAuth quote in Section 4 - it can be useful to consider the effect of
compromised endpoints on those that are not compromised. It may
therefore be interesting to consider the consequences that would
follow from a change to [RFC3552] that recognises how the landscape
has changed since 2003.
One initial, draft proposal for such a change could be:
OLD:
In general, we assume that the end-systems engaging in a protocol
exchange have not themselves been compromised. Protecting against
an attack when one of the end-systems has been compromised is
extraordinarily difficult. It is, however, possible to design
protocols which minimize the extent of the damage done under these
circumstances.
NEW:
In general, we assume that the end-system engaging in a protocol
exchange has not itself been compromised. Protecting against an
attack of a protocol implementation itself is extraordinarily
difficult. It is, however, possible to design protocols which
minimize the extent of the damage done when the other parties in a
protocol become compromised or do not act in the best interests
the end-system implementing a protocol.
6.2. Additional discussion of compromises
The following new section could be added to discuss the capabilities
required to mount an attack:
NEW:
3.x. Other endpoint compromise
In this attack, the other endpoints in the protocol become
compromised. As a result, they can, for instance, misuse any
information that the end-system implementing a protocol has sent
to the compromised endpoint.
System and architecture aspects definitely also need more attention
from Internet technology developers and standards organizations.
Here is one possible addition:
NEW:
The design of any Internet technology should start from an
understanding of the participants in a system, their roles, and
the extent to which they should have access to information and
ability to control other participants.
6.3. Guidance with regards to communications security
The following discusses some of the aspects that should be considered
when designing a communications security protocol that are not
covered in detail in RFC 3552.
6.3.1. Limiting time scope of compromise
[RFC3552] Section 3 says:
The Internet environment has a fairly well understood threat
model. In general, we assume that the end-systems engaging in a
protocol exchange have not themselves been compromised.
Protecting against an attack when one of the end-systems has been
compromised is extraordinarily difficult. It is, however,
possible to design protocols which minimize the extent of the
damage done under these circumstances.
Although this text is technically correct, modern protocol designs
such as TLS 1.3 and MLS often try to provide a fair amount of defense
against various kinds of temporary compromise. Specifically:
NEW:
Forward Security: Many protocols are designed so that compromise
of an endpoint at time T does not lead to compromise of data
transmitted prior to some time T' < T. For instance, if a
protocol is based on Diffie-Hellman key establishment, then
compromise of the long-term keys does not lead to compromise of
traffic sent prior to compromise if the DH ephemerals and traffic
keys have been deleted.
Post-Compromise Security: Conversely, if an endpoint is
compromised at time T, it is often desirable to have the protocol
"self-heal" so that a purely passive adversary cannot access
traffic after a certain time T' > T. MLS, for instance, is
designed with this property.
Containing Partial Authentication Key Compromise: If an endpoint
is stolen and its authentication secret is stolen, then an
attacker can impersonate that endpoint. However, there a number
of scenarios in which an attacker can obtain use of an
authentication key but not the secret itself (see, for instance
[Jager2015]). It is often desirable to limit the impact of such
compromises (for instance, by avoiding unlimited delegation from
such keys).
Short-lived keys: Typical TLS certificates last for months or
years. There is a trend towards shorter certificate lifetimes so
as to minimize risk of exposure in the event of key compromise.
Relatedly, delegated credentials are short-lived keys the
certificate's owner has delegated for use in TLS. These help
reduce private key lifetimes without compromising or sacrificing
reliability.
6.3.2. Forcing active attack
[RFC3552] Section 3.2 notes that it is important to consider passive
attacks. This is still valid, but needs further elaboration:
NEW:
In general, it is much harder to mount an active attack, both in
terms of the capabilities required and the chance of being
detected. A theme in recent IETF protocols design is to build
systems which might have limited defense against active attackers
but are strong against passive attackers, thus forcing the
attacker to go active.
Examples include DTLS-SRTP and the trend towards opportunistic
security. However, ideally protocols are built with strong defenses
against active attackers. One prominent example is QUIC, which takes
steps to ensure that off-path connection resets are intractable in
practice.
6.3.3. Traffic analysis
[RFC3552] Section 3.2.1 describes how the absence of TLS or other
transport-layer encryption may lead to obvious confidentiality
violations against passive attackers. This too is still valid, but
does not take into account additional aspects:
NEW:
However, recent trends in traffic analysis indicate encryption
alone may be insufficient protection for some types of application
data [I-D.wood-pearg-website-fingerprinting]. Encrypted traffic
metadata, especially message size, can leak information about the
underlying plaintext. DNS queries and responses are particularly
at risk given their size distributions. Recent protocols account
for this leakage by supporting padding.
Some examples of recent work in this area include support for padding
either generically in the transport protocol (QUIC
[I-D.ietf-quic-transport] and TLS [RFC8446]), or specifically in the
application protocol (EDNS(0) padding option for DNS messages
[RFC7830]).
6.3.4. Containing compromise of trust points
Many protocols are designed to depend on trusted third parties (the
WebPKI is perhaps the canonical example); if those trust points
misbehave, the security of the protocol can be completely
compromised.
Some additional guidance in RFC 3552 might be needed to remind
protocol readers of this.
NEW:
A number of recent protocols have attempted to reduce the power of
trust points that the protocol or application depends on. For
instance, Certificate Transparency attempts to ensure that a CA
cannot issue valid certificates without publishing them, allowing
third parties to detect certain classes of misbehavior by those
CA. Similarly, Key Transparency attempts to ensure that (public)
keys associated with a given entity are publicly visible and
auditable in tamper-proof logs. This allows users of these keys
to check them for correctness.
In the realm of software, Reproducible Builds and Binary Transparency
are intended to allow a user to determine that they have received a
valid copy of the binary that matches the auditable source code.
Blockchain protocols such as Bitcoin and Ethereum also employ this
principle of transparency and are intended to detect misbehavior by
members of the network.
7. Potential Changes in BCP 188/RFC 7258
Other additional guidelines may be necessary also in BCP 188/RFC
7258[RFC7258], which specifies how IETF work should take into account
pervasive monitoring.
An initial, draft suggestion for starting point of those changes
could be adding the following paragraph after the 2nd paragraph in
Section 2:
NEW:
PM attacks include those cases where information collected by a
legitimate protocol participant is misused for PM purposes. The
attacks also include those cases where a protocol or network
architecture results in centralized data storage or control
functions relating to many users, raising the risk of said misuse.
8. Conclusions
At this stage we don't think it appropriate to claim that any strong 5. Conclusions
conclusion can be reached based on the above. We do however, claim
that the is a topic that could be worth discussion and more work.
To start with, Internet technology developers need to be better aware There are few hard rules in dealing with the evolving threats
of the issues beyond communications security, and consider them in discussed in this document. However, we believe that Internet
design. At the IETF it would be beneficial to include some of these technology developers need to be aware of the issues beyond
considerations in the usual systematic security analysis of communications security, and consider them in design. At the IETF it
technologies under development. would be beneficial to include some of these considerations in the
usual systematic security analysis of technologies under development.
In particular, when the IETF develops infrastructure technology for In particular, when the IETF develops infrastructure technology for
the Internet (such as routing or naming systems), considering the the Internet (such as routing or naming systems), considering the
impacts of data generated by those technologies is important. impacts of data generated by those technologies is important.
Minimising data collection from users, minimising the parties who get Minimising data collection from users, minimising the parties who get
exposed to user data, and protecting data that is relayed or stored exposed to user data, and protecting data that is relayed or stored
in systems should be a priority. in systems should be a priority.
A key focus area at the IETF has been the security of transport A key focus area at the IETF has been the security of transport
protocols, and how transport layer security can be best used to protocols, and how transport layer security can be best used to
provide the right security for various applications. However, more provide the right security for various applications. However, more
work is needed in equivalently broadly deployed tools for minimising work is needed in equivalently broadly deployed tools for minimising
or obfuscating information provided by users to other entities, and or obfuscating information provided by users to other entities, and
the use of end-to-end security through entities that are involved in the use of end-to-end security through entities that are involved in
the protocol exchange but who do not need to know everything that is the protocol exchange but who do not need to know everything that is
being passed through them. being passed through them.
Comments on the issues discussed in this memo are gladly taken either 6. Security Considerations
privately or on the model-t mailing list
(https://www.ietf.org/mailman/listinfo/Model-t).
Some further work includes items listed in Section 5 and Section 4, The entire memo covers the security considerations.
as well as compiling categories of vulnerabilities that need to be
addressed, examples of specific attacks, and continuing the analysis
of the situation and possible new remedies.
It is also necessary find suitable use cases that the IETF can 7. IANA Considerations
address by further work in this space. A completely adversial
situation is not really workable, but there are situations where some
parties are trustworthy, and wish to co-operate to show to each other
that this is really the case. In these situations data minimisation
can be beneficial to both, attestation can provide additional trust,
detection of incidents can alert the parties to action, and so on.
9. Informative References There are no IANA considerations in this work.
8. Informative References
[AbuseCases] [AbuseCases]
McDermott, J. and C. Fox, "Using abuse case models for McDermott, J. and C. Fox, "Using abuse case models for
security requirements analysis", IEEE Annual Computer security requirements analysis", IEEE Annual Computer
Security Applications Conference (ACSAC'99), Security Applications Conference (ACSAC'99),
https://www.acsac.org/1999/papers/wed-b-1030-john.pdf , https://www.acsac.org/1999/papers/wed-b-1030-john.pdf ,
1999. 1999.
[AmIUnique] [AmIUnique]
INRIA, ., "Am I Unique?", https://amiunique.org , 2020. INRIA, ., "Am I Unique?", https://amiunique.org , 2020.
[Attitude] [Attitude] "User Perceptions of Sharing, Advertising, and Tracking",
"User Perceptions of Sharing, Advertising, and Tracking",
Symposium on Usable Privacy and Security (SOUPS), Symposium on Usable Privacy and Security (SOUPS),
https://www.usenix.org/conference/soups2015/proceedings/ https://www.usenix.org/conference/soups2015/proceedings/
presentation/chanchary , 2015. presentation/chanchary , 2015.
[avleak] Cox, J., "Leaked Documents Expose the Secretive Market for [avleak] Cox, J., "Leaked Documents Expose the Secretive Market for
Your Web Browsing Data", Your Web Browsing Data",
https://www.vice.com/en_us/article/qjdkq7/ https://www.vice.com/en_us/article/qjdkq7/avast-antivirus-
avast-antivirus-sells-user-browsing-data-investigation , sells-user-browsing-data-investigation , 2020.
2020.
[BgpHijack] [BgpHijack]
Sermpezis, P., Kotronis, V., Dainotti, A., and X. Sermpezis, P., Kotronis, V., Dainotti, A., and X.
Dimitropoulos, "A survey among network operators on BGP Dimitropoulos, "A survey among network operators on BGP
prefix hijacking", ACM SIGCOMM Computer Communication prefix hijacking", ACM SIGCOMM Computer Communication
Review 48, no. 1 (2018): 64-69, Review 48, no. 1 (2018): 64-69,
https://arxiv.org/pdf/1801.02918.pdf , 2018. https://arxiv.org/pdf/1801.02918.pdf , 2018.
[Bloatware] [Bloatware]
Gamba, G., Rashed, M., Razaghpanah, A., Tapiado, J., and Gamba, G., Rashed, M., Razaghpanah, A., Tapiado, J., and
N. Vallina, "An Analysis of Pre-installed Android N. Vallina, "An Analysis of Pre-installed Android
Software", arXiv preprint arXiv:1905.02713 (2019) , 2019. Software", arXiv preprint arXiv:1905.02713 (2019) , 2019.
[Boix2018] [Boix2018] Gómez-Boix, A., Laperdrix, P., and B. Baudry, "Hiding in
Gomez-Boix, A., Laperdrix, P., and B. Baudry, "Hiding in
the crowd: an analysis of the effectiveness of browser the crowd: an analysis of the effectiveness of browser
fingerprinting at large scale", Proceedings of the 2018 fingerprinting at large scale", Proceedings of the 2018
world wide web conference , 2018. world wide web conference , 2018.
[Cambridge] [Cambridge]
Isaak, J. and M. Hanna, "User Data Privacy: Facebook, Isaak, J. and M. Hanna, "User Data Privacy: Facebook,
Cambridge Analytica, and Privacy Protection", Computer Cambridge Analytica, and Privacy Protection", Computer
51.8 (2018): 56-59, https://ieeexplore.ieee.org/stamp/ 51.8 (2018): 56-59, https://ieeexplore.ieee.org/stamp/
stamp.jsp?arnumber=8436400 , 2018. stamp.jsp?arnumber=8436400 , 2018.
skipping to change at page 34, line 43 skipping to change at page 29, line 9
creating-botnet-cc-server-what-architecture-should-i-use- creating-botnet-cc-server-what-architecture-should-i-use-
irc-http , 2014. irc-http , 2014.
[Curated] Hammad, M., Garcia, J., and S. MaleK, "A large-scale [Curated] Hammad, M., Garcia, J., and S. MaleK, "A large-scale
empirical study on the effects of code obfuscations on empirical study on the effects of code obfuscations on
Android apps and anti-malware products", ACM International Android apps and anti-malware products", ACM International
Conference on Software Engineering 2018, Conference on Software Engineering 2018,
https://www.ics.uci.edu/~seal/ https://www.ics.uci.edu/~seal/
publications/2018ICSE_Hammad.pdf , 2018. publications/2018ICSE_Hammad.pdf , 2018.
[DeepDive] [DeepDive] Krebs on Security, ., "A Deep Dive on the Recent
Krebs on Security, ., "A Deep Dive on the Recent
Widespread DNS Hijacking Attacks", krebsonsecurity.com Widespread DNS Hijacking Attacks", krebsonsecurity.com
blog, https://krebsonsecurity.com/2019/02/a-deep-dive-on- blog, https://krebsonsecurity.com/2019/02/a-deep-dive-on-
the-recent-widespread-dns-hijacking-attacks/ , 2019. the-recent-widespread-dns-hijacking-attacks/ , 2019.
[DoubleKey] [DoubleKey]
Witte, D., "Thirdparty", Witte, D., "Thirdparty",
https://wiki.mozilla.org/Thirdparty , June 2010. https://wiki.mozilla.org/Thirdparty , June 2010.
[DynDDoS] York, K., "Dyn's Statement on the 10/21/2016 DNS DDoS [DynDDoS] York, K., "Dyn's Statement on the 10/21/2016 DNS DDoS
Attack", Company statement: https://dyn.com/blog/ Attack", Company statement: https://dyn.com/blog/dyn-
dyn-statement-on-10212016-ddos-attack/ , 2016. statement-on-10212016-ddos-attack/ , 2016.
[GDPRAccess] [GDPRAccess]
EU, ., "Right of access by the data subject", Article 15, EU, ., "Right of access by the data subject", Article 15,
GDPR, https://gdpr-info.eu/art-15-gdpr/ , n.d.. GDPR, https://gdpr-info.eu/art-15-gdpr/ , n.d..
[HijackDet] [HijackDet]
Schlamp, J., Holz, R., Gasser, O., Korste, A., Jacquemart, Schlamp, J., Holz, R., Gasser, O., Korste, A., Jacquemart,
Q., Carle, G., and E. Biersack, "Investigating the nature Q., Carle, G., and E. Biersack, "Investigating the nature
of routing anomalies: Closing in on subprefix hijacking of routing anomalies: Closing in on subprefix hijacking
attacks", International Workshop on Traffic Monitoring and attacks", International Workshop on Traffic Monitoring and
Analysis, pp. 173-187. Springer, Cham, Analysis, pp. 173-187. Springer, Cham,
https://www.net.in.tum.de/fileadmin/bibtex/publications/ https://www.net.in.tum.de/fileadmin/bibtex/publications/
papers/schlamp_TMA_1_2015.pdf , 2015. papers/schlamp_TMA_1_2015.pdf , 2015.
[Home] Nthala, N. and I. Flechais, "Rethinking home network [Home] Nthala, N. and I. Flechais, "Rethinking home network
security", European Workshop on Usable Security security", European Workshop on Usable Security
(EuroUSEC), https://ora.ox.ac.uk/objects/ (EuroUSEC), https://ora.ox.ac.uk/objects/uuid:e2460f50-
uuid:e2460f50-579b-451b-b14e-b7be2decc3e1/download_file?sa 579b-451b-b14e-b7be2decc3e1/download_file?safe_filename=ba
fe_filename=bare_conf_EuroUSEC2018.pdf&file_format=applica re_conf_EuroUSEC2018.pdf&file_format=application%2Fpdf&typ
tion%2Fpdf&type_of_work=Conference+item , 2018. e_of_work=Conference+item , 2018.
[I-D.arkko-arch-dedr-report] [I-D.arkko-arch-dedr-report]
Arkko, J. and T. Hardie, "Report from the IAB workshop on Arkko, J. and T. Hardie, "Report from the IAB workshop on
Design Expectations vs. Deployment Reality in Protocol Design Expectations vs. Deployment Reality in Protocol
Development", draft-arkko-arch-dedr-report-00 (work in Development", Work in Progress, Internet-Draft, draft-
progress), November 2019. arkko-arch-dedr-report-00, 4 November 2019,
<https://www.ietf.org/archive/id/draft-arkko-arch-dedr-
report-00.txt>.
[I-D.arkko-arch-infrastructure-centralisation] [I-D.arkko-arch-infrastructure-centralisation]
Arkko, J., "Centralised Architectures in Internet Arkko, J., "Centralised Architectures in Internet
Infrastructure", draft-arkko-arch-infrastructure- Infrastructure", Work in Progress, Internet-Draft, draft-
centralisation-00 (work in progress), November 2019. arkko-arch-infrastructure-centralisation-00, 4 November
2019, <https://www.ietf.org/archive/id/draft-arkko-arch-
infrastructure-centralisation-00.txt>.
[I-D.arkko-arch-internet-threat-model] [I-D.arkko-arch-internet-threat-model]
Arkko, J., "Changes in the Internet Threat Model", draft- Arkko, J., "Changes in the Internet Threat Model", Work in
arkko-arch-internet-threat-model-01 (work in progress), Progress, Internet-Draft, draft-arkko-arch-internet-
July 2019. threat-model-01, 8 July 2019,
<https://www.ietf.org/archive/id/draft-arkko-arch-
internet-threat-model-01.txt>.
[I-D.farrell-etm] [I-D.farrell-etm]
Farrell, S., "We're gonna need a bigger threat model", Farrell, S., "We're gonna need a bigger threat model",
draft-farrell-etm-03 (work in progress), July 2019. Work in Progress, Internet-Draft, draft-farrell-etm-03, 6
July 2019, <https://www.ietf.org/archive/id/draft-farrell-
etm-03.txt>.
[I-D.iab-protocol-maintenance] [I-D.iab-protocol-maintenance]
Thomson, M., "The Harmful Consequences of the Robustness Thomson, M., "The Harmful Consequences of the Robustness
Principle", draft-iab-protocol-maintenance-04 (work in Principle", Work in Progress, Internet-Draft, draft-iab-
progress), November 2019. protocol-maintenance-04, 3 November 2019,
<https://www.ietf.org/archive/id/draft-iab-protocol-
maintenance-04.txt>.
[I-D.ietf-httpbis-expect-ct] [I-D.ietf-httpbis-expect-ct]
estark@google.com, e., "Expect-CT Extension for HTTP", Stark, E., "Expect-CT Extension for HTTP", Work in
draft-ietf-httpbis-expect-ct-08 (work in progress), Progress, Internet-Draft, draft-ietf-httpbis-expect-ct-08,
December 2018. 9 December 2018, <https://www.ietf.org/archive/id/draft-
ietf-httpbis-expect-ct-08.txt>.
[I-D.ietf-mls-architecture] [I-D.ietf-mls-architecture]
Omara, E., Beurdouche, B., Rescorla, E., Inguva, S., Kwon, Omara, E., Beurdouche, B., Rescorla, E., Inguva, S., Kwon,
A., and A. Duric, "The Messaging Layer Security (MLS) A., and A. Duric, "The Messaging Layer Security (MLS)
Architecture", draft-ietf-mls-architecture-04 (work in Architecture", Work in Progress, Internet-Draft, draft-
progress), January 2020. ietf-mls-architecture-06, 8 March 2021,
<https://www.ietf.org/archive/id/draft-ietf-mls-
architecture-06.txt>.
[I-D.ietf-quic-transport] [I-D.ietf-quic-transport]
Iyengar, J. and M. Thomson, "QUIC: A UDP-Based Multiplexed Iyengar, J. and M. Thomson, "QUIC: A UDP-Based Multiplexed
and Secure Transport", draft-ietf-quic-transport-27 (work and Secure Transport", Work in Progress, Internet-Draft,
in progress), February 2020. draft-ietf-quic-transport-34, 14 January 2021,
<https://www.ietf.org/archive/id/draft-ietf-quic-
transport-34.txt>.
[I-D.ietf-rats-eat] [I-D.ietf-rats-eat]
Mandyam, G., Lundblade, L., Ballesteros, M., and J. Mandyam, G., Lundblade, L., Ballesteros, M., and J.
O'Donoghue, "The Entity Attestation Token (EAT)", draft-
ietf-rats-eat-03 (work in progress), February 2020. O'Donoghue, "The Entity Attestation Token (EAT)", Work in
Progress, Internet-Draft, draft-ietf-rats-eat-10, 7 June
2021, <https://www.ietf.org/archive/id/draft-ietf-rats-
eat-10.txt>.
[I-D.ietf-teep-architecture] [I-D.ietf-teep-architecture]
Pei, M., Tschofenig, H., Thaler, D., and D. Wheeler, Pei, M., Tschofenig, H., Thaler, D., and D. Wheeler,
"Trusted Execution Environment Provisioning (TEEP) "Trusted Execution Environment Provisioning (TEEP)
Architecture", draft-ietf-teep-architecture-07 (work in Architecture", Work in Progress, Internet-Draft, draft-
progress), March 2020. ietf-teep-architecture-14, 22 February 2021,
<https://www.ietf.org/archive/id/draft-ietf-teep-
architecture-14.txt>.
[I-D.ietf-teep-protocol] [I-D.ietf-teep-protocol]
Tschofenig, H., Pei, M., Wheeler, D., and D. Thaler, Tschofenig, H., Pei, M., Wheeler, D., Thaler, D., and A.
"Trusted Execution Environment Provisioning (TEEP) Tsukamoto, "Trusted Execution Environment Provisioning
Protocol", draft-ietf-teep-protocol-00 (work in progress), (TEEP) Protocol", Work in Progress, Internet-Draft, draft-
December 2019. ietf-teep-protocol-05, 22 February 2021,
<https://www.ietf.org/archive/id/draft-ietf-teep-protocol-
05.txt>.
[I-D.ietf-tls-esni] [I-D.ietf-tls-esni]
Rescorla, E., Oku, K., Sullivan, N., and C. Wood, Rescorla, E., Oku, K., Sullivan, N., and C. A. Wood, "TLS
"Encrypted Server Name Indication for TLS 1.3", draft- Encrypted Client Hello", Work in Progress, Internet-Draft,
ietf-tls-esni-05 (work in progress), November 2019. draft-ietf-tls-esni-12, 7 July 2021,
<https://www.ietf.org/archive/id/draft-ietf-tls-esni-
12.txt>.
[I-D.ietf-tls-grease] [I-D.ietf-tls-grease]
Benjamin, D., "Applying GREASE to TLS Extensibility", Benjamin, D., "Applying Generate Random Extensions And
draft-ietf-tls-grease-04 (work in progress), August 2019. Sustain Extensibility (GREASE) to TLS Extensibility", Work
in Progress, Internet-Draft, draft-ietf-tls-grease-04, 22
August 2019, <https://www.ietf.org/archive/id/draft-ietf-
tls-grease-04.txt>.
[I-D.lazanski-smart-users-internet] [I-D.lazanski-smart-users-internet]
Lazanski, D., "An Internet for Users Again", draft- Lazanski, D., "An Internet for Users Again", Work in
lazanski-smart-users-internet-00 (work in progress), July Progress, Internet-Draft, draft-lazanski-smart-users-
2019. internet-00, 8 July 2019,
<https://www.ietf.org/archive/id/draft-lazanski-smart-
users-internet-00.txt>.
[I-D.mcfadden-smart-endpoint-taxonomy-for-cless] [I-D.mcfadden-smart-endpoint-taxonomy-for-cless]
McFadden, M., "Endpoint Taxonomy for CLESS", draft- McFadden, M., "Endpoint Taxonomy for CLESS", Work in
mcfadden-smart-endpoint-taxonomy-for-cless-01 (work in Progress, Internet-Draft, draft-mcfadden-smart-endpoint-
progress), February 2020. taxonomy-for-cless-02, 13 July 2020,
<https://www.ietf.org/archive/id/draft-mcfadden-smart-
endpoint-taxonomy-for-cless-02.txt>.
[I-D.nottingham-for-the-users] [I-D.nottingham-for-the-users]
Nottingham, M., "The Internet is for End Users", draft- Nottingham, M., "The Internet is for End Users", Work in
nottingham-for-the-users-09 (work in progress), July 2019. Progress, Internet-Draft, draft-nottingham-for-the-users-
09, 22 July 2019, <https://www.ietf.org/archive/id/draft-
nottingham-for-the-users-09.txt>.
[I-D.taddei-smart-cless-introduction] [I-D.taddei-smart-cless-introduction]
Taddei, A., Wueest, C., Roundy, K., and D. Lazanski, Taddei, A., Wueest, C., Roundy, K. A., and D. Lazanski,
"Capabilities and Limitations of an Endpoint-only Security "Capabilities and Limitations of an Endpoint-only Security
Solution", draft-taddei-smart-cless-introduction-02 (work Solution", Work in Progress, Internet-Draft, draft-taddei-
in progress), January 2020. smart-cless-introduction-03, 13 July 2020,
<https://www.ietf.org/archive/id/draft-taddei-smart-cless-
introduction-03.txt>.
[I-D.wood-pearg-website-fingerprinting] [I-D.wood-pearg-website-fingerprinting]
Goldberg, I., Wang, T., and C. Wood, "Network-Based Goldberg, I., Wang, T., and C. A. Wood, "Network-Based
Website Fingerprinting", draft-wood-pearg-website- Website Fingerprinting", Work in Progress, Internet-Draft,
fingerprinting-00 (work in progress), November 2019. draft-wood-pearg-website-fingerprinting-00, 4 November
2019, <https://www.ietf.org/archive/id/draft-wood-pearg-
website-fingerprinting-00.txt>.
[Jager2015] [Jager2015]
Jager, T., Schwenk, J., and J. Somorovsky, "On the Jager, T., Schwenk, J., and J. Somorovsky, "On the
Security of TLS 1.3 and QUIC Against Weaknesses in PKCS#1 Security of TLS 1.3 and QUIC Against Weaknesses in PKCS#1
v1.5 Encryption", Proceedings of ACM CCS 2015, DOI v1.5 Encryption", Proceedings of ACM CCS 2015, DOI
10.1145/2810103.2813657, https://www.nds.rub.de/media/nds/ 10.1145/2810103.2813657, https://www.nds.rub.de/media/nds/
veroeffentlichungen/2015/08/21/Tls13QuicAttacks.pdf , veroeffentlichungen/2015/08/21/Tls13QuicAttacks.pdf ,
October 2015. October 2015.
[Kocher2019] [Kocher2019]
Kocher, P., Horn, J., Fogh, A., Genkin, D., Gruss, D., Kocher, P., Horn, J., Fogh, A., Genkin, D., Gruss, D.,
Haas, W., Hamburg, M., Lipp, M., Mangard, S., Prescher, Haas, W., Hamburg, M., Lipp, M., Mangard, S., Prescher,
T., Schwarz, M., and Y. Yarom, "Spectre Attacks: T., Schwarz, M., and Y. Yarom, "Spectre Attacks:
Exploiting Speculative Execution", 40th IEEE Symposium on Exploiting Speculative Execution", 40th IEEE Symposium on
Security and Privacy (S&P'19) , 2019. Security and Privacy (S&P'19) , 2019.
[LeakyBuckets] [LeakyBuckets]
Chickowski, E., "Leaky Buckets: 10 Worst Amazon S3 Chickowski, E., "Leaky Buckets: 10 Worst Amazon S3
Breaches", Bitdefender blog, Breaches", Bitdefender blog,
https://businessinsights.bitdefender.com/ https://businessinsights.bitdefender.com/worst-amazon-
worst-amazon-breaches , 2018. breaches , 2018.
[Leith2020] [Leith2020]
Leith, D., "Web Browser Privacy: What Do Browsers Say When Leith, D., "Web Browser Privacy: What Do Browsers Say When
They Phone Home?", In submission, They Phone Home?", In submission,
https://www.scss.tcd.ie/Doug.Leith/pubs/ https://www.scss.tcd.ie/Doug.Leith/pubs/
browser_privacy.pdf , March 2020. browser_privacy.pdf , March 2020.
[Lipp2018] [Lipp2018] Lipp, M., Schwarz, M., Gruss, D., Prescher, T., Haas, W.,
Lipp, M., Schwarz, M., Gruss, D., Prescher, T., Haas, W.,
Fogh, A., Horn, J., Mangard, S., Kocher, P., Genkin, D., Fogh, A., Horn, J., Mangard, S., Kocher, P., Genkin, D.,
Yarom, Y., and M. Hamburg, "Meltdown: Reading Kernel Yarom, Y., and M. Hamburg, "Meltdown: Reading Kernel
Memory from User Space", 27th USENIX Security Symposium Memory from User Space", 27th USENIX Security Symposium
(USENIX Security 18) , 2018. (USENIX Security 18) , 2018.
[Mailbug] Englehardt, S., Han, J., and A. Narayanan, "I never signed [Mailbug] Englehardt, S., Han, J., and A. Narayanan, "I never signed
up for this! Privacy implications of email tracking", up for this! Privacy implications of email tracking",
Proceedings on Privacy Enhancing Technologies 2018.1 Proceedings on Privacy Enhancing Technologies 2018.1
(2018): 109-126, https://www.degruyter.com/downloadpdf/j/ (2018): 109-126, https://www.degruyter.com/downloadpdf/j/
popets.2018.2018.issue-1/popets-2018-0006/ popets.2018.2018.issue-1/popets-2018-0006/popets-
popets-2018-0006.pdf , 2018. 2018-0006.pdf , 2018.
[MeltdownAndSpectre] [MeltdownAndSpectre]
CISA, ., "Meltdown and Spectre Side-Channel Vulnerability CISA, ., "Meltdown and Spectre Side-Channel Vulnerability
Guidance", Alert (TA18-004A), Guidance", Alert (TA18-004A),
https://www.us-cert.gov/ncas/alerts/TA18-004A , 2018. https://www.us-cert.gov/ncas/alerts/TA18-004A , 2018.
[Mozilla2019] [Mozilla2019]
Camp, D., "Firefox Now Available with Enhanced Tracking Camp, D., "Firefox Now Available with Enhanced Tracking
Protection by Default Plus Updates to Facebook Container, Protection by Default Plus Updates to Facebook Container,
Firefox Monitor and Lockwise", The Mozilla Blog, Firefox Monitor and Lockwise", The Mozilla Blog,
skipping to change at page 38, line 49 skipping to change at page 33, line 48
[RFC3552] Rescorla, E. and B. Korver, "Guidelines for Writing RFC [RFC3552] Rescorla, E. and B. Korver, "Guidelines for Writing RFC
Text on Security Considerations", BCP 72, RFC 3552, Text on Security Considerations", BCP 72, RFC 3552,
DOI 10.17487/RFC3552, July 2003, DOI 10.17487/RFC3552, July 2003,
<https://www.rfc-editor.org/info/rfc3552>. <https://www.rfc-editor.org/info/rfc3552>.
[RFC3935] Alvestrand, H., "A Mission Statement for the IETF", [RFC3935] Alvestrand, H., "A Mission Statement for the IETF",
BCP 95, RFC 3935, DOI 10.17487/RFC3935, October 2004, BCP 95, RFC 3935, DOI 10.17487/RFC3935, October 2004,
<https://www.rfc-editor.org/info/rfc3935>. <https://www.rfc-editor.org/info/rfc3935>.
[RFC4655] Farrel, A., Vasseur, J., and J. Ash, "A Path Computation [RFC4655] Farrel, A., Vasseur, J.-P., and J. Ash, "A Path
Element (PCE)-Based Architecture", RFC 4655, Computation Element (PCE)-Based Architecture", RFC 4655,
DOI 10.17487/RFC4655, August 2006, DOI 10.17487/RFC4655, August 2006,
<https://www.rfc-editor.org/info/rfc4655>. <https://www.rfc-editor.org/info/rfc4655>.
[RFC6265] Barth, A., "HTTP State Management Mechanism", RFC 6265, [RFC6265] Barth, A., "HTTP State Management Mechanism", RFC 6265,
DOI 10.17487/RFC6265, April 2011, DOI 10.17487/RFC6265, April 2011,
<https://www.rfc-editor.org/info/rfc6265>. <https://www.rfc-editor.org/info/rfc6265>.
[RFC6454] Barth, A., "The Web Origin Concept", RFC 6454, [RFC6454] Barth, A., "The Web Origin Concept", RFC 6454,
DOI 10.17487/RFC6454, December 2011, DOI 10.17487/RFC6454, December 2011,
<https://www.rfc-editor.org/info/rfc6454>. <https://www.rfc-editor.org/info/rfc6454>.
skipping to change at page 40, line 19 skipping to change at page 35, line 19
[RFC7817] Melnikov, A., "Updated Transport Layer Security (TLS) [RFC7817] Melnikov, A., "Updated Transport Layer Security (TLS)
Server Identity Check Procedure for Email-Related Server Identity Check Procedure for Email-Related
Protocols", RFC 7817, DOI 10.17487/RFC7817, March 2016, Protocols", RFC 7817, DOI 10.17487/RFC7817, March 2016,
<https://www.rfc-editor.org/info/rfc7817>. <https://www.rfc-editor.org/info/rfc7817>.
[RFC7830] Mayrhofer, A., "The EDNS(0) Padding Option", RFC 7830, [RFC7830] Mayrhofer, A., "The EDNS(0) Padding Option", RFC 7830,
DOI 10.17487/RFC7830, May 2016, DOI 10.17487/RFC7830, May 2016,
<https://www.rfc-editor.org/info/rfc7830>. <https://www.rfc-editor.org/info/rfc7830>.
[RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D.,
and P. Hoffman, "Specification for DNS over Transport
Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May
2016, <https://www.rfc-editor.org/info/rfc7858>.
[RFC8240] Tschofenig, H. and S. Farrell, "Report from the Internet [RFC8240] Tschofenig, H. and S. Farrell, "Report from the Internet
of Things Software Update (IoTSU) Workshop 2016", of Things Software Update (IoTSU) Workshop 2016",
RFC 8240, DOI 10.17487/RFC8240, September 2017, RFC 8240, DOI 10.17487/RFC8240, September 2017,
<https://www.rfc-editor.org/info/rfc8240>. <https://www.rfc-editor.org/info/rfc8240>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>. <https://www.rfc-editor.org/info/rfc8446>.
[RFC8484] Hoffman, P. and P. McManus, "DNS Queries over HTTPS [RFC8484] Hoffman, P. and P. McManus, "DNS Queries over HTTPS
skipping to change at page 40, line 41 skipping to change at page 35, line 46
[RFC8546] Trammell, B. and M. Kuehlewind, "The Wire Image of a [RFC8546] Trammell, B. and M. Kuehlewind, "The Wire Image of a
Network Protocol", RFC 8546, DOI 10.17487/RFC8546, April Network Protocol", RFC 8546, DOI 10.17487/RFC8546, April
2019, <https://www.rfc-editor.org/info/rfc8546>. 2019, <https://www.rfc-editor.org/info/rfc8546>.
[RFC8555] Barnes, R., Hoffman-Andrews, J., McCarney, D., and J. [RFC8555] Barnes, R., Hoffman-Andrews, J., McCarney, D., and J.
Kasten, "Automatic Certificate Management Environment Kasten, "Automatic Certificate Management Environment
(ACME)", RFC 8555, DOI 10.17487/RFC8555, March 2019, (ACME)", RFC 8555, DOI 10.17487/RFC8555, March 2019,
<https://www.rfc-editor.org/info/rfc8555>. <https://www.rfc-editor.org/info/rfc8555>.
[Saltzer] Saltzer, J., Reed, D., and D. Clark, "End-To-End Arguments [Saltzer] Saltzer, J.H., Reed, D.P., and D.D. Clark, "End-To-End
in System Design", ACM TOCS, Vol 2, Number 4, pp 277-288 , Arguments in System Design", ACM TOCS, Vol 2, Number 4, pp
November 1984. 277-288 , November 1984.
[Savage] Savage, S., "Modern Automotive Vulnerabilities: Causes, [Savage] Savage, S., "Modern Automotive Vulnerabilities: Causes,
Disclosures, and Outcomes", USENIX , 2016. Disclosures, and Outcomes", USENIX , 2016.
[SmartTV] Malkin, N., Bernd, J., Johnson, M., and S. Egelman, "What [SmartTV] Malkin, N., Bernd, J., Johnson, M., and S. Egelman, "What
Can't Data Be Used For? Privacy Expectations about Smart Can't Data Be Used For? Privacy Expectations about Smart
TVs in the U.S.", European Workshop on Usable Security TVs in the U.S.", European Workshop on Usable Security
(Euro USEC), https://www.ndss-symposium.org/wp- (Euro USEC), https://www.ndss-symposium.org/wp-
content/uploads/2018/06/ content/uploads/2018/06/
eurousec2018_16_Malkin_paper.pdf" , 2018. eurousec2018_16_Malkin_paper.pdf" , 2018.
[StackEvo] [StackEvo] Trammell, B., Thomson, M., Howard, L., and T. Hardie,
Trammell, B., Thomson, M., Howard, L., and T. Hardie,
"What Is an Endpoint?", Unpublished work, "What Is an Endpoint?", Unpublished work,
https://github.com/stackevo/endpoint-draft/blob/master/ https://github.com/stackevo/endpoint-draft/blob/master/
draft-trammell-whats-an-endpoint.md , 2017. draft-trammell-whats-an-endpoint.md , 2017.
[Sybil] Viswanath, B., Post, A., Gummadi, K., and A. Mislove, "An [Sybil] Viswanath, B., Post, A., Gummadi, K., and A. Mislove, "An
analysis of social network-based sybil defenses", ACM analysis of social network-based sybil defenses", ACM
SIGCOMM Computer Communication Review 41(4), 363-374, SIGCOMM Computer Communication Review 41(4), 363-374,
https://conferences.sigcomm.org/sigcomm/2010/papers/ https://conferences.sigcomm.org/sigcomm/2010/papers/
sigcomm/p363.pdf , 2011. sigcomm/p363.pdf , 2011.
skipping to change at page 41, line 35 skipping to change at page 36, line 34
Osborne, C., "How hackers stole millions of credit card Osborne, C., "How hackers stole millions of credit card
records from Target", ZDNET, records from Target", ZDNET,
https://www.zdnet.com/article/how-hackers-stole-millions- https://www.zdnet.com/article/how-hackers-stole-millions-
of-credit-card-records-from-target/ , 2014. of-credit-card-records-from-target/ , 2014.
[Toys] Chu, G., Apthorpe, N., and N. Feamster, "Security and [Toys] Chu, G., Apthorpe, N., and N. Feamster, "Security and
Privacy Analyses of Internet of Things Childrens' Toys", Privacy Analyses of Internet of Things Childrens' Toys",
IEEE Internet of Things Journal 6.1 (2019): 978-985, IEEE Internet of Things Journal 6.1 (2019): 978-985,
https://arxiv.org/pdf/1805.02751.pdf , 2019. https://arxiv.org/pdf/1805.02751.pdf , 2019.
[Tracking] [Tracking] Ermakova, T., Fabian, B., Bender, B., and K. Klimek, "Web
Ermakova, T., Fabian, B., Bender, B., and K. Klimek, "Web
Tracking-A Literature Review on the State of Research", Tracking-A Literature Review on the State of Research",
Proceedings of the 51st Hawaii International Conference on Proceedings of the 51st Hawaii International Conference on
System Sciences, https://scholarspace.manoa.hawaii.edu/ System Sciences, https://scholarspace.manoa.hawaii.edu/
bitstream/10125/50485/paper0598.pdf , 2018. bitstream/10125/50485/paper0598.pdf , 2018.
[Troll] Stewart, L., Arif, A., and K. Starbird, "Examining trolls [Troll] Stewart, L., Arif, A., and K. Starbird, "Examining trolls
and polarization with a retweet network", ACM Workshop on and polarization with a retweet network", ACM Workshop on
Misinformation and Misbehavior Mining on the Web, Misinformation and Misbehavior Mining on the Web,
https://faculty.washington.edu/kstarbi/ https://faculty.washington.edu/kstarbi/examining-trolls-
examining-trolls-polarization.pdf , 2018. polarization.pdf , 2018.
[Unread] Obar, J. and A. Oeldorf, "The biggest lie on the [Unread] Obar, J. and A. Oeldorf, "The biggest lie on the
internet{:} Ignoring the privacy policies and terms of internet{:} Ignoring the privacy policies and terms of
service policies of social networking services", service policies of social networking services",
Information, Communication and Society (2018): 1-20 , Information, Communication and Society (2018): 1-20 ,
2018. 2018.
[Vpns] Khan, M., DeBlasio, J., Voelker, G., Snoeren, A., Kanich, [Vpns] Khan, M., DeBlasio, J., Voelker, G., Snoeren, A., Kanich,
C., and N. Vallina, "An empirical analysis of the C., and N. Vallina, "An empirical analysis of the
commercial VPN ecosystem", ACM Internet Measurement commercial VPN ecosystem", ACM Internet Measurement
Conference 2018 (pp. 443-456), Conference 2018 (pp. 443-456),
https://eprints.networks.imdea.org/1886/1/ https://eprints.networks.imdea.org/1886/1/
imc18-final198.pdf , 2018. imc18-final198.pdf , 2018.
Appendix A. Contributors Appendix A. Changes from previous version
The -04 version of the draft made the following changes:
* Split the RFC 3552 and RFC 7258 changes to separate documents.
* Added a discussion of assets.
* Shortened the guidelines and converted it to a "designer's
checklist" list.
* Moved the end-to-end security via third parties study item to the
checklist, and added a discussion about key management to it.
* Added a discussion of differences between commercial data
collection and surveillance.
* Shortened the conclusions, while avoiding making overly strong
claims.
Appendix B. Contributors
Eric Rescorla and Chris Wood provided much of the text in Eric Rescorla and Chris Wood provided much of the text in
Section 2.3.1.4, item 2 of Section 4 and Section 6.3. Section 2.3.1.4 and item 2 of Section 4.
Appendix B. Acknowledgements Appendix C. Acknowledgements
The authors would like to thank the IAB: The authors would like to thank the IAB:
Alissa Cooper, Wes Hardaker, Ted Hardie, Christian Huitema, Zhenbin Alissa Cooper, Wes Hardaker, Ted Hardie, Christian Huitema, Zhenbin
Li, Erik Nordmark, Mark Nottingham, Melinda Shore, Jeff Tantsura, Li, Erik Nordmark, Mark Nottingham, Melinda Shore, Jeff Tantsura,
Martin Thomson, Brian Trammel, Mirja Kuhlewind, and Colin Perkins. Martin Thomson, Brian Trammel, Mirja Kuhlewind, and Colin Perkins.
The authors would also like to thank the participants of the IETF The authors would also like to thank the participants of the IETF
SAAG meeting where this topic was discussed: SAAG meeting where this topic was discussed:
skipping to change at page 43, line 15 skipping to change at page 38, line 35
Thanks for specific comments on this text to: Ronald van der Pol. Thanks for specific comments on this text to: Ronald van der Pol.
Finally, the authors would like to thank numerous other people for Finally, the authors would like to thank numerous other people for
insightful comments and discussions in this space. insightful comments and discussions in this space.
Authors' Addresses Authors' Addresses
Jari Arkko Jari Arkko
Ericsson Ericsson
Valitie 1B Valitie 1B
Kauniainen FI- Kauniainen
Finland Finland
Email: jari.arkko@piuha.net Email: jari.arkko@piuha.net
Stephen Farrell Stephen Farrell
Trinity College Dublin Trinity College Dublin
College Green College Green
Dublin Dublin
Ireland Ireland
 End of changes. 98 change blocks. 
565 lines changed or deleted 355 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/