Security Considerations for Protocol Designers
draft-lazanski-protocol-sec-design-model-t-00

Document Type Active Internet-Draft (individual)
Last updated 2020-03-09
Stream (None)
Intended RFC status (None)
Formats plain text pdf htmlized bibtex
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state I-D Exists
Telechat date
Responsible AD (None)
Send notices to (None)
IAB Programme                                               D. Lazanski
Internet Draft                                         Last Press Label
Intended status: Informational                            March 8, 2020
Expires: September 9, 2020

              Security Considerations for Protocol Designers
                draft-lazanski-protocol-sec-design-model-t-00.txt

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time.  It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   This Internet-Draft will expire on September 8, 2020.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document. Code Components extracted from this

Lazanski              Expires September 8, 2020                [Page 1]
Internet-Draft Security Considerations for Protocol Designers March 2020

   document must include Simplified BSD License text as described in
   Section 4.e of the Trust Legal Provisions and are provided without
   warranty as described in the Simplified BSD License.

Abstract

  This document is a non-exhaustive set of considerations for protocol
  designers and implementers with regards to attack defence. These
  considerations can be used as an aid to analyse protocol design
  choice and in turn to help combat threats and defend users of these
  protocols and systems against malicious attacks.

  First, we list well-known classes of attacks that pose threats, with
  relevant case studies and descriptions. Next, we give a list of
  defence measures against these attacks to be considered when
  designing and deploying protocols. Naturally, deployments of
  protocols vary greatly between use cases; therefore, some attacks and
  defensive measures outlined may require more consideration than
  others, dependent on use case.

  This RFC can be used by protocol designers to write the Security
  Considerations section in an RFC. The impact on attack defence of a
  protocol should be considered in multiple use cases across the
  multiple layers of the internet in its this section. Defence against
  malicious attacks can be improved and it can be weakened by design
  features of protocols. Designers should acknowledge the role of
  protocols in attack prevention, detection and mitigation; this
  document aims to be a useful guide in doing so.

Table of Contents

   1. Introduction...................................................3
   2. Attacks........................................................4
      2.1. Endpoint Compromise.......................................5
      2.2. Network Compromise........................................6
      2.3. Denial of Service (DoS) and Distributed DoS (DDoS)........7
      2.4. Phishing..................................................8
      2.5. Malware Infection.........................................9
      2.6. Insider Threat...........................................10
      2.7. Hijacking Traffic........................................11
      2.8. Web-based Attacks........................................11

Lazanski              Expires September 8, 2020                [Page 2]
Internet-Draft Security Considerations for Protocol Designers March 2020

      2.9. Malware-free Attacks.....................................12
      2.10. Real-world effects......................................12
         2.10.1. Data Exfiltration..................................13
         2.10.2. Identity Theft.....................................14
      2.11. Table of Attacks........................................14
   3. Defensive Measures............................................14
      3.1. Response to Attacks......................................15
      3.2. Recovery from Attacks....................................15
      3.3. Reporting of Attacks.....................................16
Show full document text