Independent Submission M. McFadden
Internet Draft internet policy advisors
Intended status: Informational Jim Reid
Expires: April 22, 2023 RTFM, llp
October 23, 2022
Internet Threat Model - A Reconsideration
draft-mcfadden-threat-model-00.txt
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as
reference material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html
This Internet-Draft will expire on April 22, 2023.
Copyright Notice
Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this
document must include Simplified BSD License text as described in
Section 4.e of the Trust Legal Provisions and are provided without
warranty as described in the Simplified BSD License.
McFadden, Reid Expires April 22, 2023 [Page 1]
Internet-Draft Internet Threat Model - A Reconsideration October 2022
Abstract
RFC3552/BCP72 describes an Internet Threat model that has been used
in Internet protocol design. More than twenty years have passed
since RFC3552 was written and the structure and topology of the
Internet have changed dramatically. With those changes comes a
question: has the Internet Threat Model changed? Or, is the model
described in RFC3552 still mostly accurate? This draft attempts to
describe a non-exhaustive list of the most likely updates and
changes in the current threat environment. This paper has the goal
of suggesting a way forward for describing the contemporary threat
model and how it might inform security aspects of protocol design.
Table of Contents
1.Introduction....................................................2
1.1.Scope......................................................2
2.The Established Model in BCP72..................................3
2.1.BCP72 Passive Attacks......................................3
2.2.BCP72 Active Attacks.......................................3
3.Changes to the Attack Landscape.................................4
3.1.Quantifiable Changes.......................................4
3.2.Qualitative Changes........................................5
3.3.Data at Rest and Intermediaries............................6
3.4.The Evolution of Endpoints and Applications................7
4.Path Forward....................................................7
5.Security Considerations.........................................8
6.Privacy Considerations..........................................8
7.IANA Considerations.............................................8
8.References......................................................9
8.1.Informative References.....................................9
9.Acknowledgments.................................................9
1.Introduction
[RFC3552] describes an Internet threat model. According to that RFC,
the threat model "describes the capabilities that an attacker is
assumed to be able to deploy against a resource. It should contain
such information as the resources available to an attacker in terms
of information, computing capability, and control of a system."
Has the Internet Threat Model really changed; or, is the model
described in RFC3552 still mostly accurate?
1.1.Scope
The purpose of this draft is to examine the threat landscape of the
contemporary Internet and answer those questions. If the answer is
McFadden, Reid Expires April 22, 2023 [Page 2]
Internet-Draft Internet Threat Model - A Reconsideration October 2022
clearly that the threat model has changed, then the draft will
suggest a way forward toward documenting those changes.
Reconsideration of the guidelines for writing Security
Considerations sections of RFCs is not in scope for this memo.
2.The Established Model in BCP72
BCP72's threat model divides attacks based on the capabilities
required to mount the attack. In particular, it divides attacks
into two groups: passive attacks where an attacker has only limited,
or read-only, access to the network; and active attacks where the
attacker has the resources available to write to the network. BCP72
is careful not to locate the attack. The attacks can come from
arbitrary endpoints. Dividing the threat model in this way also
allows for the model to incorporate attacks that come from resources
not at endpoints. In fact, an entire subsection of the BCP discusses
on-path versus off-path attacks.
2.1.BCP72 Passive Attacks
BCP72 describes passive attacks as those in which an attacker "reads
packets off the network but does not write them." It then gives
some specific examples including password sniffing, attacks on
routing infrastructure, and unprotected wireless channels.
The description in BCP72 tacitly assumes that the attacker is in
control of a single resource. For example, the first type of
passive attack considered is one in which an attacker uses read-only
access to packets to extract otherwise private information. BCP72
discusses the problems encountered when packets are transported
without some form of transport or application layer security.
BCP72 also describes offline cryptographic attacks in which an
attacker has made offline copies of packets that have been read off
the network. The attacker then mounts a cryptographic attack on
those packets in order to extract confidential information from them
offline.
2.2.BCP72 Active Attacks
BCP72 says, "when an attack involves writing data to the network, we
refer to this as an active attack." In this case, the BCP discusses
spoofing packet replay attacks, message insertion, deletion and
insertion, man-in-the-middle, as well as a Denial-of-Service attack.
In each of these cases, the BCP suggests either mitigations or
descriptions of what technologies could have been used to avoid the
weakness.
McFadden, Reid Expires April 22, 2023 [Page 3]
Internet-Draft Internet Threat Model - A Reconsideration October 2022
3.Changes to the Attack Landscape
3.1.Quantifiable Changes
In the period since 2003, one dramatic change is the number of
attacks seen. Published studies show orders of magnitude increases
in the number of devices compromised, scale of privacy breach, and
the number of attacks taking place. Recent studies show that the
vast majority of attacks come from attackers using automated,
distributed tools. This makes a threat model that is built around
the notion of a single attacker inapplicable in the current
Internet. BCP72 does reference the concept of distributed denial of
service (DDoS), however its focus is on single attackers either on
or off-path.
Studies also show that certain well-known ports [IANA-WKP] are the
primary targets for this large jump in automated attacks. Ports
445, 22, 23, 53 and 1433 make up 99% of the targets.
The growth in the attacks has in part resulted from endpoints that
are not capable of supporting endpoint protection software, lack
effective encryption, or proper authentication. These have
proliferated on the public Internet. That many of these devices do
not have facilities for either self-protection or protecting
against becoming a threat on their own has been documented in an IAB
Workshop [IAB-IOT]. The greater number of improperly protected
devices has the potential to amplify attacks that use them as
sources for attacks on the rest of the Internet ecosystem.
Since 2003, there have been a variety of studies examining the
growth in the number of devices connected to the Internet. At the
time of writing, one estimate is that the difference between the
number of devices connected in 2003 and 2021 is in the region of 22
billion. The sheer quantity of devices means that the Internet's
attack surface is significantly expanded. Quantitative surveys also
indicate that the greatest growth is in so-called enterprise IoT and
household automation. The security properties of these endpoints
are substantially different from hosts that made up the majority of
the Internet in 2003.
Another important quantitative change to the structure of the
Internet is the consolidation of its infrastructure. While BCP72 is
certainly correct in its focus on the technologies and protocols
that can be exploited by attackers, it is hard to ignore the fact
that the threat landscape has been affected by the emergence of
consolidation. One example of this would be commercial or
governmental surveillance capabilities. In an environment where
there are a small number of very large entities that control the
fabric of connectivity and content, the threat landscape is affected
McFadden, Reid Expires April 22, 2023 [Page 4]
Internet-Draft Internet Threat Model - A Reconsideration October 2022
by the fact that it may be easier to exert control and implement
attacks on a small number of organizations.
3.2.Qualitative Changes
The Internet in 2003 had a relatively small number of types of
hosts. The client/server model of computing was dominant at that
time and endpoints were relatively homogeneous.
The diversity of deployment is an important part of the contemporary
Internet landscape. Not only is there a measurable and huge
increase in the number of endpoints (greatly increasing the attack
surface), but there is a rich diversity in the capacity and purpose
of those endpoints. As a result, while the number of protocols may
not have increased exponentially, the kinds and quantities of
devices that can be sources or targets of exploits has increased
significantly.
The threat landscape is also affected by the balance between
convenience versus protection from threats. Applications and
services fight for market and mind share by being the easiest to
adopt, install and use. Many users treat security and protection in
the same way that they treat personal health - they ignore it until
there is a serious problem and then expect the problem to be
mitigated quickly. There are also market incentives which discourage
the deployment and adoption of security features, for instance
support costs, ease of use, hardware constraints, key management,
algorthim agility and so on.
The class of attackers has changed as well. In 2003, advanced
persistent attacks hadn't yet been given that name and the estimated
monetary loss to attackers was estimated to be less than $1 billion
USD. The emergence of scripted and other automated tools has
changed the landscape dramatically. In 2019, one estimate of losses
due to network-based attacks was in excess of $315 billion. This is
the direct result of the speed, financing and flexibility of those
doing the attacking.
It is true that, since BCP 72 was published there have been
significant improvements to communications security. This includes
securing the transport layer through protocols such as TLS 1.3,
HTTP/2 and secure SMTP. However, secure transport does not prevent
rogue applications from executing attacks, even when secure
transport is in place. An example of this happens when VPNs
themselves examine or exploit traffic rather than do what they are
advertised to do.
Recent experience tells us that the Internet has evolved from
primarily supporting unidirectional, two-party data flows to
supporting both two-party and multi-endpoint communications. This
trend is especially seen in the move toward large-scale, work from
McFadden, Reid Expires April 22, 2023 [Page 5]
Internet-Draft Internet Threat Model - A Reconsideration October 2022
home models where multiparty communication is taken as a fundamental
use case. The implications of this evolution on the threat model
should be a part of any reconsideration of BCP72.
One of the other crucial changes to the Internet is the rise of the
application. Apps do everything for themselves that they can so they
do, for example, DoH [RFC8484], encrypt on their own and make
changes to the way the application interfaces with the Internet. It
used to be that applications simply relied on lower layers of the
stack for their services. This is no longer always the case, and the
implications of this on the threat model may be that the nature and
platforms for attacks has significantly changed.
3.3.Data at Rest and Intermediaries
The Internet Threat model in BCP72 primarily speaks to data being
transmitted, transited or received over the network. More recent
approaches to providing services over the Internet involve
intermediate nodes that may redirect, manipulate or store traffic.
While technologies such as exchange points may be seen to simply
part of the fabric between senders and receivers, the insertion of
content networks, caches and traffic analyzers has become
ubiquitous.
These middleboxes play an important role in content provision,
analysis and security in today's Internet. They were in limited use
when BCP72 was published. The importance of middleboxes is such
that, when protocols are developed that effectively route around
them, operators and content providers sometimes object.
One view of these intermediaries is that they are on the path
between source and destination and receive and forward information
for the benefit of one (or, both) of the endpoints. This is
different from network resources that facilitate on connection, such
as shared recursive DNS servers.
A helpful example of an intermediary has been provided by Martin
Thomson. He says, "in WebRTC there are signaling servers, who
intermediate the signaling stuff (control plane if you will), but do
not intermediate the media (data plane). Media is intermediated in
different ways by selective forwarding units (SFUs) or bridges or
mixers or focuses (there are lots of names for these and lots of
ways to build them). There are also relays, which are intermediaries
that help with NAT and sometimes firewall traversal."
It is important to see that intermediaries, and their security
properties are also a matter of perspective. Support for end-to-end,
human-to-human communications is one aspect of the threat model.
Today's internet also supports large-scale deployment of objects and
"things" which have different intermediaries - and different threat
models.
McFadden, Reid Expires April 22, 2023 [Page 6]
Internet-Draft Internet Threat Model - A Reconsideration October 2022
Any contemporary Internet threat model must go beyond the threats to
traffic as it moves from Alice to Bob. Beyond intermediaries, the
more personal digital devices there are, the more difficult it is to
control and protect them. The threat model should also include
attacks that take place when the data is at rest or being
manipulated for operational reasons. Observations
It seems that there are significant changes in the architecture and
service model of the Internet. Those significant changes suggest the
threat model documented in RFC3552 may need to be reassessed.
3.4.The Evolution of Endpoints and Applications
BCP72's concentration on the communication channel fails to account
for two of the central developments of the Internet in the last ten
years: the rise of the application as the endpoint and the diversity
of endpoints that are publicly connected.
It might also be observed that there have already been limited
attempts to reconsider BCP72's threat model. As an example, the
Same-Origin Policy detailed in [RFC6454] shows how an application-
layer protocol can protect itself against certain kinds of attacks
based on the concept of origin (the determination and use of an
origin URI).
Another change is the emergence of state-sponsored attacks on both
endpoints and infrastructure. These attacks are quite different in
both capability and intensity compared to the threats seen in 2003.
Finally, protection from phishing attacks in the presence of certain
implementations of IDNA means that applications themselves are
implementing their own protections against certain types of attacks.
This is another example of how the application layer imposes
controls on an otherwise secure communication channel.
These are intended as only examples of how the landscape has
changed. It seems clear that many more changes exist and need to be
researched and documented.
4.Path Forward
BCP72 is an accurate reflection of the security threat landscape at
the time which it was written. It is also clear that protocol work
since the development of BCP72 has not been impacted by the fact
that there has been no update to that RFC.
Still, it seems clear that the existing model does not reflect
current operational reality. The IETF could choose to continue to
not update BCP72. This memo accepts that is a possible option.
McFadden, Reid Expires April 22, 2023 [Page 7]
Internet-Draft Internet Threat Model - A Reconsideration October 2022
However, this memo suggests that a fresh approach to documenting the
Internet's threat model would be valuable to protocol designers,
network operators and application implementers. This memo does not
suggest replacing BCP72. Instead, it suggests supplementing that RFC
with new, more current information. It's worth emphasizing that this
work is clearly in the remit of the IETF.
BCP72 represents a too narrow view of the Internet's threat
landscape as it exists today. It should be complimented by a new
document that would:
- Reflect the diversity of endpoint deployment on the Internet;
- Document the impact of application-based security on the more
narrow communication channel model (possibly: consideration of
data in use in addition to data in motion);
- Account for data at rest as part of the model as well as data
in motion;
- Reflect on the how the growth of the number of devices
connected affects the attack surface for the Internet at large;
- Research how a new, contemporary threat model might be
described and communicated to protocol designers and others;
and,
- Make constructive suggestions for an approach (or, methodology)
for the IETF to supplement the threat model BCP72.
5.Security Considerations
This document is entirely about security on the Internet. An earlier
version of this draft was intended as input into the IAB's Model-T
activity which has since closed.
6.Privacy Considerations
This document does not discuss how RFC3552 might be revised or
replaced with an additional emphasis on privacy or trust issues.
Taking on privacy and trust seems out of scope for a discussion that
is focused on the Internet's treat model.
This memo is not intended to address privacy or related issues in
relation to protocol design.
7.IANA Considerations
This memo contains no instructions or requests for IANA.
McFadden, Reid Expires April 22, 2023 [Page 8]
Internet-Draft Internet Threat Model - A Reconsideration October 2022
8. References
8.1.Informative References
[RFC3552] Rescorla E., Korver, B., IAB, Guidelines for Writing RFC
Text on Security Considerations, BCP 72, RFC 3552,
https://tools.ietf.org/html/rfc3552
[RFC6454] Barth, A., "The Web Origin Concept," ISSN: 2070-1721, RFC
6454, https://tools.ietf.org/html/rfc6454
[RFC8484] Hoffman, P., McManus, P., "DNS Queries over HTTPS (DoH),"
ISSN: 2070-1721, RFC 8484, https://tools.ietf.org/html/rfc8484
[IAB-IOT] Jimenez, J., Tschofenig, H., Thaler, D., "Report from the
Internet of Things (IoT) Semantic Interoperability (IOTSI) Workshop
2016," https://tools.ietf.org/html/draft-iab-iotsi-workshop-02 (work
in progress), July 2018.
[IANA-WKP] "Service Name and Transport Protocol Port Number
Registry," https://www.iana.org/assignments/service-names-port-
numbers/service-names-port-numbers.xhtml
9.Acknowledgments
This document was prepared using 2-Word-v2.0.template.dot.
The authors are happy to acknowledge the comments of participants in
the IAB's Model-T program. In particular, the comments of Martin
Thomson, Dominique Lazanski and Jari Arkko have been helpful in
building a first version of this draft.
McFadden, Reid Expires April 22, 2023 [Page 9]
Internet-Draft Internet Threat Model - A Reconsideration October 2022
Authors' Addresses
Mark McFadden
Internet policy advisors llc
513 Elmside Blvd
Madison WI 53704 US
Phone: +1 608 504 7776
Email: mark@internetpolicyadvisors.com
Jim Reid
RTFM llp
395 Hillington Road
Glasgow G51 4BL
Scotland
Email: jim@rfc1035.com
McFadden, Reid Expires April 22, 2023 [Page 10]