Internet-Draft Data Minimization in Internet Architectu March 2022
Arkko Expires 7 September 2022 [Page]
Workgroup:
Network Working Group
Internet-Draft:
draft-arkko-iab-data-minimization-principle-01
Published:
Intended Status:
Informational
Expires:
Author:
J. Arkko
Ericsson

Data minimization

Abstract

Communications security has been at the center of many security improvements in the Internet. The goal has been to ensure that communications are protected against outside observers and attackers. This document recommends that this is no longer alone sufficient to cater for the security and privacy issues seen on the Internet today. For instance, it is often also necessary to protect against endpoints that are compromised, malicious, or whose interests simply do not align with the interests of users. While such protection is difficult, there are some measures that can be taken. It is important to consider the role of data passed to various parties - including the primary protocol participants - and balance the information given to them considering their roles and possible compromise of the information.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 2 September 2022.

Table of Contents

1. Introduction

Communications security has been at the center of many security improvements on the Internet. The goal has been to ensure that communications are protected against outside observers and attackers.

This has been exemplified in many aspects of IETF efforts, in the threat models [RFC3552], concerns about surveillance [RFC7258], IAB statements [Confidentiality], and the introduction of encryption in many protocols [RFC9000], [RFC7858], [RFC8484]. This has been very successful. Advances in protecting most of our communications with strong cryptographic has resulted in much improved security. Work on these advances continues to be a key part of IETF's security effort.

This document recommends that further action is needed, however. For instance, the possibility that endpoints are compromised, malicious, or have interests that do not align with the interests of users. Given the advances in communication seceurity, adversaries have had to increase their pressure against new avenues of attack. New adversaries and risks have also arisen, e.g., due to increasing amount of information stored in various Internet services.

While such protection is difficult, there are some measures that can be taken. This document focuses on the specific question of data passed to various parties - including the primary protocol participants. What information given to any other party needs to depend on the role of that party, with the possibility of a compromised access to the information kept in mind. This consideration is important particularly when designing new technology or planning new deployments.

Careful control of information is also necessary from the perspective of technology evolution. For instance, allowing a participant to unnecessarily collect or receive information may lead to a similar effect as described in [RFC8546] for protocols: over time, unnecessary information will get used with all the associated downsides, regardless of what deployment expectations there were during protocol design. This may also lead to ossification, as systems start to expect they have access to the information.

2. Recommendations

The Principle of Least Privilege [PoLP] is applicable:

"Every program and every user of the system should operate
 using the least set of privileges necessary to complete the
 job."

In this context, it is recommended that the protocol participants minimize the information they share. I.e., they should provide only the information to each other that is necessary for the function that is expected to be performed by the other party.

This recommendation is of course very similar to the current approach to communications security. As with communication security, we try to avoid providing too much information as it may be misused or leak through attacks. The same principle applies not just to routers and potential attackers on path, but also many other services in the Internet, including servers that provide some function.

Of course, participants may provide more information to each after careful consideration, e.g., information provided in exchange of some benefit, or to parties that are trusted by the participant.

3. Discussion

Information disclosure may relate to different types of protocol exchanges:

It is also important to observe that information disclosure can appear in several ways. It can be explicitly carried information, e.g., a data item in a message sent to a protocol participant. But it can also be indirectly inferred information, such as message arrival times or patterns in the traffic flow. Information may also be obtained from fingerprinting the protocol participants, in an effort to identify unique endpoints or users. Finally, information gathered from a collaboration among several parties, e.g., websites and social media systems collaborating to identify visiting users [WP2021].

3.1. Dealing with compromise

Even with careful exposure of information, compromises may occur. It is important to build defenses to protect information, even when some component in a system is or becomes compromised. This may involve designs where no single party has all information such as with Oblivious DNS, cryptographic designs where a service such as with the recent IETF PPM effort, service side encryption of data at rest, confidential computing, and other mechanisms.

Protocols can ensure that forward secrecy is provided, so that the damage resulting from a compromise of keying material has limited impact.

On the client side, the client may trust that another party handles information appropriately, but take steps to ensure or verify that this is the case. For instance, as discussed above, the client can encrypt a message only to the actual final recipient, even if the server holds our message before it is delivered.

A corollary of the recommendation is that information should not be disclosed, stored, or routed in cleartext through services that do not need to have that information for the function they perform.

For instance, a transport connection between two components of a system is not an end-to-end connection even if it encompasses all the protocol layers up to the application layer. It is not end-to-end, if the information or control function it carries extends beyond those components. For instance, just because an e-mail server can read the contents of an e-mail message do not make it a legitimate recipient of the e-mail.

The general topic of ensuring that protocol mechanisms stays evolvable and workable is covered in [I-D.iab-use-it-or-lose-it]. But the associated methods for reducing fingerprinting possibilities probably deserve further study. [I-D.wood-pearg-website-fingerprinting] discusses one aspect of this.

4. Acknowledgements

The author would like to thank the members of the IAB, and the participants of IETF SAAG WG, Model-T IAB program, and the 2019 IAB DEDR workshop that all discussed some aspects of these issues. The author would like to acknowledge the significant contributions of Martin Thomson, Stephen Farrell, Mark McFadden, John Mattsson, Chris Wood, Dominique Lazanski, Eric Rescorla, Russ Housley, Robin Wilton, Mirja Kuehlewind, Tommy Pauly, Jaime Jimenez and Christian Huitema in discussions around this general problem area.

5. Informative References

[AmIUnique]
INRIA, ., "Am I Unique?", https://amiunique.org , .
[Confidentiality]
The Internet Architecture Board, ., "IAB Statement on Internet Confidentiality", https://www.iab.org/2014/11/14/iab-statement-on-internet-confidentiality/ , .
[Fingerprinting]
Laperdrix, P., Bielova, N., Baudry, B., and G. Avoine, "Browser Fingerprinting: A survey", arXiv:1905.01051v2 [cs.CR] 4 Nov 2019 , .
[I-D.arkko-arch-internet-threat-model-guidance]
Arkko, J. and S. Farrell, "Internet Threat Model Guidance", Work in Progress, Internet-Draft, draft-arkko-arch-internet-threat-model-guidance-00, , <https://www.ietf.org/archive/id/draft-arkko-arch-internet-threat-model-guidance-00.txt>.
[I-D.farrell-etm]
Farrell, S., "We're gonna need a bigger threat model", Work in Progress, Internet-Draft, draft-farrell-etm-03, , <https://www.ietf.org/archive/id/draft-farrell-etm-03.txt>.
[I-D.iab-path-signals-collaboration]
Arkko, J., Hardie, T., Pauly, T., and M. Kühlewind, "Considerations on Application - Network Collaboration Using Path Signals", Work in Progress, Internet-Draft, draft-iab-path-signals-collaboration-00, , <https://www.ietf.org/archive/id/draft-iab-path-signals-collaboration-00.txt>.
[I-D.iab-use-it-or-lose-it]
Thomson, M. and T. Pauly, "Long-Term Viability of Protocol Extension Mechanisms", Work in Progress, Internet-Draft, draft-iab-use-it-or-lose-it-04, , <https://www.ietf.org/archive/id/draft-iab-use-it-or-lose-it-04.txt>.
[I-D.lazanski-smart-users-internet]
Lazanski, D., "An Internet for Users Again", Work in Progress, Internet-Draft, draft-lazanski-smart-users-internet-00, , <https://www.ietf.org/archive/id/draft-lazanski-smart-users-internet-00.txt>.
[I-D.thomson-tmi]
Thomson, M., "Principles for the Involvement of Intermediaries in Internet Protocols", Work in Progress, Internet-Draft, draft-thomson-tmi-02, , <https://www.ietf.org/archive/id/draft-thomson-tmi-02.txt>.
[I-D.wood-pearg-website-fingerprinting]
Goldberg, I., Wang, T., and C. A. Wood, "Network-Based Website Fingerprinting", Work in Progress, Internet-Draft, draft-wood-pearg-website-fingerprinting-00, , <https://www.ietf.org/archive/id/draft-wood-pearg-website-fingerprinting-00.txt>.
[PoLP]
Saltzer, J. and M. Schroader, "The Protection of Information in Computer Systems", Fourth ACM Symposium on Operating System Principles , .
[RFC3552]
Rescorla, E. and B. Korver, "Guidelines for Writing RFC Text on Security Considerations", BCP 72, RFC 3552, DOI 10.17487/RFC3552, , <https://www.rfc-editor.org/info/rfc3552>.
[RFC7258]
Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an Attack", BCP 188, RFC 7258, DOI 10.17487/RFC7258, , <https://www.rfc-editor.org/info/rfc7258>.
[RFC7858]
Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D., and P. Hoffman, "Specification for DNS over Transport Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, , <https://www.rfc-editor.org/info/rfc7858>.
[RFC8484]
Hoffman, P. and P. McManus, "DNS Queries over HTTPS (DoH)", RFC 8484, DOI 10.17487/RFC8484, , <https://www.rfc-editor.org/info/rfc8484>.
[RFC8546]
Trammell, B. and M. Kuehlewind, "The Wire Image of a Network Protocol", RFC 8546, DOI 10.17487/RFC8546, , <https://www.rfc-editor.org/info/rfc8546>.
[RFC8558]
Hardie, T., Ed., "Transport Protocol Path Signals", RFC 8558, DOI 10.17487/RFC8558, , <https://www.rfc-editor.org/info/rfc8558>.
[RFC8980]
Arkko, J. and T. Hardie, "Report from the IAB Workshop on Design Expectations vs. Deployment Reality in Protocol Development", RFC 8980, DOI 10.17487/RFC8980, , <https://www.rfc-editor.org/info/rfc8980>.
[RFC9000]
Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based Multiplexed and Secure Transport", RFC 9000, DOI 10.17487/RFC9000, , <https://www.rfc-editor.org/info/rfc9000>.
[WP2021]
Fowler, Geoffrey A., "There’s no escape from Facebook, even if you don’t use it", Washington Post , .

Author's Address

Jari Arkko
Ericsson
Valitie 1B
FI- Kauniainen
Finland