hi all,
here are the minutes of the call.
Due to a time conflict, some people were not able to join the call.
regards
abbie
Call on Monday 8/16/2002. Below are notes for the call.
Issues and/or questions on which input from the larger
CDI group is sought are indicated with "Q:". But of course
any other input would be useful.
Callers:
Abbie Barbir
Oscar Batuner
Kobus van der Merwe
About scope of this work:
Is limited to developing a threat model for CDI
(not providing solutions).
Q: Is the threat model limited to CDI or should we
also cover threats related to CDNs in general?
Might be difficult to understand the additional
threats posed by CDI without understanding
the threat model for CDNs.
Things specifically considered out of scope:
- Guarantees regarding content integrity in case
of content transformations in the network.
- The security of CDN components such as surrogates (i.e. CDI cannot
improve on the security of the original system)
Threats fall into two categories, namely
network-level threats and content-level threats.
Within both of these the distinction can be made between
threats from outsiders (parties not taking part
in the content peering arrangement) and from insiders
(those taking part in content peering).
This breakdown covers both intentional threats (i.e.
malicious attacks) as well as unintentional threats
(i.e. those due to system malfunction, programming error,
configuration error etc).
Threats from outsiders can be mitigated by using strong
authentication and encryption.
Q: Is this sufficient protection?
Q: Do we want to make strong authentication and encryption
a requirement?
Q: Are both IPsec and TLS appropriate/scalable?
Q: Should we (at this point) decide/debate above point?
Threats from insiders are harder to deal with because
of the trust relationship required for content internetworking.
- Treatment of malformed messages: following the BGP model
it is suggested that receipt of a malformed message result
in termination of the peering relationship with the gateway
involved. A malformed message could be the result of the gateway
being compromised, a buggy implementation etc. Since it is
impossible to tell the difference, terminating this peer-to-peer
relationship appears to be the only safe way to handle this.
--- point out the difference between "termination of the
peering relationship with the gateway involved" and terminating
the peer-to-peer relationship with the CDN involved.
- A peer can always (intentionally or unintentionally)
send incorrect advertisements which might lead to incorrect
selections being made. E.g. a CDN might incorrectly advertise low load,
low cost and good coverage and therefore attract a large
proportion of traffic. This problem can be somewhat mitigated
through filtering of advertisements and local policies but
ultimately comes down to a trust relationship between
peers.
Migration of policy (might be generic CDN issue not CDI):
If there is a certain trust relationship between content
provider and consumer this relationship should be maintained
when content is distributed via a CDN. (example from CDI arch
draft).
- This relationship should also be preserved when content moves
between peering CDNs (policy migration).
Authoritative:
Q: Do we need a mechanism to allow a CDN to prove that it
is authoritative to distribute content?
Q: What does it mean to be authorized to distribute content?
Things discussed somewhat outside the scope of threat model:
- There might be a need for a monitoring capability to allow some
verification of the real-time performance of a particular
CDN
- It was suggested that multiple gateways could be used to improve
the robustness of the system
--- Multiple gateways and monitoring are just suggested
solutions. This document should point to the underlying threats:
- as the trust relationship is static by nature it cannot be
relied upon in dynamic threat situations (attack, local
malfunction or overloading). Usually a CDN has specific
(proprietary) methods to deal with this problem; CDI has to
provide protection at the internetworking level;
- peering agreements may be vital for CDN functionality. This makes
peering reliability a security issue: easy disintegration caused by
an attack on (or malfunction of) a single point of failure may
result in a global DoS.
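The two insider-threat handling rules recorded in the minutes (tear down the peering with a gateway that sends a malformed message, BGP style, because a compromised gateway and a buggy one look the same; and filter well-formed but implausible advertisements through local policy, including a cap on the share of traffic a peer can attract) as an added Python example. This is not code from the CDI group or from any CDI draft: the JSON message layout, the field names, the PeerPolicy knobs and the load*cost selection metric are assumptions made for illustration only.

```python
# Added example, not CDI group code. Toy CDI advertisement receiver showing
# (1) BGP-style session termination on a malformed message and
# (2) local-policy filtering of well-formed but incorrect advertisements.
# Message layout (flat JSON object with the fields below) is an assumption.
import json
from dataclasses import dataclass, field

# Assumed advertisement fields and their types (not a CDI protocol definition).
REQUIRED_FIELDS = {"peer": str, "load": (int, float), "cost": (int, float), "coverage": list}


class PeeringTerminated(Exception):
    """Raised when a malformed message forces the peering session to be torn down."""


@dataclass
class PeerPolicy:
    """Local policy for one peer, derived from the (static) peering agreement."""
    max_coverage: set          # regions the peer is contracted to serve
    min_cost: float            # contracted floor; a lower advertised cost is implausible
    max_traffic_share: float   # cap on the share of selections this peer may win


@dataclass
class Receiver:
    policies: dict                                   # peer -> PeerPolicy
    sessions: dict = field(default_factory=dict)     # peer -> "up" | "terminated"
    accepted: dict = field(default_factory=dict)     # peer -> last accepted advertisement
    rejected: list = field(default_factory=list)     # (peer, reason) for filtered ads

    def open_session(self, peer):
        self.sessions[peer] = "up"

    def parse(self, peer, raw):
        """Strict parse. Any structural error terminates the peering (BGP model)."""
        try:
            msg = json.loads(raw)                     # JSONDecodeError is a ValueError
            if not isinstance(msg, dict):
                raise ValueError("top-level value is not an object")
            for name, typ in REQUIRED_FIELDS.items():
                if name not in msg:
                    raise ValueError(f"missing field {name!r}")
                if not isinstance(msg[name], typ) or isinstance(msg[name], bool):
                    raise ValueError(f"field {name!r} has wrong type")
            if msg["peer"] != peer:
                raise ValueError("peer field does not match session")
            if not 0.0 <= msg["load"] <= 1.0:
                raise ValueError("load outside [0, 1]")
            if not all(isinstance(c, str) for c in msg["coverage"]):
                raise ValueError("coverage entries must be strings")
        except ValueError as e:
            # Cannot tell a compromised gateway from a buggy one: drop the session.
            self.sessions[peer] = "terminated"
            raise PeeringTerminated(f"{peer}: {e}") from e
        return msg

    def apply_policy(self, peer, msg):
        """Filter a well-formed advertisement against the local policy for its peer."""
        pol = self.policies.get(peer)
        if pol is None:
            return False, "no policy for peer"
        extra = set(msg["coverage"]) - pol.max_coverage
        if extra:
            return False, f"advertises coverage outside contract: {sorted(extra)}"
        if msg["cost"] < pol.min_cost:
            return False, f"cost {msg['cost']} below contracted floor {pol.min_cost}"
        return True, "accepted"

    def receive(self, peer, raw):
        """Process one advertisement; returns (accepted, reason) or raises PeeringTerminated."""
        if self.sessions.get(peer) != "up":
            return False, "no open session"
        msg = self.parse(peer, raw)
        ok, reason = self.apply_policy(peer, msg)
        if ok:
            self.accepted[peer] = msg
        else:
            self.rejected.append((peer, reason))
        return ok, reason

    def select(self, region, share_history):
        """Pick the lowest load*cost peer covering region, skipping peers at their share cap."""
        candidates = []
        for peer, msg in self.accepted.items():
            if region not in msg["coverage"]:
                continue
            if share_history.get(peer, 0.0) >= self.policies[peer].max_traffic_share:
                continue
            candidates.append((msg["load"] * msg["cost"], peer))
        return min(candidates)[1] if candidates else None


def demo():
    """Run the receiver over constructed sample advertisements; returns a result dict."""
    r = Receiver(policies={
        "cdn-a": PeerPolicy(max_coverage={"eu", "us"}, min_cost=1.0, max_traffic_share=0.6),
        "cdn-b": PeerPolicy(max_coverage={"us"}, min_cost=1.0, max_traffic_share=0.6),
    })
    for p in r.policies:
        r.open_session(p)
    res = {}
    res["a_ok"] = r.receive("cdn-a", '{"peer":"cdn-a","load":0.5,"cost":1.2,"coverage":["eu","us"]}')
    # cdn-b overstates coverage and understates cost: filtered, but the session stays up.
    res["b_bad"] = r.receive("cdn-b", '{"peer":"cdn-b","load":0.1,"cost":0.2,"coverage":["us","eu"]}')
    res["b_ok"] = r.receive("cdn-b", '{"peer":"cdn-b","load":0.1,"cost":1.0,"coverage":["us"]}')
    res["select_us"] = r.select("us", {})                     # cdn-b wins on load*cost
    res["select_us_capped"] = r.select("us", {"cdn-b": 0.6})  # cdn-b at its share cap
    try:  # truncated JSON from cdn-a: peering torn down, later messages ignored
        r.receive("cdn-a", '{"peer":"cdn-a","load":"high","cost":1.2')
        res["a_malformed"] = "accepted"
    except PeeringTerminated as e:
        res["a_malformed"] = str(e)
    res["a_session"] = r.sessions["cdn-a"]
    res["a_after"] = r.receive("cdn-a", '{"peer":"cdn-a","load":0.5,"cost":1.2,"coverage":["eu"]}')
    return res


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

The point the minutes make survives in the code: the malformed-message rule is a hard fault (session state flips to "terminated" and nothing from that gateway is processed again until a new session is opened), whereas incorrect advertisements are soft-filtered and the session continues, because the receiver can only bound the damage through its contract-derived policy and the share cap, not prove the peer's claims false.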