draft-iab-privsec-confidentiality-threat-06.txt   draft-iab-privsec-confidentiality-threat-07.txt 
Network Working Group R. Barnes Network Working Group R. Barnes
Internet-Draft Internet-Draft
Intended status: Informational B. Schneier Intended status: Informational B. Schneier
Expires: November 12, 2015 Expires: November 29, 2015
C. Jennings C. Jennings
T. Hardie T. Hardie
B. Trammell B. Trammell
C. Huitema C. Huitema
D. Borkmann D. Borkmann
May 11, 2015
May 28, 2015
Confidentiality in the Face of Pervasive Surveillance: A Threat Model Confidentiality in the Face of Pervasive Surveillance: A Threat Model
and Problem Statement and Problem Statement
draft-iab-privsec-confidentiality-threat-06 draft-iab-privsec-confidentiality-threat-07
Abstract Abstract
Since the initial revelations of pervasive surveillance in 2013, Since the initial revelations of pervasive surveillance in 2013,
several classes of attacks on Internet communications have been several classes of attacks on Internet communications have been
discovered. In this document we develop a threat model that discovered. In this document we develop a threat model that
describes these attacks on Internet confidentiality. We assume an describes these attacks on Internet confidentiality. We assume an
attacker that is interested in undetected, indiscriminate attacker that is interested in undetected, indiscriminate
eavesdropping. The threat model is based on published, verified eavesdropping. The threat model is based on published, verified
attacks. attacks.
skipping to change at page 1, line 47 skipping to change at page 1, line 48
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 12, 2015. This Internet-Draft will expire on November 29, 2015.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. An Idealized Passive Pervasive Attacker . . . . . . . . . . . 5
3.1. Information subject to direct observation . . . . . . . . 6
3.2. Information useful for inference . . . . . . . . . . . . 6
3.3. An illustration of an ideal passive pervasive attack . . 7
3.3.1. Analysis of IP headers . . . . . . . . . . . . . . . 7
3.3.2. Correlation of IP addresses to user identities . . . 8
3.3.3. Monitoring messaging clients for IP address
correlation . . . . . . . . . . . . . . . . . . . . . 8
3.3.4. Retrieving IP addresses from mail headers . . . . . . 9
3.3.5. Tracking address usage with web cookies . . . . . . . 9
3.3.6. Graph-based approaches to address correlation . . . . 10
3.3.7. Tracking of Link Layer Identifiers . . . . . . . . . 10
4. Reported Instances of Large-Scale Attacks . . . . . . . . . . 11
5. Threat Model . . . . . . . . . . . . . . . . . . . . . . . . 13
5.1. Attacker Capabilities . . . . . . . . . . . . . . . . . . 14
5.2. Attacker Costs . . . . . . . . . . . . . . . . . . . . . 17
6. Security Considerations . . . . . . . . . . . . . . . . . . . 19
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19
8. IAB Members at the Time of Approval . . . . . . . . . . . . . 20
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 20
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 20
10.1. Normative References . . . . . . . . . . . . . . . . . . 20
10.2. Informative References . . . . . . . . . . . . . . . . . 20
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23
1. Introduction 1. Introduction
Starting in June 2013, documents released to the press by Edward Starting in June 2013, documents released to the press by Edward
Snowden have revealed several operations undertaken by intelligence Snowden have revealed several operations undertaken by intelligence
agencies to exploit Internet communications for intelligence agencies to exploit Internet communications for intelligence
purposes. These attacks were largely based on protocol purposes. These attacks were largely based on protocol
vulnerabilities that were already known to exist. The attacks were vulnerabilities that were already known to exist. The attacks were
nonetheless striking in their pervasive nature, both in terms of the nonetheless striking in their pervasive nature, both in terms of the
amount of Internet communications targeted, and in terms of the volume of Internet traffic targeted, and in terms of the diversity of
diversity of attack techniques employed. attack techniques employed.
To ensure that the Internet can be trusted by users, it is necessary To ensure that the Internet can be trusted by users, it is necessary
for the Internet technical community to address the vulnerabilities for the Internet technical community to address the vulnerabilities
exploited in these attacks [RFC7258]. The goal of this document is exploited in these attacks [RFC7258]. The goal of this document is
to describe more precisely the threats posed by these pervasive to describe more precisely the threats posed by these pervasive
attacks, and based on those threats, lay out the problems that need attacks, and based on those threats, lay out the problems that need
to be solved in order to secure the Internet in the face of those to be solved in order to secure the Internet in the face of those
threats. threats.
The remainder of this document is structured as follows. In The remainder of this document is structured as follows. In
skipping to change at page 3, line 25 skipping to change at page 4, line 7
any attack that accesses a flow but does not modify it, while an any attack that accesses a flow but does not modify it, while an
"active attack" is any attack that modifies a flow. Some passive "active attack" is any attack that modifies a flow. Some passive
attacks involve active interception and modifications of devices, attacks involve active interception and modifications of devices,
rather than simple access to the medium. The introduced terms are: rather than simple access to the medium. The introduced terms are:
Pervasive Attack: An attack on Internet communications that makes Pervasive Attack: An attack on Internet communications that makes
use of access at a large number of points in the network, or use of access at a large number of points in the network, or
otherwise provides the attacker with access to a large amount of otherwise provides the attacker with access to a large amount of
Internet traffic; see [RFC7258]. Internet traffic; see [RFC7258].
Passive Pervasive Attack: An eavesdropping attack undertaken by a Passive Pervasive Attack: An eavesdropping attack undertaken by a
pervasive attacker, in which the packets in a traffic stream pervasive attacker, in which the packets in a traffic stream
between two endpoints are intercepted, but in which the attacker between two endpoints are intercepted, but in which the attacker
does not modify the packets in the traffic stream between two does not modify the packets in the traffic stream between two
endpoints, modify the treatment of packets in the traffic stream endpoints, modify the treatment of packets in the traffic stream
(e.g. delay, routing), or add or remove packets in the traffic (e.g. delay, routing), or add or remove packets in the traffic
stream. Passive pervasive attacks are undetectable from the stream. Passive pervasive attacks are undetectable from the
endpoints. Equivalent to passive wiretapping as defined in endpoints. Equivalent to passive wiretapping as defined in
[RFC4949]; we use an alternate term here since the methods [RFC4949]; we use an alternate term here since the methods
employed are wider than those implied by the word "wiretapping", employed are wider than those implied by the word "wiretapping",
including the active compromise of intermediate systems. including the active compromise of intermediate systems.
skipping to change at page 4, line 5 skipping to change at page 4, line 34
more capabilities to the attacker at the risk of possible more capabilities to the attacker at the risk of possible
detection at the endpoints. Equivalent to active wiretapping as detection at the endpoints. Equivalent to active wiretapping as
defined in [RFC4949]. defined in [RFC4949].
Observation: Information collected directly from communications by Observation: Information collected directly from communications by
an eavesdropper or observer. For example, the knowledge that an eavesdropper or observer. For example, the knowledge that
<alice@example.com> sent a message to <bob@example.com> via SMTP <alice@example.com> sent a message to <bob@example.com> via SMTP
taken from the headers of an observed SMTP message would be an taken from the headers of an observed SMTP message would be an
observation. observation.
Inference: Information extracted from analysis of information Inference: Information derived from analysis of information
collected directly from communications by an eavesdropper or collected directly from communications by an eavesdropper or
observer. For example, the knowledge that a given web page was observer. For example, the knowledge that a given web page was
accessed by a given IP address, by comparing the size in octets of accessed by a given IP address, by comparing the size in octets of
measured network flow records to fingerprints derived from known measured network flow records to fingerprints derived from known
sizes of linked resources on the web servers involved, would be an sizes of linked resources on the web servers involved, would be an
inference. inference.
Collaborator: An entity that is a legitimate participant in a Collaborator: An entity that is a legitimate participant in a
communication, but who deliberately provides information about communication, and provides information about that communication
that interaction to an attacker. to an attacker. Collaborators may either deliberately or
unwittingly cooperate with the attacker, in the latter case
Unwitting Collaborator: An entity that is a legitimate participant because the attacker has subverted the collaborator through
in a communication, and who is the source of information obtained technical, social, or other means.
by the attacker without the entity's consent or intention, because
the attacker has exploited some technology used by the entity.
Key Exfiltration: The transmission of cryptographic keying material Key Exfiltration: The transmission of cryptographic keying material
for an encrypted communication from a collaborator, deliberately for an encrypted communication from a collaborator, deliberately
or unwittingly, to an attacker. or unwittingly, to an attacker.
Content Exfiltration: The transmission of the content of a Content Exfiltration: The transmission of the content of a
communication from a collaborator, deliberately or unwittingly, to communication from a collaborator, deliberately or unwittingly, to
an attacker an attacker
3. An Idealized Passive Pervasive Attacker 3. An Idealized Passive Pervasive Attacker
skipping to change at page 6, line 15 skipping to change at page 6, line 44
is the observation of DNS queries and answers from and to a source is the observation of DNS queries and answers from and to a source
and correlating those with IP addresses with which that source and correlating those with IP addresses with which that source
communicates. This can give access to information otherwise not communicates. This can give access to information otherwise not
available from encrypted application payloads (e.g., the Host: available from encrypted application payloads (e.g., the Host:
HTTP/1.1 request header when HTTP is used with TLS). HTTP/1.1 request header when HTTP is used with TLS).
Protocols which encrypt their payload using an application- or Protocols which encrypt their payload using an application- or
transport-layer encryption scheme (e.g. TLS) still expose all the transport-layer encryption scheme (e.g. TLS) still expose all the
information in their network and transport layer headers to the information in their network and transport layer headers to the
attacker, including source and destination addresses and ports. attacker, including source and destination addresses and ports.
IPsec ESP[RFC4303] further encrypts the transport-layer headers, but IPsec ESP [RFC4303] further encrypts the transport-layer headers, but
still leaves IP address information unencrypted; in tunnel mode, still leaves IP address information unencrypted; in tunnel mode,
these addresses correspond to the tunnel endpoints. Features of the these addresses correspond to the tunnel endpoints. Features of the
security protocols themselves, e.g. the TLS session identifier, may security protocols themselves, e.g. the TLS session identifier, may
leak information that can be used for correlation and inference. leak information that can be used for correlation and inference.
While this information is much less semantically rich than the While this information is much less semantically rich than the
application payload, it can still be useful for the inferring an application payload, it can still be useful for the inferring an
individual's activities. individual's activities.
Inference can also leverage information obtained from sources other Inference can also leverage information obtained from sources other
than direct traffic observation. Geolocation databases, for example, than direct traffic observation. Geolocation databases, for example,
skipping to change at page 7, line 30 skipping to change at page 8, line 8
Internet traffic can be monitored by tapping Internet links, or by Internet traffic can be monitored by tapping Internet links, or by
installing monitoring tools in Internet routers. Of course, a single installing monitoring tools in Internet routers. Of course, a single
link or a single router only provides access to a fraction of the link or a single router only provides access to a fraction of the
global Internet traffic. However, monitoring a number of high global Internet traffic. However, monitoring a number of high
capacity links or a set of routers placed at strategic locations capacity links or a set of routers placed at strategic locations
provides access to a good sampling of Internet traffic. provides access to a good sampling of Internet traffic.
Tools like IPFIX [RFC7011] allow administrators to acquire statistics Tools like IPFIX [RFC7011] allow administrators to acquire statistics
about sequences of packets with some common properties that pass about sequences of packets with some common properties that pass
through a network device. The most common set of properties used in through a network device. The most common set of properties used in
flow measurement is the "five-tuple"of source and destination flow measurement is the "five-tuple" of source and destination
addresses, protocol type, and source and destination ports. These addresses, protocol type, and source and destination ports. These
statistics are commonly used for network engineering, but could statistics are commonly used for network engineering, but could
certainly be used for other purposes. certainly be used for other purposes.
Let's assume for a moment that IP addresses can be correlated to Let's assume for a moment that IP addresses can be correlated to
specific services or specific users. Analysis of the sequences of specific services or specific users. Analysis of the sequences of
packets will quickly reveal which users use what services, and also packets will quickly reveal which users use what services, and also
which users engage in peer-to-peer connections with other users. which users engage in peer-to-peer connections with other users.
Analysis of traffic variations over time can be used to detect Analysis of traffic variations over time can be used to detect
increased activity by particular users, or in the case of peer-to- increased activity by particular users, or in the case of peer-to-
skipping to change at page 10, line 51 skipping to change at page 11, line 25
4. Reported Instances of Large-Scale Attacks 4. Reported Instances of Large-Scale Attacks
The situation in reality is more bleak than that suggested by an The situation in reality is more bleak than that suggested by an
analysis of our idealized attacker. Through revelations of sensitive analysis of our idealized attacker. Through revelations of sensitive
documents in several media outlets, the Internet community has been documents in several media outlets, the Internet community has been
made aware of several intelligence activities conducted by US and UK made aware of several intelligence activities conducted by US and UK
national intelligence agencies, particularly the US National Security national intelligence agencies, particularly the US National Security
Agency (NSA) and the UK Government Communications Headquarters Agency (NSA) and the UK Government Communications Headquarters
(GCHQ). These documents have revealed methods that these agencies (GCHQ). These documents have revealed methods that these agencies
use to attack Internet applications and obtain sensitive user use to attack Internet applications and obtain sensitive user
information. We note that these reports are primarily useful as an information. There is little reason to suppose that only the US or
illustration of the types of capabilities fielded by pervasive UK governments are involved in these sorts of activities; the
attackers as of the date of the Snowden leaks in 2013. examples are just ones that were disclosed. We note that these
reports are primarily useful as an illustration of the types of
capabilities fielded by pervasive attackers as of the date of the
Snowden leaks in 2013.
First, they confirm the deployment of large-scale passive collection First, they confirm the deployment of large-scale passive collection
of Internet traffic, which confirms the existence of pervasive of Internet traffic, which confirms the existence of pervasive
passive attackers with at least the capabilities of our idealized passive attackers with at least the capabilities of our idealized
attacker. For example [pass1][pass2][pass3][pass4]: attacker. For example [pass1][pass2][pass3][pass4]:
o NSA's XKEYSCORE system accesses data from multiple access points o NSA's XKEYSCORE system accesses data from multiple access points
and searches for "selectors" such as email addresses, at the scale and searches for "selectors" such as email addresses, at the scale
of tens of terabytes of data per day. of tens of terabytes of data per day.
skipping to change at page 12, line 36 skipping to change at page 13, line 14
are designed to indiscriminately gather as much data as possible and are designed to indiscriminately gather as much data as possible and
to apply selective analysis on targets after the fact. This means to apply selective analysis on targets after the fact. This means
that all, or nearly all, Internet communications are targets for that all, or nearly all, Internet communications are targets for
these attacks. To achieve this scale, the attacks are physically these attacks. To achieve this scale, the attacks are physically
pervasive; they affect a large number of Internet communications. pervasive; they affect a large number of Internet communications.
They are pervasive in content, consuming and exploiting any They are pervasive in content, consuming and exploiting any
information revealed by the protocol. And they are pervasive in information revealed by the protocol. And they are pervasive in
technology, exploiting many different vulnerabilities in many technology, exploiting many different vulnerabilities in many
different protocols. different protocols.
It's important to note that although the attacks mentioned above were Again, it's important to note that, although the attacks mentioned
executed by NSA and GCHQ, there are many other organizations that can above were executed by NSA and GCHQ, there are many other
mount pervasive surveillance attacks. Because of the resources organizations that can mount pervasive surveillance attacks. Because
required to achieve pervasive scale, these attacks are most commonly of the resources required to achieve pervasive scale, these attacks
undertaken by nation-state actors. For example, the Chinese Internet are most commonly undertaken by nation-state actors. For example,
filtering system known as the "Great Firewall of China" uses several the Chinese Internet filtering system known as the "Great Firewall of
techniques that are similar to the QUANTUM program, and which have a China" uses several techniques that are similar to the QUANTUM
high degree of pervasiveness with regard to the Internet in China. program, and which have a high degree of pervasiveness with regard to
the Internet in China. Therefore, legal restrictions in any one
jurisdiction on pervasive monitoring activities cannot eliminate the
risk of pervasive attack to the Internet as a whole.
5. Threat Model 5. Threat Model
Given these disclosures, we must consider a broader threat model. Given these disclosures, we must consider a broader threat model.
Pervasive surveillance aims to collect information across a large Pervasive surveillance aims to collect information across a large
number of Internet communications, analyzing the collected number of Internet communications, analyzing the collected
communications to identify information of interest within individual communications to identify information of interest within individual
communications, or inferring information from correlated communications, or inferring information from correlated
communications. This analysis sometimes benefits from decryption of communications. This analysis sometimes benefits from decryption of
skipping to change at page 17, line 15 skipping to change at page 17, line 51
noticing increased attenuation in the fiber or a change in switch noticing increased attenuation in the fiber or a change in switch
configuration. Of course, passive pervasive attacks may be configuration. Of course, passive pervasive attacks may be
accomplished with the cooperation of the network operator, in which accomplished with the cooperation of the network operator, in which
case there is a risk that the attacker's interactions with the case there is a risk that the attacker's interactions with the
network operator will be exposed. network operator will be exposed.
In many ways, the costs and risks for an active pervasive attack are In many ways, the costs and risks for an active pervasive attack are
similar to those for a passive pervasive attack, with a few similar to those for a passive pervasive attack, with a few
additions. An active attacker requires more robust network access additions. An active attacker requires more robust network access
than a passive attacker, since for example they will often need to than a passive attacker, since for example they will often need to
transmit data as well as receiving it. In the wireless example transmit data as well as receive it. In the wireless example above,
above, the attacker would need to act as an transmitter as well as the attacker would need to act as an transmitter as well as receiver,
receiver, greatly increasing the probability the attacker will be greatly increasing the probability the attacker will be discovered
discovered (e.g., using direction-finding technology). Active (e.g., using direction-finding technology). Active attacks are also
attacks are also much more observable at higher layers of the much more observable at higher layers of the network. For example,
network. For example, an active attacker that attempts to use a mis- an active attacker that attempts to use a mis-issued certificate
issued certificate could be detected via Certificate Transparency could be detected via Certificate Transparency [RFC6962].
[RFC6962].
In terms of raw implementation complexity, passive pervasive attacks In terms of raw implementation complexity, passive pervasive attacks
require only enough processing to extract information from the require only enough processing to extract information from the
network and store it. Active pervasive attacks, by contrast, often network and store it. Active pervasive attacks, by contrast, often
depend on winning race conditions to inject packets into active depend on winning race conditions to inject packets into active
connections. So active pervasive attacks in the core of the network connections. So active pervasive attacks in the core of the network
require processing hardware to that can operate at line speed require processing hardware to that can operate at line speed
(roughly 100Gbps to 1Tbps in the core) to identify opportunities for (roughly 100Gbps to 1Tbps in the core) to identify opportunities for
attack and insert attack traffic in a high-volume traffic. Key attack and insert attack traffic in a high-volume traffic. Key
exfiltration attacks rely on passive pervasive attack for access to exfiltration attacks rely on passive pervasive attack for access to
skipping to change at page 19, line 17 skipping to change at page 20, line 5
6. Security Considerations 6. Security Considerations
This document describes a threat model for pervasive surveillance This document describes a threat model for pervasive surveillance
attacks. Mitigations are to be given in a future document. attacks. Mitigations are to be given in a future document.
7. IANA Considerations 7. IANA Considerations
This document has no actions for IANA. This document has no actions for IANA.
8. Acknowledgements 8. IAB Members at the Time of Approval
Jari Arkko (IETF Chair)
Mary Barnes
Marc Blanchet
Ralph Droms
Ted Hardie
Joe Hildebrand
Russ Housley
Erik Nordmark
Robert Sparks
Andrew Sullivan
Dave Thaler
Brian Trammell
Suzanne Woolf
9. Acknowledgements
Thanks to Dave Thaler for the list of attacks and taxonomy; to Thanks to Dave Thaler for the list of attacks and taxonomy; to
Security Area Directors Stephen Farrell, Sean Turner, and Kathleen Security Area Directors Stephen Farrell, Sean Turner, and Kathleen
Moriarty for starting and managing the IETF's discussion on pervasive Moriarty for starting and managing the IETF's discussion on pervasive
attack; and to Stephan Neuhaus, Mark Townsley, Chris Inacio, attack; and to Stephan Neuhaus, Mark Townsley, Chris Inacio,
Evangelos Halepilidis, Bjoern Hoehrmann, Aziz Mohaisen, Russ Housley, Evangelos Halepilidis, Bjoern Hoehrmann, Aziz Mohaisen, Russ Housley,
and the IAB Privacy and Security Program for their input. Joe Hall, Andrew Sullivan, the IEEE 802 Privacy Executive Committee
SG, and the IAB Privacy and Security Program for their input.
9. References 10. References
9.1. Normative References 10.1. Normative References
[RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J., [RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J.,
Morris, J., Hansen, M., and R. Smith, "Privacy Morris, J., Hansen, M., and R. Smith, "Privacy
Considerations for Internet Protocols", RFC 6973, July Considerations for Internet Protocols", RFC 6973, July
2013. 2013.
9.2. Informative References 10.2. Informative References
[pass1] The Guardian, "How the NSA is still harvesting your online [pass1] The Guardian, "How the NSA is still harvesting your online
data", 2013, data", 2013,
<http://www.theguardian.com/world/2013/jun/27/ <http://www.theguardian.com/world/2013/jun/27/
nsa-online-metadata-collection>. nsa-online-metadata-collection>.
[pass2] The Guardian, "NSA's Prism surveillance program: how it [pass2] The Guardian, "NSA's Prism surveillance program: how it
works and what it can do", 2013, works and what it can do", 2013,
<http://www.theguardian.com/world/2013/jun/08/ <http://www.theguardian.com/world/2013/jun/08/
nsa-prism-server-collection-facebook-google>. nsa-prism-server-collection-facebook-google>.
skipping to change at page 20, line 24 skipping to change at page 21, line 29
[dec2] The Guardian, "Project Bullrun - classification guide to [dec2] The Guardian, "Project Bullrun - classification guide to
the NSA's decryption program", 2013, the NSA's decryption program", 2013,
<http://www.theguardian.com/world/interactive/2013/sep/05/ <http://www.theguardian.com/world/interactive/2013/sep/05/
nsa-project-bullrun-classification-guide>. nsa-project-bullrun-classification-guide>.
[dec3] The Guardian, "Revealed: how US and UK spy agencies defeat [dec3] The Guardian, "Revealed: how US and UK spy agencies defeat
internet privacy and security", 2013, internet privacy and security", 2013,
<http://www.theguardian.com/world/2013/sep/05/ <http://www.theguardian.com/world/2013/sep/05/
nsa-gchq-encryption-codes-security>. nsa-gchq-encryption-codes-security>.
[TOR] The Tor Project, "Tor", 2013,
<https://www.torproject.org/>.
[TOR1] Schneier, B., "How the NSA Attacks Tor/Firefox Users With [TOR1] Schneier, B., "How the NSA Attacks Tor/Firefox Users With
QUANTUM and FOXACID", 2013, QUANTUM and FOXACID", 2013,
<https://www.schneier.com/blog/archives/2013/10/ <https://www.schneier.com/blog/archives/2013/10/
how_the_nsa_att.html>. how_the_nsa_att.html>.
[TOR2] The Guardian, "'Tor Stinks' presentation - read the full [TOR2] The Guardian, "'Tor Stinks' presentation - read the full
document", 2013, document", 2013,
<http://www.theguardian.com/world/interactive/2013/oct/04/ <http://www.theguardian.com/world/interactive/2013/oct/04/
tor-stinks-nsa-presentation-document>. tor-stinks-nsa-presentation-document>.
skipping to change at page 21, line 5 skipping to change at page 22, line 5
[dir2] The Guardian, "NSA Prism program taps in to user data of [dir2] The Guardian, "NSA Prism program taps in to user data of
Apple, Google and others", 2013, Apple, Google and others", 2013,
<http://www.theguardian.com/world/2013/jun/06/ <http://www.theguardian.com/world/2013/jun/06/
us-tech-giants-nsa-data>. us-tech-giants-nsa-data>.
[dir3] The Guardian, "Sigint - how the NSA collaborates with [dir3] The Guardian, "Sigint - how the NSA collaborates with
technology companies", 2013, technology companies", 2013,
<http://www.theguardian.com/world/interactive/2013/sep/05/ <http://www.theguardian.com/world/interactive/2013/sep/05/
sigint-nsa-collaborates-technology-companies>. sigint-nsa-collaborates-technology-companies>.
[secure] Schneier, B., "NSA surveillance: A guide to staying
secure", 2013,
<http://www.theguardian.com/world/2013/sep/05/
nsa-how-to-remain-secure-surveillance>.
[snowden] Technology Review, "NSA Leak Leaves Crypto-Math Intact but
Highlights Known Workarounds", 2013,
<http://www.technologyreview.com/news/519171/nsa-leak-
leaves-crypto-math-intact-but-highlights-known-
workarounds/>.
[spiegel1] [spiegel1]
C Stocker, ., "NSA's Secret Toolbox: Unit Offers Spy C Stocker, ., "NSA's Secret Toolbox: Unit Offers Spy
Gadgets for Every Need", December 2013, Gadgets for Every Need", December 2013,
<http://www.spiegel.de/international/world/nsa-secret- <http://www.spiegel.de/international/world/nsa-secret-
toolbox-ant-unit-offers-spy-gadgets-for-every-need- toolbox-ant-unit-offers-spy-gadgets-for-every-need-
a-941006.html>. a-941006.html>.
[spiegel3] [spiegel3]
H Schmundt, ., "The Digital Arms Race: NSA Preps America H Schmundt, ., "The Digital Arms Race: NSA Preps America
for Future Battle", January 2014, for Future Battle", January 2014,
<http://www.spiegel.de/international/world/new-snowden- <http://www.spiegel.de/international/world/new-snowden-
docs-indicate-scope-of-nsa-preparations-for-cyber-battle- docs-indicate-scope-of-nsa-preparations-for-cyber-battle-
a-1013409.html>. a-1013409.html>.
[key-recovery]
Golle, P., "The Design and Implementation of Protocol-
Based Hidden Key Recovery", 2003,
<http://crypto.stanford.edu/~pgolle/papers/escrow.pdf>.
[great-cannon] [great-cannon]
Paxson, V., "China's Great Cannon", 2015, Paxson, V., "China's Great Cannon", 2015,
<https://citizenlab.org/2015/04/chinas-great-cannon/>. <https://citizenlab.org/2015/04/chinas-great-cannon/>.
[RFC1035] Mockapetris, P., "Domain names - implementation and [RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987. specification", STD 13, RFC 1035, November 1987.
[RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and [RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and
E. Lear, "Address Allocation for Private Internets", BCP E. Lear, "Address Allocation for Private Internets", BCP
5, RFC 1918, February 1996. 5, RFC 1918, February 1996.
[RFC1939] Myers, J. and M. Rose, "Post Office Protocol - Version 3", [RFC1939] Myers, J. and M. Rose, "Post Office Protocol - Version 3",
STD 53, RFC 1939, May 1996. STD 53, RFC 1939, May 1996.
[RFC2015] Elkins, M., "MIME Security with Pretty Good Privacy
(PGP)", RFC 2015, October 1996.
[RFC2821] Klensin, J., "Simple Mail Transfer Protocol", RFC 2821,
April 2001.
[RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
A., Peterson, J., Sparks, R., Handley, M., and E. A., Peterson, J., Sparks, R., Handley, M., and E.
Schooler, "SIP: Session Initiation Protocol", RFC 3261, Schooler, "SIP: Session Initiation Protocol", RFC 3261,
June 2002. June 2002.
[RFC3365] Schiller, J., "Strong Security Requirements for Internet [RFC3365] Schiller, J., "Strong Security Requirements for Internet
Engineering Task Force Standard Protocols", BCP 61, RFC Engineering Task Force Standard Protocols", BCP 61, RFC
3365, August 2002. 3365, August 2002.
[RFC3501] Crispin, M., "INTERNET MESSAGE ACCESS PROTOCOL - VERSION [RFC3501] Crispin, M., "INTERNET MESSAGE ACCESS PROTOCOL - VERSION
4rev1", RFC 3501, March 2003. 4rev1", RFC 3501, March 2003.
[RFC3851] Ramsdell, B., "Secure/Multipurpose Internet Mail
Extensions (S/MIME) Version 3.1 Message Specification",
RFC 3851, July 2004.
[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "DNS Security Introduction and Requirements", RFC Rose, "DNS Security Introduction and Requirements", RFC
4033, March 2005. 4033, March 2005.
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", RFC 4301, December 2005.
[RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC
4303, December 2005. 4303, December 2005.
[RFC4306] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol", RFC
4306, December 2005.
[RFC4949] Shirey, R., "Internet Security Glossary, Version 2", RFC [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", RFC
4949, August 2007. 4949, August 2007.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, August 2008. (TLS) Protocol Version 1.2", RFC 5246, August 2008.
[RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321, [RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321,
October 2008. October 2008.
[RFC5655] Trammell, B., Boschi, E., Mark, L., Zseby, T., and A.
Wagner, "Specification of the IP Flow Information Export
(IPFIX) File Format", RFC 5655, October 2009.
[RFC5750] Ramsdell, B. and S. Turner, "Secure/Multipurpose Internet
Mail Extensions (S/MIME) Version 3.2 Certificate
Handling", RFC 5750, January 2010.
[RFC6120] Saint-Andre, P., "Extensible Messaging and Presence
Protocol (XMPP): Core", RFC 6120, March 2011.
[RFC6962] Laurie, B., Langley, A., and E. Kasper, "Certificate [RFC6962] Laurie, B., Langley, A., and E. Kasper, "Certificate
Transparency", RFC 6962, June 2013. Transparency", RFC 6962, June 2013.
[RFC6698] Hoffman, P. and J. Schlyter, "The DNS-Based Authentication
of Named Entities (DANE) Transport Layer Security (TLS)
Protocol: TLSA", RFC 6698, August 2012.
[RFC7011] Claise, B., Trammell, B., and P. Aitken, "Specification of [RFC7011] Claise, B., Trammell, B., and P. Aitken, "Specification of
the IP Flow Information Export (IPFIX) Protocol for the the IP Flow Information Export (IPFIX) Protocol for the
Exchange of Flow Information", STD 77, RFC 7011, September Exchange of Flow Information", STD 77, RFC 7011, September
2013. 2013.
[RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an [RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an
Attack", BCP 188, RFC 7258, May 2014. Attack", BCP 188, RFC 7258, May 2014.
[I-D.ietf-dprive-problem-statement] [I-D.ietf-dprive-problem-statement]
Bortzmeyer, S., "DNS privacy considerations", draft-ietf- Bortzmeyer, S., "DNS privacy considerations", draft-ietf-
dprive-problem-statement-02 (work in progress), February dprive-problem-statement-05 (work in progress), May 2015.
2015.
Authors' Addresses Authors' Addresses
Richard Barnes Richard Barnes
Email: rlb@ipv.sx Email: rlb@ipv.sx
Bruce Schneier Bruce Schneier
Email: schneier@schneier.com Email: schneier@schneier.com
 End of changes. 29 change blocks. 
93 lines changed or deleted 92 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/