Security Area Working Group M. Richardson Internet-Draft Sandelman Software Works Updates: 4949 (if approved) J. Hoyland Intended status: Informational Cloudflare Ltd. Expires: 16 June 2025 13 December 2024 A taxonomy of eavesdropping attacks draft-richardson-saag-onpath-attacker-04 Abstract The terms on-path attacker and MITM Attack have been used in a variety of ways, sometimes interchangeably, and sometimes meaning different things. Increasingly people have become uncomfortable with the gendered term "Man" in the middle and have sought alternatives. This document offers an update on terminology for network attacks, retaining some acronyms terms while redefining the expansion, and clarifying the different kinds of attacks. Consistent terminology is important in describing what kinds of attacks a particular protocol defends against, and which kinds the protocol does not. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 16 June 2025. Copyright Notice Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved. Richardson & Hoyland Expires 16 June 2025 [Page 1] Internet-Draft MITM December 2024 This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Three kinds of attack . . . . . . . . . . . . . . . . . . . . 3 2.1. Active On-Path Attacker, or Meddler in the Middle (MITM) . . . . . . . . . . . . . . . . . . . . . . . . . 3 2.2. Passive On-Path attack . . . . . . . . . . . . . . . . . 4 2.3. Passive On-Path attack with bypass . . . . . . . . . . . 5 2.4. Passive Off-path attacker . . . . . . . . . . . . . . . . 5 3. Existing uses of the terms . . . . . . . . . . . . . . . . . 6 3.1. IETF QUIC terms . . . . . . . . . . . . . . . . . . . . . 6 4. Security Considerations . . . . . . . . . . . . . . . . . . . 6 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6 7. Changelog . . . . . . . . . . . . . . . . . . . . . . . . . . 6 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 8.1. Normative References . . . . . . . . . . . . . . . . . . 6 8.2. Informative References . . . . . . . . . . . . . . . . . 6 Appendix A. Monster in the Middle . . . . . . . . . . . . . . . 7 Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 1. Introduction A number of terms have been used to describe attacks against networks. In the [dolevyao] paper, the attacker is assumed to be able to: * view messages as they are transmitted * selectively delete messages * selectively insert or modify messages Some authors refer to such an attacker as an "on-path" attacker [reference], or a "Man-in-the-Middle" [reference]. Richardson & Hoyland Expires 16 June 2025 [Page 2] Internet-Draft MITM December 2024 Despite a broad consensus on what is meant by a MITM attack, there is less agreement on the how to describe its variants. The term "passive attacker" has been used in many cases to describe situations where the attacker can only observe messages, but can not intercept, modify or delete any messages. Another variant is the case where an eavesdropper is not on the network path between the actual correspondants, and thus cannot drop messages, they may be able to inject packets faster than the correspondants, and thus beat legitimate packets in a race. As summarised, there are three broad variations of the MITM attacker: 1. An on-path attacker that can view, delete and modify messages. This is the Dolev-Yao attack. 2. An off-path attacker that can view messages and insert new messages. 3. An off-path attacker that can only view messages. 2. Three kinds of attack The attacks are numbered in this section as no consensus on naming the attacks yet. In the diagrams below, the sender is named "Alice", and the recipient is named "Bob", as is typical in many cryptographic protocols [alicebob], as first introduced by [digisign]. Alice and Bob were named as expansions of "A" and "B", which would otherwise be very abstract concepts of the two end points. The attacker has historically been named "Mallory", but this document proposes that the expansion be named "Meddler" (Artwork only available as ASCII-ART: see https://www.ietf.org/archive/id/draft-richardson-saag-onpath- attacker-04.html) Figure 1: Alice communicating with Bob 2.1. Active On-Path Attacker, or Meddler in the Middle (MITM) In this attack, the attacker is involved with the forwarding of the packets. A firewall or network router is ideally placed for this attack. Richardson & Hoyland Expires 16 June 2025 [Page 3] Internet-Draft MITM December 2024 .-------. ╭─────────╮ .-----. | Alice |──────│ Meddler │─────>| Bob | '-------' ╰─────────╯ '-----' Figure 2: On Path Attacker In this case the Meddler can: * view all packets * selectively forward or drop any packet * modify any packets that is forwarded * insert additional packets 2.2. Passive On-Path attack In this attack, the attacker is not involved with the forwarding of the packets. The attacker receives a copy of packets that are sent along the path. This could be from, for instance, a mirror port or SPAN [span]. Alternatively, a copy of traffic may be obtained via passive (optical) tap [fibertap]. This kind of attack is often associated with Pervasive Monitoring [RFC7258]. .-------. .-----. | Alice |──────────────────────>| Bob | '-------' | '-----' | v ╭─────────╮ │ Meddler │ ╰─────────╯ Figure 3: Passive On-Path attack In this the meddler can: * view all packets Note that they have no way to inject new packets, and this attack may occur seconds to decades after the data was exchanged. Richardson & Hoyland Expires 16 June 2025 [Page 4] Internet-Draft MITM December 2024 2.3. Passive On-Path attack with bypass In some cases, the Meddler is be able to send messages to Bob via another route. Due to some other factor (such as shorter or higher cost routing), these messages arrive at Bob prior to the original message from Alice. .-------. ╭──╮ .-----. | Alice |──────────────╮ │ │ ╭──>| Bob | '-------' | │ │ │ │ '-----' | │ │ ╰───╯ ^ v │ │ │ ╭─────────╮ ╰──╯ │ │ Meddler │────────────────────╯ ╰─────────╯ Figure 4: Passive On-Path attack with bypass In that the Meddler can: * view all packets * insert additional/copied packets into the stream But the Meddler is unable to drop or modify the original packets. Bob however, may be unable to distinguish packets from Alice vs packets sent from the Meddler that purport to be from Alice. To be effective or useful, this type of attack needs to occur in real time. 2.4. Passive Off-path attacker The third kind of attack is one in which the Meddler can not see any packets from Alice. This is usually what is meant by an "off-path" attack. The meddler can forge packets purporting to be from Alice, but can never see Alice's actual packets. .-------. .-----. | Alice |──────────────────────────>| Bob | '-------' '-----' ^ │ ╭─────────╮ │ │ Meddler │───────────────────╯ ╰─────────╯ Figure 5: Passive Off-path attacker Richardson & Hoyland Expires 16 June 2025 [Page 5] Internet-Draft MITM December 2024 In this the Meddler can: * insert additional packets 3. Existing uses of the terms 3.1. IETF QUIC terms [quic] ended up the following taxonomy: on-path: [Dolev-Yao] MITM, Active On-Path attacker Limited on-path (cannot delete): Active Off-Path attacker Off-path: Passive Off-Path attacker 4. Security Considerations This document introduces a set of terminology that will be used in many Security Considerations sections. 5. IANA Considerations This document makes no IANA requests. 6. Acknowledgements The SAAG mailing list. 7. Changelog 8. References 8.1. Normative References [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007, . 8.2. Informative References [alicebob] "Alice and Bob", 2020, . [alliteration] "Council of Attackers", 2020, . Richardson & Hoyland Expires 16 June 2025 [Page 6] Internet-Draft MITM December 2024 [digisign] Rivest, R. L., Shamir, A., and L. Adleman, "A method for obtaining digital signatures and public-key cryptosystems", February 1978, . [dolevyao] "On the Security of Public Key Protocols", 1983, . [fibertap] "Fiber Tap", 2020, . [malory] "Man-in-the-Middle", 2020, . [quic] "QUIC terms for attacks", 2020, . [RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an Attack", BCP 188, RFC 7258, DOI 10.17487/RFC7258, May 2014, . [span] "Port Mirroring", 2020, . Appendix A. Monster in the Middle As a special case for the MITM, if the Meddler steals cookies (whether they are HTTP Cookies, IKE nonces, or TCP SYN Cookies), then this kind of attack is a Monster in The Middle. This is otherwise known as a: nom-nom-nom-nom attack. Richardson & Hoyland Expires 16 June 2025 [Page 7] Internet-Draft MITM December 2024 .---. .---. : : o : me want cookie! _..-: o : :-.._ / .-'' ' `---' `---' " ``-. .' " ' " . " . ' " `. : '.---.,,.,...,.,.,.,..---. ' ; `. " `. .' " .' `. '`. .' ' .' `. `-._ _.-' " .' .----. `. " '"--...--"' . ' .' .' o `. .'`-._' " . " _.-'`. : o : jgs .' ```--.....--''' ' `:_ o : .' " ' " " ; `.;";";";' ; ' " ' . ; .' ; ; ; ; ' ' ' " .' .-' ' " " ' " " _.-' Contributors Eric Rescola Email: ekr@rtfm.com Lou Berger Email: lberger@labn.net Alan DeKok Email: aland@deployingradius.com Christian Huitema Email: huitema@huitema.net Authors' Addresses Michael Richardson Sandelman Software Works Email: mcr+ietf@sandelman.ca Jonathan Hoyland Cloudflare Ltd. Email: jhoyland@cloudflare.com Richardson & Hoyland Expires 16 June 2025 [Page 8]