[LINK] IAB/W3C workshop: pervasive monitoring represents an attack on the Internet
Robin Whittle
rw at firstpr.com.au
Mon Dec 2 13:17:21 AEDT 2013
From the IETF mailing list - further fallout from Edward Snowden's
revelations. I have provided an acronym decoder at the end.
- Robin
W3C/IAB workshop on Strengthening the Internet
Against Pervasive Monitoring (STRINT)
======================================
http://www.w3.org/2014/strint/
The Vancouver IETF plenary concluded that pervasive monitoring
represents an attack on the Internet, and the IETF has begun to
carry out various of the more obvious actions [1] required to
try to handle this attack. However, there are additional much
more complex questions arising that need further consideration
before any additional concrete plans can be made.
The W3C and IAB will therefore host a one-day workshop on the
topic of "Strengthening the Internet Against Pervasive
Monitoring" before IETF-89 in London in March 2014, with support
from the EU FP7 STREWS [2] project.
Pervasive monitoring targets protocol data that we also need for
network manageability and security. This data is captured and
correlated with other data. There is an open problem as to how
to enhance protocols so as to maintain network manageability and
security but still limit data capture and correlation.
The overall goal of the workshop is to steer IETF and W3C work
so as to be able to improve or "strengthen" the Internet in the
face of pervasive monitoring. A workshop report in the form of
an IAB RFC will be produced after the event.
Technical questions for the workshop include:
- What are the pervasive monitoring threat models, and what is
their effect on web and Internet protocol security and privacy?
- What is needed so that web developers can better consider the
pervasive monitoring context?
- How are WebRTC and IoT impacted, and how can they be better
protected? Are other key Internet and web technologies
potentially impacted?
- What gaps exist in current tool sets and operational best
practices that could address some of these potential impacts?
- What trade-offs exist between strengthening measures (e.g.
more encryption) and performance, operational or network
management issues?
- How do we guard against pervasive monitoring while maintaining
network manageability?
- Can lower layer changes (e.g., to IPv6, LISP, MPLS) or
additions to overlay networks help?
- How realistic is it to not be fingerprintable on the web and
Internet?
- How can W3C, the IETF and the IRTF better deal with new
cryptographic algorithm proposals in future?
- What are the practical benefits and limits of "opportunistic
encryption"?
- Can we deploy end-to-end crypto for email, SIP, the web, all
TCP applications or other applications so that we mitigate
pervasive monitoring usefully?
- How might pervasive monitoring take form or be addressed in
embedded systems or different industrial verticals?
- How do we reconcile caching, proxies and other intermediaries
with end-to-end encryption?
- Can we obfuscate metadata with less overhead than TOR?
- Considering meta-data: are there relevant differences between
protocol artefacts, message sizes and patterns and payloads?
Position papers (maximum of 5 pages using 10pt font or any
length Internet-Drafts) from academia, industry and others that
focus on the broader picture and that warrant the kind of
extended discussion that a full day workshop offers are the most
welcome. Papers that reflect experience based on running code
and deployed services are also very welcome. Papers that are
proposals for point-solutions are less useful in this context,
and can simply be submitted as Internet-Drafts and discussed on
relevant IETF or W3C lists, e.g. the IETF perpass list. [3]
The workshop will be by invitation only. Those wishing to attend
should submit a position paper or Internet-Draft. All inputs
submitted and considered relevant will be published on the
workshop web page. The organisers (STREWS project participants,
IAB and W3C staff) will decide whom to invite based on the
submissions received. Sessions will be organized according to
content, and not every accepted submission or invited attendee
will have an opportunity to present as the intent is to foster
discussion and not simply to have a sequence of presentations.
[1] http://down.dsg.cs.tcd.ie/misc/perpass.txt
[2] http://www.strews.eu/
[3] https://www.ietf.org/mailman/listinfo/perpass
============================
IETF = Internet Engineering Task Force http://www.ietf.org
IRTF = Internet Research Task Force http://www.irtf.org
IAB = Internet Architecture Board http://www.iab.org
W3C = World Wide Web Consortium http://www.w3.org/
WebRTC = Web Real-Time Communications - an Application
Programming Interface for "browser-to-browser
applications for voice-calling, video-chat and
peer-to-peer (P2P) file sharing without plugins."
http://en.wikipedia.org/wiki/WebRTC
IoT = Internet of Things - devices connecting to other devices
with little or no human involvement.
http://en.wikipedia.org/wiki/Internet_of_Things
LISP = An attempt to achieve scalable routing - large numbers
of networks with their own IP addresses without causing
the problem, which this would cause at present, of
overburdening the control plane of the interdomain
routing system. Also, achieving mobility of devices
which retain their IP address as they change their
physical connections. Not in use except for experiments.
http://en.wikipedia.org/wiki/Locator/Identifier_Separation_Protocol
Critique and alternative: http://www.firstpr.com.au/ip/ivip/
MPLS = Multiprotocol Label Switching - enables streams of
data in various other protocols to be encapsulated and
sent along pre-defined paths through MPLS routers based
on a short label at the start of each packet. Used by
telco/ISP networks, not by end-users.
http://en.wikipedia.org/wiki/MPLS
IPv6 = A separate, mid-to-late 1990s little-used 128 bit
addressing Internet from the main IPv4 32 bit Internet.
A few protocols such as SMTP (email) interwork, but
otherwise computers with addresses on only one cannot
communicate with computers with addresses on only the other.
SIP = For setting up Voice over Internet Protocol calls.
http://en.wikipedia.org/wiki/Session_Initiation_Protocol
TCP = Transmission Control Protocol. In this context, means
the basic protocols for all Internet (IPv4 and IPv6)
communications.
Embedded systems = devices with a computer built in, but where
the functionality is pretty much predetermined - that is
it is not a general purpose system with the ability to
load application programs or have the user manage the
device. For example GPS systems, washing machine control
microcontrollers, probably chips in credit cards, automotive
control systems, digital cameras etc. etc.
Industrial verticals. They seem to have made this one up.
Metadata = various "data about data" meanings.
TOR = The Onion Router. Global network to support anonymised
communications.
http://en.wikipedia.org/wiki/Tor_%28anonymity_network%29
Running code = Computer software (AKA code) which actually works.