Internet Threat Model


Internet Threat Model is described in BCP 72 as a fairly well understood Threat Model.

In general, we assume that the end-systems engaging in a protocol exchange have not themselves been compromised. Protecting against an attack when one of the end-systems has been compromised is extraordinarily difficult. It is, however, possible to design protocols which minimize the extent of the damage done under these circumstances.

By contrast, we assume that the attacker has nearly complete control of the communications channel over which the end-systems communicate.

This means that the attacker can read any Protocol Data Unit (PDU) on the network and undetectably remove, change, or inject forged packets onto the wire. This includes being able to generate packets that appear to be from a trusted machine. Thus, even if the end-system with which you wish to communicate is itself secure, the Internet environment provides no assurance that packets which claim to be from that system in fact are.

It's important to realize that the meaning of a Protocol Data Unit is different at different levels. At the IP level, a PDU means an IP packet. At the TCP level, it means a TCP segment. At the Application Layer, PDU means some kind of application PDU.

For instance, at the level of Email, it might either mean an RFC-822 message or a single SMTP command. At the HTTP level, it might mean a request or response.

More Information#

There might be more information for this subject on one of the following: