IETF Logo Mail Archive

Re: [Add] [EXTERNAL] Re: New Version Notification for draft-pauly-add-resolver-discovery-01.txt

tirumal reddy <kondtir@gmail.com> Fri, 31 July 2020 06:21 UTC

Return-Path: <kondtir@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B65B3A0F18 for <add@ietfa.amsl.com>; Thu, 30 Jul 2020 23:21:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c_eCVY8rj67u for <add@ietfa.amsl.com>; Thu, 30 Jul 2020 23:21:00 -0700 (PDT)
Received: from mail-io1-xd36.google.com (mail-io1-xd36.google.com [IPv6:2607:f8b0:4864:20::d36]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D01703A0F1B for <add@ietf.org>; Thu, 30 Jul 2020 23:20:59 -0700 (PDT)
Received: by mail-io1-xd36.google.com with SMTP id k23so30621747iom.10 for <add@ietf.org>; Thu, 30 Jul 2020 23:20:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=/S/KLgUp6z3rm6jBV9Qin+gK2Ib+1GmgLPgbtG6YEU0=; b=PWRzzA/KR0j73mUw6UVq1B9yFl0f6dDLAYuWE+kTVpsquS1C7+4Rx+jZCgTtv0Sprs +9vkCgbriOUtxb3EkJfP1Kp4xUntRu+n4BFv69NBmpgurLkyIYyIaX0H4GksNzftyBSx 1EKlViISLfnfbnDxD9NCINq0Dd2nBn39EeJNbLJRXrsIDVegEktAPLC4pJHW3madVgwO MAwXrvAyCDkKTTifQ8MzAoPOr1mPa/ay1A5GeqE4nJ8oEWejKyhFyNGK9Q6cL2EnP8/s nNlPaIQXI4YYta0ziLpD6U/tTcfE531a2sMqrFaf6rcKeafbrVj07erSMeEEdCmy+zJn LRnA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=/S/KLgUp6z3rm6jBV9Qin+gK2Ib+1GmgLPgbtG6YEU0=; b=Ppi/x2d3T8PjqFrbJnLso1h0wXF78H4mQ0LSuc2Kg2lJSrYqpMxk8I8RKJQtA3vAI+ 8GbBGwfgQrGHueaa76aTVyv118e3gFbcvpzsd8EciMTVPQZCpByPqupSpJXxCaCJhmF/ NSNvItaHmZGv+dTNBkpB597LZQzRoX/GVRxAdRnBQtr3HA3gbfd3mxg1zTydBCjqhllh Pcma1hhqfzk9KQM/BoH3FDHjKMTBEajGSfzeLvTFv2fxC3vwrgwIJTaI25IjiTK39gPt a2XWikaiUD2x0Jpws6eI8/GdpHk7kKc1LbgAT++ary3+2FZDWs9yHDOWFzQV30Slga4K gM+g==
X-Gm-Message-State: AOAM530ETdgkzCBJYTZ0lUW9mkEppbn7R8uaRi4FI7V3LoKL2KLSju9k kBX35WWD+g7HTvnUAAdto9whZ0cYeECoyQr5maQ=
X-Google-Smtp-Source: ABdhPJxwzW1UqnzuYTMQ4kbhqMYKwLc8L+0YptiN/TAlP0x3TeOuYIabI5Sw5JuudCuaFbFw7fgDhZsNtBu0NMfwPsU=
X-Received: by 2002:a6b:f014:: with SMTP id w20mr2195378ioc.21.1596176458204; Thu, 30 Jul 2020 23:20:58 -0700 (PDT)
MIME-Version: 1.0
References: <3954080.qUnaP1aulD@linux-9daj> <8E7D3BAE-13C2-4DC8-9D23-3138DC2F4DE4@fugue.com> <1054325087.2835.1595936001612@appsuite-gw2.open-xchange.com> <Mailbird-f5c0c75a-a605-4089-b5e4-7db89115f37c@scramworks.net> <CAOb=54Sa5z7ARD3gMxwYWtUmn_kPYARyERvzPdL3DvDUVwzxZA@mail.gmail.com> <CWXP265MB0566B8EE78D37F2A7C4BA655C2700@CWXP265MB0566.GBRP265.PROD.OUTLOOK.COM> <DM6PR00MB0781A104B33E7B69920D4667FA700@DM6PR00MB0781.namprd00.prod.outlook.com> <CACJ6M15WSivqf33-UNAORJV9SRWVbYi66CA-rX4=y3A0meOB2g@mail.gmail.com> <CAChr6Sz6uWWniuKpwW2cUV0oCW7HKxCK1cnQxTpr44ksBCiCtA@mail.gmail.com> <6CDFB1BB-9AEB-411B-B338-CCBC1BA54C03@fugue.com> <CAChr6SwvAaLjDUjJfBt-H9=97mLJcM1264p63ZHVoPUfnef1OA@mail.gmail.com> <EB22CB7C-B69C-44E7-AC42-448C32514E23@fugue.com> <CAFpG3gd6yBQqMWV50tMY-Q5y+zHEJ=+b+VCzc4ae2FKArNBogA@mail.gmail.com> <CAChr6Sx6=teqbtHW4+swjc14zjwSJti0b7m7u3LvwN0K0JOU=w@mail.gmail.com> <CAFpG3gfgTjiM0bmru-hKEMLZDw+VVd=KYP+KohwwpwghsUih1g@mail.gmail.com> <CAChr6Sy4+NkzDHBb0AE+gqjFcPA_Yj9hM8i+GzyjsojvoWfwhA@mail.gmail.com> <CAFpG3gf8P61ViKzKqpusthTZf4z+RzQVJUOtOwA5_zJkxWm8Kw@mail.gmail.com> <CACJ6M1529TnShk81S-Wdeqhoo6Mc5medktSB5DYWVhuWAqt0tQ@mail.gmail.com> <CAFpG3gftnqAFtBpqZuNddEKJdB1EDCEPANLKqDex9yZ2ZM0EcQ@mail.gmail.com> <20200730132857.6MGkL%steffen@sdaoden.eu>
In-Reply-To: <20200730132857.6MGkL%steffen@sdaoden.eu>
From: tirumal reddy <kondtir@gmail.com>
Date: Fri, 31 Jul 2020 06:20:46 +0000
Message-ID: <CAFpG3gehFJ8muZOFp7RrWA_9tNv43+9zWjA_P8On3c_M_o5SMg@mail.gmail.com>
To: tirumal reddy <kondtir@gmail.com>, "Chris Box (BT)" <chris.box.ietf@gmail.com>, Tommy Jensen <Jensen.Thomas=40microsoft.com@dmarc.ietf.org>, Andrew Campling <andrew.campling@419.consulting>, ADD Mailing list <add@ietf.org>, Ted Lemon <mellon@fugue.com>, Rob Sayre <sayrer@gmail.com>, Steffen Nurpmeso <steffen@sdaoden.eu>
Content-Type: multipart/alternative; boundary="000000000000ca4c8c05abb6ca9e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/CaxymJ2vCAdGg1eP8V2EEml54rE>
Subject: Re: [Add] [EXTERNAL] Re: New Version Notification for draft-pauly-add-resolver-discovery-01.txt
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Jul 2020 06:21:03 -0000

On Thu, 30 Jul 2020 at 13:28, Steffen Nurpmeso <steffen@sdaoden.eu> wrote:

> tirumal reddy wrote in
>  <CAFpG3gftnqAFtBpqZuNddEKJdB1EDCEPANLKqDex9yZ2ZM0EcQ@mail.gmail.com>:
>  |Hi Chris,
>  |
>  |Good points, please see inline
>  |
>  |On Thu, 30 Jul 2020 at 06:00, Chris Box (BT) <chris.box.ietf@gmail.com>
>  |wrote:
>  |
>  |> Rob you appear to be saying you don’t need such features to secure a
> home
>  |> network, but I would certainly appreciate having Tiru’s (a) to (e) \
>  |> deployed
>  |> in my house. I don’t want the smart TV equipped with microphone and \
>  |> webcam
>  |> to be remotely compromised, nor any other device. Without such
>  |> network-level control, enabled by standards, my only defence is to
>  |> physically unplug the TV from the network when not in use.
>  |>
>  |
>  |> Following Eva’s talk in HRPC, I’ll put myself in the shoes of a
> dissident
>  |> in a hostile regime. In such a case I would feel even greater need \
>  |> for such
>  |> security. Of course I would choose my security supplier carefully, \
>  |> and not
>  |> one aligned to the regime. I then need one or two devices that route
>  |> through Tor.
>  |>
>  |> I fully agree the challenge is to distinguish legitimate network
> signals
>  |> from those of an attacker. Robustly identifying who they came from is
>  |> non-trivial, but hopefully not impossible?
>  |>
>  |
>  |Yes, identifying the trustworthiness of the peer is discussed in RATS WG
>  |(see https://datatracker.ietf.org/wg/rats/about/). Remote attestation
>  |procedures (RATS) enable relying parties to establish a level of
> confidence
>  |in the trustworthiness of remote system components through the creation
> of
>  |attestation evidence by remote system components and a processing
>  |chain towards the relying party. A relying party can then decide whether
>  |to consider a remote system component trustworthy or not.
>  |
>  |The claims used as evidence and attestation for DNS server is discussed
> in
>  |https://tools.ietf.org/html/draft-reddy-add-server-policy-selection-04.
>
> I personally do not get what yet another line of authorities
> transported via JSON encoded structures fetched via another DNS
> record that just exposes that JSON structure gives the world anew.
>

RATS allows the attestation to be represented in JSON or CBOR (see
https://tools.ietf.org/html/draft-ietf-rats-eat-03#section-1.1).  The PAT
object is retrieved using RESINFO RRtype (
https://tools.ietf.org/html/draft-pp-add-resinfo-01) and it uses JSON to
return the resolver information.


>
> Indirection may make everything possible, but, i mean, to me the
> key point of RFC 8572 for example is the
>
>   3.3 Ownership Voucher
>   [this] artifact is used to securely identify a device's owner,
>   as it is known to the manufacturer.  The ownership voucher is
>   signed by the device's manufacturer.
>
> _If_ i can find my way home i can securely update myself, where
> securely means manufacturer here.  Great that standard CMS is
> used.
>

https://tools.ietf.org/html/rfc8572 is specific to zero-touch provisioning
of networking devices and IoT devices in Enterprise networks. The owner
certificate can be used to validate the PAT signature (see the last
paragraph
https://tools.ietf.org/html/draft-reddy-add-server-policy-selection-04#section-10
).



>
>   Even if DNSSEC [RFC6698] is used to authenticate the various DNS
>   resource records [.] the device cannot be sure that the domain
>   returned to it, e.g., from a DHCP server, belongs to its
>   rightful owner.
>
> It then refers back to RFC 6763, DNS-based service discovery.
> Which has really nice, easy to parse content, and does not use
> JSON only to represent key/value pairs.  (Why not a fixed CBOR
> thing instead, they are talking maps at the moment, for example.
> And can easily be converted back and forth to JSON while still
> being parsed directly, as it is binary.)  What is so wrong with
> this service discovery thing, i think it could very well serve
> additional things.  But especially so if another registry is
> introduced for the concept.  RFC 8572 also says
>
>   Using a DHCP server may be a compelling option for deployments
>   having existing DHCP infrastructure, as it enables a touchless
>   bootstrapping option that does not entail utilizing an
>   Internet-based resource hosted by a third party.
>
>   A DHCP server is an untrusted source of bootstrapping data.
>   Thus, the information stored on the DHCP server either MUST be
>   signed or MUST be information that can be processed
>   provisionally (e.g., unsigned redirect information).
>
> I do not know (people can agree here), but if that could improve.
> Also being x-rayed yesterday (untreated bike accident last
> November) my pictures are now at healthdataspace.org even without
> me agreeing with that, they have a German data security seal of
> approval, but then it is just a QR-code and/or an access code
> (alphanumeric and length of 10 or 12, iirc).
>
> It is not an option for a light bulb, but that thing surely
> belongs behind a household router, and easy usable routers with
> why not ample-style use cases would be great, imho.  With a short
> fingerprint printed on a device that shows up on that router, just
> like for Bluetooth pairing.  I could imagine people could get used
> to that.  (Especially with some kind of those terrible apps on
> their smart phones which are linked to the "router" of the
> household, then, so they get informed of that event.  I think DHCP
> even allows ident strings to be emitted from DHCP client to
> server.)
>

There are several mechanisms to securely bootstrap IoT devices, you may
want to look into the recently adopted draft
https://tools.ietf.org/html/draft-sarikaya-t2trg-sbootstrapping-08 by T2TRG
and
within the scope of IETF is BRSKI and SZTP.

Cheers,
-Tiru

>
> Sorry, i do not seem to understand.
>
> --steffen
> |
> |Der Kragenbaer,                The moon bear,
> |der holt sich munter           he cheerfully and one by one
> |einen nach dem anderen runter  wa.ks himself off
> |(By Robert Gernhardt)
>

v2.23.0 | Report a Bug | By Email