Re: [Anima-bootstrap] Can the proxy add information during bootstrap?

Toerless Eckert <eckert@cisco.com> Wed, 13 April 2016 00:48 UTC

Return-Path: <eckert@cisco.com>
X-Original-To: anima-bootstrap@ietfa.amsl.com
Delivered-To: anima-bootstrap@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD0FC12DA85 for <anima-bootstrap@ietfa.amsl.com>; Tue, 12 Apr 2016 17:48:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.517
X-Spam-Level:
X-Spam-Status: No, score=-15.517 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PwdBCMrqj-M8 for <anima-bootstrap@ietfa.amsl.com>; Tue, 12 Apr 2016 17:48:14 -0700 (PDT)
Received: from alln-iport-4.cisco.com (alln-iport-4.cisco.com [173.37.142.91]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 24DD712DA67 for <anima-bootstrap@ietf.org>; Tue, 12 Apr 2016 17:48:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=2734; q=dns/txt; s=iport; t=1460508494; x=1461718094; h=date:from:to:cc:subject:message-id:references: mime-version:in-reply-to; bh=eaF75OogqkxECssbmLMa3cgWdSyby8Wx6ZJ+B3rMeIs=; b=HNL+9lvteVLrz6iAtfWvzdT4jN+TdN66rmABM+M+9eoxp3I2Kk4SgvMf NlyqAXgbnEGX3xP4hWBIy1THuBp3hrKJJU0lZxqPXUiCZ9/uyWjc8wY5U brHiUgdoPK2oQ4ei/qfuEdREmhJvDwBTTc1ctbrHKe7PHoNcDDLYUSnax Q=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0D1AQAMlg1X/4MNJK1VCYM3U326aQENg?= =?us-ascii?q?XYXC4I8gzACgUE4FAEBAQEBAQFlJ4RCAQEEAQEBNzQLBQsLGAklDwUTNhOIKA7?= =?us-ascii?q?CKgEBAQEBAQEBAQEBAQEBAQEBAQEBAREEimyEFhGFbgWNUHSJRI4DCo8QjyceA?= =?us-ascii?q?QFChAccMIoFAQEB?=
X-IronPort-AV: E=Sophos;i="5.24,477,1454976000"; d="scan'208";a="259870706"
Received: from alln-core-1.cisco.com ([173.36.13.131]) by alln-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 13 Apr 2016 00:48:13 +0000
Received: from mcast-linux1.cisco.com (mcast-linux1.cisco.com [172.27.244.121]) by alln-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id u3D0mC91020102 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 13 Apr 2016 00:48:13 GMT
Received: from mcast-linux1.cisco.com (localhost.cisco.com [127.0.0.1]) by mcast-linux1.cisco.com (8.13.8/8.13.8) with ESMTP id u3D0mCEB025683; Tue, 12 Apr 2016 17:48:12 -0700
Received: (from eckert@localhost) by mcast-linux1.cisco.com (8.13.8/8.13.8/Submit) id u3D0mCbj025680; Tue, 12 Apr 2016 17:48:12 -0700
Date: Tue, 12 Apr 2016 17:48:12 -0700
From: Toerless Eckert <eckert@cisco.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Message-ID: <20160413004812.GG21173@cisco.com>
References: <5c12b5d6940d4970bd3c0ad4c94b4696@XCH-RCD-006.cisco.com> <14252.1460506458@obiwan.sandelman.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <14252.1460506458@obiwan.sandelman.ca>
User-Agent: Mutt/1.4.2.2i
Archived-At: <http://mailarchive.ietf.org/arch/msg/anima-bootstrap/-q8-B5Cnn_VXDfuGqrJPfjcBa6Q>
Cc: "anima-bootstrap@ietf.org" <anima-bootstrap@ietf.org>
Subject: Re: [Anima-bootstrap] Can the proxy add information during bootstrap?
X-BeenThere: anima-bootstrap@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Mailing list for the bootstrap design team of the ANIMA WG <anima-bootstrap.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima-bootstrap>, <mailto:anima-bootstrap-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima-bootstrap/>
List-Post: <mailto:anima-bootstrap@ietf.org>
List-Help: <mailto:anima-bootstrap-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima-bootstrap>, <mailto:anima-bootstrap-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Apr 2016 00:48:15 -0000

Michael:

As MichaelB mentioned, it is quite normal that backend devices
try to match up new devices to some port on the connecting device,
eg: When a client connects to a switch and sends a DHCP request,
the switch adds into the request a DHCP option 82 with the name
of the switch port to which the client is connected. That triggers
on the DHCP server some policies built against the location that
client connects to.

I agree that we can not have the proxy break into the TLS connection,
but Max was mentioning that there is some data that clients add
in some initial TLS setup packet to help a proxy determine which
TLS server to connect to (connect-server ??). So there seemingly are
parts of the initial connection setup where information can be
added in the clear. So why could we not also use this trick and have
the proxy add an "option 82" type information piece to the setup packet
it sends to the registrar ? The proxy can ensure that it overrides/fixes
up any such option 82 if it receives it from the client, and the
registrar can trust the option 82 because it receives it via the
ACP.

Imagine the proxy switch has links to totally different client-side
locations.  It would be a perfect policy to reject enrollment if the device
was mixed up and sent to the wrong location.

Cheers
    toerless

On Tue, Apr 12, 2016 at 08:14:18PM -0400, Michael Richardson wrote:
> 
> Michael Behringer (mbehring) <mbehring@cisco.com> wrote:
>     > When a new device enrols, an operator will want to know WHERE this
>     > device is connecting. This includes the proxy identity, plus the
>     > interface on the proxy. (Potentially more)
> 
>     > The proxy identity can be figured out by looking at the source address
>     > of the incoming packets; but the interface information needs to be
>     > added explicitly, somehow.
> 
> Yes, source address of encapsulating packet, and since it's an ACP, and since
> the proxy negotiated via GRASP with the registrar, the registrar already
> knows everything.
> 
> I don't see the problem.
> 
>     > Can our enrolment process as described today support such proxy
>     > options? If not, I think we need to re-think...
> 
> I think it's a MITM attack for the proxy to add any information to the secure part.
> Any information not under the security enclosure may be untrustworthy.
> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>ca>, Sandelman Software Works
>  -= IPv6 IoT consulting =-
> 
> 
> 



> _______________________________________________
> Anima-bootstrap mailing list
> Anima-bootstrap@ietf.org
> https://www.ietf.org/mailman/listinfo/anima-bootstrap


-- 
---
Toerless Eckert, eckert@cisco.com