Re: [Anima] Ownership Concept

[Michael Richardson <mcr+ietf@sandelman.ca>]

Max Pritikin (pritikin) <pritikin@cisco.com> wrote:
    > I don’t understand how one can expect the backend to be totally
    > “optional” since the device doesn’t know if it should be optional or
    > not. The best I think we can do is make the backend “no decision” and
    > “air gap compliant”. But if the device itself is willing to make the
    > back end optional thats like saying that the end device has a trivial
    > downgrade attack.

I have read this thread.
Unfortunately, I missed the discussion at the session, as I had to present in
6lo at that time.

I don't see a conflict between MASA and no-MASA.  Both are valid, legitimate
security models, and business models.

In the certificate based ownership mechanism (I hesitate to call it a
protocol), that I envision, the MASA function defends against certain kinds
of attacks, and enables other kinds of attacks.

A MASA may be operated by either a vendor or their supply chain delegate.
As such, it is subject to various attacks: National Security letters,
takeovers (friendly and hostile), etc.  The existence of the MASA provides
a way to detect, or prevent, transfers from one owner to another.  Some
device claim mechanisms may include knowledge of a pre-shared (symmetric)
key (such as might come from a QRcode on the packaging).  That key, if
disclosed in the supply chain, can enable logical device theft.

A MASA could also in some cases be operated by a sophisticated end user.
How the trust relationship to do so is setup depends upon some details that
need to be worked out, but not here.

Solutions without a MASA have the advantage that MASA do not need to be
available.  This isn't just about network "availability", but also about
business continuity.  A device that sits in a warehouse for 20 years should
not have to depend the company that made it still existing at the same
address. (I saw a closet full of Nortel Meridian spare parts last week...)

Solutions without a MASA enable the end owner to decide how/when to
resell/transfer the device to another owner. This is a transaction that the
MASA can prevent.  (Reselling things is business as usual for some, and theft
to other vendors)  The solution I describe at:
  https://mailarchive.ietf.org/arch/msg/6tisch-security/2kObJLkLlhuI-HU9s5yqfRm0n00

has a potential flaw: a previous owner, and any supplier in the supply chain
could assert their ownership certificate again, and steal the device "back"
From the end user.  This happens if either you do not replace the 802.1AR
certificates with locally significant certificates.  (If you merely augment
the 1AR with a LDevID, then the originally UDevID may be still useable)
This may be a "feature" --- it means that you can call up the guy who sold
you the device, and get their help to "reset your password".

In the scenario that I describe above, using 1AR certificates with an
extension like I describe at
          http://datatracker.ietf.org/doc/draft-richardson-6tisch-idevid-cert/

one can operate this online or offline. The certificate could be shipped
with the device when you buy it.  It could also be generated online from a
MASA-type device based upon a one-time token that you provide to the MASA
device (along with the public key you want to have bound).
It could be that the work in ACME applies as well here.

I suggest that a virtual interim meeting would be appropriate soon.

-- 
]               Never tell me the odds!                 | ipv6 mesh networks [ 
]   Michael Richardson, Sandelman Software Works        | network architect  [ 
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [