IETF Logo Mail Archive

Re: [Anima] verification of manufacturer in BRSKI

"Anoop Kumar Pandey" <anoop@cdac.in> Fri, 23 February 2018 07:09 UTC

Return-Path: <anoop@cdac.in>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5808A1243FE for <anima@ietfa.amsl.com>; Thu, 22 Feb 2018 23:09:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tIx0iLZXhJPU for <anima@ietfa.amsl.com>; Thu, 22 Feb 2018 23:09:12 -0800 (PST)
Received: from mailsender.cdac.in (mailsender.cdac.in [196.1.113.117]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C2264124234 for <anima@ietf.org>; Thu, 22 Feb 2018 23:09:10 -0800 (PST)
Received: from ims.pune.cdac.in (ims.pune.cdac.in [10.208.1.15]) by mailsender.cdac.in (8.14.2/8.14.2) with ESMTP id w1N78Udo006139 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Fri, 23 Feb 2018 12:38:31 +0530
Received: from mailgw.pune.cdac.in ([10.208.1.4]) by ims.pune.cdac.in (8.14.4/8.14.4) with ESMTP id w1N77wMu022534; Fri, 23 Feb 2018 12:37:58 +0530
X-AuthUser: anoop
Received: from CERTINPC ([223.31.121.163]) (authenticated bits=0) by mailgw.pune.cdac.in (8.14.2/8.13.8) with ESMTP id w1N77oT0027718; Fri, 23 Feb 2018 12:37:52 +0530
From: Anoop Kumar Pandey <anoop@cdac.in>
To: 'Michael Richardson' <mcr+ietf@sandelman.ca>
Cc: 'Brian E Carpenter' <brian.e.carpenter@gmail.com>, anima@ietf.org, 'Toerless Eckert' <tte@cs.fau.de>
References: <003101d3a570$32e4c510$98ae4f30$@cdac.in> <22127.1519000017@obiwan.sandelman.ca> <005b01d3a95e$f0ba5680$d22f0380$@cdac.in> <18734556-d4a9-560f-724c-09287d4e0f20@gmail.com> <003501d3aa07$a37f0560$ea7d1020$@cdac.in> <3963.1519350905@obiwan.sandelman.ca>
In-Reply-To: <3963.1519350905@obiwan.sandelman.ca>
Date: Fri, 23 Feb 2018 12:37:47 +0530
Message-ID: <013e01d3ac75$0773ff70$165bfe50$@cdac.in>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_013F_01D3ACA3.212F48B0"
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQE2I/joFI0/xQRcLlXQFy4X95wT3AJMjcXyAfHjFIQBMe5HLwJpWVH6AVGG/r+kozTpYA==
Content-Language: en-in
X-CDAC-PUNE-MailScanner-ID: w1N77wMu022534
X-CDAC-PUNE-MailScanner: Found to be clean, Found to be clean
X-CDAC-PUNE-MailScanner-MCPCheck-IMS: MCP-Clean, MCP-Checker (score=0, required 1)
X-CDAC-PUNE-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=-0.198, required 6, autolearn=disabled, ALL_TRUSTED -1.00, BAYES_50 0.80, HTML_MESSAGE 0.00, URIBL_BLOCKED 0.00), not spam, SpamAssassin (not cached, score=-1.984, required 6, autolearn=disabled, ALL_TRUSTED -1.80, BAYES_40 -0.18, HTML_MESSAGE 0.00)
X-CDAC-PUNE-MailScanner-Information: Please contact npsfhelp@cdac.in/mailadmin@cdac.in for more information
X-MailScanner-ID: w1N78Udo006139
X-CDAC-PUNE-MailScanner-From: anoop@cdac.in
X-CDAC-MailScanner-Spam-Status: No
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/BzLmTVw0JJJLmng1qk3jT_-I3HU>
Subject: Re: [Anima] verification of manufacturer in BRSKI
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Feb 2018 07:09:14 -0000

Anoop> Pledge verifying the

Anoop> domain is anyway overrated.

Michael>So, I think you are saying that you do not subscribe to the problem statement.

 

I think that is not necessary. When a pledge/device is bought, it is manually added to a network of buyer [usually intranet], where it can discover a JRC.  Therefore it is not the choice/privilege of pledge to verify the domain. On the other side, JRC should validate if the pledge has come from genuine manufacturer and is clean.

 

Alternatively, If a pledge is put on internet, then considering there may be countless number of JRCs on internet, and trying to connect to each JRC until the pledge finds actual owner is practically impossible; the pledge will have to be configured to discover a particular JRC while buying. So again the pledge doesn’t have much choice.

 

 

Also Quoting Toer advocating pledge requiring to verify JRC: “. If you are a buyer of large number of pledges and do not need any protection against theft,  misassignment of pledges to other networks or intrusions into pledges that intend to impact your network later, then sure - you may be happy with pledges not requiring vouchers to get enrolled.”

 

In a parallel mail, you have mentioned that BRSKI is one time process and need to be deliberately re-run/started. So once BRSKI is completed and pledge is enrolled; intrude in it or steal and put it in some other network, it won’t matter. 

 

But the case where BRSKI runs automatically if pledge is disconnected and added to anywhere else, at least theft won’t work because pledge won’t work without re-verifying the voucher with new network/JRC.  I think this can be made mandatory in pledge to re-run BRSKI if it detects network change.

 

 

Anoop> Besides, it can also be done by verifying

Anoop> the certificate of JRC during enrolment.

Michael>Please explain.

Michael>It would be great to simplify the protocol.

 

I still believe that Pledge need not verify JRC, But if necessary, the easy way will be following:

 

When pledge verifies a JRC, these steps are there [your first mail to me]:

1.       Pledge issues voucher request to JRC

2.       JRC passes voucher request to MASA. 

3.       MASA verifies request and issues voucher to JRC

4.       JRC passes voucher to Pledge

5.       Pledge verifies the voucher and send voucher status telemetry and trusts JRC. 

 

These steps require MASA to be online, else they will fail.

 

What I propose is, when we buy the device, MI can issue a digitally signed invoice issued to domain/JRC.

 

Now when a pledge wants to validate the JRC, he simply needs to verify the signature of MI on the invoice. No communication with MASA or even MASA itself is not required. 

It is just like the way, JRC verifies the pledge using the IDevID certificate issued by MI.

 

 

Anoop> I would also like to quote/remind following lines from Section 1.3

Anoop> [Scope of Solution] of the RFC:

Anoop> “But this solution is not exclusive to the large, it is intended to

Anoop> scale to thousands of devices located in hostile environments, such as

Anoop> ISP provided CPE devices which are drop-shipped to the end user. The

Anoop> situation where an order is fulfilled from distributed warehouse from

Anoop> a common stock and shipped directly to the target location at the

Anoop> request of the domain owner is explicitly supported. That stock

Anoop> ("SKU") could be provided to a number of potential domain owners, and

Anoop> the eventual domain owner will not know a-priori which device will go

Anoop> to which location.”

Michael>Yes, it's designed exactly to deal with situation.

Michael>Are you saying that it fails in some way?

 

You said “We assume that in a managed network that the JRC *can* know all the legitimate manufacturers.”. 

Brian said “ANIMA is scoped to support professionally managed networks. So it seems reasonable to assume that they have procurement procedures in place to buy from known sources and not to buy kit "off the back of a lorry" to use a British idiom.”

 

Basically you have known manufacturers and you are buying from known source. Therefore there is no hostility. Further it’s not a cloud environment where you don’t know, where your device is placed. Installation of pledge will be manual [barely any chance of error, until you consider humans are hostile].

 

If there were hostility, like unknown manufacturer which could give you malicious pledge, BRSKI anyway can’t detect that, since it simply checks IDevID  which is anyway signed by unknown manufacturer and will check out. You mentioned in earlier mail also that manual intervention is required for such case. [You quoted “if the JRC does see a MI that it does not know, then it can ask a human.”]

 

There are hostile networks and pledges, but you have only whitelist of manufacturers [your assumption only “the JRC *can* know all the legitimate manufacturers”] which only talks about known manufacturers. But it doesn’t provide security in case of unknown or known turned rogue MI/pledge. For that manual intervention is required.

 

 

Regards,

Anoop

 

 

 

 

 

 

 

 

-----Original Message-----
From: Michael Richardson [mailto:mcr+ietf@sandelman.ca] 
Sent: 23 February 2018 07:25
To: Anoop Kumar Pandey <anoop@cdac.in>
Cc: 'Brian E Carpenter' <brian.e.carpenter@gmail.com>; anima@ietf.org
Subject: Re: [Anima] verification of manufacturer in BRSKI

 

 

Anoop Kumar Pandey < <mailto:anoop@cdac.in> anoop@cdac.in> wrote:

 

    > Besides, it can also be done by verifying

    > the certificate of JRC during enrolment.

 

Please explain.

It would be great to simplify the protocol.

 

 

    > I would also like to quote/remind following lines from Section 1.3

    > [Scope of Solution] of the RFC:

 

    > “But this solution is not exclusive to the large, it is intended to

    > scale to thousands of devices located in hostile environments, such as

    > ISP provided CPE devices which are drop-shipped to the end user. The

    > situation where an order is fulfilled from distributed warehouse from

    > a common stock and shipped directly to the target location at the

    > request of the domain owner is explicitly supported. That stock

    > ("SKU") could be provided to a number of potential domain owners, and

    > the eventual domain owner will not know a-priori which device will go

    > to which location.”

 

Yes, it's designed exactly to deal with situation.

Are you saying that it fails in some way?

 

--

Michael Richardson < <mailto:mcr+IETF@sandelman.ca> mcr+IETF@sandelman.ca>, Sandelman Software Works  -= IPv6 IoT consulting =-

 

 

 


-------------------------------------------------------------------------------------------------------------------------------
[ C-DAC is on Social-Media too. Kindly follow us at:
Facebook: https://www.facebook.com/CDACINDIA & Twitter: @cdacindia ]

This e-mail is for the sole use of the intended recipient(s) and may
contain confidential and privileged information. If you are not the
intended recipient, please contact the sender by reply e-mail and destroy
all copies and the original message. Any unauthorized review, use,
disclosure, dissemination, forwarding, printing or copying of this email
is strictly prohibited and appropriate legal action will be taken.
-------------------------------------------------------------------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email