Re: [Anima] Alissa Cooper's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)
Michael Richardson <mcr+ietf@sandelman.ca> Thu, 11 July 2019 02:56 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A6E70120098; Wed, 10 Jul 2019 19:56:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id utxry8mvJDd4; Wed, 10 Jul 2019 19:56:28 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 510E3120019; Wed, 10 Jul 2019 19:56:27 -0700 (PDT)
Received: from sandelman.ca (unknown [IPv6:2607:f0b0:f:2:56b2:3ff:fe0b:d84]) by tuna.sandelman.ca (Postfix) with ESMTP id E3A853818F; Wed, 10 Jul 2019 22:54:21 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 31598A8A; Wed, 10 Jul 2019 22:56:26 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Alissa Cooper <alissa@cooperw.in>
cc: The IESG <iesg@ietf.org>, draft-ietf-anima-bootstrapping-keyinfra@ietf.org, Toerless Eckert <tte+ietf@cs.fau.de>, anima-chairs@ietf.org, anima@ietf.org
In-Reply-To: <156279135063.15552.18154602951583265728.idtracker@ietfa.amsl.com>
References: <156279135063.15552.18154602951583265728.idtracker@ietfa.amsl.com>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Wed, 10 Jul 2019 22:56:26 -0400
Message-ID: <406.1562813786@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/OBG4VMPTBM2_CeshlKFRQIWQtp8>
Subject: Re: [Anima] Alissa Cooper's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Jul 2019 02:56:32 -0000
Alissa Cooper via Datatracker <noreply@ietf.org> wrote: > I apologize if I'm misunderstanding how this works, but I didn't see much > discussion in the document about the implications of the manufacturer going out > of business. Specifically, it seems like if a device ships with BRSKI as its > only available mechanism for bootstrapping and the manufacturer goes Section 7 provides some detail on a number of mechanisms that a manufacturer could chose to include that would permit a device to be onboarded with reduces levels of trust. Section 7.2 specifically mentions onboarding via serial-console. (This situation is really no different from buying an iPhone 4 and then complaining that you can't make it work because Apple won't give you software that is secure, and since it's insecure, they won't onboard you, except that you get a serial-console) > = Section 1.3.1 = > "But this solution is not exclusive to large equipment: it is intended > to scale to thousands of devices located in hostile environments, > such as ISP provided CPE devices which are drop-shipped to the end > user." > I don't quite understand how this squares with the scope limitation described > in Section 1 and Section 9. If the whole network is professionally managed by > the ISP, what part would be the "hostile environment"? The thousands of CPE devices (cable modems, VDSL modems, ISP provided home routers) can be taken apart by the home owner. If such devices have IDevID in a TPM module, then enrollment can be done securely. > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > I think this document would benefit from two concise lists, with notes about > which items in each list are defined in this document and which ones are not > defined: (1) what is operationally required of a manufacturer to support BRSKI, > and (2) what is operationally required of a domain owner to support > BRSKI. We did start this document describing the protocol from the point of view of each party (Pledge, Proxy, Registrar and MASA). This would be the way that each instrument in an orchestra receives their music. We found that readers found it very difficult to understand the big picture, so we now describe the protocol in time-sequence, the way that the script for a play would be described. But, you are asking for Operational requirements, not protocol requirements. I agree that this would be useful, and it's something that I'd like to write. I would consider it more of a BCP, and I don't think we have the experience to write this down yet. > = Section 2.3.1 = > What precisely is meant by "TPM identification"? Could a citation be provided? I don't have a reference, I hope Max can provide one. I imagine it would point to a TCG document. It's a SubjectAltName extension that is in a TPM contained certificate that tells relying parties what TPM device it is. > = Section 10.1 = > "The domain can maintain some privacy since it has not necessarily been > authenticated and is not authoritatively bound to the supply chain." > What does this mean? That the domain can expect the manufacturer not to trust > the domainID because it hasn't been authenticated? The MASA has a list of devices, and for each device, it has a list of current and previous owners. This is the audit log. The MASA will disclose this to current and previous owners, if they can present a voucher-request that was From the device. (section 5.8) It's hard to understand what kind of attack there is, but imagine that xyz.example.net goes under, sells a huge stack of example.com 48-port 100G BFRs to other ISPs. (The manufacturer, example.com is still alive and well, and is happy to take 10% support contracts from 30 new customers as it authorizes the resale) Someone gets the Registrar database from xyz. They can now discover who ownes all these BFRs... and(?)...profit. Perhaps this needs to be coordinated with resale of some other device. That can be done as, although the audit log does not list the actual customer, it lists them by SHA-1 hash of public key. So the sentence above notes that it's not like the Registrar told the manufacturer who it was, if it didn't authenticate. As such, either xyz.example.net or the new owners could generate a new domainID, and register each device uniquely. (They want to use some kind of ONION routing to obfuscate their IP address too, but that's instantly defeated if they authenticate with TLS 1.2 using a ClientCertificate) I'm sure that we could improve this examplanation, but I'm not exactly sure how yet. > = Section 10.2 = > "The above situation is to be distinguished from a residential/ > individual person who registers a device from a manufacturer: that an > enterprise/ISP purchases routing products is hardly worth mentioning. > Deviations would, however, be notable." > What does the last sentence mean? A residential ISP that buys 10,000 Linksys CPE routers is unremarkable. When the same ISP buys 10,000 Internet connectable sex toys as well, that might represent some kind of change in business plans. Would a PC vendor be interested if some Enterprise customer suddenly bought only tablets? The BRSKI-MASA connection does not reveal what is bought, but it does reveal who is doing business with whom, and it may also reveal volume. This is just traffic analysis. Christian Hopps has a nice document on defeating that, btw. -- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-
- [Anima] Alissa Cooper's Discuss on draft-ietf-ani… Alissa Cooper via Datatracker
- Re: [Anima] Alissa Cooper's Discuss on draft-ietf… Michael Richardson
- Re: [Anima] Alissa Cooper's Discuss on draft-ietf… Brian E Carpenter
- Re: [Anima] Alissa Cooper's Discuss on draft-ietf… Alissa Cooper
- Re: [Anima] Alissa Cooper's Discuss on draft-ietf… Toerless Eckert
- Re: [Anima] Alissa Cooper's Discuss on draft-ietf… Toerless Eckert
- Re: [Anima] Alissa Cooper's Discuss on draft-ietf… Michael Richardson