Re: [Anima] Constrained BRSKI - discovery of Registrar as a security risk ?
Michael Richardson <mcr+ietf@sandelman.ca> Thu, 19 May 2022 13:13 UTC
Return-Path: <mcr@sandelman.ca>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 01132C1594AF for <anima@ietfa.amsl.com>; Thu, 19 May 2022 06:13:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uZONb-Bbm-aR for <anima@ietfa.amsl.com>; Thu, 19 May 2022 06:13:44 -0700 (PDT)
Received: from relay.sandelman.ca (relay.cooperix.net [IPv6:2a01:7e00:e000:2bb::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E71B3C15948D for <anima@ietf.org>; Thu, 19 May 2022 06:13:43 -0700 (PDT)
Received: from dooku.sandelman.ca (unknown [5.148.108.162]) by relay.sandelman.ca (Postfix) with ESMTPS id 98DCB1F479; Thu, 19 May 2022 13:13:41 +0000 (UTC)
Received: by dooku.sandelman.ca (Postfix, from userid 179) id 39C5C1A01EE; Thu, 19 May 2022 09:13:39 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Esko Dijk <esko.dijk@iotconsultancy.nl>, "anima@ietf.org" <anima@ietf.org>
In-reply-to: <DU0P190MB1978A42976EFD31C5B925EFDFDD19@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM>
References: <DU0P190MB1978A42976EFD31C5B925EFDFDD19@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM>
Comments: In-reply-to Esko Dijk <esko.dijk@iotconsultancy.nl> message dated "Wed, 18 May 2022 08:49:24 -0000."
X-Mailer: MH-E 8.6+git; nmh 1.7.1; GNU Emacs 26.3
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Thu, 19 May 2022 09:13:39 -0400
Message-ID: <727361.1652966019@dooku>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/VN8D3T_LBMz6LDCLo7T2mv5NNNc>
Subject: Re: [Anima] Constrained BRSKI - discovery of Registrar as a security risk ?
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 May 2022 13:13:45 -0000
Esko Dijk <esko.dijk@iotconsultancy.nl> wrote: > There is one particular security aspect for Constrained BRSKI that I > think has not been discussed so far. It is the following: a device that > needs to locate the Registrar may do this using discovery. > 1. Join Proxy discovers the Registrar > 2. Already-enrolled device discovers the Registrar > Now there are various discovery protocols that could be used by a > client, but most of these are not secured i.e. it lacks authentication > that a discovered Registrar is actually a real, authentic > Registrar. Any on-network (or on-link, in case of link-local discovery) > attacker node could claim to be a Registrar. Just to be clear those reading: such a device as to be within the L2 domain. It's not just any drive-by device. The attacker can't park outside the factory and do this, they have to at least go through an onboarding process. They have to be let in. (Of course, the fastest way "in" may be via some phishing attack against a desktop computer) > For case 2 above the > client can easily authenticate the Registrar once doing its DTLS > connection to it. > If it doesn’t check out, the client can try the next > Registrar in the list. Agreed. Should we say something about doing this? > But for case 1 the Join Proxy doesn’t > authenticate the Registrar – that would be a task of the Pledge. So > the Join Proxy might just pick a ‘malicious’ Registrar instead of the > real one. The Join Proxy *could* validate the Registrar in the same was as for case (2). > For BRSKI + GRASP I understand the risk of a ‘malicious’ Registrar is > reduced by operation on the autonomic control plane, separate from the > user plane traffic. Every device that onboards there is > authenticated. But for Constrained BRSKI use cases where the 6LoWPAN > Border Routers do *not* join an autonomic control plane, and/or the > mesh network also doesn’t provide a separated control plane, this risk > may be non-neglible as I understand it. For example if a small-site > network uses unprotected Ethernet an attacker could just plug in a > fake-Registrar device. Yes, agreed. > For case 1 if the Join Proxy selects the ‘wrong’ Registrar this can > then result in a DoS situation, in which the Pledge cannot onboard. So > it would need to select a new, other Join Proxy with a high risk of > running into the same problem again. This only causes DoS for the > Pledge. Also the Pledge will provisionally accept any Registrar > (authentication only happens afterwards when it receives the Voucher). > So in case that the MASA server is applying a TOFU (Trust On First Use) > policy for Domains it doesn’t know, the Pledge may then become > onboarded into the wrong (malicious) domain. Agreed. > Doing that would lead to a “Pledge hijack” risk. So how should this be > addressed? > 1. Make Registrar discovery more secure in some way so that only > authentic Registrars are discovered? Assuming that the Join Proxy has joined the domain, so has the /cacerts, and the Registrar's anchor can be validated by this trust anchor (highly recommended, but I don't know if we actually mandate that anywhere), then the Join Proxy could connect to the Registrar and just validate. Should we standardize an "echo" method? CoAP already has that. The Join Proxy could do a HEAD /cacerts in HTTPS perhaps. > 2. Require that a Registrar can > authenticate in some way to the MASA server ? (Stronger than > “RECOMMENDED” as now in 8995) This falls into whether or not we do TOFU Manufacturers, and I would say no. > 3. Enforce operation of Constrained > BRSKI only on some separate, secured control plane? (E.g. require > Border Routers to use BRSKI to onboard into an autonomic control plane) I think that it might be reasonable to suggest that border routers should not be plugged into an open/easily accessible network. Pascal might have some things to say about 6BBR and DETNET here. But, this could be a Security Consideration only. > 4. We add a note to the Constrained BRSKI security considerations on > this and leave it up to the implementer? Let's describe the problem. -- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-
- [Anima] Constrained BRSKI - discovery of Registra… Esko Dijk
- Re: [Anima] Constrained BRSKI - discovery of Regi… Michael Richardson
- Re: [Anima] Constrained BRSKI - discovery of Regi… Esko Dijk