IETF Logo Mail Archive

Re: [Anima] Alissa Cooper's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

Alissa Cooper <alissa@cooperw.in> Thu, 11 July 2019 13:46 UTC

Return-Path: <alissa@cooperw.in>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 23941120077; Thu, 11 Jul 2019 06:46:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cooperw.in header.b=E80BtrEa; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=yqUGb0Vw
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vXtQDInuXQSY; Thu, 11 Jul 2019 06:45:58 -0700 (PDT)
Received: from wout5-smtp.messagingengine.com (wout5-smtp.messagingengine.com [64.147.123.21]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 593161200A3; Thu, 11 Jul 2019 06:45:58 -0700 (PDT)
Received: from compute7.internal (compute7.nyi.internal [10.202.2.47]) by mailout.west.internal (Postfix) with ESMTP id 150144C8; Thu, 11 Jul 2019 09:45:57 -0400 (EDT)
Received: from mailfrontend1 ([10.202.2.162]) by compute7.internal (MEProxy); Thu, 11 Jul 2019 09:45:57 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cooperw.in; h= content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; s=fm3; bh=e UD2DA6Z8sZLoGgLvM+9JhJ4GMj6qkIp4AByzwnvEd8=; b=E80BtrEav2fWC8JBU MeTMJd62AIN1iATY+uTtMXz3rxdXnrDKkQh7BzvJAG5XMTAoEEjvxU5DPMAc3tfR t9giM2gcszDfBdmyDVk9yHi7NpPQL4rKbxpDXUC5srUwd7EBbFjvQ6Wh4UKyl0I/ xTaaOYUrc3wJx2zlLu27ByrjPWSQymLVQ3ZsGOAeoSrwAZGWnhA2j1eW4mEhb/xV CyYs0RGZh5L6MfQbc+tqgHlwnW8FAb4OFY4rHbw+ylT2E7BQamfvfbhG6Scl8WaG IcRwo676bW+pa/P4pPDKLSSlizEYiLNoH2ZAZccPZXJ3WX1LparvF/Vlb8p/d4kI ExETg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm3; bh=eUD2DA6Z8sZLoGgLvM+9JhJ4GMj6qkIp4AByzwnvE d8=; b=yqUGb0Vwrb5XhMNj1XFBd/ykpvdE3uvYUk4fE1mznIwVLg7vNcG3g63U8 skkXsyZXMBpzhvquIS9RD+ZjQ03AhMyxnvn3C+MXGZSqqpY9kufUiHXem0n23wiS IWOGVx+FpFd6NACPt3egK3/C+wVGEBNxiNIwc7FSZUgiVVOyqnPgHo+JZ18ayrAv V55v6CDNgqUI+BphjP4v/6qWPjoPViCiwfkNRrt6NHuUHGaCB/g9TXWH0ugmriGj OstGNCjLHDCVAxR5cIyRiK2a7xhyKrLoZ6H7TBxQOIejoYxay7msqFafYu2fSZ0M SB1e+Gq3sQCuyeOMwPStEUIO9L7kw==
X-ME-Sender: <xms:lD0nXcRu7bLp1SY9tG_FxPVeFehAoGbbxUPWuS591DuX7zQJSFniwg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduvddrgeekgdeilecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurheptggguffhjgffgffkfhfvofesthhqmh dthhdtjeenucfhrhhomheptehlihhsshgrucevohhophgvrhcuoegrlhhishhsrgestgho ohhpvghrfidrihhnqeenucffohhmrghinhepvgigrghmphhlvgdrnhgvthdpvgigrghmph hlvgdrtghomhenucfkphepudejfedrfeekrdduudejrdeludenucfrrghrrghmpehmrghi lhhfrhhomheprghlihhsshgrsegtohhophgvrhifrdhinhenucevlhhushhtvghrufhiii gvpedt
X-ME-Proxy: <xmx:lD0nXZcW1MvFWCN6AsezVMfAhD_znB42I119y7UeezV_ZAfgM4Gg5Q> <xmx:lD0nXUqOp239bVrrREb3SMy4eDPmDfcoBnBNqVwGAhTKWkt2qLtDuQ> <xmx:lD0nXSfNtrDG7sLuouYOxH0d239L96Q4Fyg-frS_SoKqQskhCDowrw> <xmx:lD0nXZ2SYfrMwNkT99OVSnMgtrMSEb5PqzDsZK8ruiuIhTHwxMNIcQ>
Received: from rtp-alcoop-nitro2.cisco.com (unknown [173.38.117.91]) by mail.messagingengine.com (Postfix) with ESMTPA id A99178005C; Thu, 11 Jul 2019 09:45:55 -0400 (EDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Alissa Cooper <alissa@cooperw.in>
In-Reply-To: <406.1562813786@localhost>
Date: Thu, 11 Jul 2019 09:45:55 -0400
Cc: IESG <iesg@ietf.org>, draft-ietf-anima-bootstrapping-keyinfra@ietf.org, Toerless Eckert <tte+ietf@cs.fau.de>, anima-chairs@ietf.org, anima@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <5BC8F1BD-C039-4066-8323-6E82D3AC4F1D@cooperw.in>
References: <156279135063.15552.18154602951583265728.idtracker@ietfa.amsl.com> <406.1562813786@localhost>
To: Michael Richardson <mcr+ietf@sandelman.ca>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/YGJplICOag0E1MAfu2dT0oVt7rs>
Subject: Re: [Anima] Alissa Cooper's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Jul 2019 13:46:04 -0000


> On Jul 10, 2019, at 10:56 PM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
> 
> 
> Alissa Cooper via Datatracker <noreply@ietf.org> wrote:
>> I apologize if I'm misunderstanding how this works, but I didn't see much
>> discussion in the document about the implications of the manufacturer going out
>> of business. Specifically, it seems like if a device ships with BRSKI as its
>> only available mechanism for bootstrapping and the manufacturer goes
> 
> Section 7 provides some detail on a number of mechanisms that a manufacturer
> could chose to include that would permit a device to be onboarded with
> reduces levels of trust.
> Section 7.2 specifically mentions onboarding via serial-console.

Yes, but section 7 is non-normative (maybe? per Roman’s DISCUSS). So is the conclusion a reader is supposed to draw that it’s ok for manufacturers to ship devices with BRSKI as the exclusive onboarding mechanism? The fact that this may already happen today with other protocols doesn’t seem like a reason to perpetuate it.

> 
> (This situation is really no different from buying an iPhone 4 and then
> complaining that you can't make it work because Apple won't give you
> software that is secure, and since it's insecure, they won't onboard you,
> except that you get a serial-console)
> 
>> = Section 1.3.1 =
> 
>> "But this solution is not exclusive to large equipment: it is intended
>> to scale to thousands of devices located in hostile environments,
>> such as ISP provided CPE devices which are drop-shipped to the end
>> user."
> 
>> I don't quite understand how this squares with the scope limitation described
>> in Section 1 and Section 9. If the whole network is professionally managed by
>> the ISP, what part would be the "hostile environment"?
> 
> The thousands of CPE devices (cable modems, VDSL modems, ISP provided home
> routers) can be taken apart by the home owner.  If such devices have IDevID
> in a TPM module, then enrollment can be done securely.

So a consumer user’s home network, including the user’s CPE, is considered to be part of the ISP’s “professionally managed” network? And if the consumer needs to fallback to some non-BRSKI mechanism he is expected to bootstrap the device via serial console himself? Trying to see if I understand the scope limitations explained in Section 9.

Thanks,
Alissa

> 
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
> 
>> I think this document would benefit from two concise lists, with notes about
>> which items in each list are defined in this document and which ones are not
>> defined: (1) what is operationally required of a manufacturer to support BRSKI,
>> and (2) what is operationally required of a domain owner to support
>> BRSKI.
> 
> We did start this document describing the protocol from the point of view of
> each party (Pledge, Proxy, Registrar and MASA).  This would be the way that
> each instrument in an orchestra receives their music.
> 
> We found that readers found it very difficult to understand the big picture,
> so we now describe the protocol in time-sequence, the way that the script for
> a play would be described.
> 
> But, you are asking for Operational requirements, not protocol requirements.
> I agree that this would be useful, and it's something that I'd like to write.
> I would consider it more of a BCP, and I don't think we have the experience
> to write this down yet.
> 
>> = Section 2.3.1 =
> 
>> What precisely is meant by "TPM identification"? Could a citation be provided?
> 
> I don't have a reference, I hope Max can provide one.
> I imagine it would point to a TCG document.
> 
> It's a SubjectAltName extension that is in a TPM contained certificate that
> tells relying parties what TPM device it is.
> 
>> = Section 10.1 =
> 
>> "The domain can maintain some privacy since it has not necessarily been
>> authenticated and is not authoritatively bound to the supply chain."
> 
>> What does this mean? That the domain can expect the manufacturer not to trust
>> the domainID because it hasn't been authenticated?
> 
> The MASA has a list of devices, and for each device, it has a list of current
> and previous owners.  This is the audit log.  The MASA will disclose this to
> current and previous owners, if they can present a voucher-request that was
> From the device.   (section 5.8)
> 
> It's hard to understand what kind of attack there is, but imagine that xyz.example.net
> goes under, sells a huge stack of example.com 48-port 100G BFRs to other
> ISPs.  (The manufacturer, example.com is still alive and well, and is happy
> to take 10% support contracts from 30 new customers as it authorizes the
> resale)
> 
> Someone gets the Registrar database from xyz.  They can now discover who
> ownes all these BFRs... and(?)...profit.
> Perhaps this needs to be coordinated with resale of some other device.
> That can be done as, although the audit log does not list the actual
> customer, it lists them by SHA-1 hash of public key.
> 
> So the sentence above notes that it's not like the Registrar told the
> manufacturer who it was, if it didn't authenticate.  As such, either
> xyz.example.net or the new owners could generate a new domainID, and
> register each device uniquely.
> (They want to use some kind of ONION routing to obfuscate their IP address
> too, but that's instantly defeated if they authenticate with TLS 1.2
> using a ClientCertificate)
> 
> I'm sure that we could improve this examplanation, but I'm not exactly sure
> how yet.
> 
>> = Section 10.2 =
> 
>> "The above situation is to be distinguished from a residential/
>> individual person who registers a device from a manufacturer: that an
>> enterprise/ISP purchases routing products is hardly worth mentioning.
>> Deviations would, however, be notable."
> 
>> What does the last sentence mean?
> 
> A residential ISP that buys 10,000 Linksys CPE routers is unremarkable.
> When the same ISP buys 10,000 Internet connectable sex toys as well, that
> might represent some kind of change in business plans.
> Would a PC vendor be interested if some Enterprise customer suddenly bought
> only tablets?
> 
> The BRSKI-MASA connection does not reveal what is bought, but it does reveal
> who is doing business with whom, and it may also reveal volume.  This is
> just traffic analysis. Christian Hopps has a nice document on defeating that, btw.
> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
> -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email