IETF Logo Mail Archive

[Anima] Constrained BRSKI - discovery of Registrar as a security risk ?

Esko Dijk <esko.dijk@iotconsultancy.nl> Wed, 18 May 2022 08:49 UTC

Return-Path: <esko.dijk@iotconsultancy.nl>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B957C14F737 for <anima@ietfa.amsl.com>; Wed, 18 May 2022 01:49:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.099
X-Spam-Level:
X-Spam-Status: No, score=-7.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=iotconsultancy.nl
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wgdl3uYFW8Fp for <anima@ietfa.amsl.com>; Wed, 18 May 2022 01:49:32 -0700 (PDT)
Received: from EUR05-DB8-obe.outbound.protection.outlook.com (mail-db8eur05on2071e.outbound.protection.outlook.com [IPv6:2a01:111:f400:7e1a::71e]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 35632C14F6E7 for <anima@ietf.org>; Wed, 18 May 2022 01:49:31 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=knZCpfjoWr5Hr4hqzNqfl0ufCaTVex5QDs11nJPDJwGdhUK2VEIwq7zDsFSfChC4fk1Bm2lfv4+DUxz55eXqMVdHLdNk+C/eUX/uGLHPZyeBY2IV2usuuOfeqfnYrfkmwGf1aWxhU8+cVpUrcwDPczveUME+aa3ON/s54zvJXzv9gaVhL2xp8FsEgTsdUUsPM32ReEhGch9hW3sqMj3nhyTaauexYdDd19triKDw5RQK8S3Mtefs9Cs+2/oeLbUK20NBkMn1z3sH4fg9TY0HDqvyr0KYF4iRPlI5njph83D2eg7rT1s/xM8E06or0oPRvQB4Id1lR2P8D+7U8QX4WA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=rMZa+Pa/2Ua3YR9bJbh+EmX+/km3Gtx2/3VOT040uVM=; b=VCWn/4XvNKUEzOZLwU92hpD54cws0O69JvxmMv3CwSQ3dx9QT8zDlqQxjzt63NHm4VYhW30ljzl4Sh60tMRoYoCW8y3TLwOQS0dze4qX7HBOHgH1dkOtU0iwwUaMxFsMLPZMZuPI9F8dYkBcheKC2mTooRUjMfUDIAQSkR4pU3HF5amoNdMwBdPsI2STzcbbbifjljJueoGBxhgFZCyuo0JThyZqitFDUPgdEttyDa7VZSLUTG/5Le/YvEB09TShq9f+jEfq64lJVADh9muARl2y8a7X6S6WlAKqiHkY+U6MQm0HEt6jxI3TM1Lg7n847g+5VwhZKLF4XJdHS0qHHg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=iotconsultancy.nl; dmarc=pass action=none header.from=iotconsultancy.nl; dkim=pass header.d=iotconsultancy.nl; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iotconsultancy.nl; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=rMZa+Pa/2Ua3YR9bJbh+EmX+/km3Gtx2/3VOT040uVM=; b=kzzZUdD2iyfyqQ9R+0P3cR0T4IEYDTkpqC89Z4sl6TMB8JZUMWbvRh5xS48aruHUpLK3DFVT5BFZjl8Je8OoIShE96njgQ4y32RopeS37xTj20z+pBhUV9UhsebiDkZnTTRd16HieBXuvt42j+8pYTnVFZ7DsOlIZyftwju8T1Q=
Received: from DU0P190MB1978.EURP190.PROD.OUTLOOK.COM (2603:10a6:10:3b9::20) by VI1P190MB0077.EURP190.PROD.OUTLOOK.COM (2603:10a6:800:a0::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5250.14; Wed, 18 May 2022 08:49:26 +0000
Received: from DU0P190MB1978.EURP190.PROD.OUTLOOK.COM ([fe80::d19a:a24c:bd5c:95da]) by DU0P190MB1978.EURP190.PROD.OUTLOOK.COM ([fe80::d19a:a24c:bd5c:95da%9]) with mapi id 15.20.5273.014; Wed, 18 May 2022 08:49:25 +0000
From: Esko Dijk <esko.dijk@iotconsultancy.nl>
To: "anima@ietf.org" <anima@ietf.org>
Thread-Topic: Constrained BRSKI - discovery of Registrar as a security risk ?
Thread-Index: AdhqlCx438umMbH/QVyA+557VFsk6A==
Date: Wed, 18 May 2022 08:49:24 +0000
Message-ID: <DU0P190MB1978A42976EFD31C5B925EFDFDD19@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=iotconsultancy.nl;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 9251e57f-c926-4cef-978e-08da38ab4f74
x-ms-traffictypediagnostic: VI1P190MB0077:EE_
x-microsoft-antispam-prvs: <VI1P190MB007755C060397151C5E976FBFDD19@VI1P190MB0077.EURP190.PROD.OUTLOOK.COM>
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: diT4GoCv8oFnFh+xM6zRvGEjGwinSEjZWSdai4weU/fCL5QyFwYTxf5LWxkTCbjBseTQXoNXLou2ASR7pj0HoWxBr5O2B+TGpW26NNzPV0S7k/UQwo9hLxhXMnns2REZX/yjjniGFbiHsaDz7onwkf7NbbUqGCG/m2rTMUOH31c/1/QNGHi9YOmQDyubgo/pjSyzWwQkTYMfpz7tzzxbBvdXXoTQPj/LXkX9huUADyItxdG6CU3RftU5sWedTLKopr3yP+XQczPb/W2OoKQ2LCkTgSgIuVxV/Sv5tlXoBLYwZqdP8qYQXodQ83qnd2dp+tAndWLndeMh9H9WKorf/vy2dBNLklHLgZ7vgND5BwnwiD0ucjx4ycpyUIGkHRDEan85THvWT+0ZpG9tBD8iGvubhgM377gY2NkW2VShJE5Stabb2LKy/q62Pb2+zrjkbn7zfUwJtDvtQzgn+0pk9yb0PgPn/ui+CXKTsEJYi1Fpp6ecm2k7t5I64DksdIfNFOXMpoqGmprkSzGUIa96YOGNhQsMKRzkj72IPLRdR5Ynpz1dt4K+meKzD91eRVZeeeauD3w7fD4skxWi03oZA1AuIMJ6WAXgtVyCFvVG/qclxN8DWIGcUDkZA1nLbVkcP5dD7YVoDoa1Ih3NDdJrujA9UAWFl3IS21rEqLI8AvK2oqzTP1mJoScdX7i7SqsDVHgA9Dt+6FWu1PQmqMYnuGBdqZZOJn/oeDrvB1D/2dN6FaO/dgxBgd4gQWntPN1BIJAXQ4THg1CtpSfGRIwqvIunWxrO2PTN8OXRpbXdcN8=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DU0P190MB1978.EURP190.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230001)(346002)(136003)(396003)(366004)(39830400003)(376002)(76116006)(8676002)(55016003)(166002)(64756008)(66446008)(186003)(6916009)(38100700002)(122000001)(38070700005)(86362001)(15650500001)(52536014)(83380400001)(9686003)(7696005)(44832011)(6506007)(33656002)(2906002)(5660300002)(9326002)(71200400001)(66476007)(316002)(8936002)(66556008)(66946007)(41300700001)(508600001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 2
x-ms-exchange-antispam-messagedata-0: xmg/3CyTUjzHM4DFCfhIWvPOiWBJXfQuHLwo0zHzObeThHhuoREsNeeuYKvsG13TgtG3ANfNzwL35rJqIVqxX43vWMbAPka1uMC3a2lffnzVpqXqwHXaIpv/XGunJV2yfXIKIBPEqOlmz5GDvHeZakt7wxqk3M+XQmlpp8SR3MBBHylziaXg5dZ6f7PlPKVJ3RgMRGq4uP605jeO2L9bJF7GpGlTJZcAU9cFZkXLeVmx6/FprEwy2urFFM/3JweyvM2QRdrPF6LKq2Rsxo1evyDB0WYqs5szr6R4+53Sz+TS1JNjpY3+sQR4HBAXRKpDwHOj4eB9ME4SfJDhl0p80ynM8wOkCfs2k3ewAa4E8yIQNIiwkE4zuWmag+e/yL11dn7XagG9Nqh+x5au98PeLDWP9gbNalyFwFw5xQ11Xg/2xe68Z1Xk4P/YlIctqrQ7D8/0TbZgogA4MrOKwkFxrfGc6W3R9JOXNWNspLke56HPSN0orjWX+xvvhARjD1CAnRfTdWbbVb9ceV8wXc8JJ+cjyGU2xxs9Ke56qaOcv/jWmlAFQn9PZTmnuVapDIE42MJMX+8ekrqivu2YeMKBoDIHx+CKOLEj16xUub2xH1s9/DgL9Zyz01gtsxtOLfQLw9sxhNebBCqlIlwjW+kT7Blml95WseY8KwxGIQN2Qv9PHJOQidx0sybcuCsZMzqxcHmXJqAfOi0DptIxL9vFicU4SL0txqMAlfe8MEFM+vtzh850ZY/v5Ch3nSvh+9Fbng3CNNujYv8Ze8LCS1ZdBG6l1mWcMLp09W5vQMqB5r4N0wDsp2OqbWA0ByUtsJXgzP91AAd1Cbg+sZio9hZvPGal3NtP10325hsHdpUjyFMnHqmZtmRhaeRGrSKT2uoR1frigvFCBsskAhQ15ZdzSVXgNPVvqvBAYAWz7ihvzeq8X9Kt5znrGpwZfodevyIdkBc4sfAHSRNuX8ZVe6jShQtPi5ytdzz2ErNescTC+6e0kHzFOmF1RYSklMztKYaeMFOx3cqj03ogCd2RpUi3XmjsCicQ9pSO0RnxirtQec+2hEUHHcONVDzlSxDdGHnwhQGFLevygwz7QQ/MmxctKoXbZH5L860vnj8HteQXqGnu7cRUpMTspMIkZqtZVl2n6EOkTGWXbGZxejIEoE3mLG/rzFz/RnXACCc564K0k1niWyr9UJF9P+4MN0uwUW4HYWEuvHkUDUOuTEke1AJBvTcX//G++srBvMF0fKOLEV+SduWipR8RyfgX626nyTBXMQp4s/UE2Dp7bQnCpEYbLoxGHGnX64hVYxM9iLtEcq6FDCrvDh2M/ktX9064ZrOMtUoTNuf6tRp0QqplUkIn9jmxIjXzbJUkGv1xiwBzdjXs91P8zcN4gjSvObfMX83njTn+mEH6YViqScsLaZKngxWTU6QwEz02JjsU4q+zJbxG+4mfpFRSWpoozrdgL7MWRL0/J/jcf6f6ixffnW29Mvoza9oBtWYVKAuhR2jbZOcK63SvoUBkUcD8WkjtgdkvQR2X4yKzmwIMUy96CZ7orcnoZU2ZT42GM38I6pByoaab47j81Z7lSZuF8Yq2mgKVDiDYHfoKOSIi/t/P0EmAB+hTBDzp26tXwyRCvO8qXXA/fl4PqIckb6RsDD1Taccz2LJiPKLWwYYscvMTPB3NfuSLo2S9MUMumPkPWUI00NLSpd7CR+u0E4/mvZH1/6aVuWZGtzkLvvyq5vdq4RhOwI95zFVTrKKSC/jhl5UUhWaYTDhtygJe0F7S+Jl/SOpGKmzVD9Ew
x-ms-exchange-antispam-messagedata-1: IBDajL/BdWPd9TOaX8zOIbCqMQmyNtasPMo=
Content-Type: multipart/alternative; boundary="_000_DU0P190MB1978A42976EFD31C5B925EFDFDD19DU0P190MB1978EURP_"
MIME-Version: 1.0
X-OriginatorOrg: iotconsultancy.nl
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DU0P190MB1978.EURP190.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 9251e57f-c926-4cef-978e-08da38ab4f74
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 May 2022 08:49:24.9325 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 58bbf628-15d2-46bc-820b-863b6774d44b
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: /0fh18px+SDLl3xqJxJFCru7//EeT5rXaSBF4SgK7xLXiHSG13PX17XG09dcfal+IsPmrw+qbnzdsH+GZs+Zb3CDxVqPRbvFw3jesZwmkTY=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1P190MB0077
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/yVfpI_rIKsapVDuabCUZaNkZkbM>
Subject: [Anima] Constrained BRSKI - discovery of Registrar as a security risk ?
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 May 2022 08:49:36 -0000

Hello,

There is one particular security aspect for Constrained BRSKI that I think has not been discussed so far. It is the following: a device that needs to locate the Registrar may do this using discovery. Particular cases:

  1.  Join Proxy discovers the Registrar  (to which to relay DTLS records from a Pledge)
  2.  Already-enrolled device discovers the Registrar (to renew its certificate using EST, e.g. if it is about to expire)

Now there are various discovery protocols that could be used by a client, but most of these are not secured i.e. it lacks authentication that a discovered Registrar is actually a real, authentic Registrar. Any on-network (or on-link, in case of link-local discovery) attacker node could claim to be a Registrar.
For case 2 above the client can easily authenticate the Registrar once doing its DTLS connection to it. If it doesn’t check out, the client can try the next Registrar in the list.
But for case 1 the Join Proxy doesn’t authenticate the Registrar – that would be a task of the Pledge.  So the Join Proxy might just pick a ‘malicious’ Registrar instead of the real one.

For BRSKI + GRASP I understand the risk of a ‘malicious’ Registrar is reduced by operation on the autonomic control plane, separate from the user plane traffic. Every device that onboards there is authenticated. But for Constrained BRSKI use cases where the 6LoWPAN Border Routers do *not* join an autonomic control plane, and/or the mesh network also doesn’t provide a separated control plane,  this risk may be non-neglible as I understand it. For example if a small-site network uses unprotected Ethernet an attacker could just plug in a fake-Registrar device.

For case 1 if the Join Proxy selects the ‘wrong’ Registrar this can then result in a DoS situation, in which the Pledge cannot onboard. So it would need to select a new, other Join Proxy with a high risk of running into the same problem again. This only causes DoS for the Pledge.
Also the Pledge will provisionally accept any Registrar (authentication only happens afterwards when it receives the Voucher).  So in case that the MASA server is applying a TOFU (Trust On First Use) policy for Domains it doesn’t know, the Pledge may then become onboarded into the wrong (malicious) domain.

For reference, BRSKI RFC 8995 writes:


   A MASA without any supply-chain integration can simply accept

   registrars without any authentication or on a blind TOFU basis as

   described in Section 7.4.2<https://datatracker.ietf.org/doc/html/rfc8995#section-7.4.2>.

   ...

   A MASA has the option of not verifying ownership before responding

   with a voucher.  This is expected to be a common operational model

Doing that would lead to a “Pledge hijack” risk. So how should this be addressed?

  1.  Make Registrar discovery more secure in some way so that only authentic Registrars are discovered?
  2.  Require that a Registrar can authenticate in some way to the MASA server ?   (Stronger than “RECOMMENDED” as now in 8995)
  3.  Enforce operation of Constrained BRSKI only on some separate, secured control plane? (E.g. require Border Routers to use BRSKI to onboard into an autonomic control plane)
  4.  We add a note to the Constrained BRSKI security considerations on this and leave it up to the implementer?

Regards
Esko

IoTconsultancy.nl  |  Email/Teams: esko.dijk@iotconsultancy.nl<mailto:esko.dijk@iotconsultancy.nl>    |   +31 6 2385 8339

v2.23.0 | Report a Bug | By Email