Re: [Cacao] playbooks for ending-quarantines of residential IoT devices

Bret Jordan <jordan.ietf@gmail.com> Thu, 04 April 2019 18:19 UTC

From: Bret Jordan <jordan.ietf@gmail.com>
Date: Thu, 04 Apr 2019 12:19:33 -0600
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, cacao@ietf.org
To: Joseph Salowey <joe@salowey.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cacao/vf2CTnuZZVcux2wT_lp33R_P_us>

Inline.


Thanks,
Bret
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

> On Apr 4, 2019, at 9:56 AM, Joseph Salowey <joe@salowey.net> wrote:
> 
> 
> 
> On Sat, Mar 30, 2019 at 6:16 PM Michael Richardson <mcr+ietf@sandelman.ca> wrote:
> 
> I came to the CACAO BOF because I think going to BOFs is a good way to find
> out if the work is relevant to me.  I didn't think it was going to
> be... until...
> 
> In the SecureHomeGateway (SHG) work at CIRALabs with MUD-based firewalling,
> we came across a procedural problem: once we have identified a device as
> contravening the policy, and we quarantine it, then what?  I know now that
> what I'm lacking is a playbook that can be executed by a typical residential user
> (which for sexist and ageist reasons seems to always be someone's grandmother).
> 
> Feedback that the Canadian Multistakeholder effort
> https://iotsecurity2018.ca/ got was that ISPs suspected that they were going
> to be on the hook to take the support calls.  The SHG effort is partially
> about helping ISPs defend against being responsible for finding all the
> attack vectors.  Helping ISPs redirect the support calls seemed like a good
> thing. (Redirect to where...? Still TBD)
> 
> I wrote https://datatracker.ietf.org/doc/draft-richardson-shg-un-quarantine/,
> with the idea of bringing this forward in the RIPE IoT WG.   I like writing
> in Markdown, and so it's on the IETF DT because RIPE has no equivalent.
> 
> It's clear to me now that I'm writing a playbook!
> My playbook is clearly not in scope for CACAO since CACAO is about playbook
> technology, not playbooks themselves.
> Still part of my original goal in the document was to identify the parts
> that could be automated either through existing or developing protocols (INCH/MILE
> and DOTS are big on that list), or perhaps through other not-yet-developed
> protocols for things that clearly could be automated.
> 
> I would welcome unicast feedback on how to make my document into a proper playbook.
> 
> A question to the CACAO BOF is whether doing gap analysis is in scope.
> My feeling is that it is not, that it would attempt to boil oceans.
> 
> Yet, if CACAO wants to be able to describe and sign operations, it behoves it
> to know what kind of things need to be done, with enough detail that we can
> describe the inputs to those operations.   So specifically, I'm thinking that
> we need to have some kind of parametric interface to the signed snippets,
> rather like SQL ?-parameters.
> 
> 
> [Joe] It seems to me that we will need parameters.  If you are addressing an issue with a specific host, that host needs to be identified to the systems or users running the playbooks.  Another example might be "move to quarantine VLAN".  I wouldn't expect the exact VLAN ID to be input to a CACAO run book, but rather the component taking action would know how to resolve the Quarantine VLAN to a VLAN ID.
> 

[Jordan] Some playbooks that are shared across the internet, either openly and free, or behind some sort of trust group wall, will probably just say for example “Windows 10” and “Quarantine VLAN”.  But when that Playbook comes into a specific organization, they will enhance it and add extra detail / specificity.  Like “Windows 10 SP3” or “Windows System at x.x.x.x” or “Windows System Asset ID 1234”.  On the VLAN side, they may still say “Quarantine VLAN” or “Sandbox VLAN”.  They may also say “Sandbox VLAN 300”.  

Remember that Playbooks will be shared and collaborated on across the Internet, across trust groups, across business units, across enclaves, and across teams within an organization.  

Bret


> I think this will have some influence on the question of scoping CACAO. 
> 
> Joe
> 
> -- 
> ]               Never tell me the odds!                 | ipv6 mesh networks [ 
> ]   Michael Richardson, Sandelman Software Works        | network architect  [ 
> ]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [ 
> 
> 
> 
> 
> -- 
> Cacao mailing list
> Cacao@ietf.org
> https://www.ietf.org/mailman/listinfo/cacao
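The parametric interface Michael asks for, and the local resolution of "Quarantine VLAN" that Joe and Bret describe, sketched as an added Python example that is not part of this thread or of any CACAO specification: the shared template is signed with SQL-style "?name" placeholders, and the receiving organisation binds its own values (an asset ID, its VLAN table) without altering the signed bytes. The HMAC key, the VLAN table and the playbook itself are constructed stand-ins.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the author's signing key; a real deployment would
# use an asymmetric signature issued by the playbook's trust group.
SIGNING_KEY = b"constructed-demo-key"

# Constructed local table: logical names the shared playbook uses, mapped to
# this organisation's own VLAN IDs. Unknown names raise KeyError on purpose.
LOCAL_VLANS = {"Quarantine VLAN": 300, "Sandbox VLAN": 310}

def canonical(playbook):
    """Deterministic encoding so the signature is stable across tools."""
    return json.dumps(playbook, sort_keys=True, separators=(",", ":")).encode()

def sign_playbook(playbook):
    return hmac.new(SIGNING_KEY, canonical(playbook), hashlib.sha256).hexdigest()

def param_name(value):
    """Name of a SQL-style '?name' placeholder, or None for a literal value."""
    return value[1:] if isinstance(value, str) and value.startswith("?") else None

def declared_params(playbook):
    """Parameters are exactly the placeholders the signed template carries."""
    return {param_name(v) for s in playbook["steps"] for v in s.values() if param_name(v)}

def local_resolver(field, value):
    """Map a logical name to a site-specific value; other fields pass through."""
    return LOCAL_VLANS[value] if field == "vlan" else value

def bind(playbook, signature, bindings, resolver=local_resolver):
    """Verify the shared template, then fill its declared parameters with local
    values. The signed bytes are never edited, so the signature stays valid."""
    if not hmac.compare_digest(sign_playbook(playbook), signature):
        raise ValueError("signature check failed; refusing to bind")
    declared = declared_params(playbook)
    if set(bindings) != declared:
        raise ValueError(f"declared {sorted(declared)}, supplied {sorted(bindings)}")
    return [{k: resolver(k, bindings[param_name(v)]) if param_name(v) else v
             for k, v in step.items()} for step in playbook["steps"]]

# Constructed shared playbook: generic names only, as it would be published.
SHARED_PLAYBOOK = {
    "name": "quarantine-noncompliant-device",
    "steps": [{"action": "move_to_vlan", "host": "?host", "vlan": "?vlan"},
              {"action": "notify_owner", "host": "?host"}],
}
SIGNATURE = sign_playbook(SHARED_PLAYBOOK)
```

A tampered template, a missing or undeclared parameter, or a logical VLAN name this site does not know all stop the bind before anything is executed.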