Re: [core] comments on CORECONF drafts in WGLC
Ivaylo Petrov <ivaylo@ackl.io> Tue, 14 April 2020 06:20 UTC
Return-Path: <ivaylo@ackl.io>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BAFCA3A0D85 for <core@ietfa.amsl.com>; Mon, 13 Apr 2020 23:20:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ackl-io.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5Mxcf9-bbCeQ for <core@ietfa.amsl.com>; Mon, 13 Apr 2020 23:20:46 -0700 (PDT)
Received: from mail-wr1-x429.google.com (mail-wr1-x429.google.com [IPv6:2a00:1450:4864:20::429]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 869873A0D84 for <core@ietf.org>; Mon, 13 Apr 2020 23:20:46 -0700 (PDT)
Received: by mail-wr1-x429.google.com with SMTP id u13so12444512wrp.3 for <core@ietf.org>; Mon, 13 Apr 2020 23:20:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ackl-io.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=rC6lzck/p/0rm/YeSmhXegL/32Cj5/GyiwXa37Dfr20=; b=NlxlNIPfPyd/qwAj4Trjodb277e8ew7aIwK6Fl6enxJkzr/8GLQxwhhiH4nI84evl9 g9GsfW0PhNHGmaog55NTR79DIA2mqbAI4ldgo96MLBDasqAIMBc9XtllX5uPAy65S5nY W7ozIU7YtN0xBgNEFBsqxFT38qaCDFbd7dzyLDw3wPY1ty+6fhYTGDjdrD1GHDRFr47q U6KOBANKFgs36xlT4q+WCES7QnbUZwIbiuLpyseppTkxJZosq1CZoOrPpRnlInSg14gY cwPLj57o6n2Kw/c8NwgQTHIJz/sRf3QeydzTcBZ1SsqG99MnJ9uTaW4q4WzhMxwp3FEb Y34g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=rC6lzck/p/0rm/YeSmhXegL/32Cj5/GyiwXa37Dfr20=; b=r0xehlQCwACCj9wswypinhspPat9DgOUDKQ238MF57P/98WjX1zZFHixMqpTQRu2R2 ztB9oIeEg2rnbWURFNZgrMopkOnFilueWU5adr7KN9VHqCWpPk2fLrm6HTJwej0ptPJM ekE4fRQ8a9abiHdb/nkUojGEbHdnRZHDKxUinOOFRqauPbSO6L7erOOxLJag7kz/XyEz Yn0G5RrvhaU/bVmhlh84GdqvPtJI19ktSFov0omLz4SEs2spLH5TTUj5Xk3Q1rr1g9pB 6EUxqx6llr/NV5Vv0UQ9HAYjaKBb1jKaylNwCVaYA95uOtk6wHHkIxrdshWYgoVG/o/d 56Ng==
X-Gm-Message-State: AGi0Pubmy/ewSPyby24epZ8y9DS5RBjhX9eteZ1+iNicj6dI1vmsG8cO Uf18IXPR97+q+/OWBs49e13GOBuEi2Mn5bDssQ39rV59
X-Google-Smtp-Source: APiQypIokcZO8pggQJfPCCy//Axyskjm91rZb+Re9PdgtUY6fxzbqd97L09w7WP24lJOWejFdwJuPpf2hsuNFexEDlM=
X-Received: by 2002:a5d:500b:: with SMTP id e11mr13559110wrt.272.1586845244387; Mon, 13 Apr 2020 23:20:44 -0700 (PDT)
MIME-Version: 1.0
References: <26233.1585585343@localhost> <CAJFkdRw8dZoz_DWCcBd7DFNSOMMJ7kgpevVDJ0+uzKqqoc4M6w@mail.gmail.com> <30150.1586816606@localhost>
In-Reply-To: <30150.1586816606@localhost>
From: Ivaylo Petrov <ivaylo@ackl.io>
Date: Tue, 14 Apr 2020 08:20:16 +0200
Message-ID: <CAJFkdRykUTvmsY9pGrAFtfo3O_2Mc32JQmt7SyrnF0FBNZgj5g@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: core <core@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/ytA5qPYoTe5E_xAEcBZi7uRnnLQ>
Subject: Re: [core] comments on CORECONF drafts in WGLC
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Apr 2020 06:20:49 -0000
Hello Michael, Thank you for the new comments! Please find my answers below. On Tue, Apr 14, 2020 at 12:23 AM Michael Richardson <mcr+ietf@sandelman.ca> wrote: > > > Ivaylo Petrov <ivaylo@ackl.io> wrote: > >> The security considerations, and authorization for this system is > >> underspecified. This was ultimately was killed SNMPv2, and led to a > >> multi-decade long failure of SNMPv3. > >> I suspect that this part will have a difficult time with security ADs. > >> > > > [IP]: I tried to improve this section to some extent. Please let me know if > > you have other ideas. Text contribution is always welcomed as well. > > It's better. > > > [IP]: I added an informational link to ACE, which for me seems as one of > > the ways authorization can be handled in COMI. Is this what you have in > > mind? > > I didn't really understand it the addition. [IP]: Apologies, I forgot to include the relevant text. Here it is: For secure network management, it is important to restrict access to configuration variables only to authorized parties. CoMI re-uses the security mechanisms already available to CoAP, this includes DTLS [RFC6347] and OSCORE [RFC8613] for protected access to resources, as well as suitable authentication and authorization mechanisms, for example those defined in ACE OAuth [I-D.ietf-ace-oauth-authz]. Or maybe you find the new text difficult/impossible to understand? > > > [IP]: I would imagine so. > > > I disagree with the Security Considerations, that knowing the list of > >> modules helps the attacker to the extent that it is important to provide > >> specific read controls on it. Attackers already have a copy of the ROM ;-) > >> I would say that the entire COMI interface needs authorized read access, > >> and > >> this module no more than any other module. > >> > > > [IP]: I believe the idea here is that the attacker doesn't necessarily know > > which ROM the device is using. Having an easy way to discover that and from > > there all the possible vulnerabilities of that device is what we want to > > avoid. Otherwise I agree that the entire CoMI interface needs authorized > > read access. > > I believe that the attacker will know exactly what the system under attack > is, and likely knows the ROM version, and probably has a copy of that ROM too. [IP]: In the security considerations the assumption was made that the attacker does not know what the ROM version is. If the attacker already knows that and therefore likely has a copy of it, then having read access to the yang-library interface will not give him leverage, unless the vulnerability is inside that very component. So without our assumption, the yang-library interface should be protected similarly to any other CORECONF interface. With our assumption, on the other hand, it needs more protection than some other interfaces as, for example, knowing the time on the system gives leverage to the attacker, but does not give him a concrete list of exploits, which identification of the ROM version might give. Considering those two different cases, we have focused the discussion on the more severe danger. Let us know if you think this would be rephrased to include those two cases and discussions about their significance. > > -- > Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works > -= IPv6 IoT consulting =- > -- Best regards, Ivaylo
- [core] comments on CORECONF drafts in WGLC Michael Richardson
- Re: [core] comments on CORECONF drafts in WGLC Ivaylo Petrov
- Re: [core] comments on CORECONF drafts in WGLC Michael Richardson
- Re: [core] comments on CORECONF drafts in WGLC Ivaylo Petrov