Re: [Danish] Proposed WG Charter

Paul Wouters <paul@nohats.ca> Tue, 15 June 2021 19:14 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: danish@ietfa.amsl.com
Delivered-To: danish@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8DEF93A3ABF for <danish@ietfa.amsl.com>; Tue, 15 Jun 2021 12:14:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KxEnko7dDbim for <danish@ietfa.amsl.com>; Tue, 15 Jun 2021 12:14:20 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4F2F23A3AF0 for <danish@ietf.org>; Tue, 15 Jun 2021 12:14:11 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 4G4J006DMkzCyd; Tue, 15 Jun 2021 21:14:08 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1623784448; bh=7OG7eNKlq9r1SrEk60SwrtyYweEQhZllkpqUWmBvVcM=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=nCmRTGrganGbiGIwF48ouVWKBiQoLpEs27cs+Juns21bZFy5lkQBbDzznCxPOiNgL 9UQ7sqDX4Eyn5EKcc8y6md6oWdxbc0wKqHHuItyqNrI08/1spUvvoK0ELe0CdY+oXp feM0EeT2XrzcdEeDfZO9lsgcyFfnJt+x7guYhX2Q=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id 2ZMdBeAj8_Hb; Tue, 15 Jun 2021 21:14:07 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [193.110.157.194]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Tue, 15 Jun 2021 21:14:07 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 911288354D; Tue, 15 Jun 2021 15:14:06 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 8CC1B8354C; Tue, 15 Jun 2021 15:14:06 -0400 (EDT)
Date: Tue, 15 Jun 2021 15:14:06 -0400
From: Paul Wouters <paul@nohats.ca>
To: Ash Wilson <ash.wilson@valimail.com>
cc: danish@ietf.org
In-Reply-To: <CAEfM=vSd7CuK58W=eX86GYaxKKBfOs8z1mnQQVXnrXf9x-co0g@mail.gmail.com>
Message-ID: <d997ea8-9fc8-712-e22-fac64b401ab6@nohats.ca>
References: <YMZwG/l/pne2tHJF@straasha.imrryr.org> <A7723DDA-3B78-46AD-9449-B6DF7F211706@nohats.ca> <CAEfM=vSd7CuK58W=eX86GYaxKKBfOs8z1mnQQVXnrXf9x-co0g@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="ISO-8859-15"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/danish/LMfjjSPZI00vKJvax2O0be9cbDA>
Subject: Re: [Danish] Proposed WG Charter
X-BeenThere: danish@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DANE AutheNtication for Iot Service Hardening <danish.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/danish>, <mailto:danish-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/danish/>
List-Post: <mailto:danish@ietf.org>
List-Help: <mailto:danish-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/danish>, <mailto:danish-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Jun 2021 19:14:33 -0000

On Mon, 14 Jun 2021, Ash Wilson wrote:

> Very often, mobile data used for IoT ends up going into a message broker or message queueing system, and the central application subscribes or otherwise
> consumes information from the messaging middleware. Without some sort of verifiable sender identity attached to the message itself, the identity of the
> sender and the integrity of the message is assumed based on the integrity of all middleware involved in passing messages. If we include the sender's DNS
> name in the message and protect it with a signature, then it may be verified by the central application, independent of the transport over which it
> arrives. Then, mobile data network authentication becomes more about protecting availability and performance than preventing impersonation in a
> message-oriented application. Use cases centering around mobile network identities are a little more nuanced, and the available mechanisms can vary based
> on the mobile operator's tech stack. That's probably a better conversation for 3GPP.

But the price of this method is revealing the DNS FQDN and IP of the IoT
device. I can't come up with a use case where an IoT device would gain
more than it loses from announcing to the world who it is and where it is.

Traditionally, this is all done using public/private CA's where the
client conveys it identity securely via TLS client authentication
using a certificate, or by not authenticating the TLS client and
forcint the client to do an authentication after the TLS connection
has estbalishes, eg via Basic Auth at the HTTP level.

> Consider that if a messaging middleware platform is trusted by multiple sophisticated smart cities applications, and none of those applications implement
> message authentication, the messaging middleware platform itself becomes an attractive target for a well-resourced adversary. Simply signing the messages
> passing through the system removes the pressure on the broker to ensure integrity, and reduces the value of a compromised broker.

But again, at a price of exposing the identity and the IP address /
locatin of the client. That makes it vulnerable to DoS attacks, eg
flood pings to its IP, or more subtle timing attacks - eg I ping it but
depending on the response time I can infer it is busy or not with its
actual job.

Paul