Re: [dhcwg] Review request: draft-ietf-dhc-dhcpv6-lwm2m-bootstrap-options

Srinivasa Rao Nalluri <srinivasa.rao.nalluri@ericsson.com> Mon, 08 January 2018 15:09 UTC

From: Srinivasa Rao Nalluri <srinivasa.rao.nalluri@ericsson.com>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, Ari Keränen <ari.keranen@ericsson.com>
CC: "dhcwg@ietf.org" <dhcwg@ietf.org>
Thread-Topic: Review request: draft-ietf-dhc-dhcpv6-lwm2m-bootstrap-options
Date: Mon, 08 Jan 2018 15:09:25 +0000
Message-ID: <AM6PR0702MB3703D23A5B4DC83A1068C39DDE130@AM6PR0702MB3703.eurprd07.prod.outlook.com>
References: <B1D7B2D5-38E3-4565-A63D-85187850CF98@ericsson.com> <72F1C7FE-782E-472B-8D33-64ACF6262715@ericsson.com> <AM4PR0801MB2706BCB6FCD1ADA66F5934A7FA7A0@AM4PR0801MB2706.eurprd08.prod.outlook.com> <VI1PR0701MB19201DD8672588222B64ED5CDE7A0@VI1PR0701MB1920.eurprd07.prod.outlook.com> <AM4PR0801MB2706EF32EC07A7938EB1B263FA7A0@AM4PR0801MB2706.eurprd08.prod.outlook.com> <HE1PR0701MB1914A563303042503B330AEBDE7A0@HE1PR0701MB1914.eurprd07.prod.outlook.com> <AM4PR0801MB2706B3A8F37F25CD6FAE6D58FA7A0@AM4PR0801MB2706.eurprd08.prod.outlook.com> <HE1PR0701MB191469818C7AD2953DBC5371DE7A0@HE1PR0701MB1914.eurprd07.prod.outlook.com> <AM4PR0801MB27062B416690197F2917881DFA780@AM4PR0801MB2706.eurprd08.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/02Ldso_kZLC9YLnFc7xerP8I2Ug>
Subject: Re: [dhcwg] Review request: draft-ietf-dhc-dhcpv6-lwm2m-bootstrap-options

Hi Hannes,

Hope you are doing well.
As discussed during IETF-99, did you get a chance to rethink this?

Regards
Srinivas

-----Original Message-----
From: Srinivasa Rao Nalluri 
Sent: Friday, October 13, 2017 11:33 AM
To: 'Hannes Tschofenig'; Ari Keränen
Subject: RE: Review request: draft-ietf-dhc-dhcpv6-lwm2m-bootstrap-options

Hi Hannes,

I have been thinking further about this security issue you mentioned.

Today we have several other servers whose details are shared with DHCP clients as DHCP options, for example the Network Time Protocol server, the default WWW server and the domain name server.

The issue you mentioned exists in the use cases related to the above-mentioned servers, and operators are solving it by deploying DHCP snooping or DHCP relay agents. Maybe the LWM2M use case is more sensitive compared with other scenarios, but it can still be secured provided the service provider takes care of it.

The question is what if the service provider is not deploying DHCP relay or snooping. I agree there is an issue in such a case, but it becomes a deployment problem and we can say the service provider is compromised.

By background I am not a security expert, but my understanding is that we are talking about an existing problem that is solved for other similar use cases.

Thanks
Srinivas

-----Original Message-----
From: Hannes Tschofenig [mailto:Hannes.Tschofenig@arm.com] 
Sent: Wednesday, September 27, 2017 1:46 PM
To: Srinivasa Rao Nalluri; Ari Keränen
Subject: RE: Review request: draft-ietf-dhc-dhcpv6-lwm2m-bootstrap-options

I think the challenge is to design something that is independent of other security mechanisms outside the device. Currently, there is no solution in the document that provides this, and I fear that in practice this security will not work since those who deploy the solution are not necessarily aware of the tradeoffs.

I fear that your proposal right now causes more security problems than it solves. I will think about what can be done about this.

Ciao
Hannes

-----Original Message-----
From: Srinivasa Rao Nalluri [mailto:srinivasa.rao.nalluri@ericsson.com]
Sent: 25 September 2017 19:25
To: Hannes Tschofenig; Ari Keränen
Subject: RE: Review request: draft-ietf-dhc-dhcpv6-lwm2m-bootstrap-options

Hi Hannes,

Irrespective of what device it is, we can assume all devices are connected to an IP network. It is the service provider's responsibility to provide the secure deployment mechanisms mentioned below.
Most importantly, like any other DHCP options, the DHCP options in the current draft are NOT mandatory. The server supplies them only when the device requested them in the DHCP discover message AND the same is configured on the DHCP server. If the device is not requesting them OR the DHCP server is not configured with the option information, the device can always fall back to existing mechanisms to learn the URI and certificate.

So, the service provider has the option of choosing what they want.

Regards
Srinivas

-----Original Message-----
From: Hannes Tschofenig [mailto:Hannes.Tschofenig@arm.com]
Sent: Monday, September 25, 2017 10:37 PM
To: Srinivasa Rao Nalluri; Ari Keränen
Subject: RE: Review request: draft-ietf-dhc-dhcpv6-lwm2m-bootstrap-options

Sent a bit too quickly.

The problem is that the IoT device does not know anything about the network environment it sits in. DHCP also offers pretty much no practical security functionality.
So, introducing DHCP for such a security-sensitive task sounds like a built-in mechanism for hijacking IoT devices.



-----Original Message-----
From: Hannes Tschofenig
Sent: 25 September 2017 19:05
To: 'Srinivasa Rao Nalluri'; Ari Keränen
Subject: RE: Review request: draft-ietf-dhc-dhcpv6-lwm2m-bootstrap-options

The problem is that the

-----Original Message-----
From: Srinivasa Rao Nalluri [mailto:srinivasa.rao.nalluri@ericsson.com]
Sent: 25 September 2017 18:21
To: Hannes Tschofenig; Ari Keränen
Subject: RE: Review request: draft-ietf-dhc-dhcpv6-lwm2m-bootstrap-options

Hi Hannes,

Thank you for quick review and question.

The issue you mentioned is valid when a DHCP offer from a rogue DHCP server is accepted by the DHCP client. Today this is a generic issue for any DHCP offering. So, it is important to accept DHCP offers from trusted DHCP servers.

The question is, what is a trusted DHCP server? Any DHCP server that is controlled and configured by the service provider can be considered trusted. As you know, by nature DHCP discovery messages are broadcast, and in the base DHCP protocol there is no mechanism to prevent them from reaching unwanted DHCP servers in the L2 network. This problem can be solved in different ways in network deployment. For example,

- Make sure there is an L2 switch between the DHCP client and server (maybe on or close to the access node) with a DHCP snooping function running on it. Make sure the DHCP server(s) is reachable through one trusted switch port. Use a firewall to filter all DHCP server messages on all other ports.

- Install a DHCP relay agent (or proxy) on the access node so that broadcast messages are terminated and unicast requests are sent to preconfigured DHCP servers.

As the DHCP servers which are reachable through the above means are controlled by the service provider, I don't see any significant risk. These mechanisms are implemented today in network gateways (for example, the PGW in the 4G core and the Broadband Network Gateway in fixed access).

I did not mention the above text in the draft, considering it a deployment explanation. If you think it makes sense, we can include it in the security section of the draft.

With Regards
Srinivas



-----Original Message-----
From: Hannes Tschofenig [mailto:Hannes.Tschofenig@arm.com]
Sent: Monday, September 25, 2017 4:01 PM
To: Srinivasa Rao Nalluri; Ari Keränen
Subject: RE: Review request: draft-ietf-dhc-dhcpv6-lwm2m-bootstrap-options

Hi Srinivas,

How do you prevent an attacker from setting up a DHCP server that points to his or her LwM2M bootstrap server and thereby takes full control of the IoT device?

Ciao
Hannes

-----Original Message-----
From: Srinivasa Rao Nalluri [mailto:srinivasa.rao.nalluri@ericsson.com]
Sent: 25 September 2017 12:19
To: Hannes Tschofenig; Ari Keränen
Subject: RE: Review request: draft-ietf-dhc-dhcpv6-lwm2m-bootstrap-options

Hi Hannes,

We have 2 options proposed in this draft:

1) Option to get the bootstrap server URI
2) Option to get the LWM2M bootstrap server certificate that validates the key presented by the server.

These options are proposed to get the bootstrap server URI and server certificate dynamically rather than hard-coding or statically configuring them in the device. This is useful in case the bootstrap server URI or certificate has changed by the time the device is first bootstrapped or re-bootstrapped. In such a case, having a dynamic option to get LWM2M bootstrap server information helps avoid reconfiguration and manual action.

In this scenario, it is important to trust the DHCP server. In particular, the certificate option SHOULD be used only when received from a trusted network/DHCP server.

I can correlate this with several similar use cases, like the DNS server and NTP server, which are fetched using DHCP.

With Regards
Srinivas

-----Original Message-----
From: Hannes Tschofenig [mailto:Hannes.Tschofenig@arm.com]
Sent: Monday, September 25, 2017 3:26 PM
To: Ari Keränen
Cc: Srinivasa Rao Nalluri
Subject: RE: Review request: draft-ietf-dhc-dhcpv6-lwm2m-bootstrap-options

Hi Ari, Hi Srinivas,

Thanks for the introduction.

Srinivas, can you say something about the motivation behind the idea of introducing this DHCP option for use with LwM2M?

Ciao
Hannes

-----Original Message-----
From: Ari Keränen [mailto:ari.keranen@ericsson.com]
Sent: 25 September 2017 11:51
To: Hannes Tschofenig
Cc: Srinivasa Rao Nalluri
Subject: Re: Review request: draft-ietf-dhc-dhcpv6-lwm2m-bootstrap-options

Hi Hannes,

Sorry I'm a bit late with this, but you had some questions on the security aspects of the LwM2M DHCPv6 options draft. My colleague Srinivas (Cc'd) is the author of the draft.

Srinivas, Hannes is one of the key drivers of the LwM2M specification work in OMA and also author/driver of a whole bunch of security (and other) work at the IETF. Please work with Hannes to make sure the security aspects are properly covered by the draft.


Thanks,
Ari

> On 31 Aug 2017, at 8.57, Ari Keränen <ari.keranen@ericsson.com> wrote:
>
> IoT Directorate,
>
> We received a review request for "DHCPv6 Options for LWM2M bootstrap information" draft from the DHC WG:
> https://tools.ietf.org/html/draft-ietf-dhc-dhcpv6-lwm2m-bootstrap-options
>
> Please volunteer for review, especially if you are familiar with LWM2M protocol (but others are welcome too).
>
>
> Thanks,
> Ari
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
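The rogue-server attack Hannes describes and the two answers that come up in the thread (DHCP snooping on the access switch, and the device only trusting a certificate it can check against something it already holds) modelled in a small Python example. This is added here and is not code from the thread, from the draft or from any LwM2M implementation. Everything in it is constructed for illustration: the option codes OPT_BS_URI and OPT_BS_CERT are placeholders (the real codes are assigned by IANA, not by this example), the message layout follows only the RFC 8415 outline of a one-octet type, a three-octet transaction ID and TLV options, the "certificates" are opaque bytes identified by their SHA-256 rather than real X.509, and the switch ports and URIs are made up.

```python
"""Added example, not part of the draft or the thread.

Models: a DHCPv6 option codec, an L2 DHCP-snooping filter, and a device
that either trusts whatever certificate DHCP hands it (naive) or only a
certificate matching a fingerprint provisioned at the factory (pinned).
All option codes, ports, URIs and 'certificates' are constructed.
"""
import hashlib
import struct

# DHCPv6 message types from RFC 8415
SOLICIT, ADVERTISE, REQUEST, REPLY = 1, 2, 3, 7

# Placeholder option codes (assumption; IANA assigns the draft's real codes)
OPT_BS_URI = 0xFF01
OPT_BS_CERT = 0xFF02

# Constructed stand-ins for the operator's and the attacker's server certs
LEGIT_CERT = b"constructed-cert-of-operator-bootstrap-server"
ROGUE_CERT = b"constructed-cert-of-attacker-bootstrap-server"
LEGIT_URI = b"coaps://bs.operator.example:5684"
ROGUE_URI = b"coaps://attacker.example:5684"


def encode_options(opts):
    """Serialise (code, value) pairs as DHCPv6 TLVs: 2-byte code, 2-byte length, value."""
    out = bytearray()
    for code, value in opts:
        out += struct.pack("!HH", code, len(value)) + value
    return bytes(out)


def decode_options(buf):
    """Parse TLVs back into (code, value) pairs; reject truncated or trailing bytes."""
    opts, i = [], 0
    while i + 4 <= len(buf):
        code, length = struct.unpack("!HH", buf[i:i + 4])
        i += 4
        if i + length > len(buf):
            raise ValueError("truncated option")
        opts.append((code, buf[i:i + length]))
        i += length
    if i != len(buf):
        raise ValueError("trailing bytes after last option")
    return opts


def build_message(msg_type, opts):
    """1-octet msg-type, 3-octet transaction-id (fixed here), then options."""
    return bytes([msg_type]) + b"\x00\x00\x01" + encode_options(opts)


def parse_message(msg):
    return msg[0], decode_options(msg[4:])


def snooping_filter(frames, trusted_ports):
    """Defence 1 (switch): drop server-originated DHCPv6 messages that arrive
    on ports not marked trusted, so only the operator's server can answer."""
    passed = []
    for port, msg in frames:
        msg_type, _ = parse_message(msg)
        if msg_type in (ADVERTISE, REPLY) and port not in trusted_ports:
            continue  # rogue server on an access port: discarded
        passed.append((port, msg))
    return passed


def fingerprint(cert):
    return hashlib.sha256(cert).hexdigest()


def choose_bootstrap(advertises, pinned_fp=None):
    """Defence 2 (device): return (uri, cert) the device will bootstrap against.
    pinned_fp=None reproduces the naive client that trusts whatever DHCP says;
    otherwise only a certificate matching the factory-provisioned fingerprint
    is accepted, which is a check the network cannot influence."""
    for _port, msg in advertises:
        _, opts = parse_message(msg)
        d = dict(opts)
        if OPT_BS_URI not in d or OPT_BS_CERT not in d:
            continue
        uri, cert = d[OPT_BS_URI].decode(), d[OPT_BS_CERT]
        if pinned_fp is None or fingerprint(cert) == pinned_fp:
            return uri, cert
    return None


def scenario(snooping, pinned):
    """Rogue server on access port 5 answers first; operator server on trusted port 1."""
    frames = [
        (5, build_message(ADVERTISE, [(OPT_BS_URI, ROGUE_URI), (OPT_BS_CERT, ROGUE_CERT)])),
        (1, build_message(ADVERTISE, [(OPT_BS_URI, LEGIT_URI), (OPT_BS_CERT, LEGIT_CERT)])),
    ]
    if snooping:
        frames = snooping_filter(frames, trusted_ports={1})
    return choose_bootstrap(frames, fingerprint(LEGIT_CERT) if pinned else None)


def rogue_only_pinned():
    """Pinning stops hijacking but not denial of bootstrap: with only the rogue
    Advertise on the wire, the pinned device refuses it and gets nothing."""
    frames = [(5, build_message(ADVERTISE, [(OPT_BS_URI, ROGUE_URI), (OPT_BS_CERT, ROGUE_CERT)]))]
    return choose_bootstrap(frames, fingerprint(LEGIT_CERT))


if __name__ == "__main__":
    for snooping in (False, True):
        for pinned in (False, True):
            print(f"snooping={snooping} pinned={pinned} -> {scenario(snooping, pinned)}")
    print("rogue only, pinned device ->", rogue_only_pinned())
```

Without either defence the device follows the first Advertise it sees and bootstraps against the attacker's URI with the attacker's certificate, which is the hijack in the thread. Snooping fixes that only where the operator actually deploys it; the pinned fingerprint is the kind of in-device check Hannes asks for, since it works regardless of the network, but note the last function: an attacker who is the only DHCP server on the segment can still stop the device from bootstrapping at all.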