[DNSOP] MUD in DNSOP
Ben Schwartz <bemasc@google.com> Fri, 05 March 2021 22:23 UTC
Return-Path: <bemasc@google.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B1F6E3A1050 for <dnsop@ietfa.amsl.com>; Fri, 5 Mar 2021 14:23:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Level:
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q3fbYdcARzBE for <dnsop@ietfa.amsl.com>; Fri, 5 Mar 2021 14:23:51 -0800 (PST)
Received: from mail-wr1-x42a.google.com (mail-wr1-x42a.google.com [IPv6:2a00:1450:4864:20::42a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 543923A104F for <dnsop@ietf.org>; Fri, 5 Mar 2021 14:23:51 -0800 (PST)
Received: by mail-wr1-x42a.google.com with SMTP id e10so3694976wro.12 for <dnsop@ietf.org>; Fri, 05 Mar 2021 14:23:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:from:date:message-id:subject:to:cc; bh=va/5x5bU93R3Oeoeb3s5JBX4kL8FSe/5XdFqnZq2+7g=; b=toXvxltM1ZMeJAL6fNHSA/XeMfuIoEBenNgBduQa62S011NmxarW9GJRYorhO0wOxm jtSy/4EeA6XbHplIZISFICteTi9Z/mywzTo+wqbkWijCJunI5BGc54j1/Y+Ba8Q1eGfY kb1qgGoeiQqosiIf8RhvFo0FfbDvpURHavTHPSfgw+KEIp+9Gpn+Uoac9ODwFG2VGoT2 LRjQgj0GsTsqNyltHg0OUo5wWSjnVIOpm4ce5XE5q5TWKYurwgll8AE4bqqdAW4ffQ2H LOMxiRG2WuIX8k2fmp/KaXz7gxTuI2CTG+fK2klR+DNHLFHuwKKF2jWd2nECBx3V8IcM zxDw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=va/5x5bU93R3Oeoeb3s5JBX4kL8FSe/5XdFqnZq2+7g=; b=AAadwdckZAxLEsCRGxNBQxTKzjzuAuhAk6Xyid9+BX/l1traQ7bW5Oq51Bl8PUdc8w uyq2wVapkiwjJ6oDQp7YaxjxmQ6Pz1UtE2ZYG239H2/I71pHp2s1HqAxslGXyJZd83go a1xC55HTsOrkCzLfYXupJKPwCwu0lWmiPRKusT6ja+6NMoXpLz59EmqciOPg/BrqdHip 3WXxd5D/s7n7AEBbQctSBEP2oB6UxVvXFxlnbz8CwV6Eh5g2Bmc3AvO2hU3eRzf6IS0r Bl07xtoez1HQbrsBJzMaWBfRvRn5K1Utv1/w0Q1Q7gyei8fhtAxEwLGig4sPiFqc1qLI wIXg==
X-Gm-Message-State: AOAM532aIOEiruMy5uuxsvHlgOerMCuTGuz7FBcQUhUrq77Fh0/sFLOv YJQeZTBcULA/o/Tf5pBLx0MT/RPq/ygC6eJg8Xb0olImH/X29Wj/
X-Google-Smtp-Source: ABdhPJwAO3coolgaLuKDopeiRETouc57tyhQJZoShmgQkcl9yjOqdltieWoqIxCPG+cySjwcWZa0OTAcvE8XKr6+cPU=
X-Received: by 2002:adf:f1c4:: with SMTP id z4mr11716985wro.404.1614983028231; Fri, 05 Mar 2021 14:23:48 -0800 (PST)
MIME-Version: 1.0
From: Ben Schwartz <bemasc@google.com>
Date: Fri, 05 Mar 2021 17:23:36 -0500
Message-ID: <CAHbrMsBOtu69STooBBV=aZfrB33ftdERwufCU9S1t_SMsDwrNw@mail.gmail.com>
To: dnsop <dnsop@ietf.org>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="000000000000bdf85505bcd1893d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/PNJy-kf-6CErJrKf5NSwvTv0srk>
Subject: [DNSOP] MUD in DNSOP
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Mar 2021 22:23:54 -0000
I noticed that draft-ietf-opsawg-mud-iot-dns-considerations is on the DNSOP agenda for this week. It considers the problem of using MUD, which applies IP-based filtering to locked-down IoT devices, with DNS-named servers. Some of the recommendations are clearly correct given the limitations of MUD, but I also have significant concerns with parts of the text. Section 4.1 says not to use IP addresses at all. Section 5 and Section 6.4 make recommendations about which resolvers to use for IoT generally. I think this is not necessary or productive. The recommendations should be limited to MUD-DNS devices. The draft recommends that devices use the network-provided DNS server, which is typically a general-purpose resolver that is capable of processing any name. Allowing the device to access this server defeats much of the security benefit of MUD, because malware can communicate bidirectionally through the DNS server, bypassing the MUD profile entirely. It would be more secure to disable the urn:ietf:params:mud:dns permission. Section 6.3 says When aliases point to a Content-Distribution Network (CDN), prefer to > use stable names that point to appropriately load balanced targets. > CDNs that employ very low time-to-live (TTL) values for DNS make it > harder for the MUD controller to get the same answer as the IoT > Device. A CDN that always returns the same set of A and AAAA > records, but permutes them to provide the best one first provides a > more reliable answer. I don't think this guidance is sufficient. MUD's DNS filters assume that the device and gateway have the same answer in their local caches. Even if the device got its answer _through_ the gateway, there's no guarantee that this is true, unless the name always resolves to the same addresses. Even if the name resolves to the same addresses for everyone (no geotargeting or load-balancing), any change to the zone can result in a device-gateway mismatch during the transition, resulting in an outage while the gateway blocks the device's network access. This mismatch can last for the duration of the DNS TTL. Ironically, the guidance here to use long TTLs could result in longer outages, plausibly hours to days. Even if the device always delegates DNS resolution to the MUD gateway, and the gateway attempts to provide deterministic caching (unlike a typical resolver or forwarder), consider the case where the gateway experiences a power glitch and resets. Normally, with MUD, this would likely result in an outage of less than a minute, but if the gateway re-queries the DNS name and gets a new answer, all corresponding devices on the network will be offline for the DNS TTL. I want MUD-DNS to work, but I think that's going to require some deeper changes. The cleanest solution, in my view, would be to avoid the device ever learning about the results of DNS resolution, by forwarding traffic to named destinations through a SOCKS5 proxy operated by the gateway. (SOCKS5 is trivial to implement, far simpler than DNS.) A similar effect could be achieved by IP encapsulation, IPv6 extension headers, and many other mechanisms. A hackier solution would be to add a DHCP option for the MUD gateway to specify its associated resolver, and require devices not to implement any DNS caching. These approaches are compatible with disabling the urn:ietf:params:mud:dns permission, which is typically necessary for real control over the device. --Ben [1] https://www.ietf.org/archive/id/draft-ietf-opsawg-mud-iot-dns-considerations-01.txt
- [DNSOP] MUD in DNSOP Ben Schwartz