[Iot-directorate] Iotdir reviews of draft-richardson-mud-qrcode-02
Michael Richardson <mcr+ietf@sandelman.ca> Fri, 24 December 2021 17:29 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: iot-directorate@ietfa.amsl.com
Delivered-To: iot-directorate@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A7933A0E35; Fri, 24 Dec 2021 09:29:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sandelman.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h0WaRREnwcwb; Fri, 24 Dec 2021 09:29:06 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 959033A0E32; Fri, 24 Dec 2021 09:29:04 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 57EC938BDF; Fri, 24 Dec 2021 12:33:48 -0500 (EST)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id DsrK5nLWq4VE; Fri, 24 Dec 2021 12:33:45 -0500 (EST)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id CD2C638AFD; Fri, 24 Dec 2021 12:33:45 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sandelman.ca; s=mail; t=1640367225; bh=ZAHXII+Q6QbqTZLDMCCkY/GbOapNthE9GRNpokdXhEU=; h=From:To:cc:Subject:Date:From; b=3gCiEnKy5zoQujWck0z3LRy5RKrkQsCZEw1T54h6ivU3r6/1aibZRbUkIG/n0SfjZ nfPeeYwEt1qnP28OZv+nb3QeInSOA2FRwZZdBa1GsikBJTOGjIIC/y3rk/7vRVK08y 1rAC0+WZFT6YgBqGt7wudUUaJHan1svfgavPwfaZZlI+QeJKPoBgTU/2E6AmrW7lz6 wv+7d0JwRHO+UjfoodAw4o/wIGdndVo/xTzG8Lk2hR+jMTFfxkk5KIj0qsaOBQf7Gv l7/Ev86bT8DnCTR7BTXXP+/ThB7H+DW8puLbmqXyGl58a0O7DzaH/6Y7KjJ1QitEC6 Xuf+jIMSddLZA==
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id D9F3248F; Fri, 24 Dec 2021 12:29:00 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: iot-directorate@ietf.org, draft-richardson-mud-qrcode.all@ietf.org, rfc-ise@rfc-editor.org
cc: joelja@gmail.com, jaime@iki.fi, mud@ietf.org
X-Attribution: mcr
X-Mailer: MH-E 8.6+git; nmh 1.7.1; GNU Emacs 26.3
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Fri, 24 Dec 2021 12:29:00 -0500
Message-ID: <23712.1640366940@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/iot-directorate/3tJ56V68iTPJBf9BHeo4jZpBHqc>
Subject: [Iot-directorate] Iotdir reviews of draft-richardson-mud-qrcode-02
X-BeenThere: iot-directorate@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Mailing list for the IoT Directorate Members <iot-directorate.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/iot-directorate>, <mailto:iot-directorate-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/iot-directorate/>
List-Post: <mailto:iot-directorate@ietf.org>
List-Help: <mailto:iot-directorate-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/iot-directorate>, <mailto:iot-directorate-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Dec 2021 17:29:11 -0000
This is a public reponses to reviews of draft-richardson-mud-qrcode. The document is in the ISE queue and has received IOT-Direcorate reviews by Jaime Jimenez and Marco Tiloca. An OPSAWG review by Joel has been received, and I include my replies below as well. I'll post a new revision once I'm sure that I've dealt with all the concerns. Marco's comments were unicast, but I've saved them at: https://www.sandelman.ca/SSW/ietf/mud/qrcode/marco-review-01.txt Changes from Marco's review are at: https://github.com/mcr/mud-qrcode/pull/2 Jaime's comments: https://mailarchive.ietf.org/arch/msg/iot-directorate/jB7C-IzhLPAMD-bY-K2I8it9TeE/ Edits from Jaime's review are at: https://github.com/mcr/mud-qrcode/pull/3 and my replies are below: Jaime> When the MAC is not included on the MUD URL then the assumption is that the Jaime> network administrator is the one with physical access to the devices and Jaime> can create the relevant policies. This comes with the caveat of what is Jaime> then the purpose of the QR code if manual configuration is needed anyways. There are two points to RFC8520 MUD files: a) it is true, RFC8520 just encodes rules that the network operator could input themselves. If only they knew all the intricate details of the device, were well enough trained to input those rules accurately into the variety of firewalls and IDS systems they own without error. So RFC8520 files remove many opportunities for mistakes. b) by indirecting through a MUD file hosted by the manufacturer, and signed by the manufacturer, the manufacturer of the device has the opportunity to fix errors or omissions in the ACLs, as well as communicate other meta-data about the device, such as the SBOM info, etc. Additionally, a person installing devices on a campus network does not need to be trusted with super-user access to the entire campus ACLs, just with amending a database of MAC-address -> MUD file mappings in a database. I have added a section 4, Applicability, which I think maybe will address your concerns by putting this activity into a better context. Please see: https://github.com/mcr/mud-qrcode/pull/3 Jaime> A naive attacker could read the QR code that contains the MAC, change Jaime> its own MAC to that of the QR code and then impersonate the device Jaime> effectively blacklisting that MAC address and preventing the actual Jaime> device from attaching to the network in the future. I agree that this could be done. In order to do it, one needs physical access to the network (or ESSID w/credential). If one has that, one could just listen to the network for broadcasts, and then do the attack. 802.1x is designed to deal with such things already. Reviewer: Joel Jaeggli Review result: Has Nits Joel> I reviewed this document on the behalf of the operations and management Joel> directorate. Joel> While this document is adequately evocative of the risks associated with Joel> essentially unsecured information being ingested via QR codes it's fairly Joel> unsatisfying with respect to mitigitations offered. Joel> this is a much a property Joel> of operating in the real world as it is a question of protocol implementation. Joel> While this is described as social engineering, it's a more deeply engineered Joel> falsehood that extends outside the realm of human decision-making. okay. Joel> If I were to nitpick the described security issues it is that operation of or Joel> decision making over a device on the basis of qr code embedded in a sticker Joel> can never provide a degree of certainty that the device is what it says it is Joel> that powering the device up and interrogating it's mud profile can achieve, Joel> that without some transitive trust property that can be extended to the device Joel> on the basis of the security of it's internals (e.g. protected Joel> cryptoghric If I understand you, the sticker has very little value compared to a secured boot process as being described by RATS, TCG, etc. I can't disagree with you.... but I'm hearing: "it's not perfect, so don't even bother" Yet, I'm pretty sure that millions of devices have actually been deployed over the past fourty years, building the Internet as we know it. Yes, some of them have turned out to be trojans. Joel> secrets that the manufacturer or owner have embedded) that the information Joel> embedded in the online formation cannot be trusted to map to that device. so Joel> for example if as part of lifecycle management one decides how to dispose of Joel> something broken or unpowered based on a mud profile sticker that information Joel> is not trustworthy on the basis of anything other than common sense or external Joel> validation. e.g. is this transformer full of dioxin or in fact mineral oil as Joel> the documentation behind the sticker claims. So, I can't say anything about the other contents of the QRcode that RLA.org wishes to put on the devices. These might not be stickers, but would likely be laser etched into the "case". I'm not sure the containers that transformers live in are called cases, but whatever. There are indeed many concerns here. Should these transformers have IP connectable micro-controllers (perhaps to tell the operator that the dioxin is leaking...), my goal is simply that a MUD profile could be associated with these controllers. rseadrian> So the point would be (and this applies to stickers randomly rseadrian> placed by an attacker as much as it does to anything else) that rseadrian> it would be good if the information accessed through the QR code rseadrian> was verifiable back to its origin. MUD files have associated signatures. This is in RFC8520 section 13: https://datatracker.ietf.org/doc/html/rfc8520#section-13 whether or not a MUD controller should trust the resulting file is outside of the scope of this document. RFC8520 does not say a lot about who to trust, although section 16 of that document does say a fair bit about rogue manufacturers. Adrian further asked me: rseadrian> I decided to get ahead and had another scout through the draft. I rseadrian> think I don't quite know what the purpose of the document is. It rseadrian> is clear that, if it came out of (e.g.) the OPSAWG then it would rseadrian> be the IETF's consensus opinion on how to do QR codes in MUD. But rseadrian> in the Independent Stream I think it is one of three things: > 1. If it is documenting a specific implementation (which is hinted at by > "to allow interoperability") then it should name the implementation so > people know what they are interoperating with. > 2. If this is documenting a speculative approach, it should be > experimental and describe how to assess the experiment. > 3. If this is "just" the author's musings about how this might be done, > then it should be caveated accordingly as an opinion. I take your point. I could add an Implementary Summary to the document if that would helpful, but the answer is unfortunately... all of the above. 1. There was a specific implementation which we did do as a proof of concept. http://www.sandelman.ca/SSW/talks/isoc-ca-multistakeholder4-2018/ 2. Based upon experience we gained, we decided that we should have a more mainstream QRcode format, and after some research, it was suggested that rla.org was the right place to converge to. Alas, many other things got in the way of getting this done, some of which is the inevitable chicken-and-egg problem. 3. The document is, yes, "musings" about how we think RFC8520 should be done. This is being done in an RFC, because like, "IP-over-FOO" documents, it seemed best to do this in the IETF. This is a "MUD-over-RLA" document. {I think that this proposal is signficantly more concrete (and less experimental) than many other 100-page Informational RFCs produced by WGs which wind up going nowhere.} -- ] Never tell me the odds! | ipv6 mesh networks [ ] Michael Richardson, Sandelman Software Works | IoT architect [ ] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on rails [ -- Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting ) Sandelman Software Works Inc, Ottawa and Worldwide
- [Iot-directorate] Iotdir reviews of draft-richard… Michael Richardson