Re: [Iot-directorate] Iotdir early review of draft-richardson-mud-qrcode-02

Jaime Jiménez <jaime@iki.fi> Wed, 01 December 2021 06:26 UTC

Message-Id: <1a919d10-f2ac-42a5-91c1-ebcdb764de92@www.fastmail.com>
In-Reply-To: <15386.1637847543@localhost>
References: <163783289022.31136.7276510955956674909@ietfa.amsl.com> <15386.1637847543@localhost>
Date: Wed, 01 Dec 2021 08:25:42 +0200
From: Jaime Jiménez <jaime@iki.fi>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: iot-directorate@ietf.org, draft-richardson-mud-qrcode.all@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/iot-directorate/K-9qI-rmR64U5Ip1OCXumPoS52s>
Subject: Re: [Iot-directorate] Iotdir early review of draft-richardson-mud-qrcode-02

Thanks for the prompt reply Michael! 
I have no additional comments on this.

Ciao!
-- 
Jaime Jiménez

On Thu, Nov 25, 2021, at 3:39 PM, Michael Richardson wrote:
> Jaime Jimenez via Datatracker <noreply@ietf.org> wrote:
>     > As per the IoT Dir request I will be providing a first review of
>     > draft-richardson-mud-qrcode-02.
>
> Thank you for the review!
>
>     > To my understanding the aim of the document is to provide the MUD URL as a QR
>     > code for devices that do not have MUD support. From the deployment point of
>     > view I suppose the process would be done for example via a deployment
>     > specialist that scans the code and transmits the URL from the phone device to
>     > the MUD Controller.
>
> yes, it might also occur in the asset management group, which for instance,
> receives devices in boxes, adds them to their asset management database, and
> then prints some "This device owned by Example Corp, asset tag 234589234"
> stickers and affixes them.  This is one of the purposes of the RLA QR codes.
>
>     > As per 3.2.5 in some cases the MUD URL contains also the MAC of the device so
>     > that when the device connects, the network will recognise it (for example when
>     > using ARP or DHCP). That latter part by the way is a bit undefined at
>
> The detail here is difficult as it depends upon how the asset database is
> integrated with the DHCP, and ultimately, with the MUD controller.
> In the worst case, there would be copy and pasting from one system to
> another, but that would get better as this goes on.
> No integration with ARP, DHCP or LLDP is required, as the device probably
> does not put its MUD URL into DHCP or LLDP if it has the URL on the outside.
> (but that might change over time)
>
>     > A naive attacker could read the QR code that contains the MAC, change its own
>     > MAC to that of the QR code and then impersonate the device effectively
>     > blacklisting that MAC address and preventing the actual device from attaching
>     > to the network in the future.
>
> Yes, I suppose that this is an attack.
> To do it, the attacker must have credentials that let it onto the network in
> the first place.   Maybe that involves just plugging a cable in to an empty
> port.
> At which point, they could do all sorts of things too.
> If the network has 802.1X controls (such as EAP-Enterprise), then the network
> would really have already defended itself against that.
>
>     > "The ISE would appreciate reviews from IoT and Operations experts to gather
>     > opinions on the document. In particular, the ISE would like to know whether
>     > publication would be a bad idea or could be harmful to the Internet."
>
>     > I personally do not see any specific items on this draft that could be harmful
>     > to the general Internet. Some security issues are evident and affect the use of
>     > the QR code, but they have been described in the Security section.
>
> Wunderbar.
>
> --
> Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
>            Sandelman Software Works Inc, Ottawa and Worldwide
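The impersonation scenario sketched in the review above (attacker copies the MAC off the label, plugs into an empty port, and the MAC-keyed controller cannot tell the two hosts apart) is easy to see in a small model. The following Python is an added illustration written for this page; it is not code from the draft, from the reviewers, or from any real MUD controller. The record shape fed by the scan (a MUD URL plus a MAC), the switch attach/detach event format, the port names and URLs, and the "allow/unknown/alert" decisions are all constructed assumptions. The duplicate-MAC alert is one practical check a controller can make; as the reply notes, the real defence is 802.1X, which this toy does not model.

```python
import re
from dataclasses import dataclass, field

# Constructed toy model of the QR-scan -> MUD controller flow discussed in the
# thread.  Record layout, event format and decision strings are assumptions.

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonicalise the MAC spellings that survive copy-and-paste between the
    asset database and the controller (aa:bb:.., AA-BB-.., aabb.ccdd.eeff,
    AABBCCDDEEFF) to aa:bb:cc:dd:ee:ff.  Anything else is rejected."""
    hexdigits = re.sub(r"[:\-.\s]", "", mac).lower()
    if not _MAC_RE.match(hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class MudController:
    bindings: dict = field(default_factory=dict)   # mac -> MUD URL from the scan
    attached: dict = field(default_factory=dict)   # mac -> port currently live
    alerts: list = field(default_factory=list)     # (mac, existing_port, new_port)

    def register_scan(self, mud_url: str, mac: str) -> None:
        """Asset group scans the label and pastes URL + MAC into the controller."""
        self.bindings[normalize_mac(mac)] = mud_url

    def on_attach(self, port: str, mac: str) -> str:
        """Switch reports `mac` on `port`.  Returns 'allow <url>' for a known MAC
        that is not live elsewhere, 'unknown' when no scan registered it, and
        'alert' when the same MAC is already live on a different port, which is
        exactly what the label-copying attacker looks like to a MAC-keyed policy."""
        mac = normalize_mac(mac)
        url = self.bindings.get(mac)
        if url is None:
            return "unknown"
        prev = self.attached.get(mac)
        if prev is not None and prev != port:
            # Two hosts claim one MAC; the MAC alone cannot say which is genuine.
            self.alerts.append((mac, prev, port))
            return "alert"
        self.attached[mac] = port
        return f"allow {url}"

    def on_detach(self, port: str, mac: str) -> None:
        """Switch reports link down; a later attach on another port is then a move."""
        mac = normalize_mac(mac)
        if self.attached.get(mac) == port:
            del self.attached[mac]


def demo() -> tuple:
    """Constructed sequence: one scanned label, genuine attach, then an attacker
    presenting the same MAC from an empty port."""
    c = MudController()
    c.register_scan("https://mud.example.com/light.json", "AA-BB-CC-00-11-22")
    first = c.on_attach("Gi1/0/3", "aa:bb:cc:00:11:22")    # genuine device
    second = c.on_attach("Gi1/0/9", "aabb.cc00.1122")       # attacker, same MAC
    return first, second, len(c.alerts)


if __name__ == "__main__":
    print(demo())
```

The normaliser matters more than it looks: the reply anticipates URL and MAC being copied between systems by hand, and a controller that keys a dictionary on the raw string will silently fail to match "AA-BB-CC-00-11-22" against "aa:bb:cc:00:11:22" and treat a registered device as unknown.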