IETF Logo Mail Archive

Re: [Iotops] [Secdispatch] I-D: Deploying Publicly Trusted TLS Servers on IoT Devices Using SNI-based End-to-End TLS Forwarding (SNIF)

Michael Richardson <mcr+ietf@sandelman.ca> Wed, 09 February 2022 19:16 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: iotops@ietfa.amsl.com
Delivered-To: iotops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 825863A0813; Wed, 9 Feb 2022 11:16:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.088
X-Spam-Level:
X-Spam-Status: No, score=-2.088 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_PDS_SHORTFWD_URISHRT_QP=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sandelman.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uXq_fk0Jq2mO; Wed, 9 Feb 2022 11:15:55 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0518F3A07F7; Wed, 9 Feb 2022 11:15:54 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 46AE2389C1; Wed, 9 Feb 2022 14:23:32 -0500 (EST)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id uzNqT9aj8wg5; Wed, 9 Feb 2022 14:23:28 -0500 (EST)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 9715C389C0; Wed, 9 Feb 2022 14:23:28 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sandelman.ca; s=mail; t=1644434608; bh=y6085vAWfdRZPRy9ywYw57m8yuMpatT3QTEaLAGvP7w=; h=From:To:CC:Subject:In-Reply-To:References:Date:From; b=vuNMYprBmKmEeOEcFL2Xv3viAZvRlI8XIJ93fBgOmk+nPYadZbnzPaOMBlhXjKKiV 587LzL69VvQEWuHF/i91V4p7N/pMxNa96xDhUUopu/05tK2CQ7PXJlbqPb1sLY0QZz Ga17NnGxu2e2ws0XccEoFabkS1dOMz3ZHbMim4ruwzZapkjwwO0gfA9lMMcQjT8b97 tKN25L0WKZyPq17wjpF0KlOhX3OTFq0k1qUdtGsk6uuxpGPLtQKRTgqtlJW5P6FYGl Mf2iW+3c6tKtGcmUMb13SyYo8jJthwdnJWWtnMx0oAMFcWr25xb7y+O0dVc5CmFrYz kTMMDLYT8E4bg==
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 8D52740; Wed, 9 Feb 2022 14:15:46 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Jim Zubov <ietf-list@commercebyte.com>, secdispatch@ietf.org, iotops@ietf.org, anima@ietf.org
CC: Manysecured <manysecured@iotsflists.org>
In-Reply-To: <0075B437-024A-4D84-ABD7-92FE8DAFA59F@commercebyte.com>
References: <0075B437-024A-4D84-ABD7-92FE8DAFA59F@commercebyte.com>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Wed, 09 Feb 2022 14:15:46 -0500
Message-ID: <1865.1644434146@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/iotops/U3mgwz47ZX1WpwBiBPhQZaywNYM>
Subject: Re: [Iotops] [Secdispatch] I-D: Deploying Publicly Trusted TLS Servers on IoT Devices Using SNI-based End-to-End TLS Forwarding (SNIF)
X-BeenThere: iotops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IOT Operations <iotops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/iotops>, <mailto:iotops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/iotops/>
List-Post: <mailto:iotops@ietf.org>
List-Help: <mailto:iotops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/iotops>, <mailto:iotops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Feb 2022 19:16:01 -0000

TL;DR: Dispatch to IOTOPS.

Hi, I've reviewed your document at:

Jim Zubov <ietf-list@commercebyte.com> wrote:
    > Please consider the following draft:
    > https://datatracker.ietf.org/doc/draft-zubov-snif/

I have three sections of comments: general ones, dispatch ones, and then some
detailed comments on the document/protocol itself.  My general comments are
intended to introduce the concept for who have not (yet?!) read the document.

GENERAL
-------
This seems to be solving a very similiar problem to the Manysecured SUIB
problem.  You can read more about SUIB at a document that is still evolving at:
      https://specs.manysecured.org/suib/SUIB-requirements

This was also on the IETF112 IOTOPS WG agenda:
     slides: https://datatracker.ietf.org/meeting/112/materials/slides-112-iotops-suib-browsing-local-web-resources-in-a-secure-usable-manner-iot-device-configuration-as-a-special-case-00
     video:  https://youtu.be/OIlJrUvwDcI?t=1649

and we hope to return at IETF113.

The SUIB problem addresses the challenge of connecting *locally* to a device,
and doing it securely.  For this to be possible with RFC6125-DNS-ID standard
browser, we need a name for the device, and we need a way to translate that
name into a locally reachable IP address.

The SNIF proposal does not quite solve the above problem.
It does provide a useable name for the device, and it does provide for *an*
address which can be used to reach the device.  But, it essentially has
created a kind of secure TURN service which gives a global (HTTPS) name for a device,
allowing it to be reached globally.    There are some aspects of the SNIF
which seem to deal with ABUSE.

While the SNIF CA and Connection proxies could be run by a number of parties,
given that the devices need to have a pre-existing relationship with those
parties (and that provisioning of credential stage is out of scope according
to the document), it seems that it will only really be operated by the
manufacturer, or some large delegate like an ISP that sells IoT devices.
What would the economic argument/incentive for other parties to operate these
services?
Still, if SNIF is replacing a manufacturer proprietary call-home protocol,
there could be advantages from having well reviewed code bases, and
potentially an ecosystem of SNIF Providers that manufacturers could outsource
to.  Azure/Amazon/... could easily run such services.

SNIF seems very much IPv4 NAT44 focused, and it could benefit from some
understanding of IPv6 and IPv6-over-IPv4 technologies, particularly Teredo.

DISPATCH COMMENTS
-----------------

There are a lot of issues that I have with the proposal that would need
significant work to document and/or sort out.  As such I would definitely
advise against AD sponsor.

This protocol is not really big enough to warrant it's own WG, although other
similiar sized protocols (such as ACME) have their own WG.  If ten people
from four different vendors showed up and wanted to work on this, then a new
WG might be reasonable.
Much of SNIF is about new variations of certificate enrollment.
Some of it is very similiar to draft-ietf-anima-brski-cloud.

If BEHAVE was still alive, dispatching there could make sense because it's a
also a new kind of TURN, and maybe it should just be a new variation.
Dispatch to ACME almost makes sense.
(To quote the _Broken Sword_ game: "That was almost a good idea")

It could be dispatched to ANIMA.  I don't think that it would make it through
ANIMA with the same look, but at least we have lots of RFC7030 expertise.

IOTOPS was chartered to do some IoT dispatch work, and it could be that this
document should go there.  It is not clear to me yet if SECDISPATCH has
the patience to understand the document well enough to make a decision.

DETAILED COMMENTS
-----------------

Section 2 will need a diagram for the Proxy, Relay, Connector, Client, CA.
I think that before introducing the components, a simpler walk through is
needed.

3.1: Connector speaks HTTP or HTTPS.
     It clearly has to speak HTTPS only.

     How does device learn their initUrl?
     If it is programmed into the device by the manufacturer, then basically
     it's the manufacturer's service.
     If it is provided by the end user, through an admin interface, then how
     is that interface secured?
     DHCP option?
     We have a multitude of onboarding protocols now, I suggest that
     extensions to a few of them be provided for here.

     For instance, in an RFC8995 BRSKI situation, the initURL, along with an
     optional trust anchor to validate it (if DNS-ID verification is a
     problem), could be provided in the voucher.  Of course, if one was doing
     BRSKI, then it might be better to just do BRSKI-CLOUD here.
     This flow:
     https://www.ietf.org/archive/id/draft-ietf-anima-brski-cloud-02.html#name-voucher-request-handled-by-
     is essentially exactly what is needed here.

3.2:
     "Any key algorithm acceptable by the CA can be used, generally RSA-4096 is recommended."
     I would not recommend RSA-4096.  Effective security of RSA keys does not
     go up linearly with size. 4096 bits just uses a lot of space for very
     little benefit.  ECDSA, EDDSA would be better recommendations.

     The Connector flow where it allocates a CN is essentially the CSRattrs
     problem that LAMPS is clarifying in RFC7030 with the
     https://datatracker.ietf.org/doc/draft-richardson-lamps-rfc7030-csrattrs/
     which has been neglected since IETF112, but I hope will be adopted at IETF113.

3.3: generally, GET is a bad idea for something that allocates something.
     Either use X-SNIF-CN:, or the payload, not both.  DRY.
     text/plain is probably the wrong choice for a mime type here.

3.4: PUT is an interesting choice.  It's not wrong though.
     Having a 201 reply where one can collect a status report is nice.
     I wish that RFC7030 did that.

3.5: as I understand it, the certificate is actually retrived from the
     DN/dnsName that was allocated using http.
     That seems to imply that http can never be used with the device?
     (I don't think it should, but...)
     At least this should be in /.well-known.

section 4 deals with the relay protocol.
        I didn't look at that deeply at this.
        It seems pretty complex, and as long as this is greenfield, why not
        use HTTP/2 and/or QUIC so that multiple requests can be sent over a
        single pinhole?

This entire part is very very much IPv4 focused.
IPv6 devices shouldn't need any of this.

But, perhaps more to the point, UPnP pretty much already does this.
So does Teredo.

section 4.6 on ABUSE Management is an interesting addition.
This part should be coordinated against what DOTS WG has already built.
I found your security considerations section to be well written.

I'm not sure I understand the IANA registration of "snif", etc.
They *aren't* what IANA would call "IP protocols", which would be things like
TCP, UDP, SCTP, ESP, ...
Has IANA *already* registered port 7123 then?


--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide

v2.23.0 | Report a Bug | By Email