IETF Logo Mail Archive

Re: [Iotops] [Secdispatch] [Anima] I-D: Deploying Publicly Trusted TLS Servers on IoT Devices Using SNI-based End-to-End TLS Forwarding (SNIF)

Jim Zubov <ietf-list@commercebyte.com> Mon, 07 March 2022 03:30 UTC

Return-Path: <ietf-list@commercebyte.com>
X-Original-To: iotops@ietfa.amsl.com
Delivered-To: iotops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 108773A0CF0; Sun, 6 Mar 2022 19:30:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.109
X-Spam-Level:
X-Spam-Status: No, score=-1.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, GB_AFFORDABLE=1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=commercebyte.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oW2P0v6KwtSc; Sun, 6 Mar 2022 19:30:38 -0800 (PST)
Received: from ocean1.commercebyte.com (ocean1.commercebyte.com [104.131.120.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 844D93A0D3C; Sun, 6 Mar 2022 19:30:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=commercebyte.com; s=default; h=Content-Transfer-Encoding:Content-Type:MIME-Version:Message-ID:References:In-Reply-To:Subject:To:From:Date; bh=YkQ5OtXQJZkMUoHqJ9ynomA1Bb1Vt4hsQfCgRUmKUGA=; b=pH43SdXpwygJyXBx2zWBWsvJathkOl29LSjfMeJoFslrw7AwgR2hUxG3F5+f5lKNekHkuE/0y0V2b5veRBPGCV9caFvsVymusikpCXLuN5pvabd5smYUVl1XvqHKhJrc3zsSByrTjuQujrplLEK0hByXisDe9NnCXAKzVJmZe+M=;
Received: from [47.204.174.73] (port=45334 helo=[127.0.0.1]) by ocean1.commercebyte.com with esmtpsa (UNKNOWN:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.82) (envelope-from <ietf-list@commercebyte.com>) id 1nR44w-0007yC-DU; Sun, 06 Mar 2022 22:30:34 -0500
Received: from [206.81.2.95]:7120 (helo=[127.0.0.1]) by [192.168.254.152]:41020 (localhost) with VESmail ESMTP Proxy 1.59 (encrypt=FALSE mode=FALLBACK); Sun, 06 Mar 2022 22:30:33 -0500
Date: Sun, 06 Mar 2022 22:30:24 -0500
From: Jim Zubov <ietf-list@commercebyte.com>
To: secdispatch@ietf.org, Michael Richardson <mcr+ietf@sandelman.ca>, Eric Rescorla <ekr@rtfm.com>, "secdispatch@ietf.org" <secdispatch@ietf.org>, Jim Zubov <ietf-list@commercebyte.com>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "anima@ietf.org" <anima@ietf.org>, "iotops@ietf.org" <iotops@ietf.org>
User-Agent: K-9 Mail for Android
In-Reply-To: <22243.1646519268@localhost>
References: <0075B437-024A-4D84-ABD7-92FE8DAFA59F@commercebyte.com> <1865.1644434146@localhost> <E1nHwaz-0000LM-I5@ocean1.commercebyte.com> <4026.1644516168@localhost> <685366A1-01F4-4788-B025-0F5F4CE7947F@commercebyte.com> <DBBPR08MB591577EC79C3D11114AA747CFA3C9@DBBPR08MB5915.eurprd08.prod.outlook.com> <FC43EB7C-5ABF-4061-89BA-1503F0B6340D@commercebyte.com> <DBBPR08MB59159BFB36A926DA8E851723FA3D9@DBBPR08MB5915.eurprd08.prod.outlook.com> <665685D3-B9AA-4A5E-B5B0-33D313A40716@commercebyte.com> <6296.1646509436@localhost> <CABcZeBM9sUs2cZyf8564-501p0RUve_FBvEBAd45k2RhyRbFqg@mail.gmail.com> <22243.1646519268@localhost>
Message-ID: <1075E99A-C00A-455E-97E8-2A29BA175F8F@commercebyte.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - ocean1.commercebyte.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - commercebyte.com
X-Get-Message-Sender-Via: ocean1.commercebyte.com: authenticated_id: jz@nixob.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/iotops/agr_xI4GRYblwdWj3oYCZrFSNtk>
Subject: Re: [Iotops] [Secdispatch] [Anima] I-D: Deploying Publicly Trusted TLS Servers on IoT Devices Using SNI-based End-to-End TLS Forwarding (SNIF)
X-BeenThere: iotops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IOT Operations <iotops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/iotops>, <mailto:iotops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/iotops/>
List-Post: <mailto:iotops@ietf.org>
List-Help: <mailto:iotops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/iotops>, <mailto:iotops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Mar 2022 03:30:52 -0000


On March 5, 2022 5:27:48 PM EST, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
>
>Eric Rescorla <ekr@rtfm.com> wrote:
>    > I provided some comments at the end of my review. Briefly, I have doubts
>    > that this
>    > is the best technical approach and so I think if we are to work on this
>    > problem
>    > we should start by working out the problem statement and requirements first.
>
>I would agree with you.
>
>In particular,  I think that UPnP or PCP, in combination with some kind
>of dynamic DNS infrastructure, could do everything SNIF does, and do it in a
>far more decentralized fashion.
>
>So what is it that SNIF does that is truly different?


I had a discussion with Eric about it.

SNIF can work for an IoT device behind NAT or firewall through the relay. For IoT devices that have a clean static IP it's possible to use DDNS to directly connect to the device instead of the relay (not described in my draft but is fairly easy to implement through a peripheral process).

Regarding the certs, a CA, for example Let's Encrypt, operates in terms of a 'Registered Domain', e.g. something.com, that you purchase from a TLD. Registered domains are not free, hence having a unique registered domain per an IoT device is not affordable - even if it's $2/yr nobody's going to eat that cost, and very few IoT end users will be willing to set up their own additional billing.
Therefore, hostnames for individual IoT devices should be subdomains of a certain registered domain. Since a CA sets limits on API calls within each registered domain, if you allow IoT devices to randomly interact with the CA you set yourself on a path to a DoS. So, having a CA proxy that maintains control over the DNS zone and interacts with the CA (without having access to anybody's private keys) while enforcing anti-abuse policies sounds like a good solution.
As for the security risk, it lies in the CA challenge. Having a DDNS server for a zone poses same risk as a CA proxy that has sole control over a DNS zone, with additional headaches and risks of DDNS authentication for each IoT device.
If anybody disagrees or has something to add - please chime in.


>
>    >> Have the SECDISPATCH chairs put it on the
>    >> agenda,
>
>    > I think putting it on the SECDISPATCH agenda would be appropriate
>
>Good.
>
>    >> or is there any agreement that maybe IOTOPS should dispatch it?
>
>    > I think that would be a bad idea. There's nothing really IoT-specific here.
>
>There is often nothing IoT specific about many things.
>There is however a community of people who understand the set of tradeoff in
>deploying systems at large scale that have no human at the helm.
>
>--
>Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
>           Sandelman Software Works Inc, Ottawa and Worldwide
>
>
>
>

v2.23.0 | Report a Bug | By Email