IETF Logo Mail Archive

Re: [Iotops] [Secdispatch] I-D: Deploying Publicly Trusted TLS Servers on IoT Devices Using SNI-based End-to-End TLS Forwarding (SNIF)

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Thu, 24 February 2022 10:38 UTC

Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: iotops@ietfa.amsl.com
Delivered-To: iotops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F260C3A08D5; Thu, 24 Feb 2022 02:38:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.101
X-Spam-Level:
X-Spam-Status: No, score=0.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, PDS_OTHER_BAD_TLD=1.999, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001, WEIRD_PORT=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=TvpxFw+A; dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=TvpxFw+A
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CbcU5LJCN0xR; Thu, 24 Feb 2022 02:38:06 -0800 (PST)
Received: from EUR01-DB5-obe.outbound.protection.outlook.com (mail-db5eur01on060c.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe02::60c]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9F89E3A091B; Thu, 24 Feb 2022 02:38:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=wEiLMq+XZ38XnKvthhi7htt+0g5xsSPH5jAE4tyDc0k=; b=TvpxFw+AZWGqkzr6hAE7GYwbg67FW/S4lVX2ZyMi5+8LPLa27sI9TFs0rd+4tCi1/zb6e/CpMroGjUC+kY0nA8IFr1+3K3eHS9BVQMfTuZ0laotAITG22bXpVPls05tBNHN7DwMKdKaGSVty6BRnCq68fSw4Q6pXDSiv3ZC74gg=
Received: from AS9PR06CA0246.eurprd06.prod.outlook.com (2603:10a6:20b:45f::12) by DB9PR08MB6649.eurprd08.prod.outlook.com (2603:10a6:10:26c::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5017.22; Thu, 24 Feb 2022 10:37:57 +0000
Received: from VE1EUR03FT029.eop-EUR03.prod.protection.outlook.com (2603:10a6:20b:45f:cafe::14) by AS9PR06CA0246.outlook.office365.com (2603:10a6:20b:45f::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5017.22 via Frontend Transport; Thu, 24 Feb 2022 10:37:57 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;dmarc=pass action=none header.from=arm.com;
Received-SPF: Pass (protection.outlook.com: domain of arm.com designates 63.35.35.123 as permitted sender) receiver=protection.outlook.com; client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com;
Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by VE1EUR03FT029.mail.protection.outlook.com (10.152.18.107) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5017.22 via Frontend Transport; Thu, 24 Feb 2022 10:37:55 +0000
Received: ("Tessian outbound 63bb5eb69ee8:v113"); Thu, 24 Feb 2022 10:37:55 +0000
X-CR-MTA-TID: 64aa7808
Received: from e0c69bcfc1a0.1 by 64aa7808-outbound-1.mta.getcheckrecipient.com id 1A880ABE-CFDB-4799-9ACC-49301AD68292.1; Thu, 24 Feb 2022 10:37:49 +0000
Received: from EUR04-HE1-obe.outbound.protection.outlook.com by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id e0c69bcfc1a0.1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Thu, 24 Feb 2022 10:37:49 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=nHDFVQOQukcd78Uv6gYWHmwZd+VjO/ojt2wsqkh3PWOtSMK3Q/ixTfvp2eqI4+pnd4w6d4n2gWCu7rLjq2DWcn/QG/NFkwBwc3SHgpURYpPj3Cp7u9CPjo5as1K8pdhpooAqMOMKSaig3/Y8M9BYtf0FYzMYxTCClS90+TwQ585Z2khgYF21cXBtxwLlZOiWPduROW0RaJKdUGYxHYjuzNBZXEi2wserxC1obPjhfW3PQ3MNALW9p807KhS1xCBRF6uIjYO/GhHU5wN10bgg55x2OuWKzwV2zhT9/R9fyk66OFHoPN6XzajjJNtpNyRe2/arT312glL3wQzlz/bOfA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=wEiLMq+XZ38XnKvthhi7htt+0g5xsSPH5jAE4tyDc0k=; b=Pw8yjGIA3BQ14erafMNIVrtTsOcD5FO6lxwtODSfSuCJ/9y/r9JsUFRDZJYZNj/0g2c5XLiUvlFBZu9e4pqYbCfYD1TXCvPLDBXe6XINW6WaX8BWWWuH2+XepcfZ6sStbSTdH+x8KRpnPJSy6VVxvV3BrPuS5dJ9aro23km5fhmzipJusXSncEk41NRlNn9v++KvB+x70wC5drkfwj8yWzRq/xs/pce1e1yVP/W2joQl1ETLpAN5V8QQQUQzoHvJxPJWRKFurHvQ2sGek6L92fXJTSTvRCE1dDKH2Y46xyRq7Vjc7EzC8tI2zqcwHvMMgxPsfHgFjykc9g62oiR23Q==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=wEiLMq+XZ38XnKvthhi7htt+0g5xsSPH5jAE4tyDc0k=; b=TvpxFw+AZWGqkzr6hAE7GYwbg67FW/S4lVX2ZyMi5+8LPLa27sI9TFs0rd+4tCi1/zb6e/CpMroGjUC+kY0nA8IFr1+3K3eHS9BVQMfTuZ0laotAITG22bXpVPls05tBNHN7DwMKdKaGSVty6BRnCq68fSw4Q6pXDSiv3ZC74gg=
Received: from DBBPR08MB5915.eurprd08.prod.outlook.com (2603:10a6:10:20d::17) by VI1PR08MB2829.eurprd08.prod.outlook.com (2603:10a6:802:22::28) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5017.21; Thu, 24 Feb 2022 10:37:46 +0000
Received: from DBBPR08MB5915.eurprd08.prod.outlook.com ([fe80::b478:3f3d:2464:65c8]) by DBBPR08MB5915.eurprd08.prod.outlook.com ([fe80::b478:3f3d:2464:65c8%5]) with mapi id 15.20.5017.024; Thu, 24 Feb 2022 10:37:46 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Jim Zubov <ietf-list@commercebyte.com>, "secdispatch@ietf.org" <secdispatch@ietf.org>, "secdispatch@ietf.org" <secdispatch@ietf.org>, Michael Richardson <mcr+ietf@sandelman.ca>, "iotops@ietf.org" <iotops@ietf.org>, "anima@ietf.org" <anima@ietf.org>
Thread-Topic: [Iotops] [Secdispatch] I-D: Deploying Publicly Trusted TLS Servers on IoT Devices Using SNI-based End-to-End TLS Forwarding (SNIF)
Thread-Index: AQHYHtVKop3offyr+0q9saoG3HE46Kyg/hiwgABVHACAAAMKAA==
Date: Thu, 24 Feb 2022 10:37:46 +0000
Message-ID: <DBBPR08MB59159BFB36A926DA8E851723FA3D9@DBBPR08MB5915.eurprd08.prod.outlook.com>
References: <0075B437-024A-4D84-ABD7-92FE8DAFA59F@commercebyte.com>, <1865.1644434146@localhost> <E1nHwaz-0000LM-I5@ocean1.commercebyte.com> <4026.1644516168@localhost> <685366A1-01F4-4788-B025-0F5F4CE7947F@commercebyte.com> <DBBPR08MB591577EC79C3D11114AA747CFA3C9@DBBPR08MB5915.eurprd08.prod.outlook.com> <FC43EB7C-5ABF-4061-89BA-1503F0B6340D@commercebyte.com>
In-Reply-To: <FC43EB7C-5ABF-4061-89BA-1503F0B6340D@commercebyte.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ts-tracking-id: BC58F46847054545A6C12BA3C67F46E6.0
x-checkrecipientchecked: true
Authentication-Results-Original: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;
X-MS-Office365-Filtering-Correlation-Id: 151980da-76a8-4058-c1c0-08d9f781b809
x-ms-traffictypediagnostic: VI1PR08MB2829:EE_|VE1EUR03FT029:EE_|DB9PR08MB6649:EE_
X-Microsoft-Antispam-PRVS: <DB9PR08MB6649E6BFA8AAD798FAA3463EFA3D9@DB9PR08MB6649.eurprd08.prod.outlook.com>
x-checkrecipientrouted: true
nodisclaimer: true
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: v1OPT+x7/5jt/G7RAOSpRdk7JTmh83xx+z8QGU5m0nXdu4ZoRwRBy9zigT3NTHZmhdoIbazV/aZuxQFkLkt2lfyQLL3L8EXBzxcwcqNQMQ8PhkGxOvyjimeOt+1vu7q51Zl+uKZxHAc1eC4j7YJ41zuF2UqDNoslEAxFBhCsdw7nzE2nGatXCWnxjFWtzRn3mM98yvnR/6PvVjlE12PMw7N2MWxGWRt5mf4ZfNHZvWloy/COR9w516RDbuFsRPcjtiZbFzfjtIG5AtsKXzBTqPeoFWwSOistzxIHciHmtbPU5OqowmJelmCP50YVP6aLYwkj6puWfBA4xIro5ftC9BdQUv4qK+5gdXT6Jq3LUMkF0bNbHuvcvCC2LWbEl1Uk2WUJq+6cN2uUHoISTbhP1MTFn4CnpAUaX4xdWJ6JuW47QL7vTAnPaNgKX2Moc/B0TQaGgabDcFCs7oV6gl9bxXtSQahuxJ1zBRaD7F32O/Bwo+QDwiAsqeuzyrZk96Lhf0ZuJyErlF1GfyTbgezyxtgtPiRQkCIVgE+EEMTcHe8fU339wW3KgJ+dsB2acWc0DY+H7e8FWn3aF7hooRgv5mbzSgKjzwJESHDbuZJHxc1R0dQ+PNOgr8iGiYfHcBykDPDGz7gE4xc6y9RL/jPASC25f2sJBbsT8SBVb+6jA5JchyAucIxg0vuvM1SqVOesPUvuj1IQ+7FOHt+GTHtcyeBlR0GWAZ1e1wfxLpMesHJCU5oQtZLL5d75aT4eGnjJhv/HICZjntnyTkxsxF/Zo1GdbrhqtMYEgW2fvzefOFgAj4QsF2oDFWCJM8F8JJKlovz/nWsSifif09oVUeafXcEBAxtO1uKyHCeQ5Tb9A5Q=
X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DBBPR08MB5915.eurprd08.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230001)(4636009)(366004)(86362001)(55016003)(71200400001)(76116006)(6506007)(53546011)(8936002)(66946007)(66446008)(30864003)(66574015)(9686003)(2906002)(122000001)(7696005)(38070700005)(66556008)(52536014)(66476007)(64756008)(8676002)(38100700002)(26005)(83380400001)(316002)(110136005)(33656002)(966005)(5660300002)(186003)(508600001)(69594002); DIR:OUT; SFP:1101;
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR08MB2829
Original-Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: VE1EUR03FT029.eop-EUR03.prod.protection.outlook.com
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id-Prvs: 33c9a8ca-bc0e-4957-48be-08d9f781b261
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: piG5beYSZBw1Xr9jPbHIJBeb8ZsOt4Bl1kWnkAMg7rbYgrcK9LN/cS8xeDUxjsQvcsUOaDEYrK46Qg2B9p6aWRCzdc+fQiX8WjyHwvdHuIRCFbhRP5rcCG20zwPnO8BVE35bJcIyrN45e/ezebpkgJqUPFY5d1tE/f2aBj47IvvmoZX5/LqngFmlK3js2eXQTukzMlFuiitlxfPNdU4lazWi89VwPddNo5AoagyH2EDvG2HzKdqk2RdMd0vn5qw7Xlys0hGJ0YoAv3LQ1pZso+e2VfA4lbkhwF/rDQTVoVDxmgOkkXmkh+mQIyaGLQoOnpyd5rNVze12RQiP+rfL5ZqI/WKkvEg4ZR3EDJY3H52J3UsARi9TyYDd1ITb0cQKugMOFq31hIbhPvJvvJeB6vFKI2oQhuXVkBAyWZPQcI1QG6AG3iv7jCSHicLSoxyqXk/k9Tw+qSv7rR72HJdaoqX1E54WYSo5K9USKq0gji8fRoCHtQZNG2W5mgJNxtUd2+R7MKJSxY39Mu7DE40jgT+inxCkq+ir55DEU3p7P0R0HsPD0ZhB3iNrT0BX5lzvvWEFuqK61+DExOrqfbtrMCYGBZ9pZZiKpRAkWkMOl6ITCywb//kWw5bNl1uy7QhUYfKcPQLnxYwpYKEit6kSLJhnIoMddbV4skqrFtZBtaKBNlMbC8pWW8toHh2YbeVHXLAxK/9dh1IsNbLvY9oi4j32/PJhj816WVQkTDch3RMTxZa4Q8MoSwVBhl2wbNtnQUpnLFo9xlq3t/36XXaI/QFpNr28CmJXlt2T+XhwnRVf+jjNQaRnwv8A4fQHbj8e
X-Forefront-Antispam-Report: CIP:63.35.35.123; CTRY:IE; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM; H:64aa7808-outbound-1.mta.getcheckrecipient.com; PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com; CAT:NONE; SFS:(13230001)(4636009)(36840700001)(46966006)(40470700004)(70586007)(70206006)(2906002)(9686003)(8676002)(47076005)(508600001)(52536014)(8936002)(450100002)(36860700001)(966005)(40460700003)(86362001)(186003)(83380400001)(30864003)(316002)(53546011)(26005)(6506007)(55016003)(33656002)(356005)(5660300002)(336012)(66574015)(82310400004)(81166007)(110136005)(7696005)(69594002); DIR:OUT; SFP:1101;
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 24 Feb 2022 10:37:55.7943 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 151980da-76a8-4058-c1c0-08d9f781b809
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123]; Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-AuthSource: VE1EUR03FT029.eop-EUR03.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB9PR08MB6649
Archived-At: <https://mailarchive.ietf.org/arch/msg/iotops/lZLTbcq4kuTbs9uOHVfoq57efYI>
Subject: Re: [Iotops] [Secdispatch] I-D: Deploying Publicly Trusted TLS Servers on IoT Devices Using SNI-based End-to-End TLS Forwarding (SNIF)
X-BeenThere: iotops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IOT Operations <iotops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/iotops>, <mailto:iotops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/iotops/>
List-Post: <mailto:iotops@ietf.org>
List-Help: <mailto:iotops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/iotops>, <mailto:iotops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Feb 2022 10:38:11 -0000

Hi Jim,

Thanks for the quick response. The link to your website is helpful. I now understood that you would also relay the communication through the proxy, which deals with the IoT device being behind a NAT and/or firewall if the IoT device keeps the connection alive.

I wonder whether you have considered to re-use an existing device management solutions since those is widely deployed today?

Ciao
Hannes

-----Original Message-----
From: Iotops <iotops-bounces@ietf.org> On Behalf Of Jim Zubov
Sent: Wednesday, February 23, 2022 4:17 PM
To: secdispatch@ietf.org; Hannes Tschofenig <Hannes.Tschofenig@arm.com>; Jim Zubov <ietf-list@commercebyte.com>; secdispatch@ietf.org; Michael Richardson <mcr+ietf@sandelman.ca>; iotops@ietf.org; anima@ietf.org
Subject: Re: [Iotops] [Secdispatch] I-D: Deploying Publicly Trusted TLS Servers on IoT Devices Using SNI-based End-to-End TLS Forwarding (SNIF)

Thank You for your feedback Hannes, I addressed the comments below -

On February 23, 2022 5:36:15 AM EST, Hannes Tschofenig <Hannes.Tschofenig@arm.com> wrote:
>Hi all,
>
>Thanks for this contribution, Jim.
>
>Reading through the document I agree that the SUIB topic discussed in the IOTOPS WG appears relevant. I also wonder whether the work in the DANISH group (see https://datatracker.ietf.org/wg/danish/about/) is relevant.

Agreed about SUIB, not quite sure about DANISH. DANISH is about certificate based authentication and PKI extensions, while SNIF is about end-to-end relayed trusted TLS that relies on the standard PKI.

>
>Regarding the use in IoT I have a question for my understanding.
>
>In a nutshell, you introduce a proxy that allocates a hostname and requests a creation of a certificate on behalf of the IoT device.

Correct, plus an e2e TLS relay.
>
>To get this to work you rely on three assumptions:
>(1) There has to be a communication infrastructure that associates the "anonymous" hostname with a specific device and conveys these identifiers to the relevant parties.

Each device is configured with an initUrl pointing to a specific CA proxy that allocates a random hostname (a CN to be more accurate), normally a subdomain of a master domain that has a wildcard DNS record pointing to the CA proxy.
Example - the initUrl for public experimental use - https://snif.snif.xyz:4443 The allocated wildcard CN is a subdomain of the master domain snif.xyz


>(2) You assume that a party that wants to contact the IoT device is able to reach the device (i.e. the IoT device is not behind a firewall or NAT).

Both the IoT device and the client connect to the SNIF relay. The whole purpose of SNIF is to be able to work from behind NAT / firewall /etc, and it's been confirmed to work in pre-production. In fact I had a minor hickup with Fortigate in the process of testing which has been resolved.
There are simplified diagrams on https://snif.host to illustrate the concept.


>(3) Someone operating IoT devices has to trust the proxy since it is easy for the proxy to associate a hostname with a public key that was created by the proxy (rather than the end device). This essentially allows the proxy to impersonating the IoT device.
>
>Is my understanding correct?

Yes, I mentioned this vulnerability in the security section. The answer is
- watch the public TLS transparency logs, any party can do it. If any overlapping CNs are found - the CA proxy is permanently compromised,
- do not use random CA proxies owned by unknown parties.


>
>Ciao
>Hannes

Any further questions/suggestions are welcome.

>
>-----Original Message-----
>From: Secdispatch <secdispatch-bounces@ietf.org> On Behalf Of Jim Zubov
>Sent: Friday, February 11, 2022 12:22 AM
>To: secdispatch@ietf.org; Michael Richardson <mcr+ietf@sandelman.ca>;
>Jim Zubov <ietf-list@commercebyte.com>; iotops@ietf.org; anima@ietf.org
>Subject: Re: [Secdispatch] I-D: Deploying Publicly Trusted TLS Servers
>on IoT Devices Using SNI-based End-to-End TLS Forwarding (SNIF)
>
>Thanks for the feedback again, my comment are below.
>I submitted a new version of the draft to reflect some changes.
>
>On February 10, 2022 1:02:48 PM EST, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
>>
>>Jim Zubov <ietf-list@commercebyte.com> wrote:
>>    >> This was also on the IETF112 IOTOPS WG agenda:
>>    >> slides:
>>    >> https://datatracker.ietf.org/meeting/112/materials/slides-112-iotops-suib-browsing-local-web-resources-in-a-secure-usable-manner-iot-device-configuration-as-a-special-case-00
>>    >> video:  https://youtu.be/OIlJrUvwDcI?t=1649
>>    >>
>>    >> and we hope to return at IETF113.
>>
>>    > Right, looks like SUIB is working on a similar problem. Thanks for
>>    > pointing this out. In particular, the "Sol #6 Device name DNS" slide
>>    > looks quite similar to SNIF CA Proxy (Section 3). However, SUIB pursues
>>    > bigger infrastructural goals such as changing the localhost TLS
>>    > connection policies (I totally agree and really appreciate the effort),
>>    > while SNIF is a functioning solution within the existing
>>    > infrastructure, tested and proven to work in pre-production.
>>
>>The slides may be too vague.  Changing the TLS policies is a possible
>>solution, but probably an impractical one.  Nevertheless, many people
>>(not steeped in the arts, and often failling into the PHB category)
>>think that it is an obvious solution, so we list it in order to explain why it won't work.
>
>Yes, still sad that localhost slipped through the cracks when the original security standards were written.
>
>>
>>    >> The SUIB problem addresses the challenge of connecting *locally* to a
>>    >> device,
>>    >> and doing it securely.  For this to be possible with RFC6125-DNS-ID
>>    >> standard
>>    >> browser, we need a name for the device, and we need a way to translate
>>    >> that
>>    >> name into a locally reachable IP address.
>>    >>
>>    >> The SNIF proposal does not quite solve the above problem.
>>
>>    > In fact, I originally designed SNIF to solve this specific problem -
>>    > local-to-local trusted TLS connections.
>>
>>Ah, very nice to know.
>>
>>    > * Issue a wildcard cert through SNIF CA Proxy
>>    > (e.g. CN=*.domain.snif.xyz), set a DNS record for
>>    > localhost.domain.snif.xyz to point to localhost's IPv4/v6, and use
>>    > https://localhost.domain.snif.xyz (or other app protocol - imaps
>>    > etc). However, looks like some clients treat the localhost IP as
>>    > inherently unsecure, and issue a warning ever is the cert is perfectly
>>    > valid. The option is still possible, but the applicability might be
>>    > limited.
>>
>>The process we described at
>>
>>https://specs.manysecured.org/suib/Solutions/dnsname-embedded-solution
>>
>>also uses a wildcard cert, but has a magic authoritative DNS server
>>that translates the left-most label into an A or AAAA record.  It's
>>rather a cute hack, but at least:
>>  a) it's cachable
>>  b) it could even be calculated locally, if one ignores DNSSEC.
>
>Yes, using a local network IP instead of a localhost IP is actually a smart idea.
>However, inlining the local IP in the hostname, as SUIB does, means you'll have to change the hostname in your client every time your network is changed.
>I have an thought for SNIF improvement - SNIF connector sends a SNIF DNS command to set a dynamic DNS A/AAAA for a certain hostname within the CN wildcard, and the CA proxy updates the DNS accordingly. This way the hostname can be permanent, but with dynamic DNS.
>Another problem - most platforms won't let you bind to port < 1024 unless you're a root. Might be ok for a device manufacturer, but is a potential show stopper for any user space app. Relayed SNIF works around this problem since the listening ports are on the relay.
>
>
>>
>>    > * Another option is to override the IP routing rules. It is totally
>>    > possible on iOS and Mac through a userspace VPN (only one VPN per
>>    > device though - beware of possible conflicts). In fact I have a
>>    > functioning solution for it, in beta now -
>>
>>That doesn't really scale to many different domains.
>
>Totally agreed, I just mentioned that this option works for *some* cases, tun/tap a is possible option too if you're a root.
>
>>
>>    >> Still, if SNIF is replacing a manufacturer proprietary call-home protocol,
>>    >> there could be advantages from having well reviewed code bases, and
>>    >> potentially an ecosystem of SNIF Providers that manufacturers could
>>    >> outsource
>>
>>    >> to.  Azure/Amazon/... could easily run such services.
>>
>>    > I see two options - a SNIF server implemented by each vendor for their
>>    > own devices/services, or a bigger SNIF SaaS implemented by a trusted
>>    > provider, used by vendors.
>>
>>Yes, but what's the financial motive for this provider?
>
>(1) For a vendor to run their own SNIF server: market as a true auditable end-to-end for IoT devices they offer.
>(2) For a vendor using SNIF SaaS: market as (1) backed by
>{TrustedBigName}
>(3) For a {TrustedBigName} to run SNIF SaaS: collect fees from (2) for using their service and big name.
>
>As a matter of fact, SNIF relay is light on server resources. I've been running it on a minimum DigitalOcean virtual server for months with more than a dozen connectors,   the server load is a fraction of a percent. Of course if somebody connects IoT cameras they can generate some traffic, but IoT vendors already handle it through their proprietary relays.
>
>>
>>    >> SNIF seems very much IPv4 NAT44 focused, and it could benefit from some
>>    >> understanding of IPv6 and IPv6-over-IPv4 technologies,
>> particularly
>>
>>    >> Teredo.
>>
>>    > SNIF is not exactly focused on v4, it works fine with v6 as well. It's
>>    > designed to work around NAT, that's true. However, IPv6 networks may
>>    > pose issues too - firewalls etc, which will prevent to directly accept
>>    > incoming TCP on IPv6 address.
>>
>>Teredo could be used instead and allows the relay to be stateless and
>>distributed, and devolves to ordinary IPv6 when it is present.
>
>Yes, but Teredo is IPv6 specific, the world is not strictly IPv6 yet. And it's a system level solution, while SNIF works fine in a user space.
>
>>
>>    >> It clearly has to speak HTTPS only.
>>
>>    > I specified HTTP because PKCS#10 and X.509 are inherently secure to be
>>    > sent over a plain connection.
>>
>>Yes, but there are privacy concerns which will become a pain, so
>>better to just say HTTPS here.
>
>I respectfully disagree, still think HTTP is an easier answer for SNIF. The problem with HTTPS is - SNIF relay (usually) routes https port to SNIF connectors, and does not serve it within the server. Having a dedicated hostname or an alternate port means than SNIF connectors need additional configuration options, or additional discovery protocols. On the other hand, HTTP allows to derive all API URLs deterministically from the CN.
>I addressed the possible security concerns in more details and amended the Security section in the draft.
>
>
>>
>>    > The best option is the manufacturer I believe. The manufacturer can
>>    > have either their own SNIF server, or work with a trusted SaaS. This
>>    > way it's zero setup for the end user, and doesn't need any
>>    > infrastructure additions.
>>
>>Agreed, the manufacturer has to provision a credential.
>
>Yes I proposed some outlines in the security section, more detailed specs are probably better to describe in a separate draft.
>
>>
>>    > Sure, elliptic curves are better, but some old school clients may have
>>    > problems with them. It may make sense to not mention the recommended
>>    > algorithm in the draft, and just to follow the CA's recommendations.
>>
>>ECDSA acceleration is pretty much ubiquitous, while RSA is not.
>
>Honestly I don't think acceleration is such a big deal, most of TLS job is symmetric ciphers anyway. But I agree - it's better to follow the CA suggestions and industry practices.
>
>>
>>    > I believe there's no security issue, as long as the CN entropy is sufficient.
>>
>>    > I specified the X-SNIF-CN: as mandatory, and text/plain body as an
>>    > optional duplicate of it. To make it cleaner, I can remove the body
>>    > from the specs and say the response body is to be ignored.
>>
>>If both are present, and they don't match, then there is confusion.
>>So just go with one.  I think that it should actually be a JSON or CBOR payload return.
>
>Agreed, I removed the response body from the draft, going with the header.
>
>
>>
>>    >> They *aren't* what IANA would call "IP protocols", which would be things
>>    >> like
>>    >> TCP, UDP, SCTP, ESP, ...
>>
>>    >> Has IANA *already* registered port 7123 then?
>>
>>    > It's not an IP protocol. It's a service that listens on TCP 7123, I
>>    > registered with IANA based on a previous version of the document,
>>    > before I turned it into an I-D.
>>
>>I think you should drop the "snif-*" sentence as it makes no sense.
>>You have already allocated TCP port 7123 to the SNIF *service*, so
>>that's great.
>
>It's actually called "Service Names" in IANA terminology, sorry for the confusion. I updated in the draft.
>
>
>
>>
>>--
>>]               Never tell me the odds!                 | ipv6 mesh networks [
>>]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
>>]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
>>
>
>_______________________________________________
>Secdispatch mailing list
>Secdispatch@ietf.org
>https://www.ietf.org/mailman/listinfo/secdispatch
>IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
>
>_______________________________________________
>Secdispatch mailing list
>Secdispatch@ietf.org
>https://www.ietf.org/mailman/listinfo/secdispatch

--
Iotops mailing list
Iotops@ietf.org
https://www.ietf.org/mailman/listinfo/iotops
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email