IETF Logo Mail Archive

Re: [Iotops] [Secdispatch] I-D: Deploying Publicly Trusted TLS Servers on IoT Devices Using SNI-based End-to-End TLS Forwarding (SNIF)

Michael Richardson <mcr+ietf@sandelman.ca> Thu, 10 February 2022 18:03 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: iotops@ietfa.amsl.com
Delivered-To: iotops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C5D33A0E78; Thu, 10 Feb 2022 10:03:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.1
X-Spam-Level:
X-Spam-Status: No, score=-0.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, PDS_OTHER_BAD_TLD=1.999, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sandelman.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8Ial0Ce_McDg; Thu, 10 Feb 2022 10:02:56 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1E8763A0AB8; Thu, 10 Feb 2022 10:02:55 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 92C8D389EC; Thu, 10 Feb 2022 13:10:36 -0500 (EST)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id NUyTzGEMX1Uk; Thu, 10 Feb 2022 13:10:33 -0500 (EST)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id A0A34389DB; Thu, 10 Feb 2022 13:10:33 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sandelman.ca; s=mail; t=1644516633; bh=jjywtfinMLwXeW5N35J1il8W+dnft6HPNiH08zf0bvY=; h=From:To:Subject:In-Reply-To:References:Date:From; b=KKRl7Ihtw1hcFHISfuDscXC/PfL9VSNEtFMkfW/t8HxKVccq5N1xAI9yvS8EVj3FE DbaX5shIKvM/WEB0n8sJNoOtmzGsy9YvTYaPaTGokin5vIv2H/eMIILJ0FKI1+mJao C46X11dI5QkaLqeF8AQazz1RJ7PifRF7hW+B7kzCcGnt+UAVAeYB6wsNhWH8nFzGTZ R75IP0+gFnofkT7ADODdCBnSU89owLF/VK8iYp1k25DYR1wiUrG9YcnbXAWJs55lFu pAeO6EafhMC8gXb0Qm3DgeX0U29dk32hxusJH+Mi4Y9E0s4g0q/4wKbGuZO5WIJ4kg CY7vi/AZv+M/w==
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 0C2ABB5A; Thu, 10 Feb 2022 13:02:48 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Jim Zubov <ietf-list@commercebyte.com>, secdispatch@ietf.org, iotops@ietf.org, anima@ietf.org
In-Reply-To: <E1nHwaz-0000LM-I5@ocean1.commercebyte.com>
References: <0075B437-024A-4D84-ABD7-92FE8DAFA59F@commercebyte.com>, <1865.1644434146@localhost> <E1nHwaz-0000LM-I5@ocean1.commercebyte.com>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Thu, 10 Feb 2022 13:02:48 -0500
Message-ID: <4026.1644516168@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/iotops/pkxOtuqjB0T_9PxAm6ctDBr9Mmk>
Subject: Re: [Iotops] [Secdispatch] I-D: Deploying Publicly Trusted TLS Servers on IoT Devices Using SNI-based End-to-End TLS Forwarding (SNIF)
X-BeenThere: iotops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IOT Operations <iotops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/iotops>, <mailto:iotops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/iotops/>
List-Post: <mailto:iotops@ietf.org>
List-Help: <mailto:iotops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/iotops>, <mailto:iotops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Feb 2022 18:03:04 -0000

Jim Zubov <ietf-list@commercebyte.com> wrote:
    >> This was also on the IETF112 IOTOPS WG agenda:
    >> slides:
    >> https://datatracker.ietf.org/meeting/112/materials/slides-112-iotops-suib-browsing-local-web-resources-in-a-secure-usable-manner-iot-device-configuration-as-a-special-case-00
    >> video:  https://youtu.be/OIlJrUvwDcI?t=1649
    >>
    >> and we hope to return at IETF113.

    > Right, looks like SUIB is working on a similar problem. Thanks for
    > pointing this out. In particular, the "Sol #6 Device name DNS" slide
    > looks quite similar to SNIF CA Proxy (Section 3). However, SUIB pursues
    > bigger infrastructural goals such as changing the localhost TLS
    > connection policies (I totally agree and really appreciate the effort),
    > while SNIF is a functioning solution within the existing
    > infrastructure, tested and proven to work in pre-production.

The slides may be too vague.  Changing the TLS policies is a possible
solution, but probably an impractical one.  Nevertheless, many people (not
steeped in the arts, and often failling into the PHB category) think that it
is an obvious solution, so we list it in order to explain why it won't work.

    >> The SUIB problem addresses the challenge of connecting *locally* to a
    >> device,
    >> and doing it securely.  For this to be possible with RFC6125-DNS-ID
    >> standard
    >> browser, we need a name for the device, and we need a way to translate
    >> that
    >> name into a locally reachable IP address.
    >>
    >> The SNIF proposal does not quite solve the above problem.

    > In fact, I originally designed SNIF to solve this specific problem -
    > local-to-local trusted TLS connections.

Ah, very nice to know.

    > * Issue a wildcard cert through SNIF CA Proxy
    > (e.g. CN=*.domain.snif.xyz), set a DNS record for
    > localhost.domain.snif.xyz to point to localhost's IPv4/v6, and use
    > https://localhost.domain.snif.xyz (or other app protocol - imaps
    > etc). However, looks like some clients treat the localhost IP as
    > inherently unsecure, and issue a warning ever is the cert is perfectly
    > valid. The option is still possible, but the applicability might be
    > limited.

The process we described at
   https://specs.manysecured.org/suib/Solutions/dnsname-embedded-solution

also uses a wildcard cert, but has a magic authoritative DNS server that
translates the left-most label into an A or AAAA record.  It's rather a cute
hack, but at least:
  a) it's cachable
  b) it could even be calculated locally, if one ignores DNSSEC.

    > * Another option is to override the IP routing rules. It is totally
    > possible on iOS and Mac through a userspace VPN (only one VPN per
    > device though - beware of possible conflicts). In fact I have a
    > functioning solution for it, in beta now -

That doesn't really scale to many different domains.

    >> Still, if SNIF is replacing a manufacturer proprietary call-home protocol,
    >> there could be advantages from having well reviewed code bases, and
    >> potentially an ecosystem of SNIF Providers that manufacturers could
    >> outsource

    >> to.  Azure/Amazon/... could easily run such services.

    > I see two options - a SNIF server implemented by each vendor for their
    > own devices/services, or a bigger SNIF SaaS implemented by a trusted
    > provider, used by vendors.

Yes, but what's the financial motive for this provider?

    >> SNIF seems very much IPv4 NAT44 focused, and it could benefit from some
    >> understanding of IPv6 and IPv6-over-IPv4 technologies, particularly

    >> Teredo.

    > SNIF is not exactly focused on v4, it works fine with v6 as well. It's
    > designed to work around NAT, that's true. However, IPv6 networks may
    > pose issues too - firewalls etc, which will prevent to directly accept
    > incoming TCP on IPv6 address.

Teredo could be used instead and allows the relay to be stateless and
distributed, and devolves to ordinary IPv6 when it is present.

    >> It clearly has to speak HTTPS only.

    > I specified HTTP because PKCS#10 and X.509 are inherently secure to be
    > sent over a plain connection.

Yes, but there are privacy concerns which will become a pain, so better to
just say HTTPS here.

    > The best option is the manufacturer I believe. The manufacturer can
    > have either their own SNIF server, or work with a trusted SaaS. This
    > way it's zero setup for the end user, and doesn't need any
    > infrastructure additions.

Agreed, the manufacturer has to provision a credential.

    > Sure, elliptic curves are better, but some old school clients may have
    > problems with them. It may make sense to not mention the recommended
    > algorithm in the draft, and just to follow the CA's recommendations.

ECDSA acceleration is pretty much ubiquitous, while RSA is not.

    > I believe there's no security issue, as long as the CN entropy is sufficient.

    > I specified the X-SNIF-CN: as mandatory, and text/plain body as an
    > optional duplicate of it. To make it cleaner, I can remove the body
    > from the specs and say the response body is to be ignored.

If both are present, and they don't match, then there is confusion.
So just go with one.  I think that it should actually be a JSON or CBOR payload return.

    >> They *aren't* what IANA would call "IP protocols", which would be things
    >> like
    >> TCP, UDP, SCTP, ESP, ...

    >> Has IANA *already* registered port 7123 then?

    > It's not an IP protocol. It's a service that listens on TCP 7123, I
    > registered with IANA based on a previous version of the document,
    > before I turned it into an I-D.

I think you should drop the "snif-*" sentence as it makes no sense.
You have already allocated TCP port 7123 to the SNIF *service*, so that's
great.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [

v2.23.0 | Report a Bug | By Email