Re: [its] Fwd: comments on vehicular communication drafts
Alexandre Petrescu <alexandre.petrescu@gmail.com> Wed, 04 November 2015 09:23 UTC
Return-Path: <alexandre.petrescu@gmail.com>
X-Original-To: its@ietfa.amsl.com
Delivered-To: its@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF9CB1B2BCA for <its@ietfa.amsl.com>; Wed, 4 Nov 2015 01:23:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.683
X-Spam-Level:
X-Spam-Status: No, score=-2.683 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_CUSTOM_MED=0.001, FREEMAIL_FROM=0.001, HELO_EQ_FR=0.35, MANGLED_TRNFER=2.3, NML_ADSP_CUSTOM_MED=0.9, RCVD_IN_DNSWL_HI=-5, SPF_SOFTFAIL=0.665] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mIfvBlmwzCrP for <its@ietfa.amsl.com>; Wed, 4 Nov 2015 01:22:50 -0800 (PST)
Received: from sainfoin-out.extra.cea.fr (sainfoin-out.extra.cea.fr [132.167.192.145]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EFACA1B2BC8 for <its@ietf.org>; Wed, 4 Nov 2015 01:22:49 -0800 (PST)
Received: from pisaure.intra.cea.fr (pisaure.intra.cea.fr [132.166.88.21]) by sainfoin.extra.cea.fr (8.15.2/8.15.2/CEAnet-Internet-out-2.4) with ESMTP id tA49Ml3B014721; Wed, 4 Nov 2015 10:22:47 +0100
Received: from pisaure.intra.cea.fr (localhost [127.0.0.1]) by localhost (Postfix) with SMTP id DF2AD205B7B; Wed, 4 Nov 2015 10:28:46 +0100 (CET)
Received: from muguet1.intra.cea.fr (muguet1.intra.cea.fr [132.166.192.6]) by pisaure.intra.cea.fr (Postfix) with ESMTP id D1A04202431; Wed, 4 Nov 2015 10:28:46 +0100 (CET)
Received: from [127.0.0.1] ([132.166.84.151]) by muguet1.intra.cea.fr (8.15.2/8.15.2/CEAnet-Intranet-out-1.4) with ESMTP id tA49MgND025325; Wed, 4 Nov 2015 10:22:46 +0100
To: its@ietf.org
References: <D25B77A7.6EDE0%wesley.george@twcable.com> <56370B24.1050000@gmail.com>
From: Alexandre Petrescu <alexandre.petrescu@gmail.com>
Message-ID: <5639CE62.1030308@gmail.com>
Date: Wed, 04 Nov 2015 18:22:42 +0900
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <56370B24.1050000@gmail.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/its/NUJW6DWk554UyYqtY7r8I9nTPgw>
Cc: "George, Wes" <wesley.george@twcable.com>
Subject: Re: [its] Fwd: comments on vehicular communication drafts
X-BeenThere: its@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: ITS at IETF discussion list <its.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/its>, <mailto:its-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/its/>
List-Post: <mailto:its@ietf.org>
List-Help: <mailto:its-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/its>, <mailto:its-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Nov 2015 09:23:03 -0000
Hi, and thanks for reading through the documents. Let me reply to some aspects. > -------- Message transféré -------- Sujet : comments on vehicular > communication drafts Date : Sun, 1 Nov 2015 13:08:47 +0000 De : > George, Wes <wesley.george@twcable.com> Pour : > draft-ietf-ecrit-ecall@ietf.org <draft-ietf-ecrit-ecall@ietf.org>, > draft-ietf-ecrit-car-crash@ietf.org > <draft-ietf-ecrit-car-crash@ietf.org>, > draft-petrescu-its-problem@ietf.org > <draft-petrescu-its-problem@ietf.org>, > draft-petrescu-its-cacc-sdo@ietf.org > <draft-petrescu-its-cacc-sdo@ietf.org> > > Either way (text quoted from the eCall draft) this gave me pause: O > The ability to handle text o The ability for the PSAP to access > vehicle components (e.g., an onboard camera (such as rear facing or > blind-spot cameras) for a visual assessment of the crash site > situation) o The ability for the PSAP to request the vehicle to take > actions (e.g., sound the horn, disable the ignition, lock/unlock > doors) [PSAP: Public Safety Answering Point, might be an emergency center] > The security considerations sections need bolstering in light of > recent revelations around the vulnerability of many CANBUS vehicles > for attacks via their existing cellular/data connections. I agree. > The ability to handle text brings with it the ability to trigger > buffer overruns and other exploits, and so there should be specific > discussion about input validation and protection against this attack > vector. Accessing and manipulating vehicle components especially > critical systems is enough of a privacy and safety concern that there > should be more specific text about how to prevent unauthorized > access. I think this starts with removing this (IMO) faulty > assertion: "emergency call placed over a cellular network, there is a > higher degree of trust that the source is indeed a PSAP" and > replacing it with something that reinforces the "trust but verify" > model, since the cellular network, while marginally more secure, is > subject to call interception and manipulation from a suitably > motivated and equipped actor, just like any other network. (google > Stingray, for example) This section should also discuss, in detail, > what is an acceptable level of security for the certificate to > validate that the PSAP is authorized to send these sorts of commands, > whether in call-back or in initial call, whether the payload data > MUST/SHOULD be encrypted on the path to prevent > interception/manipulation, and usual certificate based best practices > such as mandatory to implement (or mandatory to avoid due to proven > insecurity) algorithms, best practices for keyrolls, cert revocation, > etc. as well as probably some text about general security best > practices (remote software updates, third-party pentesting, airgaps, > signed software, etc). There's no reason to reinvent this, but you > need to reference existing IETF standards defining this for e.g. TLS, > PKI, etc. and adapt where appropriate. Yes, the tools available at IETF should be referenced, such as the basic IPsec, TLS tools, and PKI concepts. > Automakers have demonstrated on multiple occasions that they either > don't understand these aspects of security in the connected car or > don't understand why it's important, (e.g BMW not using HTTPS) so > erring on the side of too much info is IMO the right model, because > we have no reason to believe that the other SDOs involved in this > effort will possess the standards and expertise, nor motivation to > document it properly. Work was performed recently to adapt TLS to vehicular-specific certificates such as defined by IEEE and ETSI ITS: draft-lonc-tls-certieee1609-01.txt This was presented in a TLS session in Prague. Is there any other vehicular security specific work at IETF? Other vehicular related SDOs such as ISO TC204 start as we speak to consider the use of such tools, refraining from defining new ones. > In the case of the Petrescu drafts, explicit language identifying > the system as read-only would probably limit the exposure to some of > the concerns I raised above specific to manipulating important > systems as described in the eCall drafts, Sorry, what do you mean by identifying the system as read-only? In the V2V use-cases such as CACC/Platooning we have an effort ongoing to understand the relationship with V2I. Namely, how should the IP path establishment tools of V2V be involved when communicating with the immediate infrastructure, how should the downwards path from the Internet be considered. In some prototype demonstrators the V2V protocol paths are commpletely independent of the V2Internet paths (e.g. two different disconnected boxes in the car, one in charge of V2V other for V2I). The V2I boxes do run TLS with certificates. And, specific vehicular industry activities consider seriously the establishment of a "vehicular PKI" which is independent of the typical Internet PKI, with some prototype demonstrators in Europe. This raises several questions: 1. Can two boxes in a car be disconnected from each other? 2. How should the V2V tools be used to communicate with the immediate fixed infrastructure? 3. Can an independent PKI be used specifically for vehicles? > but ultimately due to the interconnectedness of these systems within > the vehicle and these drafts, it might make more sense to assume that > this opens a new attack vector to pivot through systems via V2V > communications, and discuss ways to harden the overall system > accordingly. I agree. Given one hacked car, if it is V2V-connected to other cars it leads to an amplified risk. > I am by no means a security expert, so I'm sure that there's more > I'm missing. It may be useful to ask for an early security > directorate review for this set of drafts, or even to ask the > Security ADs to suggest one or more security folks that you can ask > to assist in fleshing out the security considerations. I will ask this around. > You're also missing an opportunity to suggest that if this uses IP > networking, that it MUST support IPv6, given the number of devices > expected to be present, the timeline for deployment, etc. For the ITS problem statement we do assume IPv6 whenever we write IP. In the Charter proposal I think we mean the current generation of Internet Protocols is IPv6. But, one must know that in the current advanced IP-connected cars and prototypes IPv4 is considered first. In vehicles where IP has not yet arrived, IPv4 is already very advanced. Some car manufacturers depend on large fixed infrastructure (datacenters) which is IPv4 only. The immediate infra near the car - the intelligent road - may be more IPv6 though. There is a significant amount of work to do to talk IPv6 concepts (as opposed of IPv4) to car manufacturers. Some times it may be easier to propose just IP, regardless of the version. The word "IPv6" has so much of other aspects attached to it that are irrelevant to some vehicle manufacturers. > While that is not necessarily critical to the function of the > protocol itself, it definitely bears mentioning as acknowledging the > reality of applications that want to add hundreds of thousands of IP > nodes to the mobile data network in the era of exhausted IPv4. I fully agree, this is a good point. In some countries IPv6 is largely available through the cellular operators, which is an essential link for cars. In other countries this is far from happening. And cars target markets on a per-country basis, as opposed to smartphones for example which are much more able to cross borders. For example, I am wondering whether onstar and ecall migration to IPv6 is being considered somewhere. This will be a large effort I think. Alex > > > Thanks, > > > > Wes George > > Anything below this line has been added by my company’s mail server, > I have no control over it. ----------- > > > > > ________________________________ > > This E-mail and any of its attachments may contain Time Warner Cable > proprietary information, which is privileged, confidential, or > subject to copyright belonging to Time Warner Cable. This E-mail is > intended solely for the use of the individual or entity to which it > is addressed. If you are not the intended recipient of this E-mail, > you are hereby notified that any dissemination, distribution, > copying, or action taken in relation to the contents of and > attachments to this E-mail is strictly prohibited and may be > unlawful. If you have received this E-mail in error, please notify > the sender immediately and permanently delete the original and any > copy of this E-mail and any printout. > > > > > > _______________________________________________ its mailing list > its@ietf.org https://www.ietf.org/mailman/listinfo/its >
- [its] Fwd: comments on vehicular communication dr… Alexandre Petrescu
- Re: [its] Fwd: comments on vehicular communicatio… Alexandre Petrescu
- Re: [its] Fwd: comments on vehicular communicatio… George, Wes