Re: [Last-Call] Opsdir last call review of draft-ietf-suit-mud-06
Eliot Lear <lear@lear.ch> Thu, 21 December 2023 11:50 UTC
Return-Path: <lear@lear.ch>
X-Original-To: last-call@ietfa.amsl.com
Delivered-To: last-call@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 304A0C09036B; Thu, 21 Dec 2023 03:50:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.897
X-Spam-Level:
X-Spam-Status: No, score=-5.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_ALL=0.8, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_HELO_PERMERROR=0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=lear.ch
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RGciNNoi09WJ; Thu, 21 Dec 2023 03:50:17 -0800 (PST)
Received: from upstairs.ofcourseimright.com (upstairs.ofcourseimright.com [IPv6:2a00:bd80:aa::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0BEFDC14F5FD; Thu, 21 Dec 2023 03:49:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=lear.ch; s=upstairs; t=1703159386; bh=x0vfdQkiBV+VTxIDoW9XkLFsPCgMK0cNBLJqCNkRQvI=; h=Date:Subject:To:Cc:References:From:In-Reply-To:From; b=iN/Wn+brYJI+nEJGW/bSjAAc6hc9CzdrtSDnFqWzKRC/Yv9cndIXJb8KAwYHtg4eh EScBq8H+hGTmW8t71deYiTppPOiDeyx+b+YMIiyf9eFXxgn7JWHL756BB6QAua5iYD V3CnvT/JORW+dek8aZ5H1kB8Js56lQUhDRi89vUQ=
Received: from [IPV6:2001:420:c0c0:1003::3eb] ([IPv6:2001:420:c0c0:1003:0:0:0:3eb]) (authenticated bits=0) by upstairs.ofcourseimright.com (8.15.2/8.15.2/Debian-22ubuntu3) with ESMTPSA id 3BLBniXA3289003 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO); Thu, 21 Dec 2023 12:49:45 +0100
Content-Type: multipart/alternative; boundary="------------c02B8b4JPUv1NWcE0dZzAtBL"
Message-ID: <983b4f20-fc7c-44ac-943f-100253653d4e@lear.ch>
Date: Thu, 21 Dec 2023 12:49:42 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, Susan Hares <shares@ndzh.com>, ops-dir@ietf.org
Cc: draft-ietf-suit-mud.all@ietf.org, last-call@ietf.org, suit@ietf.org
References: <170170315182.17411.11522235103450951717@ietfa.amsl.com> <e92a87df-5554-4dda-b5aa-47155f3c4614@gmx.net> <ef80cde4-027a-463d-8b6b-21df80fa9d8e@lear.ch> <aca7f406-ba0e-4f66-ae27-1e34d97cc28c@gmx.net>
From: Eliot Lear <lear@lear.ch>
Autocrypt: addr=lear@lear.ch; keydata= xsBNBFMe1UQBCADdYOS5APDpIpF2ohAxB+nxg1GpAYr8iKwGIb86Wp9NkK5+QwbW9H035clT lpVLciExtN8E3MCTPOIm7aITPlruixAVwlBY3g7U9eRppSw9O2H/7bie2GOnYxqmsw4v1yNZ 9NcMLlD8raY0UcQ5r698c8JD4xUTLqybZXaK2sPeJkxzT+IwupRSQ+vXEvFFGhERQ88zo5Ca Sa1Gw/Rv54oH0Dq2XYkO41rhxQ60BKZLZuQK1d9+1y3I+An3AJeD3AA31fJZD3H8YRKOBgqe ILPILbw1mM7gCtCjfvFCt6AFCwEsjITGx55ceoQ+t5B5XGYJEppMWsIFrwZsfbL+gP31ABEB AAHNGUVsaW90IExlYXIgPGxlYXJAbGVhci5jaD7CwI4EEwECADgCGwMCHgECF4AWIQSY0L2Q Rh2wkqeyYR2HtmtG2dJ6MwUCWxJwMwULCQgHAgYVCAkKCwIEFgIDAQAKCRCHtmtG2dJ6M8KI B/46pFrJX+4Ockl2fHR303ais9Lyx8jv6mXKKOr8WR0UYcJ0syQrhaaZNG1VV98tYQHHK9F5 y7hH4YCsrr3odZ6zoavnx5X1X/2xw8y732f/irVoOOkYLid9IGPxa2e2nYXCZpde5/yvv3we XVE4mG4dEAD5T8iKS4Hz/3fKGJQ15o79Jv92HgC7RpCt0WaiQ0b6acP3PuwjDJzJzLFZzb7j IiB3izxQESSWE1GNRmoAK/k0gW6kmx1/87tQENrK+3Nn4CJSFQWF6entLnY7UeVm95wbMQkJ evwddDWUO2huDbmZnmxgKXGzSSpuNq7n8ICAOlbt0HfdJAZQfy25bwvezsBNBFMe1UQBCAC0 WV7Ydbv95xYGPhthTdChBIpPtl7JPCV/c6/3iEmvjpfGuFNaK4Macj9le20EA5A1BH7PgLGo HOiPM65NysRpZ96RRVX3TNfLmhGMFr5hPOGNdq+xcGHVutmwPV9U7bKeUNRiPFx3YdEkExdd qV2E8FltT0x2FSKe2xszPPHB6gVtMckX5buI9p1K3fbVhXdvEkcYY/jB0JEJGyhS5aEbct5c HUvDAkT81/YFK5Jfg8RRwu1q1t1YuIJSOWAZQ9J9oUsg6D9RpClU+tIFBoe3iTp1AUfJcypu cGKgLYKtpu/aygcpQONHYkYW5003mPsrajFhReVF5veycMbHs4u5ABEBAAHCwF8EGAECAAkF AlMe1UQCGwwACgkQh7ZrRtnSejOSuQgA27p2rYB7Kh20dym6V8c62pWpBHHTgxr/32zevxHS iXl6xvUCg5T8WUwfUk8OvgDcBErK/blDAMXQzSg3sp450JhR8RnXHXF5Zz2T04X7HnlIVJGw f2CjnwyEAJCqMzaCmI+g3Imvg/8L4nyBFvhlFHDv+kIvMiujyycjPAu7xxKplBs1/IEwmDoA MjneFmawvfeQnwdMhSKK8PjKSuzGU5uUmxj3GBfRqvTM0qpmhMPFOmDhJSmH55HLAky2Mlmq JYXJPt/9EfSEhFiua1M6gLiuNEuPkp+8jcnHQqKr0IeHt8UqcwLt2mGfIyl0FVdF9hvWPjNR zGbgqoT1Di03RQ==
In-Reply-To: <aca7f406-ba0e-4f66-ae27-1e34d97cc28c@gmx.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/1zksNLDYOGVzJGN6MY7qnVXJvDw>
Subject: Re: [Last-Call] Opsdir last call review of draft-ietf-suit-mud-06
X-BeenThere: last-call@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF Last Calls <last-call.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/last-call>, <mailto:last-call-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/last-call/>
List-Post: <mailto:last-call@ietf.org>
List-Help: <mailto:last-call-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/last-call>, <mailto:last-call-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Dec 2023 11:50:22 -0000
We don't have a YANG model for the MUD manager itself with operational state. I think that might be a possible next step. On 21.12.2023 12:06, Hannes Tschofenig wrote: > > Hi Eliot, > > > thanks for the quick response. > > > That's good to hear but I haven't read how any error cases are > reported to some central device management system to take some actions. > > Is that functionality documented somewhere as well? For example, some > YANG modules for use with Netconf? > > > Ciao > > Hannes > > > Am 21.12.2023 um 11:35 schrieb Eliot Lear: >> >> Hi Hannes and thanks Sue >> >> The MUD Manager always has the responsibility to "consider the >> source" and then to consider the context. The information provided >> in MUD files *can *be used to automate access control to their >> associated devices. I think this is pretty well covered in RFC 8520, >> but I am starting to think about an update to that document. >> >> Eliot >> >> On 21.12.2023 11:08, Hannes Tschofenig wrote: >>> Hi Susan, >>> >>> thanks for your detailed review. >>> >>> You are correct that this document does not address operational >>> aspects of the MUD Manager and this is certainly something the >>> OPSAWG working group should address since this document is a tiny >>> extension to the already existing MUD RFC. Along these lines you are >>> also correct that the document does not define any mechanism for the >>> MUD Manager to notify the operator about any error situations with >>> the processing of MUD files and/or SUIT manifests. I will reach out >>> to Eliot and the OPSAWG working group to think about standardization >>> work in this direction. >>> >>> I have updated the draft to better explain how the different URIs >>> are passed around. I also added a figure to illustrate it >>> graphically. Attestation Evidence, which is used to convey >>> information about the MUD URL, also allows the network to >>> double-check the firmware/software (and other properties of the >>> device). We didn't go into any details about how Evidence is >>> processed because this is part of different documents, like the RATS >>> architecture RFC. I hope the updated text clarified these aspects. >>> >>> Regarding the CDDL I had a chat with Brendan and we will make an >>> update. >>> >>> Ciao >>> Hannes >>> >>> >>> Am 04.12.2023 um 16:19 schrieb Susan Hares via Datatracker: >>>> Reviewer: Susan Hares >>>> Review result: Has Issues >>>> >>>> Overall comment: >>>> Qualifications: I am not an expert on SUIT implementations or an >>>> operator of >>>> networks using SUIT. Therefore, my issues may be covered by some >>>> general >>>> security considerations in a document I am not aware of. >>>> >>>> General comments to authors: This feature is clearly described in >>>> this >>>> document. Brendan and Hannes did an excellent job of writing the >>>> document. >>>> >>>> Security/Operational Issues: >>>> >>>> The security of MUD URLs may move the attacks from individual >>>> devices to the >>>> MUD Manager. (Instead of a single lemming going over the cliff, a >>>> MUD manager >>>> may send many lemmings over the cliff). This document does not seem >>>> to consider >>>> the operational issues in the MUD Manager or provide mechanisms on >>>> how to check >>>> for these attacks (e.g. Yang modules with operational state). >>>> >>>> 1. An Attack on the MUD Manager can shut down or subvert the entire >>>> network. >>>> >>>> It is not clear how the operator knows an attack on the MUD Manager >>>> is happening >>>> or occurred. If the MUD Manager pulls in broken SUIT manifests and >>>> then pulls in broken software/firmware based on the SUIT manifests >>>> how does the operator know? In other words what device watches >>>> that the MUD Manager is not subverted via a management protocol? >>>> >>>> I do not see any operational state in the MUD Yang module [RFC8620 >>>> section 2.1] >>>> It would seem natural to have some operational state in the MUD >>>> Manager reports >>>> manifest state. Yang's notif protocols could report any manifest >>>> state change >>>> (over secure TLS connections) to a centralized security server. >>>> >>>> 2. For secure URLs transmitted by 802.1X with certificates, >>>> Why are these not a "double-check" on the validity of the software? >>>> >>>> Again, it would seem natural to utilize these secure certificates as >>>> "double-checks" on the MUD Manager being "in-sync" with the devices. >>>> >>>> 3. As a less secure double-check on being "in-sync", is the >>>> reporting of >>>> MUD URL sent via MUD Devices via DHCP or LLDAP that is not what >>>> is in the >>>> manifest. >>>> >>>> These reporting features are useful in transition scenarios as well as >>>> detecting attacks on the MUD manager. >>>> >>>> Editorial nits: >>>> >>>> 1. section 1, last paragraph, sentence 2 >>>> >>>> Old text: /can get/ >>>> New text: /has/ >>>> >>>> English grammar >>>> >>>> 2. Just for my sanity, would you check the following text is correct >>>> >>>> $$SUIT_severable-members-extensions //= ( >>>> suit-manifest-mud => bstr .cbor SUIT_MUD_container >>>> ) >>>> It appears you are looking to define a CBOR Type for the >>>> the SUIT_MOD_container is defined in the text. >>>> >>>> What I think I'm missing is the .cbor value for SUIT. >>>> It looks correct, but I could not derive this from >>>> draft-ietf-suit-manifest-24: >>>> >>>> SUIT_Severable_Manifest_Members = ( >>>> ? suit-payload-fetch => bstr .cbor SUIT_Command_Sequence, >>>> ? suit-install => bstr .cbor SUIT_Command_Sequence, >>>> ? suit-text => bstr .cbor SUIT_Text_Map, >>>> * $$SUIT_severable-members-extensions, >>>> ) >>>> >>>> And your IANA definitions of: >>>> >>>> IANA is requested to add a new value to the SUIT envelope elements >>>> registry >>>> created with [I-D.ietf-suit-manifest]: Label: TBD2 [[Value >>>> allocated from the >>>> standards action address range]] >>>> >>>> Name: Manufacturer Usage Description (MUD) >>>> Reference: [[TBD: This document]] >>>> >>>> Again, this may be due to my incomplete understanding. >>>> This is why this is a NIT rather than an Issue. >>>> >>>> >>>> >>>
- [Last-Call] Opsdir last call review of draft-ietf… Susan Hares via Datatracker
- Re: [Last-Call] Opsdir last call review of draft-… Eliot Lear
- Re: [Last-Call] Opsdir last call review of draft-… Hannes Tschofenig
- Re: [Last-Call] Opsdir last call review of draft-… Hannes Tschofenig
- Re: [Last-Call] Opsdir last call review of draft-… Eliot Lear
- Re: [Last-Call] [Suit] Opsdir last call review of… Hannes Tschofenig
- Re: [Last-Call] Opsdir last call review of draft-… Behcet Sarikaya