Re: [Last-Call] Opsdir last call review of draft-ietf-suit-mud-06
Eliot Lear <lear@lear.ch> Thu, 21 December 2023 10:35 UTC
Return-Path: <lear@lear.ch>
X-Original-To: last-call@ietfa.amsl.com
Delivered-To: last-call@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9BB1CC090376; Thu, 21 Dec 2023 02:35:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.896
X-Spam-Level:
X-Spam-Status: No, score=-0.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_ALL=0.8, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_HELO_PERMERROR=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=lear.ch
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uXPc4z6WtY3H; Thu, 21 Dec 2023 02:35:52 -0800 (PST)
Received: from upstairs.ofcourseimright.com (upstairs.ofcourseimright.com [IPv6:2a00:bd80:aa::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0A942C14F680; Thu, 21 Dec 2023 02:35:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=lear.ch; s=upstairs; t=1703154942; bh=PVW4K4lRougYCy41lZC2FUT0cmoKSgu4HAAV+VyM2/c=; h=Date:Subject:To:Cc:References:From:In-Reply-To:From; b=twUJlbVlysp8Y9XBMB7EZefHAsIXDRCzBJJ/+9waji/kbjHuIIA3DxKFTVVt99wko cl6UBix4YoHBvJigI0k9QgE8+yDJn0VIBWRl+67RVOIWEZiRncuKUy4URKTV9bUO4K CszX3CVGdznMN2LwZDNLFuUpUBpOlcHpiTRcMacE=
Received: from [192.168.0.107] (77-58-144-232.dclient.hispeed.ch [77.58.144.232]) (authenticated bits=0) by upstairs.ofcourseimright.com (8.15.2/8.15.2/Debian-22ubuntu3) with ESMTPSA id 3BLAZf8O3268876 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO); Thu, 21 Dec 2023 11:35:41 +0100
Content-Type: multipart/alternative; boundary="------------YjsQfpe8HXA2QuKgv20tvE90"
Message-ID: <ef80cde4-027a-463d-8b6b-21df80fa9d8e@lear.ch>
Date: Thu, 21 Dec 2023 11:35:40 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, Susan Hares <shares@ndzh.com>, ops-dir@ietf.org
Cc: draft-ietf-suit-mud.all@ietf.org, last-call@ietf.org, suit@ietf.org
References: <170170315182.17411.11522235103450951717@ietfa.amsl.com> <e92a87df-5554-4dda-b5aa-47155f3c4614@gmx.net>
From: Eliot Lear <lear@lear.ch>
Autocrypt: addr=lear@lear.ch; keydata= xsBNBFMe1UQBCADdYOS5APDpIpF2ohAxB+nxg1GpAYr8iKwGIb86Wp9NkK5+QwbW9H035clT lpVLciExtN8E3MCTPOIm7aITPlruixAVwlBY3g7U9eRppSw9O2H/7bie2GOnYxqmsw4v1yNZ 9NcMLlD8raY0UcQ5r698c8JD4xUTLqybZXaK2sPeJkxzT+IwupRSQ+vXEvFFGhERQ88zo5Ca Sa1Gw/Rv54oH0Dq2XYkO41rhxQ60BKZLZuQK1d9+1y3I+An3AJeD3AA31fJZD3H8YRKOBgqe ILPILbw1mM7gCtCjfvFCt6AFCwEsjITGx55ceoQ+t5B5XGYJEppMWsIFrwZsfbL+gP31ABEB AAHNGUVsaW90IExlYXIgPGxlYXJAbGVhci5jaD7CwI4EEwECADgCGwMCHgECF4AWIQSY0L2Q Rh2wkqeyYR2HtmtG2dJ6MwUCWxJwMwULCQgHAgYVCAkKCwIEFgIDAQAKCRCHtmtG2dJ6M8KI B/46pFrJX+4Ockl2fHR303ais9Lyx8jv6mXKKOr8WR0UYcJ0syQrhaaZNG1VV98tYQHHK9F5 y7hH4YCsrr3odZ6zoavnx5X1X/2xw8y732f/irVoOOkYLid9IGPxa2e2nYXCZpde5/yvv3we XVE4mG4dEAD5T8iKS4Hz/3fKGJQ15o79Jv92HgC7RpCt0WaiQ0b6acP3PuwjDJzJzLFZzb7j IiB3izxQESSWE1GNRmoAK/k0gW6kmx1/87tQENrK+3Nn4CJSFQWF6entLnY7UeVm95wbMQkJ evwddDWUO2huDbmZnmxgKXGzSSpuNq7n8ICAOlbt0HfdJAZQfy25bwvezsBNBFMe1UQBCAC0 WV7Ydbv95xYGPhthTdChBIpPtl7JPCV/c6/3iEmvjpfGuFNaK4Macj9le20EA5A1BH7PgLGo HOiPM65NysRpZ96RRVX3TNfLmhGMFr5hPOGNdq+xcGHVutmwPV9U7bKeUNRiPFx3YdEkExdd qV2E8FltT0x2FSKe2xszPPHB6gVtMckX5buI9p1K3fbVhXdvEkcYY/jB0JEJGyhS5aEbct5c HUvDAkT81/YFK5Jfg8RRwu1q1t1YuIJSOWAZQ9J9oUsg6D9RpClU+tIFBoe3iTp1AUfJcypu cGKgLYKtpu/aygcpQONHYkYW5003mPsrajFhReVF5veycMbHs4u5ABEBAAHCwF8EGAECAAkF AlMe1UQCGwwACgkQh7ZrRtnSejOSuQgA27p2rYB7Kh20dym6V8c62pWpBHHTgxr/32zevxHS iXl6xvUCg5T8WUwfUk8OvgDcBErK/blDAMXQzSg3sp450JhR8RnXHXF5Zz2T04X7HnlIVJGw f2CjnwyEAJCqMzaCmI+g3Imvg/8L4nyBFvhlFHDv+kIvMiujyycjPAu7xxKplBs1/IEwmDoA MjneFmawvfeQnwdMhSKK8PjKSuzGU5uUmxj3GBfRqvTM0qpmhMPFOmDhJSmH55HLAky2Mlmq JYXJPt/9EfSEhFiua1M6gLiuNEuPkp+8jcnHQqKr0IeHt8UqcwLt2mGfIyl0FVdF9hvWPjNR zGbgqoT1Di03RQ==
In-Reply-To: <e92a87df-5554-4dda-b5aa-47155f3c4614@gmx.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/VX38UmCq7_9PyY6uNSFCah3d3nE>
Subject: Re: [Last-Call] Opsdir last call review of draft-ietf-suit-mud-06
X-BeenThere: last-call@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF Last Calls <last-call.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/last-call>, <mailto:last-call-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/last-call/>
List-Post: <mailto:last-call@ietf.org>
List-Help: <mailto:last-call-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/last-call>, <mailto:last-call-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Dec 2023 10:35:56 -0000
Hi Hannes and thanks Sue The MUD Manager always has the responsibility to "consider the source" and then to consider the context. The information provided in MUD files *can *be used to automate access control to their associated devices. I think this is pretty well covered in RFC 8520, but I am starting to think about an update to that document. Eliot On 21.12.2023 11:08, Hannes Tschofenig wrote: > Hi Susan, > > thanks for your detailed review. > > You are correct that this document does not address operational > aspects of the MUD Manager and this is certainly something the OPSAWG > working group should address since this document is a tiny extension > to the already existing MUD RFC. Along these lines you are also > correct that the document does not define any mechanism for the MUD > Manager to notify the operator about any error situations with the > processing of MUD files and/or SUIT manifests. I will reach out to > Eliot and the OPSAWG working group to think about standardization work > in this direction. > > I have updated the draft to better explain how the different URIs are > passed around. I also added a figure to illustrate it graphically. > Attestation Evidence, which is used to convey information about the > MUD URL, also allows the network to double-check the firmware/software > (and other properties of the device). We didn't go into any details > about how Evidence is processed because this is part of different > documents, like the RATS architecture RFC. I hope the updated text > clarified these aspects. > > Regarding the CDDL I had a chat with Brendan and we will make an update. > > Ciao > Hannes > > > Am 04.12.2023 um 16:19 schrieb Susan Hares via Datatracker: >> Reviewer: Susan Hares >> Review result: Has Issues >> >> Overall comment: >> Qualifications: I am not an expert on SUIT implementations or an >> operator of >> networks using SUIT. Therefore, my issues may be covered by some general >> security considerations in a document I am not aware of. >> >> General comments to authors: This feature is clearly described in this >> document. Brendan and Hannes did an excellent job of writing the >> document. >> >> Security/Operational Issues: >> >> The security of MUD URLs may move the attacks from individual devices >> to the >> MUD Manager. (Instead of a single lemming going over the cliff, a MUD >> manager >> may send many lemmings over the cliff). This document does not seem >> to consider >> the operational issues in the MUD Manager or provide mechanisms on >> how to check >> for these attacks (e.g. Yang modules with operational state). >> >> 1. An Attack on the MUD Manager can shut down or subvert the entire >> network. >> >> It is not clear how the operator knows an attack on the MUD Manager >> is happening >> or occurred. If the MUD Manager pulls in broken SUIT manifests and >> then pulls in broken software/firmware based on the SUIT manifests >> how does the operator know? In other words what device watches >> that the MUD Manager is not subverted via a management protocol? >> >> I do not see any operational state in the MUD Yang module [RFC8620 >> section 2.1] >> It would seem natural to have some operational state in the MUD >> Manager reports >> manifest state. Yang's notif protocols could report any manifest >> state change >> (over secure TLS connections) to a centralized security server. >> >> 2. For secure URLs transmitted by 802.1X with certificates, >> Why are these not a "double-check" on the validity of the software? >> >> Again, it would seem natural to utilize these secure certificates as >> "double-checks" on the MUD Manager being "in-sync" with the devices. >> >> 3. As a less secure double-check on being "in-sync", is the reporting of >> MUD URL sent via MUD Devices via DHCP or LLDAP that is not what is >> in the >> manifest. >> >> These reporting features are useful in transition scenarios as well as >> detecting attacks on the MUD manager. >> >> Editorial nits: >> >> 1. section 1, last paragraph, sentence 2 >> >> Old text: /can get/ >> New text: /has/ >> >> English grammar >> >> 2. Just for my sanity, would you check the following text is correct >> >> $$SUIT_severable-members-extensions //= ( >> suit-manifest-mud => bstr .cbor SUIT_MUD_container >> ) >> It appears you are looking to define a CBOR Type for the >> the SUIT_MOD_container is defined in the text. >> >> What I think I'm missing is the .cbor value for SUIT. >> It looks correct, but I could not derive this from >> draft-ietf-suit-manifest-24: >> >> SUIT_Severable_Manifest_Members = ( >> ? suit-payload-fetch => bstr .cbor SUIT_Command_Sequence, >> ? suit-install => bstr .cbor SUIT_Command_Sequence, >> ? suit-text => bstr .cbor SUIT_Text_Map, >> * $$SUIT_severable-members-extensions, >> ) >> >> And your IANA definitions of: >> >> IANA is requested to add a new value to the SUIT envelope elements >> registry >> created with [I-D.ietf-suit-manifest]: Label: TBD2 [[Value allocated >> from the >> standards action address range]] >> >> Name: Manufacturer Usage Description (MUD) >> Reference: [[TBD: This document]] >> >> Again, this may be due to my incomplete understanding. >> This is why this is a NIT rather than an Issue. >> >> >> >
- [Last-Call] Opsdir last call review of draft-ietf… Susan Hares via Datatracker
- Re: [Last-Call] Opsdir last call review of draft-… Eliot Lear
- Re: [Last-Call] Opsdir last call review of draft-… Hannes Tschofenig
- Re: [Last-Call] Opsdir last call review of draft-… Hannes Tschofenig
- Re: [Last-Call] Opsdir last call review of draft-… Eliot Lear
- Re: [Last-Call] [Suit] Opsdir last call review of… Hannes Tschofenig
- Re: [Last-Call] Opsdir last call review of draft-… Behcet Sarikaya