[Madinas] identities for legitimate devices
Michael Richardson <mcr@sandelman.ca> Tue, 03 November 2020 19:13 UTC
Return-Path: <mcr@sandelman.ca>
X-Original-To: madinas@ietfa.amsl.com
Delivered-To: madinas@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 60C7D3A0D3A for <madinas@ietfa.amsl.com>; Tue, 3 Nov 2020 11:13:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ziy2Gx_-upa1 for <madinas@ietfa.amsl.com>; Tue, 3 Nov 2020 11:13:10 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 491593A0100 for <madinas@ietf.org>; Tue, 3 Nov 2020 11:13:09 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id CE40138982; Tue, 3 Nov 2020 14:13:08 -0500 (EST)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id L4wyutgFvhnN; Tue, 3 Nov 2020 14:13:07 -0500 (EST)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id 98AD738983; Tue, 3 Nov 2020 14:13:07 -0500 (EST)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 5A83C19B2; Tue, 3 Nov 2020 12:55:03 -0500 (EST)
From: Michael Richardson <mcr@sandelman.ca>
To: mohamed.boucadair@orange.com, "madinas@ietf.org" <madinas@ietf.org>
In-Reply-To: <12688_1604409704_5FA15968_12688_371_20_787AE7BB302AE849A7480A190F8B93303156EFFC@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <160407478723.4708.16590139659517606146@ietfa.amsl.com> <CAHLBt83DN3OxhXbkFKPBh7KbPFvKJKjgdf5UfoGVSsTJh6+H=Q@mail.gmail.com> <E37B8383-CAD6-4D57-BDB4-E7170F3EAE63@tzi.org> <21853.1604329792@localhost> <12688_1604409704_5FA15968_12688_371_20_787AE7BB302AE849A7480A190F8B93303156EFFC@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Tue, 03 Nov 2020 12:55:03 -0500
Message-ID: <32228.1604426103@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/madinas/8oGmaplLPAvRAZaYJUZ4AI5WkJ8>
Subject: [Madinas] identities for legitimate devices
X-BeenThere: madinas@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: MAC Address Device Identification for Network and Application Services <madinas.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/madinas>, <mailto:madinas-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/madinas/>
List-Post: <mailto:madinas@ietf.org>
List-Help: <mailto:madinas-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/madinas>, <mailto:madinas-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Nov 2020 19:13:12 -0000
<mohamed.boucadair@orange.com> wrote: > The slides you are referring to are not intended to articulate the > overall problem space but to illustrate a use case where ** means to > unambiguously and persistently identify devices within the home are > required ** to protect the Internet but also to avoid collateral damage > for subscribers hosting such compromised devices. Filtering at the > network is suboptimal. The question then is: Reading the slides, I understood: "Doctor it hurts when I put my foot in the blender" me: "don't put your foot in the blender" > ** how to reliably achieve this without mandating a given network setup > and while minimizing subscriber involvement? ** > Many ISPs offer apps to seek for an ACK from the subscribers whenever a > new device connects to the home network. The identification is usually > based on the MAC@. Notifications will be generated each time a new MAC@ > is generated, which may be disturbing for the subscriber and may lead > to deactivate the app or accept by default all devices. These > considerations (and others) are not discussed in these slides because > this is supposed to be handed in other use cases (device > identification). Yes, it's is good that you agree with me that the real problem is not tracking malicious devices that change evade ACL by changing address, but rather positively identifying legitimate devices so that their MAC address changes can be transparently tracked. mcr> The solution is that one has to construct filters to recognize mcr> legitimate devices and accept their traffic. All other traffic gets mcr> blocked. mcr> It is easy in current software and protocols to provide a per-device mcr> WPA-PSK (for WiFI), and this efficiently binds the device identity mcr> to their MAC address. mcr> This is unfortunately, not yet a BCP (or as our group at the RIPE81 mcr> IoT attempted, a BCoP), because we lack the right standardized mcr> interfaces to be able build a UI to assign a new WPA-PSK per device. mcr> To do this automatically/autonomically, we need BRSKI or DPP or ???, mcr> but it could be done via a management "App" connected to the home mcr> router. mcr> Many ISPs that provide routers provide a management App as well. mcr> Todays interfaces can accept-list devices by MAC address. mcr> The risk is that these lists go stale if *legitimate* devices change mcr> their MAC address. mcr> The biggest risk, in my opinion, is not that malware will learn to mcr> randomize their MAC address. It is that malware will learn to login mcr> to the CPE using the "cheestos"[1] authentication of admin/admin, mcr> and then just accept-list their chosen MAC address. -- ] Never tell me the odds! | ipv6 mesh networks [ ] Michael Richardson, Sandelman Software Works | IoT architect [ ] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on rails [
- [Madinas] New Non-WG Mailing List: madinas -- MAC… IETF Secretariat
- Re: [Madinas] [Int-area] BoF and Non-WG Mailing L… Carsten Bormann
- Re: [Madinas] [Int-area] BoF and Non-WG Mailing L… mohamed.boucadair
- Re: [Madinas] [Int-area] BoF and Non-WG Mailing L… Carsten Bormann
- Re: [Madinas] [Int-area] BoF and Non-WG Mailing L… mohamed.boucadair
- Re: [Madinas] [dhcwg] [Int-area] BoF and Non-WG M… Michael Richardson
- Re: [Madinas] [dhcwg] [Int-area] BoF and Non-WG M… mohamed.boucadair
- [Madinas] identities for legitimate devices Michael Richardson
- Re: [Madinas] identities for legitimate devices mohamed.boucadair