Re: [Madinas] [dhcwg] [Int-area] BoF and Non-WG Mailing List: madinas -- MAC Address Device Identification for Network and Application Services
mohamed.boucadair@orange.com Tue, 03 November 2020 13:21 UTC
Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: madinas@ietfa.amsl.com
Delivered-To: madinas@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 141123A0A3D for <madinas@ietfa.amsl.com>; Tue, 3 Nov 2020 05:21:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=orange.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4lgxcor6OtfO for <madinas@ietfa.amsl.com>; Tue, 3 Nov 2020 05:21:46 -0800 (PST)
Received: from relais-inet.orange.com (relais-inet.orange.com [80.12.66.40]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 062113A0A3B for <madinas@ietf.org>; Tue, 3 Nov 2020 05:21:46 -0800 (PST)
Received: from opfedar02.francetelecom.fr (unknown [xx.xx.xx.4]) by opfedar26.francetelecom.fr (ESMTP service) with ESMTP id 4CQVmm4f8WzFpx7; Tue, 3 Nov 2020 14:21:44 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=orange.com; s=ORANGE001; t=1604409704; bh=+o94pJlNZuMDd73TL5TYxIupyVRDG99xBJZdX2pXFkM=; h=From:To:Subject:Date:Message-ID:Content-Type: Content-Transfer-Encoding:MIME-Version; b=OMIS+jsKZnPwyew8bHoLJCBLfpxAnAAQMmwbtac/OQ1HS19N5DnrHIcGdEj2E13NG Rzk+YQ3Twl+Lur4tuiZqI5oMnKc92ksCQP1j5Kh96DxGwL8AYHIeT8BLdi19NnQugy X0oD3MHiIkJpRxIxQoKwnPKfhO/Y/J3tzKOaX2zlB2Evpo8msLx4XphJ+s/3XyFzQJ Nxu5FMeEyFJP9/Efe2gt7wMenCmxUuzAynww4p4mdozFH0T1uHlcarF8dHP0uLbfMT srEv0XW1fSkzjn7CqYIcNaC6LSLDGvyokGDZvSocvhHqCYR14GbNM46UftfnGePJKk kB+28bCAGhffQ==
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.57]) by opfedar02.francetelecom.fr (ESMTP service) with ESMTP id 4CQVmm3NYnzCqlJ; Tue, 3 Nov 2020 14:21:44 +0100 (CET)
From: mohamed.boucadair@orange.com
To: Michael Richardson <mcr+ietf@sandelman.ca>, "madinas@ietf.org" <madinas@ietf.org>
Thread-Topic: [Madinas] [dhcwg] [Int-area] BoF and Non-WG Mailing List: madinas -- MAC Address Device Identification for Network and Application Services
Thread-Index: AQHWsSpXZFiYC4lw+0mTl12Tg052iam2YBbA
Date: Tue, 03 Nov 2020 13:21:43 +0000
Message-ID: <12688_1604409704_5FA15968_12688_371_20_787AE7BB302AE849A7480A190F8B93303156EFFC@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <160407478723.4708.16590139659517606146@ietfa.amsl.com> <CAHLBt83DN3OxhXbkFKPBh7KbPFvKJKjgdf5UfoGVSsTJh6+H=Q@mail.gmail.com> <E37B8383-CAD6-4D57-BDB4-E7170F3EAE63@tzi.org> <21853.1604329792@localhost>
In-Reply-To: <21853.1604329792@localhost>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.13.245]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/madinas/GcxL7yIJIkkbXibyjEheuRuZcoI>
Subject: Re: [Madinas] [dhcwg] [Int-area] BoF and Non-WG Mailing List: madinas -- MAC Address Device Identification for Network and Application Services
X-BeenThere: madinas@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: MAC Address Device Identification for Network and Application Services <madinas.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/madinas>, <mailto:madinas-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/madinas/>
List-Post: <mailto:madinas@ietf.org>
List-Help: <mailto:madinas-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/madinas>, <mailto:madinas-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Nov 2020 13:21:48 -0000
Hi Michael, Thanks for sharing your thoughts. The slides you are referring to are not intended to articulate the overall problem space but to illustrate a use case where ** means to unambiguously and persistently identify devices within the home are required ** to protect the Internet but also to avoid collateral damage for subscribers hosting such compromised devices. Filtering at the network is suboptimal. The question then is: ** how to reliably achieve this without mandating a given network setup and while minimizing subscriber involvement? ** Many ISPs offer apps to seek for an ACK from the subscribers whenever a new device connects to the home network. The identification is usually based on the MAC@. Notifications will be generated each time a new MAC@ is generated, which may be disturbing for the subscriber and may lead to deactivate the app or accept by default all devices. These considerations (and others) are not discussed in these slides because this is supposed to be handed in other use cases (device identification). Cheers, Med > -----Message d'origine----- > De : Madinas [mailto:madinas-bounces@ietf.org] De la part de Michael > Richardson > Envoyé : lundi 2 novembre 2020 16:10 > À : madinas@ietf.org > Objet : Re: [Madinas] [dhcwg] [Int-area] BoF and Non-WG Mailing > List: madinas -- MAC Address Device Identification for Network and > Application Services > > > Carsten Bormann <cabo@tzi.org> wrote: > > On 2020-11-01, at 22:56, Juan Carlos Zuniga > <j.c.zuniga@ieee.org> wrote: > >> > >> https://github.com/jlivingood/IETF109BoF/blob/master/109- > Agenda.md > > > I don’t understand the slides about home device MAC addresses, > > https://github.com/boucadair/IETF109BoF/blob/master/madinas- > ddos%20mitigation-use%20case-rev%2027102020.pdf > > > If mitigations are widely deployed that are based on MAC > address > > filtering, attackers will implement countermeasures (such as > varying > > the MAC address quickly enough to defeat the mitigation > signaling). > > MAC address randomization as implemented by a device vendor > would > > probably be too slow as a countermeasure (if it were, it would > save the > > attacker a little work, but not that much). > > Carsten's point is legitimate, and I think that the slides mostly > fail to articulate the problem well enough. > It seems that there are assumptions made about how DOTS might be > implemented by CPEs. > > Attacking devices by *construction* have unknown MAC addresses. > You can't filter for that. > > The solution is that one has to construct filters to recognize > legitimate devices and accept their traffic. All other traffic gets > blocked. > > It is easy in current software and protocols to provide a per-device > WPA-PSK (for WiFI), and this efficiently binds the device identity > to their MAC address. > This is unfortunately, not yet a BCP (or as our group at the RIPE81 > IoT attempted, a BCoP), because we lack the right standardized > interfaces to be able build a UI to assign a new WPA-PSK per device. > To do this automatically/autonomically, we need BRSKI or DPP or ???, > but it could be done via a management "App" connected to the home > router. > Many ISPs that provide routers provide a management App as well. > > Todays interfaces can accept-list devices by MAC address. > The risk is that these lists go stale if *legitimate* devices change > their MAC address. > > The biggest risk, in my opinion, is not that malware will learn to > randomize their MAC address. It is that malware will learn to login > to the CPE using the "cheestos"[1] authentication of admin/admin, > and then just accept-list their chosen MAC address. > > I wrote draft-richardson-homerouter-provisioning last night, because > I needed to reference it, and I hadn't finished describing the > mechanism in another draft where I had intended originally to. > This deals with the lack of privacy on the CPE management API. > While BBF TR369 (USP) seems to have real potential: I am dismayed by > the lack of a security mechanism, and the document seems to endorse > every protocol. > > [1] https://www.sandelman.ca/mcr/humour/username-admin-password- > admin-admin-password-63615994.png > > -- > Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT > consulting ) > Sandelman Software Works Inc, Ottawa and Worldwide _________________________________________________________________________________________________________________________ Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you.
- [Madinas] New Non-WG Mailing List: madinas -- MAC… IETF Secretariat
- Re: [Madinas] [Int-area] BoF and Non-WG Mailing L… Carsten Bormann
- Re: [Madinas] [Int-area] BoF and Non-WG Mailing L… mohamed.boucadair
- Re: [Madinas] [Int-area] BoF and Non-WG Mailing L… Carsten Bormann
- Re: [Madinas] [Int-area] BoF and Non-WG Mailing L… mohamed.boucadair
- Re: [Madinas] [dhcwg] [Int-area] BoF and Non-WG M… Michael Richardson
- Re: [Madinas] [dhcwg] [Int-area] BoF and Non-WG M… mohamed.boucadair
- [Madinas] identities for legitimate devices Michael Richardson
- Re: [Madinas] identities for legitimate devices mohamed.boucadair