Re: [Madinas] [dhcwg] [Int-area] BoF and Non-WG Mailing List: madinas -- MAC Address Device Identification for Network and Application Services
Michael Richardson <mcr+ietf@sandelman.ca> Mon, 02 November 2020 15:09 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: madinas@ietfa.amsl.com
Delivered-To: madinas@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 972F13A11D4 for <madinas@ietfa.amsl.com>; Mon, 2 Nov 2020 07:09:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FpaRP5ZRI9zT for <madinas@ietfa.amsl.com>; Mon, 2 Nov 2020 07:09:56 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 347B73A1192 for <madinas@ietf.org>; Mon, 2 Nov 2020 07:09:55 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id D5662389A3 for <madinas@ietf.org>; Mon, 2 Nov 2020 10:16:54 -0500 (EST)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id olL946FPDqFF for <madinas@ietf.org>; Mon, 2 Nov 2020 10:16:53 -0500 (EST)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id 8988D3899A for <madinas@ietf.org>; Mon, 2 Nov 2020 10:16:53 -0500 (EST)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 57C811F9 for <madinas@ietf.org>; Mon, 2 Nov 2020 10:09:52 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: madinas@ietf.org
In-Reply-To: <E37B8383-CAD6-4D57-BDB4-E7170F3EAE63@tzi.org>
References: <160407478723.4708.16590139659517606146@ietfa.amsl.com> <CAHLBt83DN3OxhXbkFKPBh7KbPFvKJKjgdf5UfoGVSsTJh6+H=Q@mail.gmail.com> <E37B8383-CAD6-4D57-BDB4-E7170F3EAE63@tzi.org>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Mon, 02 Nov 2020 10:09:52 -0500
Message-ID: <21853.1604329792@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/madinas/mr5xlf4TIUFvDynVCkROObGIoPM>
Subject: Re: [Madinas] [dhcwg] [Int-area] BoF and Non-WG Mailing List: madinas -- MAC Address Device Identification for Network and Application Services
X-BeenThere: madinas@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: MAC Address Device Identification for Network and Application Services <madinas.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/madinas>, <mailto:madinas-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/madinas/>
List-Post: <mailto:madinas@ietf.org>
List-Help: <mailto:madinas-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/madinas>, <mailto:madinas-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Nov 2020 15:10:04 -0000
Carsten Bormann <cabo@tzi.org> wrote: > On 2020-11-01, at 22:56, Juan Carlos Zuniga <j.c.zuniga@ieee.org> wrote: >> >> https://github.com/jlivingood/IETF109BoF/blob/master/109-Agenda.md > I don’t understand the slides about home device MAC addresses, > https://github.com/boucadair/IETF109BoF/blob/master/madinas-ddos%20mitigation-use%20case-rev%2027102020.pdf > If mitigations are widely deployed that are based on MAC address > filtering, attackers will implement countermeasures (such as varying > the MAC address quickly enough to defeat the mitigation signaling). > MAC address randomization as implemented by a device vendor would > probably be too slow as a countermeasure (if it were, it would save the > attacker a little work, but not that much). Carsten's point is legitimate, and I think that the slides mostly fail to articulate the problem well enough. It seems that there are assumptions made about how DOTS might be implemented by CPEs. Attacking devices by *construction* have unknown MAC addresses. You can't filter for that. The solution is that one has to construct filters to recognize legitimate devices and accept their traffic. All other traffic gets blocked. It is easy in current software and protocols to provide a per-device WPA-PSK (for WiFI), and this efficiently binds the device identity to their MAC address. This is unfortunately, not yet a BCP (or as our group at the RIPE81 IoT attempted, a BCoP), because we lack the right standardized interfaces to be able build a UI to assign a new WPA-PSK per device. To do this automatically/autonomically, we need BRSKI or DPP or ???, but it could be done via a management "App" connected to the home router. Many ISPs that provide routers provide a management App as well. Todays interfaces can accept-list devices by MAC address. The risk is that these lists go stale if *legitimate* devices change their MAC address. The biggest risk, in my opinion, is not that malware will learn to randomize their MAC address. It is that malware will learn to login to the CPE using the "cheestos"[1] authentication of admin/admin, and then just accept-list their chosen MAC address. I wrote draft-richardson-homerouter-provisioning last night, because I needed to reference it, and I hadn't finished describing the mechanism in another draft where I had intended originally to. This deals with the lack of privacy on the CPE management API. While BBF TR369 (USP) seems to have real potential: I am dismayed by the lack of a security mechanism, and the document seems to endorse every protocol. [1] https://www.sandelman.ca/mcr/humour/username-admin-password-admin-admin-password-63615994.png -- Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting ) Sandelman Software Works Inc, Ottawa and Worldwide
- [Madinas] New Non-WG Mailing List: madinas -- MAC… IETF Secretariat
- Re: [Madinas] [Int-area] BoF and Non-WG Mailing L… Carsten Bormann
- Re: [Madinas] [Int-area] BoF and Non-WG Mailing L… mohamed.boucadair
- Re: [Madinas] [Int-area] BoF and Non-WG Mailing L… Carsten Bormann
- Re: [Madinas] [Int-area] BoF and Non-WG Mailing L… mohamed.boucadair
- Re: [Madinas] [dhcwg] [Int-area] BoF and Non-WG M… Michael Richardson
- Re: [Madinas] [dhcwg] [Int-area] BoF and Non-WG M… mohamed.boucadair
- [Madinas] identities for legitimate devices Michael Richardson
- Re: [Madinas] identities for legitimate devices mohamed.boucadair