Re: [Mud] [Captive-portals] putting quarantined IoT devices behind a captive portal (fwd) Michael Richardson: putting quarantined IoT devices behind a captive portal
Erik Kline <ek@loon.com> Sun, 21 July 2019 03:34 UTC
Return-Path: <ek@google.com>
X-Original-To: mud@ietfa.amsl.com
Delivered-To: mud@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4CFB81200C4 for <mud@ietfa.amsl.com>; Sat, 20 Jul 2019 20:34:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.25
X-Spam-Level:
X-Spam-Status: No, score=-9.25 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=loon.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BTI2BSmRG7_1 for <mud@ietfa.amsl.com>; Sat, 20 Jul 2019 20:33:59 -0700 (PDT)
Received: from mail-io1-xd2d.google.com (mail-io1-xd2d.google.com [IPv6:2607:f8b0:4864:20::d2d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 79EF31200D8 for <mud@ietf.org>; Sat, 20 Jul 2019 20:33:57 -0700 (PDT)
Received: by mail-io1-xd2d.google.com with SMTP id g20so66597803ioc.12 for <mud@ietf.org>; Sat, 20 Jul 2019 20:33:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=loon.com; s=google; h=mime-version:references:in-reply-to:reply-to:from:date:message-id :subject:to:cc; bh=YVKouiH4IryHPCGvbLhozYilZxCVzqr30tRpJy48F68=; b=L8AIKYprWBT8GAbw3dYd1ZW+9D1joHdcb/QJZ1npWYpfocdXAh/YRqUbTyuL8CTnDb 8kL0rjDfQJkCtlkOTtpQxwWfffrXyXDB2Wt6vXzv5QPEyBuCYWtkg7e6z0ohOKhZR5rZ pb68PSSJED1ELBbCd5kGTqTO2E9KUb0NKafEk=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:reply-to :from:date:message-id:subject:to:cc; bh=YVKouiH4IryHPCGvbLhozYilZxCVzqr30tRpJy48F68=; b=IuFNVgKuv7KJWzR/zUXb6Yjt9DnFBAIm3qVtA8xy2iag4yhP3gbpvstMV5slChtjeA sUWmDUX5/dsAny8sXhowGah420X9KJytmF+TYO2KHUMpJCqLpLIU0yxATHFoDn8MpT4h FrVdCvY+nBYcBfpsNUjQz2BwvO+z8dmhp5Knhr0D+gVabthrh3BfVcmsnVDJzGTy6CRb k1glBNloXDW3HSqK6tlU9xGakzFdzr6f0eyTsdYAuH4ocWwHyx0EjhZxCNtTNg2C0hQH 3a/SE8rwHS1wfDUol3VQx5vstizMqZfkoj7sS0JmsSnklSgMNqrfgNowkJvppU7ZFQgx CtGg==
X-Gm-Message-State: APjAAAWy50pko40hs/rSgITS424vXpkybQoKulFP+4e0LvHsOkpqs8Fk P4SIaeJl5YjVop7V3DLibPd/MIbgcYZ3tJbytw+Upg==
X-Google-Smtp-Source: APXvYqx7WQH3n8air9grurutLZyjmulQroGtyb6Psp83zhcRMIZWN5sUKM+v+JwcFeKOe3+0aXmF2RMg4/G18cgQhzk=
X-Received: by 2002:a02:1a86:: with SMTP id 128mr15179903jai.95.1563680036325; Sat, 20 Jul 2019 20:33:56 -0700 (PDT)
MIME-Version: 1.0
References: <27897.1562697682@localhost>
In-Reply-To: <27897.1562697682@localhost>
Reply-To: ek@loon.com
From: Erik Kline <ek@loon.com>
Date: Sat, 20 Jul 2019 23:33:44 -0400
Message-ID: <CAAedzxq6b3Ec-az0nUFbowfJS71GFoN2bq=vBo5GY73ze=sVGA@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: captive-portals <captive-portals@ietf.org>, opsawg@ietf.org, mud@ietf.org
Content-Type: multipart/alternative; boundary="0000000000001be4ce058e28a124"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mud/1AJ-DCq-hsBNiCycLBSsT3MX0LU>
X-Mailman-Approved-At: Sun, 21 Jul 2019 11:38:42 -0700
Subject: Re: [Mud] [Captive-portals] putting quarantined IoT devices behind a captive portal (fwd) Michael Richardson: putting quarantined IoT devices behind a captive portal
X-BeenThere: mud@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of Manufacturer Ussage Descriptions <mud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mud>, <mailto:mud-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mud/>
List-Post: <mailto:mud@ietf.org>
List-Help: <mailto:mud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mud>, <mailto:mud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 21 Jul 2019 03:34:01 -0000
Most discussion has, co-chair hat off, be circling around some minimal
working API mechanism to get things started.
That said, one could easily imagine, for example, something as simple as an
additional API boolean key,
"quarantined": true|false,
Perhaps once there's some experience with 7710bis+API implementation...
On Tue, 9 Jul 2019 at 14:41, Michael Richardson <mcr+ietf@sandelman.ca>
wrote:
>
> Again, a WG whose ML is not the WG name, and there is no alias. ARGH.
> Here are some emails that didn't get to captive-portals@ietf.org.
> Sorry for the duplication for others.
>
>
>
>
> ---------- Forwarded message ----------
> From: Michael Richardson <mcr+ietf@sandelman.ca>
> To: "opsawg@ietf.org" <opsawg@ietf.org>, "mud@ietf.org" <mud@ietf.org>,
> capport@ietf.org
> Cc:
> Bcc:
> Date: Tue, 09 Jul 2019 10:41:58 -0400
> Subject: putting quarantined IoT devices behind a captive portal
>
> Between editing drafts yesterday, I got to thinking about CAPPORT.
> I have been working on what to do when an IoT device violates it's MUD
> profile. There are a bunch of issues around this.
>
> Yesterday, it occured to me that when such a device is quarantined
> (I really think it should be "quaranteed", but that's not a word)
> that the capport controls and APIs should be available to the device to
> learn what went on.
>
> This is not new, I think that this as been the approach of most enterprise
> NEA systems upon encountering "infection". This has, I assume, involved
> forced HTTP proxies to inform human. But, if we have APIs, we can inform
> device as well.
>
> Is this on anyone's radar?
>
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
> -= IPv6 IoT consulting =-
>
>
>
>
>
>
> ---------- Forwarded message ----------
> From: Michael Richardson <mcr+ietf@sandelman.ca>
> To: Eliot Lear <lear@cisco.com>
> Cc: "opsawg@ietf.org" <opsawg@ietf.org>, "mud@ietf.org" <mud@ietf.org>,
> capport@ietf.org
> Bcc:
> Date: Tue, 09 Jul 2019 14:38:58 -0400
> Subject: Re: [OPSAWG] putting quarantined IoT devices behind a captive
> portal
>
> Eliot Lear <lear@cisco.com> wrote:
> > I’m not quite certain how it would work. Can you show a flow that
> will
> > work for an IoT device (e.g., headless and no display)?
>
> Device gets quarantined, and the MUD-controller moves it into an isolated
> "VLAN". I put air/scare quotes around VLAN, because it's a "MAC-address
> VLAN", not an 802.1Q thing. It's really just a layer-2 ACL.
>
> {We have no way to force the mishaving device into tagging it's packets,
> nor
> can we force it onto some other ESSID. We can't do a "port-based" VLAN,
> because wifi has no ports, and we don't really know how many unmanaged
> switches might be on the port anyway.
> One might map this onto a IEEE 802.1Q VLAN across a backbone}
>
> Instead of just dropping all traffic for a device in this category,
> all traffic (other than excepted traffic if you implement
>
> https://datatracker.ietf.org/doc/draft-richardson-shg-mud-quarantined-access/
> )
> would go into a captive portal system.
>
> Such a system would, according to
> https://datatracker.ietf.org/doc/draft-ietf-capport-architecture/
> receive a message when it initiates connections which are not allowed.
> (While the capport WG contemplated an ICMP unreachable message with a
> URI in it at one point, that is not the current design)
>
> Actually, I have no idea from reviewing the documentation what the
> appropriate "you might be captive" ICMP is now.. THERE IS ONE RIGHT?
>
> Once the IoT device gets such a message, it can use the API
> described at: https://datatracker.ietf.org/doc/draft-ietf-capport-api/
> to retrieve a JSON object telling it that it is captive. At which point, it
> can flash a LED, or attempt a firmware upgrade, or maybe just reboot if a
> timer goes off. (%)
>
> This requires that the IoT device get the captive portal API end point,
> which
> https://datatracker.ietf.org/doc/draft-ietf-capport-rfc7710bis/ can
> deliver
> via DHCPv4/v6 or RA.
>
>
> >> On 9 Jul 2019, at 16:41, Michael Richardson <mcr+ietf@sandelman.ca>
> >> wrote:
> >>
> >> Signed PGP part
> >>
> >> Between editing drafts yesterday, I got to thinking about CAPPORT.
> I
> >> have been working on what to do when an IoT device violates it's MUD
> >> profile. There are a bunch of issues around this.
> >>
> >> Yesterday, it occured to me that when such a device is quarantined
> (I
> >> really think it should be "quaranteed", but that's not a word) that
> >> the capport controls and APIs should be available to the device to
> >> learn what went on.
> >>
> >> This is not new, I think that this as been the approach of most
> >> enterprise NEA systems upon encountering "infection". This has, I
> >> assume, involved forced HTTP proxies to inform human. But, if we
> have
> >> APIs, we can inform device as well.
> >>
> >> Is this on anyone's radar?
> >>
> >> --
> >> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software
> Works
> >> -= IPv6 IoT consulting =-
> >>
> >>
> >>
> >>
> >>
>
>
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
> -= IPv6 IoT consulting =-
>
>
>
>
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
> -= IPv6 IoT consulting =-
>
>
>
> _______________________________________________
> Captive-portals mailing list
> Captive-portals@ietf.org
> https://www.ietf.org/mailman/listinfo/captive-portals
>
- [Mud] putting quarantined IoT devices behind a ca… Michael Richardson
- Re: [Mud] [Captive-portals] putting quarantined I… Erik Kline
- Re: [Mud] [Captive-portals] putting quarantined I… Michael Richardson