Re: [Mud] [OPSAWG] putting quarantined IoT devices behind a captive portal
Eliot Lear <lear@cisco.com> Tue, 09 July 2019 18:52 UTC
Return-Path: <lear@cisco.com>
X-Original-To: mud@ietfa.amsl.com
Delivered-To: mud@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 51026120AD3; Tue, 9 Jul 2019 11:52:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.501
X-Spam-Level:
X-Spam-Status: No, score=-14.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CsecRfnD0lbs; Tue, 9 Jul 2019 11:52:30 -0700 (PDT)
Received: from aer-iport-1.cisco.com (aer-iport-1.cisco.com [173.38.203.51]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 88DDC120AB5; Tue, 9 Jul 2019 11:52:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3398; q=dns/txt; s=iport; t=1562698349; x=1563907949; h=from:message-id:mime-version:subject:date:in-reply-to:cc: to:references; bh=hFEByi7QRzay1zhP9A6ajkGn5me3qf5ObSZJajw7kN8=; b=MC04zu7Yz3+lZjS0HTKR/Fr8YI6n4AySEgh31t/vUYFDBKz4eEUw9NVA PMb034SFfbUgGs9ouTfAg1JupcxxpWyugEock3r5D58gFjAZgcfPxVjCy Kk3XF77WtpNPfNBtuXSbzx29VD5iRj89cTZF9yUgRNZaj7Je6Vr+FIOyZ k=;
X-Files: signature.asc : 195
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0ADAAD64SRd/xbLJq1mGQEBAQEBAQEBAQEBAQcBAQEBAQGBUwQBAQEBAQsBghZqUjIohByIHF+LTyWYdIF7AgcBAQEJAwEBIwwBAYFLgnUCgmY0CQ4BAwEBBAEBAgEFbYU8DIVKAQEBAQIBI1YFCwsSBioCAkkOBhODIgGBew8PrFWBMoRGQUCEXgoGgTQBgVCKJYF/gREnDBOCTD6CYQIDAYRnMoImBIxKiByVbAmCGYIfgQyDK4FCi20UB4IslVSUcYxzgwoCBAYFAhWBUDiBWDMaCBsVZQGCQT6LCIVBPQMwj1gBAQ
X-IronPort-AV: E=Sophos;i="5.63,471,1557187200"; d="asc'?scan'208";a="14123268"
Received: from aer-iport-nat.cisco.com (HELO aer-core-3.cisco.com) ([173.38.203.22]) by aer-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 09 Jul 2019 18:52:27 +0000
Received: from dhcp-10-61-102-2.cisco.com (dhcp-10-61-102-2.cisco.com [10.61.102.2]) by aer-core-3.cisco.com (8.15.2/8.15.2) with ESMTPS id x69IqPBV027822 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 9 Jul 2019 18:52:26 GMT
From: Eliot Lear <lear@cisco.com>
Message-Id: <EE6AC0E8-0596-4B58-AA38-003078BF4B23@cisco.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_83F63F30-421B-40DD-B387-6592867E8E25"; protocol="application/pgp-signature"; micalg="pgp-sha1"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Tue, 09 Jul 2019 20:52:25 +0200
In-Reply-To: <27334.1562697538@localhost>
Cc: "opsawg@ietf.org" <opsawg@ietf.org>, "mud@ietf.org" <mud@ietf.org>, capport@ietf.org
To: Michael Richardson <mcr+ietf@sandelman.ca>
References: <B8F9A780D330094D99AF023C5877DABAA49CD8C1@nkgeml513-mbx.china.huawei.com> <CAFpG3gc4ijy+xH7O_9EzpzwcROu3XcTA4xpSAH9P+oyhWQzMyg@mail.gmail.com> <4486.1562683318@localhost> <7534958E-E1A6-470D-B4BB-6B88CD27B54C@cisco.com> <27334.1562697538@localhost>
X-Mailer: Apple Mail (2.3445.104.11)
X-Outbound-SMTP-Client: 10.61.102.2, dhcp-10-61-102-2.cisco.com
X-Outbound-Node: aer-core-3.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/mud/32R36nckOP_DDXyYKsAitdjSeHE>
Subject: Re: [Mud] [OPSAWG] putting quarantined IoT devices behind a captive portal
X-BeenThere: mud@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of Manufacturer Ussage Descriptions <mud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mud>, <mailto:mud-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mud/>
List-Post: <mailto:mud@ietf.org>
List-Help: <mailto:mud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mud>, <mailto:mud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Jul 2019 18:52:33 -0000
It’s the following part that I’m thinking about: > On 9 Jul 2019, at 20:38, Michael Richardson <mcr+ietf@sandelman.ca> wrote: > > Such a system would, according to > https://datatracker.ietf.org/doc/draft-ietf-capport-architecture/ > receive a message when it initiates connections which are not allowed. > (While the capport WG contemplated an ICMP unreachable message with a > URI in it at one point, that is not the current design) > > Actually, I have no idea from reviewing the documentation what the > appropriate "you might be captive" ICMP is now.. THERE IS ONE RIGHT? > > Once the IoT device gets such a message, it can use the API > described at: https://datatracker.ietf.org/doc/draft-ietf-capport-api/ > to retrieve a JSON object telling it that it is captive. At which point, it > can flash a LED, or attempt a firmware upgrade, or maybe just reboot if a > timer goes off. (%) > You are suggesting that a device self-remediate. Some devices may be able to eventually do that, but I have my doubts. Were I a hacker, I would have the device pretend to do just that. And so this ties somewhat to RATS. I think a MUD extension might be able to help in as much as one could imagine a “remediation” recommendation. Eliot > This requires that the IoT device get the captive portal API end point, which > https://datatracker.ietf.org/doc/draft-ietf-capport-rfc7710bis/ can deliver > via DHCPv4/v6 or RA. > > >>> On 9 Jul 2019, at 16:41, Michael Richardson <mcr+ietf@sandelman.ca> >>> wrote: >>> >>> Signed PGP part >>> >>> Between editing drafts yesterday, I got to thinking about CAPPORT. I >>> have been working on what to do when an IoT device violates it's MUD >>> profile. There are a bunch of issues around this. >>> >>> Yesterday, it occured to me that when such a device is quarantined (I >>> really think it should be "quaranteed", but that's not a word) that >>> the capport controls and APIs should be available to the device to >>> learn what went on. >>> >>> This is not new, I think that this as been the approach of most >>> enterprise NEA systems upon encountering "infection". This has, I >>> assume, involved forced HTTP proxies to inform human. But, if we have >>> APIs, we can inform device as well. >>> >>> Is this on anyone's radar? >>> >>> -- >>> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works >>> -= IPv6 IoT consulting =- >>> >>> >>> >>> >>> > > > -- > Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works > -= IPv6 IoT consulting =- > > >
- [Mud] Fwd: New Version Notification for draft-red… tirumal reddy
- Re: [Mud] New Version Notification for draft-redd… Eliot Lear
- Re: [Mud] [OPSAWG] Fwd: New Version Notification … Qin Wu
- Re: [Mud] New Version Notification for draft-redd… tirumal reddy
- Re: [Mud] [OPSAWG] Fwd: New Version Notification … tirumal reddy
- [Mud] putting quarantined IoT devices behind a ca… Michael Richardson
- Re: [Mud] [OPSAWG] putting quarantined IoT device… Eliot Lear
- Re: [Mud] [OPSAWG] putting quarantined IoT device… Michael Richardson
- Re: [Mud] [OPSAWG] putting quarantined IoT device… Eliot Lear
- Re: [Mud] [OPSAWG] putting quarantined IoT device… M. Ranganathan
- Re: [Mud] [OPSAWG] putting quarantined IoT device… M. Ranganathan
- Re: [Mud] [OPSAWG] putting quarantined IoT device… Montgomery, Douglas (Fed)
- Re: [Mud] [OPSAWG] putting quarantined IoT device… Michael Richardson
- Re: [Mud] [OPSAWG] putting quarantined IoT device… Michael Richardson
- Re: [Mud] [OPSAWG] putting quarantined IoT device… Michael Richardson
- Re: [Mud] [OPSAWG] putting quarantined IoT device… Michael Richardson
- Re: [Mud] [OPSAWG] putting quarantined IoT device… Eliot Lear
- Re: [Mud] [OPSAWG] putting quarantined IoT device… Juergen Schoenwaelder
- Re: [Mud] [OPSAWG] putting quarantined IoT device… John Romkey