Re: [Mud] [OPSAWG] putting quarantined IoT devices behind a captive portal

John Romkey <romkey@romkey.com> Wed, 10 July 2019 00:58 UTC

From: John Romkey <romkey@romkey.com>
Message-Id: <46656FBE-06E8-4E65-AF61-4BDE2F206F00@romkey.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_EABAD983-EB6E-4F93-A1D3-3C6FB9586844"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Tue, 09 Jul 2019 17:58:27 -0700
In-Reply-To: <18178.1562719763@localhost>
Cc: Eliot Lear <lear@cisco.com>, captive-portal@ietf.org, "opsawg@ietf.org" <opsawg@ietf.org>, "mud@ietf.org" <mud@ietf.org>
To: Michael Richardson <mcr+ietf@sandelman.ca>
References: <B8F9A780D330094D99AF023C5877DABAA49CD8C1@nkgeml513-mbx.china.huawei.com> <CAFpG3gc4ijy+xH7O_9EzpzwcROu3XcTA4xpSAH9P+oyhWQzMyg@mail.gmail.com> <4486.1562683318@localhost> <7534958E-E1A6-470D-B4BB-6B88CD27B54C@cisco.com> <27334.1562697538@localhost> <EE6AC0E8-0596-4B58-AA38-003078BF4B23@cisco.com> <18178.1562719763@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mud/GPwsLJmeMLUnHy5_5hjZqtlcuF4>
Subject: Re: [Mud] [OPSAWG] putting quarantined IoT devices behind a captive portal

> On Jul 9, 2019, at 5:49 PM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
> 
> 
> Eliot Lear <lear@cisco.com> wrote:
> 
>>> to retrieve a JSON object telling it that it is captive. At which point, it
>>> can flash a LED, or attempt a firmware upgrade, or maybe just reboot if a
>>> timer goes off.  (%)
> 
>> You are suggesting that a device self-remediate.  Some devices may be
>> able to eventually do that, but I have my doubts.  Were I a hacker, I
>> would have the device pretend to do just that.  And so this ties
>> somewhat to RATS.  I think a MUD extension might be able to help in as
>> much as one could imagine a “remediation” recommendation.
> 
> Yes, so a full attack on the IoT device would do what you describe.
> A partial attack might miss messing this.  A reboot might clear out the
> malware, or might mitigate it enough (such as going to boot firmware) that
> would permit new firmware to be loaded.
> 
> Yes, getting completely out of the quarantine would require either
> attestation or human intervention.  But, if the device now has good firmware,
> it would be able to send the "please unquarantine me" signal.

I believe strongly that the only safe thing you can do with a device that’s been in any way compromised is completely isolate it. It shouldn’t be able to send an “unquarantine” signal. You shouldn’t even try to talk to it.

Let the firewall which is implementing MUD notify the user about the problem. Let the device’s app or cloud services notify the user that the device is offline. Possibly in a later evolution of MUD the firewall might have a way to notify the device’s cloud service, but I wouldn’t hamstring the initial version of MUD with an attempt to do that.
	- john romkey
	https://romkey.com <http://romkey.com/>
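An added example, not code from this thread or from any MUD implementation, that models the two quarantine policies argued above as decisions a MUD enforcement point would make per packet. Under one policy (Richardson) a quarantined device may still reach a captive-portal endpoint; under the other (Romkey) it is fully isolated, and in both the operator is notified by the firewall rather than by the device, and release is an out-of-band operator action. The device MAC, the MUD-derived allow list, the portal hostname and the sample traffic are all constructed for the example.

```python
# Added example, not code from the thread or from any MUD implementation.
# Models a MUD enforcement point deciding what a quarantined device may do.
# Device identity, the MUD-derived allow list and the portal endpoint are constructed.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, int]  # (destination, protocol, destination port)


class State(Enum):
    NORMAL = "normal"
    QUARANTINED = "quarantined"


@dataclass
class Packet:
    src_mac: str
    dst: str
    proto: str
    dport: int


@dataclass
class Device:
    mac: str
    mud_allowed: Set[Flow]          # flows permitted by the device's MUD file (constructed)
    state: State = State.NORMAL
    reason: str = ""


@dataclass
class EnforcementPoint:
    # False: full isolation (Romkey). True: device may reach the portal API (Richardson).
    allow_self_remediation: bool
    portal: Flow = ("captive-portal.local", "tcp", 443)   # hypothetical portal endpoint
    devices: Dict[str, Device] = field(default_factory=dict)
    notifications: List[str] = field(default_factory=list)

    def register(self, dev: Device) -> None:
        self.devices[dev.mac] = dev

    def observe(self, pkt: Packet) -> str:
        """Return 'allow' or 'drop' for one packet, updating device state on a violation."""
        dev = self.devices[pkt.src_mac]
        flow: Flow = (pkt.dst, pkt.proto, pkt.dport)
        if dev.state is State.NORMAL:
            if flow in dev.mud_allowed:
                return "allow"
            # Traffic outside the MUD profile: quarantine and tell the operator
            # through the firewall's own channel, never through the suspect device.
            self.quarantine(dev, f"flow {flow} not permitted by MUD file")
            return "drop"
        # Quarantined: only the optional portal flow may pass; an "unquarantine me"
        # message originating from the device is dropped under both policies.
        if self.allow_self_remediation and flow == self.portal:
            return "allow"
        return "drop"

    def quarantine(self, dev: Device, reason: str) -> None:
        dev.state = State.QUARANTINED
        dev.reason = reason
        self.notifications.append(f"{dev.mac} quarantined: {reason}")

    def release(self, mac: str, operator: str) -> bool:
        """Release only via an out-of-band operator action, never on the device's request."""
        if not operator:
            return False
        dev = self.devices[mac]
        dev.state = State.NORMAL
        dev.reason = ""
        self.notifications.append(f"{mac} released by {operator}")
        return True


def run_scenario(allow_self_remediation: bool) -> Tuple[List[str], List[str]]:
    """Constructed traffic from one device: in-profile, violating, portal, 'unquarantine' signal."""
    ep = EnforcementPoint(allow_self_remediation)
    ep.register(Device("aa:bb:cc:00:00:01", {("updates.vendor.example", "tcp", 443)}))
    traffic = [
        Packet("aa:bb:cc:00:00:01", "updates.vendor.example", "tcp", 443),  # in MUD profile
        Packet("aa:bb:cc:00:00:01", "198.51.100.7", "tcp", 23),              # outside profile
        Packet("aa:bb:cc:00:00:01", "captive-portal.local", "tcp", 443),     # portal API
        Packet("aa:bb:cc:00:00:01", "mud-controller.local", "udp", 5555),    # "please unquarantine me"
    ]
    decisions = [ep.observe(p) for p in traffic]
    return decisions, ep.notifications


if __name__ == "__main__":
    print(run_scenario(False))   # isolation: portal and signal both dropped
    print(run_scenario(True))    # self-remediation: portal allowed, signal still dropped
```

The point the model makes concrete is that the difference between the two positions is exactly one rule in the quarantined branch; everything else, including who gets notified and who may lift the quarantine, is the same.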