Re: [Mud] [Last-Call] Opsdir last call review of draft-ietf-suit-mud-06 (fwd) Hannes Tschofenig: Re: [Last-Call] Opsdir last call review of draft-ietf-suit-mud-06
Michael Richardson <mcr@sandelman.ca> Fri, 22 December 2023 16:03 UTC
Return-Path: <mcr@sandelman.ca>
X-Original-To: mud@ietfa.amsl.com
Delivered-To: mud@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1FFC0C14CF0C for <mud@ietfa.amsl.com>; Fri, 22 Dec 2023 08:03:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sandelman.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YM1iJhTqfvtk for <mud@ietfa.amsl.com>; Fri, 22 Dec 2023 08:03:13 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B5203C37DD46 for <mud@ietf.org>; Fri, 22 Dec 2023 07:30:39 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id EA27C1800F for <mud@ietf.org>; Fri, 22 Dec 2023 10:30:38 -0500 (EST)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id zBah-2vPpYf1 for <mud@ietf.org>; Fri, 22 Dec 2023 10:30:37 -0500 (EST)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 6F4221800C for <mud@ietf.org>; Fri, 22 Dec 2023 10:30:37 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sandelman.ca; s=mail; t=1703259037; bh=iGNjeyjaJ+nNPxyNnadQ0w5h0q7rkP2dcV6ihMsW3yE=; h=From:To:Subject:Date:From; b=MYraAEga4PlcrmcaIAJBn6IpCiurbtdYFI6+nfs797D95SwezRpQeAWt10PkcxeLs jVAaYljjGIepkvnhche2gbJ5hgL5vg2jlCtlr6XzAHLFENg76qO9DH5LoIAwGcGaFP kDXW++tDbLZU9SMWRpr5ov2A7kb5S7qUJa9D9mpCO9x2KiCck4+99kU4+8bJoTZCV3 MsrLN9cSsCsvtBu03mQPITq1Vry/wayX48ZEMVhPMygd4LsL8F8sBwQjSQUnxA+Ozk UxL4HU2qAHwmidQ6U5Atrjt2s++QJ9zUvOja52twOsyipFX2hxS5JtMpZcri1Jtnuw 47TnFAHkDgU8Q==
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 6B6A916E for <mud@ietf.org>; Fri, 22 Dec 2023 10:30:37 -0500 (EST)
From: Michael Richardson <mcr@sandelman.ca>
To: mud@ietf.org
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 28.2
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: message/rfc822
Content-Disposition: inline; filename="772"
Content-Description: forwarded message
Date: Fri, 22 Dec 2023 10:30:37 -0500
Message-ID: <23073.1703259037@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mud/Hn_0ct-esDPz-rP9PSpBuMFUUlw>
Subject: Re: [Mud] [Last-Call] Opsdir last call review of draft-ietf-suit-mud-06 (fwd) Hannes Tschofenig: Re: [Last-Call] Opsdir last call review of draft-ietf-suit-mud-06
X-BeenThere: mud@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of Manufacturer Ussage Descriptions <mud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mud>, <mailto:mud-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mud/>
List-Post: <mailto:mud@ietf.org>
List-Help: <mailto:mud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mud>, <mailto:mud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Dec 2023 16:03:19 -0000
--- Begin Message ---Hi Susan, thanks for your detailed review. You are correct that this document does not address operational aspects of the MUD Manager and this is certainly something the OPSAWG working group should address since this document is a tiny extension to the already existing MUD RFC. Along these lines you are also correct that the document does not define any mechanism for the MUD Manager to notify the operator about any error situations with the processing of MUD files and/or SUIT manifests. I will reach out to Eliot and the OPSAWG working group to think about standardization work in this direction. I have updated the draft to better explain how the different URIs are passed around. I also added a figure to illustrate it graphically. Attestation Evidence, which is used to convey information about the MUD URL, also allows the network to double-check the firmware/software (and other properties of the device). We didn't go into any details about how Evidence is processed because this is part of different documents, like the RATS architecture RFC. I hope the updated text clarified these aspects. Regarding the CDDL I had a chat with Brendan and we will make an update. Ciao Hannes Am 04.12.2023 um 16:19 schrieb Susan Hares via Datatracker: > Reviewer: Susan Hares > Review result: Has Issues > > Overall comment: > Qualifications: I am not an expert on SUIT implementations or an operator of > networks using SUIT. Therefore, my issues may be covered by some general > security considerations in a document I am not aware of. > > General comments to authors: This feature is clearly described in this > document. Brendan and Hannes did an excellent job of writing the document. > > Security/Operational Issues: > > The security of MUD URLs may move the attacks from individual devices to the > MUD Manager. (Instead of a single lemming going over the cliff, a MUD manager > may send many lemmings over the cliff). This document does not seem to consider > the operational issues in the MUD Manager or provide mechanisms on how to check > for these attacks (e.g. Yang modules with operational state). > > 1. An Attack on the MUD Manager can shut down or subvert the entire network. > > It is not clear how the operator knows an attack on the MUD Manager is happening > or occurred. If the MUD Manager pulls in broken SUIT manifests and > then pulls in broken software/firmware based on the SUIT manifests > how does the operator know? In other words what device watches > that the MUD Manager is not subverted via a management protocol? > > I do not see any operational state in the MUD Yang module [RFC8620 section 2.1] > It would seem natural to have some operational state in the MUD Manager reports > manifest state. Yang's notif protocols could report any manifest state change > (over secure TLS connections) to a centralized security server. > > 2. For secure URLs transmitted by 802.1X with certificates, > Why are these not a "double-check" on the validity of the software? > > Again, it would seem natural to utilize these secure certificates as > "double-checks" on the MUD Manager being "in-sync" with the devices. > > 3. As a less secure double-check on being "in-sync", is the reporting of > MUD URL sent via MUD Devices via DHCP or LLDAP that is not what is in the > manifest. > > These reporting features are useful in transition scenarios as well as > detecting attacks on the MUD manager. > > Editorial nits: > > 1. section 1, last paragraph, sentence 2 > > Old text: /can get/ > New text: /has/ > > English grammar > > 2. Just for my sanity, would you check the following text is correct > > $$SUIT_severable-members-extensions //= ( > suit-manifest-mud => bstr .cbor SUIT_MUD_container > ) > It appears you are looking to define a CBOR Type for the > the SUIT_MOD_container is defined in the text. > > What I think I'm missing is the .cbor value for SUIT. > It looks correct, but I could not derive this from draft-ietf-suit-manifest-24: > > SUIT_Severable_Manifest_Members = ( > ? suit-payload-fetch => bstr .cbor SUIT_Command_Sequence, > ? suit-install => bstr .cbor SUIT_Command_Sequence, > ? suit-text => bstr .cbor SUIT_Text_Map, > * $$SUIT_severable-members-extensions, > ) > > And your IANA definitions of: > > IANA is requested to add a new value to the SUIT envelope elements registry > created with [I-D.ietf-suit-manifest]: Label: TBD2 [[Value allocated from the > standards action address range]] > > Name: Manufacturer Usage Description (MUD) > Reference: [[TBD: This document]] > > Again, this may be due to my incomplete understanding. > This is why this is a NIT rather than an Issue. > > > -- last-call mailing list last-call@ietf.org https://www.ietf.org/mailman/listinfo/last-call--- End Message ---
- Re: [Mud] [Last-Call] Opsdir last call review of … Michael Richardson