Re: [Mud] how to increase trust in MUD URL
Michael Richardson <mcr+ietf@sandelman.ca> Wed, 22 January 2020 21:35 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: mud@ietfa.amsl.com
Delivered-To: mud@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3EB45120045 for <mud@ietfa.amsl.com>; Wed, 22 Jan 2020 13:35:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UzOYMMQw43pD for <mud@ietfa.amsl.com>; Wed, 22 Jan 2020 13:35:10 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9398612001B for <mud@ietf.org>; Wed, 22 Jan 2020 13:35:10 -0800 (PST)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 5E9D23897E; Wed, 22 Jan 2020 16:34:36 -0500 (EST)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id E40A0C69; Wed, 22 Jan 2020 16:35:08 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: mud@ietf.org
cc: "M. Ranganathan" <mranga@gmail.com>, Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
In-Reply-To: <CAHiu4JOXOAt2U5soxrHB2D8EMxwkQ-tKv62F2vxAVPdvqAgfzg@mail.gmail.com>
References: <157918044299.26236.8163535356477976451.idtracker@ietfa.amsl.com> <CAFpG3gehp98VB2RpL6LenRJsV=RRQ=1jCTX7mcrmd27pzkYqfg@mail.gmail.com> <CAFpG3gek8qrHjN5LNQUrRrS9+zFuVQQ4y+XorRrr5xySs2fP1g@mail.gmail.com> <20570.1579314460@localhost> <30267.1579654985@localhost> <9b50e4ca-d516-3f3b-5992-1695f8147d18@sit.fraunhofer.de> <30626.1579713687@localhost> <CAHiu4JOXOAt2U5soxrHB2D8EMxwkQ-tKv62F2vxAVPdvqAgfzg@mail.gmail.com>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 25.1.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="==-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Wed, 22 Jan 2020 16:35:08 -0500
Message-ID: <428.1579728908@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mud/IbQhS9IL6pUU22FPw4lJimMxu4M>
Subject: Re: [Mud] how to increase trust in MUD URL
X-BeenThere: mud@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of Manufacturer Ussage Descriptions <mud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mud>, <mailto:mud-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mud/>
List-Post: <mailto:mud@ietf.org>
List-Help: <mailto:mud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mud>, <mailto:mud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jan 2020 21:35:13 -0000
M. Ranganathan <mranga@gmail.com> wrote: > On Wed, Jan 22, 2020 at 12:21 PM Michael Richardson > <mcr+ietf@sandelman.ca> wrote: >> >> >> Henk Birkholz <henk.birkholz@sit.fraunhofer.de> wrote: > On 22.01.20 >> 02:03, Michael Richardson wrote: >> But, updating the URL in IDevID is >> difficult to do. Quite reasonably it might >> be impossible without a >> device recall. The IDevID version is much easier to >> invest trust >> into. And it clearly links back to the manufacturer. >> >> > This is one of the biggest issues that came to my mind ad-hoc. Is >> changing > the URI really an option? I would assume this type of >> encapsulation is > trustworthy, I think. >> >> Changing the URI in an IDevID is not, in my opinion, feasible. While >> I can imagine ways for an IDevID to be renewed online, I would prefer >> that it be buried so deep into the TPM that it can't be changed in the >> field. > I see some words to the contrary in > https://tools.ietf.org/html/draft-richardson-opsawg-mud-acceptable-urls-00 > i.e. I see the following: > "The DHCP and LLDP mechanisms are not signed, but are asserted by the > device. " > Why can't the MUD URL emitted by the device using DHCP be signed with > the device private key? It could be. Bud: a) we haven't defined the MUD DHCP extension that way. We could probably sign the entire DHCP request with RFC3110. I've done this in the distant past. b) it doesn't gain us anything. It's not a signature from an IDevID (or LDevID) that is interesting. The malware, having taken over the device could do that. That could be as easy, on a *nix machine, as dropping a file into /etc/dhclient.d/ with the new MUD URL, and the DHCP mechanism would sign it for you. What we want is a signature from the manufacturer, or possibly, as Eliot suggests, from a TEE/TPM. But, how does it know what the MUD URL for this firmware is? And, if you've got all that, then you have remote attestation anyway, so why not just have the RATS Verifier provide the MUD URL as part of the Attestation Results? Since remote attestation is not going to be common case for home appliances in the near future (not because the devices are incapable, but because the homes are ill-equipped [%]), what we can do do today to easily keep the MUD URL from changing too much, without locking it down completely? [%] - the lack of equipment to do remote attestation also means that probably also has no secure controller to do onboarding, or evaluate the IDevID. So, MUD will be TOFU. Henk Birkholz <henk.birkholz@sit.fraunhofer.de> wrote: Henk> If you do not allow for a MUD URL to change, you avoid a lot of Henk> complexity. The simplicity of MUD is one of its main selling Henk> points. Eliot had previously convinced me that updating the MUD file in place was probably workable, and this was not that big a deal. The TLS profile convinces me otherwise. The need to pin the manufacturer signature probably deals with a lot of the changes that we might need. Eliot Lear <lear@cisco.com> wrote: >> This is one of the biggest issues that came to my mind ad-hoc. Is >> changing the URI really an option? I would assume this type of >> encapsulation is trustworthy, I think. Eliot> To me this is something that TEEs can really assist with, but we Eliot> may need to think about how the URL is communicated. Should it be Eliot> in an idevid long term or in some other signed object? I think that you really mean a TPM-enabled secureboot environment, which a TEE can implement. If the firmware (update) comes with a signed blob that the boot environment can interpret, then that could also contain a manufacturer signed URL. The SUIT manifest pretty much satisfies this requirement, but we still need a signed thing to put into a DHCP (or LLDP) package. That would likely need to be a simple CoseSign0 object.
-- ] Never tell me the odds! | ipv6 mesh networks [ ] Michael Richardson, Sandelman Software Works | IoT architect [ ] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on rails [
- [Mud] how to increase trust in MUD URL Michael Richardson
- Re: [Mud] how to increase trust in MUD URL Henk Birkholz
- Re: [Mud] how to increase trust in MUD URL Michael Richardson
- Re: [Mud] how to increase trust in MUD URL M. Ranganathan
- Re: [Mud] how to increase trust in MUD URL Henk Birkholz
- Re: [Mud] how to increase trust in MUD URL Eliot Lear
- Re: [Mud] how to increase trust in MUD URL Michael Richardson
- Re: [Mud] how to increase trust in MUD URL Michael Richardson
- Re: [Mud] how to increase trust in MUD URL Ted Lemon
- Re: [Mud] how to increase trust in MUD URL Michael Richardson
- Re: [Mud] how to increase trust in MUD URL Eliot Lear
- Re: [Mud] how to increase trust in MUD URL Michael Richardson