Re: [Mud] [OPSAWG] putting quarantined IoT devices behind a captive portal

Michael Richardson <mcr+ietf@sandelman.ca> Wed, 10 July 2019 00:49 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Eliot Lear <lear@cisco.com>
cc: "opsawg@ietf.org" <opsawg@ietf.org>, "mud@ietf.org" <mud@ietf.org>, captive-portal@ietf.org
In-Reply-To: <EE6AC0E8-0596-4B58-AA38-003078BF4B23@cisco.com>
References: <B8F9A780D330094D99AF023C5877DABAA49CD8C1@nkgeml513-mbx.china.huawei.com> <CAFpG3gc4ijy+xH7O_9EzpzwcROu3XcTA4xpSAH9P+oyhWQzMyg@mail.gmail.com> <4486.1562683318@localhost> <7534958E-E1A6-470D-B4BB-6B88CD27B54C@cisco.com> <27334.1562697538@localhost> <EE6AC0E8-0596-4B58-AA38-003078BF4B23@cisco.com>
Date: Tue, 09 Jul 2019 20:49:23 -0400
Message-ID: <18178.1562719763@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mud/ybR-ch5217oYky7u2Aeutmht0vY>
Subject: Re: [Mud] [OPSAWG] putting quarantined IoT devices behind a captive portal

Eliot Lear <lear@cisco.com> wrote:
    > It’s the following part that I’m thinking about:


...

    >> to retrieve a JSON object telling it that it is captive. At which point, it
    >> can flash a LED, or attempt a firmware upgrade, or maybe just reboot if a
    >> timer goes off.  (%)

    > You are suggesting that a device self-remediate.  Some devices may be
    > able to eventually do that, but I have my doubts.  Were I a hacker, I
    > would have the device pretend to do just that.  And so this ties
    > somewhat to RATS.  I think a MUD extension might be able to help in as
    > much as one could imagine a “remediation” recommendation.

Yes, so a full attack on the IoT device would do what you describe.
A partial attack might miss messing with this.  A reboot might clear out the
malware, or might mitigate it enough (such as going to boot firmware) that it
would permit new firmware to be loaded.

Yes, getting completely out of the quarantine would require either
attestation or human intervention.  But, if the device now has good firmware,
it would be able to send the "please unquarantine me" signal.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [


--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-
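As an added illustration of the device-side behaviour sketched in the quoted text (fetch the captive-portal JSON, then flash an LED, attempt a firmware upgrade, or reboot when a timer goes off), and not code from this thread or from any MUD or captive-portal implementation: the Python below parses a Captive Portal API response (RFC 8908 shape, boolean `captive` member) and applies a hypothetical escalating policy. The thresholds, action names, sample responses and `poll_sequence` helper are all assumptions.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample responses shaped like the Captive Portal API JSON (RFC 8908);
# "captive" is the only required member. Not captured from any real portal.
SAMPLE_CAPTIVE = '{"captive": true, "user-portal-url": "https://portal.example.net/quarantine"}'
SAMPLE_OPEN = '{"captive": false}'


def parse_captive_status(body: str) -> bool:
    """Return the 'captive' flag; reject anything but a JSON object with a boolean flag."""
    doc = json.loads(body)
    if not isinstance(doc, dict) or not isinstance(doc.get("captive"), bool):
        raise ValueError("malformed captive-portal response: boolean 'captive' member required")
    return doc["captive"]


@dataclass
class QuarantineState:
    captive_since: Optional[float] = None  # time at which captivity was first observed
    upgrade_attempted: bool = False


def next_action(state: QuarantineState, captive: bool, now: float,
                upgrade_after: float = 60.0, reboot_after: float = 600.0) -> str:
    """Hypothetical escalating response while the device is held captive.

    'normal' clears the state; 'signal' flashes the LED; 'firmware-upgrade' is tried once
    after upgrade_after seconds; 'reboot' follows after reboot_after seconds once an upgrade
    has been attempted. Release from quarantine stays the network's decision, not the device's.
    """
    if not captive:
        state.captive_since = None
        state.upgrade_attempted = False
        return "normal"
    if state.captive_since is None:
        state.captive_since = now
        return "signal"
    elapsed = now - state.captive_since
    if elapsed >= reboot_after and state.upgrade_attempted:
        return "reboot"
    if elapsed >= upgrade_after and not state.upgrade_attempted:
        state.upgrade_attempted = True
        return "firmware-upgrade"
    return "signal"


def poll_sequence(timed_bodies):
    """Run (timestamp, response body) pairs through the policy and return the actions taken."""
    state = QuarantineState()
    return [next_action(state, parse_captive_status(body), t) for t, body in timed_bodies]
```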