Re: [OPSAWG] Deb Cooley's Discuss on draft-ietf-opsawg-mud-acceptable-urls-11: (with DISCUSS and COMMENT)
Deb Cooley <debcooley1@gmail.com> Sat, 13 April 2024 13:27 UTC
Return-Path: <debcooley1@gmail.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 610CEC14F60E; Sat, 13 Apr 2024 06:27:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.844
X-Spam-Level:
X-Spam-Status: No, score=-6.844 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1lLcRYbrxknq; Sat, 13 Apr 2024 06:27:04 -0700 (PDT)
Received: from mail-il1-x134.google.com (mail-il1-x134.google.com [IPv6:2607:f8b0:4864:20::134]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3A910C14F686; Sat, 13 Apr 2024 06:27:04 -0700 (PDT)
Received: by mail-il1-x134.google.com with SMTP id e9e14a558f8ab-36b1774e453so243125ab.1; Sat, 13 Apr 2024 06:27:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1713014823; x=1713619623; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=RWQ7iTuoU8uw8sDpWXKEiky3mrKPyWXV/VY1xlh3Qxw=; b=Wgw1gW0WuZgTn3ZU2wcHmwWXOe4oLCv5DtVfJCZ0FuYvrmZPPqWeHMJF+uoBwQRToZ l3qbiK8sYVrin8zdw678ZclCZqNh/C7wBdg0VMJ6LglZ0+pLxDoTV+svYZao8sWlHDfH jgeuYK/QtK3mtjOWZDA3nHEPR7HBcLhRh6+1sf5xvUv2uaUrm2DSv8M4tHd4pA2Ezx1G oyx+XnfVWJJOoObc7E803EpqXxcjsmJwSNJAhIi7PfOXQgOirVxCgjbpy5A9+lp98Uo6 STasWBx0nB+JsshjPfFMtwVyTYlkRUL2OM7jsanFiUDdeYWJhMk9jjkM786LBns3nhEh 92/g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713014823; x=1713619623; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=RWQ7iTuoU8uw8sDpWXKEiky3mrKPyWXV/VY1xlh3Qxw=; b=bKt1rB3Jn4TClLfKQ6QvhzeKDL9NuduAJGacUK/UDiqtFaC+HGDoizmASb7stlUXtw ll/c8VDi7soc+GZ3HBFFTxf/ay1z9kXK8sIc2O55FBi5TWMXEXPcGTi0+q8JFyLB0Wzw 3tQU3M1BV6RVj2oiA04UYIjApxxorSmSfZWYl4ZmDC5mnYF1tMfsZFWQLWF7cwrafHIf dxAj78RLtjP4ZvwW4tv1kWyu/akOVkvJky1R0XvWpqPZ26RvuzooSKVDE3TL2L6/mtTd 2rx6a9yM3WB/1Ku8mrl/F4GjCHtcJzhyAg383cEnLFVkQQ1rMLXemib4K1Ev5r8USXJT r/cg==
X-Forwarded-Encrypted: i=1; AJvYcCXQyBnY/TWSJAyi/KCmvsmU/tpq59xmx4A/DuR2pzOnm6he3Es33CAhpauSnb9NDraFf5IFN7i50/PdddU4sowuIuDiRSfGx7/khUZtf3BVUFQcJ0mCivftVb5ILLXwpzZguiSqlcLasjspF2KvbaIu2VmWt65ea8M4VCQM88ar+QLczYYZNeM=
X-Gm-Message-State: AOJu0Yz9yB0ipUTHOQZ72OtdOkdgKiZ/jKKx2cdIRGq3H5g/F5Z4wH/o 2WX70j7+XVNgMk/ezk7PRcSB3/z0wGcnSenYgbHXe2ni/hdeZAHsPTo+ZQbnoeOOhLDsNFaTI5r iKtlf8WpkSE5G5+CaxjdZbG6UNYN1
X-Google-Smtp-Source: AGHT+IE1vyjLKNYdm0XSeGStZcLw3EZpeGJWNKimkESNvHKKvTehnUDanQEm7PHhjVR9fg4EZO11FtFqvNZoLDkMy/g=
X-Received: by 2002:a05:6e02:18cc:b0:36b:80d:b930 with SMTP id s12-20020a056e0218cc00b0036b080db930mr5920821ilu.26.1713014822994; Sat, 13 Apr 2024 06:27:02 -0700 (PDT)
MIME-Version: 1.0
References: <171223113635.18757.2029607792392526207@ietfa.amsl.com> <8c09e877-dfc4-4fd9-9242-b55ee70ab5a8@lear.ch>
In-Reply-To: <8c09e877-dfc4-4fd9-9242-b55ee70ab5a8@lear.ch>
From: Deb Cooley <debcooley1@gmail.com>
Date: Sat, 13 Apr 2024 09:26:40 -0400
Message-ID: <CAGgd1OcWTedxG_6kL-Jx_ugpruFqeA+Rg--bOKrqpmEMJ=OUAA@mail.gmail.com>
To: Eliot Lear <lear@lear.ch>
Cc: The IESG <iesg@ietf.org>, draft-ietf-opsawg-mud-acceptable-urls@ietf.org, opsawg@ietf.org, opsawg-chairs@ietf.org
Content-Type: multipart/alternative; boundary="000000000000050ab90615fa58d1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/-GUH0AGbRq2M2S9CWiHlj0CKgig>
Subject: Re: [OPSAWG] Deb Cooley's Discuss on draft-ietf-opsawg-mud-acceptable-urls-11: (with DISCUSS and COMMENT)
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 13 Apr 2024 13:27:08 -0000
Thanks for the site config fix. 802.1AR you say? No mention of 802.1 in the draft at all. If the PKI rules are different in 802, seems like that would be good to at least mention. At least distinguish whether we are talking about L2 or L3 (or app layer - wherever HTTPS lives) Deb On Thu, Apr 4, 2024 at 8:26 AM Eliot Lear <lear@lear.ch> wrote: > Hi Deb, > > On 04.04.2024 13:45, Deb Cooley via Datatracker wrote: > > > > Shepherd writeup: It would be nice to enumerate the manufacturers that > have > > implemented this concept. The link to 'https://mudmaker.org' causes my > browser > > to throw big flashy warning signs. When I click through them, it tells > me to > > 'GO AWAY'. fun... > > Hi Deb. There was a config error on a server. It's fixed. Thanks for > pointing it out. > > > > Section 3.1 upgrade causes vulnerabilities: One would think that this > > situation should be avoided at all costs. There could be a way for the > device > > to signal which version of F/W it is running, allowing the MUD file to be > > tailored. > > This may or may not be possible. It depends on how the MUD URL is > communicated. If it's communicated in a certificate, then the cert > would have to change, and as 802.1AR makes clear, that's not supposed to > happen. I hold out hope that SUIT will provide a better path here, but > these are still early days. > > I should point out that in the vast majority of cases, a MUD URL rarely > has to change because you can have a superset of access that won't be at > all harmful (a good example would be adding a new new endpoint that is > used by new versions). The corner case is primarily about services > being turned off. > > > > > Section 3.2: The same applies for this section as well. False > positives can > > be just as dangerous (because they bury the real positives). > > > > Section 4: Updating IDevID URLs can't be updated with a F/W update? F/W > > updates are signed by the manufacturer's signing key, correct? > > See above. Not permitted by 802.1AR. But there may be a more SUITable > fix over time. > > I'll leave the the rest to Michael. > > Eliot > > > > > Section 4.2: Just how hard would it be to specify the CA certificate > paired > > with a subject name (subject alt name, or CN)? Seems like this is more > secure > > than your proposed methods. Oddly enough, Section 5.1 proposes this. > > > > Section 5, last para: Instead of subject names, SKI should be used > [RFC5280, > > section 4.2.1.2]. This can be easily checked in a certificate validate > that is > > presented. > > > > Section 5.2: Can't this be used all the time? > > > > Section 5.3.3: Classically to change a 'root' one signs the new with > the old > > and signs the old with the new. If it is done this way, I suspect one > could > > change whatever names, CAs one needs to change. > > > > Section 7: One might argue that the use of server authenticated TLS > might > > mitigate a bunch of concerns. > > > > Section 9. This is confusing. Please seperate the before issues and the > after > > issues into seperate sections (at least). There are many potential > > vulnerabilities listed earlier in the draft. Please consolidate those > here > > (possibly with draft section links to where the mitigation is suggested). > > > > > > ---------------------------------------------------------------------- > > COMMENT: > > ---------------------------------------------------------------------- > > > > > > Nits: > > Section 1, para 6: change 'check the signatures, rejecting files whose > > signatures do not match' to '... whose signatures do not validate'. > Using > > language like 'match' leads to bad behavior, when the entity should be > taking a > > positive action to validate the signature. > > > > Section 9, last sentence: jargon? I'm not sure I know what this means, > and > > English is my (only) language. > > > > > > > > _______________________________________________ > > OPSAWG mailing list > > OPSAWG@ietf.org > > https://www.ietf.org/mailman/listinfo/opsawg > > >
- [OPSAWG] Deb Cooley's Discuss on draft-ietf-opsaw… Deb Cooley via Datatracker
- Re: [OPSAWG] Deb Cooley's Discuss on draft-ietf-o… Eliot Lear
- Re: [OPSAWG] Deb Cooley's Discuss on draft-ietf-o… Michael Richardson
- Re: [OPSAWG] Deb Cooley's Discuss on draft-ietf-o… Deb Cooley
- Re: [OPSAWG] Deb Cooley's Discuss on draft-ietf-o… Deb Cooley
- Re: [OPSAWG] Deb Cooley's Discuss on draft-ietf-o… Eliot Lear
- Re: [OPSAWG] Deb Cooley's Discuss on draft-ietf-o… Deb Cooley