Re: [OPSAWG] Eric Rescorla's Discuss on draft-ietf-opsawg-mud-20: (with DISCUSS and COMMENT)
Eric Rescorla <ekr@rtfm.com> Mon, 16 April 2018 14:04 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66B22127137 for <opsawg@ietfa.amsl.com>; Mon, 16 Apr 2018 07:04:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uhxGSSy1PrPq for <opsawg@ietfa.amsl.com>; Mon, 16 Apr 2018 07:04:20 -0700 (PDT)
Received: from mail-ot0-x22b.google.com (mail-ot0-x22b.google.com [IPv6:2607:f8b0:4003:c0f::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EFC1012D952 for <opsawg@ietf.org>; Mon, 16 Apr 2018 07:04:11 -0700 (PDT)
Received: by mail-ot0-x22b.google.com with SMTP id v64-v6so17469901otb.13 for <opsawg@ietf.org>; Mon, 16 Apr 2018 07:04:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=BJHnIvSOlLh/elljDfyHlIRZbqx9Yp2rl+WmuB4wlNk=; b=rv2/LgLya5ez+oHIBuUF7DmYhL+6JpiZJQO11H18VyM+XpMkKt8WEdzQpMDRfdFOQc f/Pfvb0Bq7WOj+t4oUh7ntlaVQl0+U0sPPxtZe7sVLI7AmujdNY51AeQptLoahbFe/FV zDsSQ3NezyDjTbnTULtvzqaFaE//eP9xdUNZAN/I5366rZZ3KZZ26MLvnJTpsRYjQBis HE6b7TYul9EuGhV6Nh4X+1DVDGmIvlhXoQ8/ADlB+MROOdAgR7efRKCgELOhX6Hlz268 tRduE1UhJqdhzUsL83cRjdpOX5ZYzzycE7A662ZOqkXio+02bd2O5Ge+cfwz/06Bg4HY KtzQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=BJHnIvSOlLh/elljDfyHlIRZbqx9Yp2rl+WmuB4wlNk=; b=ec1Ik4ThIvmUZd37f2GphXFq53iVCaKYv/nFFtFtzAVR0CKAIBSRSWr9j00QWqmWPI jReMPInUYDyIx/5q/sklBHgpYvbvXBVw9boshPxPoB50JcDMVqSCmg0HzeREffhl/5OE tjKyb0zXfWuSqQ8XHuZeRV0rvpbAALZJfLWetuQlsJfkYgV50KFR1D+usHJOaESzhV7A 52RMQX4MErAeOFA5n3CTAaPnynNxOz8gK0N6hOSrzHZOUOtCXq5peHTvJ3PIY7LlBaEE U3i+pYy9a9PS3bzu6fGU/q3IXGeBda28RCAi8RpLy+Rmphs0PioXIeW9JrzK2Z3L/ERA 8Rqg==
X-Gm-Message-State: ALQs6tCcUrs+oax+rjJ2d+rZI1EVl1gzd8qRZzOrFjVAmlXa+i7At/k0 rPNy4aOX85CI/zcNJqq/pZgKRdaK6rjm0BXU5IW9XA==
X-Google-Smtp-Source: AIpwx4/V15xRa3ZJH1EAGUs1wo8eZN3v9zlC/iAvf/281IXh68mbAbalWGNu+DOWWBeiHbFdax+W2kzGIm2rMWG2qGE=
X-Received: by 2002:a9d:2a4f:: with SMTP id t73-v6mr3770811ota.392.1523887449947; Mon, 16 Apr 2018 07:04:09 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.138.18.132 with HTTP; Mon, 16 Apr 2018 07:03:29 -0700 (PDT)
In-Reply-To: <20ed5819-a47a-be0d-712a-6e3f566393ee@cisco.com>
References: <152379196417.19651.6380075441438812361.idtracker@ietfa.amsl.com> <55cc525b-b85c-7316-4b2c-d0d32135a20f@cisco.com> <CABcZeBM5KR210g2QrAUCNDsiv+yun7QTZFggydh=Gf4-Ai6eSQ@mail.gmail.com> <591a7d2b-5379-0eff-2a0e-72e9394e64c1@cisco.com> <CABcZeBPmBCJnnmG1=0SW-3PLcxHPaNCVzQCc62xsYRyWM-4d5Q@mail.gmail.com> <20ed5819-a47a-be0d-712a-6e3f566393ee@cisco.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 16 Apr 2018 07:03:29 -0700
Message-ID: <CABcZeBNT5PkcCWrkFCuDzw6MDZVcfNOfSVn6Z+NR6RSPNOTXAg@mail.gmail.com>
To: Eliot Lear <lear@cisco.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-opsawg-mud@ietf.org, Joe Clarke <jclarke@cisco.com>, opsawg-chairs@ietf.org, opsawg@ietf.org
Content-Type: multipart/alternative; boundary="00000000000021d50a0569f7b2e4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/2KU_Seafg39di3usi1lqnkbI1_g>
Subject: Re: [OPSAWG] Eric Rescorla's Discuss on draft-ietf-opsawg-mud-20: (with DISCUSS and COMMENT)
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Apr 2018 14:04:30 -0000
On Mon, Apr 16, 2018 at 6:55 AM, Eliot Lear <lear@cisco.com> wrote: > Hi Eric, > On 16.04.18 14:25, Eric Rescorla wrote: > > Hi Eliot, > > Thanks for continuing the conversation. My question is how this fits into > the system as a whole. > > ISTM that there are two ways in which a MUD policy can affect the > network's behavior: > > - Additive -- it lets the device do things it otherwise might not be > permitted to do (e.g., accept incoming TCP connections) > - Restrictive -- it stops the device from doing things that it otherwise > would be permitted to do (e.g., make connections to IP addresses on non-443 > ports) > > > What you describe is the choice of the network administrator, and not the > standard nor the manufacturer. You are essentially asking, “what is the > default policy? > No, I'm not asking that. What I'm looking for is the document to describe the various use cases and ensure that the mechanisms it provides actually be able to effect those use cases. In the former case, it's very important not to be able to forge acceptable > MUD policies, but in the latter case, an attacker can just not serve *any* > MUD policy and be in a stronger position than they would be if they had a > valid policy,[...] > > > And so that will depend on the deployment. And many of the attacks would > be detectable. > How would those attacks be detectable? I should mention one use case that I did think of, where additive would be > immediately useful: "This device is made by the same manufacturer as > another device (and hence they can talk to each other). However, I note > that MUD is actually not capable of securely conveying that, because > there's no proof that the device in hand actually is made by the > manufacturer, only that it possesses a public credential for some device > made by that manufacturer. > > > That is the point of building out a PKI, and as I wrote, there are some > interested in providing what amounts to a certification for this purpose. > This is also something the MUD manager can take on: as time goes on it can > white list signers, and it can flag devices that are not recognized as > being risky. In addition, if you have someone willing to take > accountability for that device to lay a claim, it may not be "proof", but > that is good enough in an enterprise environment, where someone can be > called to account for having added the device. > Well, there are two types of PKI here: 1. The one associated with the device certificate 2. The one associated with the MUD signature. My point is that only the former provides any assurance that the actual device has anything to do with the manufacturer. In the latter case, I can just stuff the URL of any manufacturer's MUD policy in my device that I please. -Ekr
- [OPSAWG] Eric Rescorla's Discuss on draft-ietf-op… Eric Rescorla
- Re: [OPSAWG] Eric Rescorla's Discuss on draft-iet… Eliot Lear
- Re: [OPSAWG] Eric Rescorla's Discuss on draft-iet… Eric Rescorla
- Re: [OPSAWG] Eric Rescorla's Discuss on draft-iet… Eliot Lear
- Re: [OPSAWG] Eric Rescorla's Discuss on draft-iet… Eric Rescorla
- Re: [OPSAWG] Eric Rescorla's Discuss on draft-iet… Spencer Dawkins at IETF
- Re: [OPSAWG] Eric Rescorla's Discuss on draft-iet… Eliot Lear
- Re: [OPSAWG] Eric Rescorla's Discuss on draft-iet… Eric Rescorla