IETF Logo Mail Archive

Re: [OPSAWG] CALL FOR ADOPTION: draft-reddy-opsawg-mud-tls

tirumal reddy <kondtir@gmail.com> Sun, 20 September 2020 08:00 UTC

Return-Path: <kondtir@gmail.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 262C33A112E for <opsawg@ietfa.amsl.com>; Sun, 20 Sep 2020 01:00:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DN7mCSh6z4iD for <opsawg@ietfa.amsl.com>; Sun, 20 Sep 2020 01:00:22 -0700 (PDT)
Received: from mail-io1-xd2f.google.com (mail-io1-xd2f.google.com [IPv6:2607:f8b0:4864:20::d2f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 360483A1129 for <opsawg@ietf.org>; Sun, 20 Sep 2020 01:00:22 -0700 (PDT)
Received: by mail-io1-xd2f.google.com with SMTP id y74so12045058iof.12 for <opsawg@ietf.org>; Sun, 20 Sep 2020 01:00:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=z+IlzD1e09DEBxBx5YuCTM/VrBEjZvfoQ/69q2zzYBY=; b=c3P/aCLjvr5tYTiG8ZVgPCzd6NSzhRmvLm8v8jXxP+3rixLS9Uxvadk1qcQz4gbcVH KYOlA1+Pa4HAKJUuJSs1WIR2Jj1N2282dlm4Bnwi/VwY6ZRABK6Wj989BTXs2VSSllVn UHGzoCwFszMQKWGF4n+k8gxNRXggEDysxbxIju9jhRHIUOQIwYYKy7sAY2IUnHBR/Zrp lU44xdDwppRRQpBbis5EddlCGeUho8j4sn48rv9J8ggDBA4J03/Y9Yh72Q81omaqCDwK scMkNhRJj/YwCUNG/nImGokEB1aOtfKNTBjmyifnapbkExytZuQd4oJEgv0nWyZd+dbU uVPw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=z+IlzD1e09DEBxBx5YuCTM/VrBEjZvfoQ/69q2zzYBY=; b=mavjms8mWXZzb6IbN6/eRNcY2zB9eZRPY0jame8S+LFy2VbXE0+lnx/D9LLfWkOdQS B8XEiAgut/nj4+e6G329c6cIry6bL6rJLtqTFm47rR4yElN2VvhbAfdjKGYHsBICyRqr lrFFuGLPihrjrpV258w9Y0qgzinJ4gV9WMsF1lRnmWqJGPRJSH4DViXTeuMzY5BCmV9U 5iUlF5cECrNa+ugtXdIRXjz/iY9p6PpBzdMhFD8A2PF9lGHtxKleMFSObuzJ05Ngpy2E n5Eg1Hi/sfuMtsAhcbOAWcqZn2BIviwCL5bYzS9WHABj1XzPoEX2Cd5z+K7ZPn1jqsQq Q+5g==
X-Gm-Message-State: AOAM531gZqU/Y8GnAJHDe2JdKQX7KShoGSda/p6m8DNwDs6AGMG48GCp zPjN9WB/N+RdApYO7pPqs4KkA1qFa+fd3FMkslg=
X-Google-Smtp-Source: ABdhPJw9qBNGMVtpQUtrNGrmndNT1AQay5Vi1rpntkLOSbw/TG6caODuQLX3s/8WSFQ7/l5zsrkghc7/JYMQ9YGL+c8=
X-Received: by 2002:a6b:d908:: with SMTP id r8mr32948008ioc.21.1600588821363; Sun, 20 Sep 2020 01:00:21 -0700 (PDT)
MIME-Version: 1.0
References: <21BA8D05-DD83-44DE-81B9-457692484CAD@cisco.com> <CAFpG3gdTHaEXAy7vCHpRyZWK-ZUWL14FDK-CeeihD641_ui_KA@mail.gmail.com> <CAAeK7PuKQO=SdwNZ6+9TyjvLgdhzhAjna4zEuMYOZLv63T9Pvg@mail.gmail.com>
In-Reply-To: <CAAeK7PuKQO=SdwNZ6+9TyjvLgdhzhAjna4zEuMYOZLv63T9Pvg@mail.gmail.com>
From: tirumal reddy <kondtir@gmail.com>
Date: Sun, 20 Sep 2020 13:30:09 +0530
Message-ID: <CAFpG3gfLCdPVv9tOaZiPrj=Dt187armXMHR7fAfb-mujpKKPxg@mail.gmail.com>
To: Sandeep Rao <sandeeprao.ietf@gmail.com>
Cc: opsawg <opsawg@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000002101f305afba202b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/6D4pN8dbk0UgRx-hwFLhcwGoRhQ>
Subject: Re: [OPSAWG] CALL FOR ADOPTION: draft-reddy-opsawg-mud-tls
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 20 Sep 2020 08:00:24 -0000

Hi Sandeep,

Please see inline

On Wed, 16 Sep 2020 at 02:35, Sandeep Rao <sandeeprao.ietf@gmail.com> wrote:

> Hi,
>
>
> I have read this document and its support adoption here.
>
>
> There’s one comment,  maybe the authors can clarify this in the draft.
>
>
> I believe though not widely used, was recently involved in a talk about
> usefulness of TLS session resumption in IoT implementations to improve
> session establishment efficiency and speed.   As the resumption handshake
> would not carry the typical ClientHello parameters , how would the MUD IoT
> firewall profile such legitimate ingress with no specific profile
> parameters or indications in the handshake ?
>

The client does not know whether the server will honor the ticket or not,
it will include all the ClientHello parameters (see
https://tools.ietf.org/html/rfc5077 and
https://tools.ietf.org/html/rfc8446#section-2.2) to allow the server to
decline the resumption and fall back to a full handshake.


> Probably this is expressed in ‘mud-tls-profile’ with an attribute such as
> “sessionTicket” : "T/F" or  in “extension-types” indicating the
> possibility of such behaviour of the IoT device and let Firewall handle it
> in its implementation.  Will help to get some clarity around this in the
> document.
>

In TLS 1.2, SessionTicket is an extension (see value 35 in
https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml).
If the client supports this extension, it will be included in the
"extension-types" list defined in the YANG module.

TLS 1.3 obsoletes the session resumption mechanism in TLS 1.2 and defines a
new session resumption mechanism in the base TLS 1.3 spec (RFC8446) itself.
In other words, TLS 1.3 clients will always support session resumption
(unlike TLS 1.2 clients).

Cheers,
-Tiru


> Thanks
>
> -Sandeep
>
>
>>
>> ---------- Forwarded message ---------
>> From: Joe Clarke (jclarke) <jclarke=40cisco.com@dmarc.ietf.org>
>> Date: Wed, 2 Sep 2020 at 20:36
>> Subject: [OPSAWG] CALL FOR ADOPTION: draft-reddy-opsawg-mud-tls
>> To: opsawg <opsawg@ietf.org>
>>
>>
>> Hello, opsawg.  This draft as underwent a number of revisions based on
>> reviews and presentations at the last few IETF meetings.  The authors feel
>> they have addressed the issues and concerns from the WG in their latest
>> posted -05 revision.  As a reminder, this document describes how to use
>> (D)TLS profile parameters with MUD to expose potential unauthorized
>> software or malware on an endpoint.
>>
>> To that end, this serves as a two-week call for adoption for this work.
>> Please reply with your support and/or comments by September 16, 2020.
>>
>> Thanks.
>>
>> Joe and Tianran
>> _______________________________________________
>> OPSAWG mailing list
>> OPSAWG@ietf.org
>> https://www.ietf.org/mailman/listinfo/opsawg
>>
> _______________________________________________
> OPSAWG mailing list
> OPSAWG@ietf.org
> https://www.ietf.org/mailman/listinfo/opsawg
>

v2.23.0 | Report a Bug | By Email