Re: [OPSAWG] Deb Cooley's Discuss on draft-ietf-opsawg-mud-acceptable-urls-11: (with DISCUSS and COMMENT)
Eliot Lear <lear@lear.ch> Thu, 04 April 2024 12:26 UTC
Return-Path: <lear@lear.ch>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB58EC14F5FF; Thu, 4 Apr 2024 05:26:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.887
X-Spam-Level:
X-Spam-Status: No, score=-5.887 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_ALL=0.8, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SPF_HELO_PERMERROR=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=lear.ch
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ha0Ymu_xuKRH; Thu, 4 Apr 2024 05:26:35 -0700 (PDT)
Received: from upstairs.ofcourseimright.com (upstairs.ofcourseimright.com [IPv6:2a00:bd80:aa::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B7BC8C14F5E3; Thu, 4 Apr 2024 05:26:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=lear.ch; s=upstairs; t=1712233587; bh=r7K5Vtday+9a9tn/uGO8+Yp0yraig9L7QyrKuFCfQQc=; h=Date:Subject:To:Cc:References:From:In-Reply-To:From; b=O/eOurLhGK3/5J5LHApyxk5LfH30HfwCpM7gaUow8WH/Qg2Ypoj5PakKYRkIUO1rZ dLulmKICdC7QBIUjX8UkxdW60y2aeWzJH1I4odQUKtHsPTaP3SaPwJdkUBptoTHegw eyTXgK/Z/HkGPZqfG1TPTotmAcn9N+GNwC/G991Y=
Received: from [192.168.0.99] (77-58-144-232.dclient.hispeed.ch [77.58.144.232]) (authenticated bits=0) by upstairs.ofcourseimright.com (8.15.2/8.15.2/Debian-22ubuntu3) with ESMTPSA id 434CQOJK684974 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO); Thu, 4 Apr 2024 14:26:25 +0200
Message-ID: <8c09e877-dfc4-4fd9-9242-b55ee70ab5a8@lear.ch>
Date: Thu, 04 Apr 2024 14:26:23 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Deb Cooley <debcooley1@gmail.com>, The IESG <iesg@ietf.org>
Cc: draft-ietf-opsawg-mud-acceptable-urls@ietf.org, opsawg@ietf.org, opsawg-chairs@ietf.org
References: <171223113635.18757.2029607792392526207@ietfa.amsl.com>
Content-Language: en-US
From: Eliot Lear <lear@lear.ch>
Autocrypt: addr=lear@lear.ch; keydata= xsBNBFMe1UQBCADdYOS5APDpIpF2ohAxB+nxg1GpAYr8iKwGIb86Wp9NkK5+QwbW9H035clT lpVLciExtN8E3MCTPOIm7aITPlruixAVwlBY3g7U9eRppSw9O2H/7bie2GOnYxqmsw4v1yNZ 9NcMLlD8raY0UcQ5r698c8JD4xUTLqybZXaK2sPeJkxzT+IwupRSQ+vXEvFFGhERQ88zo5Ca Sa1Gw/Rv54oH0Dq2XYkO41rhxQ60BKZLZuQK1d9+1y3I+An3AJeD3AA31fJZD3H8YRKOBgqe ILPILbw1mM7gCtCjfvFCt6AFCwEsjITGx55ceoQ+t5B5XGYJEppMWsIFrwZsfbL+gP31ABEB AAHNGUVsaW90IExlYXIgPGxlYXJAbGVhci5jaD7CwI4EEwECADgCGwMCHgECF4AWIQSY0L2Q Rh2wkqeyYR2HtmtG2dJ6MwUCWxJwMwULCQgHAgYVCAkKCwIEFgIDAQAKCRCHtmtG2dJ6M8KI B/46pFrJX+4Ockl2fHR303ais9Lyx8jv6mXKKOr8WR0UYcJ0syQrhaaZNG1VV98tYQHHK9F5 y7hH4YCsrr3odZ6zoavnx5X1X/2xw8y732f/irVoOOkYLid9IGPxa2e2nYXCZpde5/yvv3we XVE4mG4dEAD5T8iKS4Hz/3fKGJQ15o79Jv92HgC7RpCt0WaiQ0b6acP3PuwjDJzJzLFZzb7j IiB3izxQESSWE1GNRmoAK/k0gW6kmx1/87tQENrK+3Nn4CJSFQWF6entLnY7UeVm95wbMQkJ evwddDWUO2huDbmZnmxgKXGzSSpuNq7n8ICAOlbt0HfdJAZQfy25bwvezsBNBFMe1UQBCAC0 WV7Ydbv95xYGPhthTdChBIpPtl7JPCV/c6/3iEmvjpfGuFNaK4Macj9le20EA5A1BH7PgLGo HOiPM65NysRpZ96RRVX3TNfLmhGMFr5hPOGNdq+xcGHVutmwPV9U7bKeUNRiPFx3YdEkExdd qV2E8FltT0x2FSKe2xszPPHB6gVtMckX5buI9p1K3fbVhXdvEkcYY/jB0JEJGyhS5aEbct5c HUvDAkT81/YFK5Jfg8RRwu1q1t1YuIJSOWAZQ9J9oUsg6D9RpClU+tIFBoe3iTp1AUfJcypu cGKgLYKtpu/aygcpQONHYkYW5003mPsrajFhReVF5veycMbHs4u5ABEBAAHCwF8EGAECAAkF AlMe1UQCGwwACgkQh7ZrRtnSejOSuQgA27p2rYB7Kh20dym6V8c62pWpBHHTgxr/32zevxHS iXl6xvUCg5T8WUwfUk8OvgDcBErK/blDAMXQzSg3sp450JhR8RnXHXF5Zz2T04X7HnlIVJGw f2CjnwyEAJCqMzaCmI+g3Imvg/8L4nyBFvhlFHDv+kIvMiujyycjPAu7xxKplBs1/IEwmDoA MjneFmawvfeQnwdMhSKK8PjKSuzGU5uUmxj3GBfRqvTM0qpmhMPFOmDhJSmH55HLAky2Mlmq JYXJPt/9EfSEhFiua1M6gLiuNEuPkp+8jcnHQqKr0IeHt8UqcwLt2mGfIyl0FVdF9hvWPjNR zGbgqoT1Di03RQ==
In-Reply-To: <171223113635.18757.2029607792392526207@ietfa.amsl.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------ERYnR750WgX5zWljBB0OPXh5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/6DYKI4IxPxIKD8D8dt9_yit8hiU>
Subject: Re: [OPSAWG] Deb Cooley's Discuss on draft-ietf-opsawg-mud-acceptable-urls-11: (with DISCUSS and COMMENT)
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Apr 2024 12:26:41 -0000
Hi Deb, On 04.04.2024 13:45, Deb Cooley via Datatracker wrote: > > Shepherd writeup: It would be nice to enumerate the manufacturers that have > implemented this concept. The link to 'https://mudmaker.org' causes my browser > to throw big flashy warning signs. When I click through them, it tells me to > 'GO AWAY'. fun... Hi Deb. There was a config error on a server. It's fixed. Thanks for pointing it out. > Section 3.1 upgrade causes vulnerabilities: One would think that this > situation should be avoided at all costs. There could be a way for the device > to signal which version of F/W it is running, allowing the MUD file to be > tailored. This may or may not be possible. It depends on how the MUD URL is communicated. If it's communicated in a certificate, then the cert would have to change, and as 802.1AR makes clear, that's not supposed to happen. I hold out hope that SUIT will provide a better path here, but these are still early days. I should point out that in the vast majority of cases, a MUD URL rarely has to change because you can have a superset of access that won't be at all harmful (a good example would be adding a new new endpoint that is used by new versions). The corner case is primarily about services being turned off. > > Section 3.2: The same applies for this section as well. False positives can > be just as dangerous (because they bury the real positives). > > Section 4: Updating IDevID URLs can't be updated with a F/W update? F/W > updates are signed by the manufacturer's signing key, correct? See above. Not permitted by 802.1AR. But there may be a more SUITable fix over time. I'll leave the the rest to Michael. Eliot > > Section 4.2: Just how hard would it be to specify the CA certificate paired > with a subject name (subject alt name, or CN)? Seems like this is more secure > than your proposed methods. Oddly enough, Section 5.1 proposes this. > > Section 5, last para: Instead of subject names, SKI should be used [RFC5280, > section 4.2.1.2]. This can be easily checked in a certificate validate that is > presented. > > Section 5.2: Can't this be used all the time? > > Section 5.3.3: Classically to change a 'root' one signs the new with the old > and signs the old with the new. If it is done this way, I suspect one could > change whatever names, CAs one needs to change. > > Section 7: One might argue that the use of server authenticated TLS might > mitigate a bunch of concerns. > > Section 9. This is confusing. Please seperate the before issues and the after > issues into seperate sections (at least). There are many potential > vulnerabilities listed earlier in the draft. Please consolidate those here > (possibly with draft section links to where the mitigation is suggested). > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > > Nits: > Section 1, para 6: change 'check the signatures, rejecting files whose > signatures do not match' to '... whose signatures do not validate'. Using > language like 'match' leads to bad behavior, when the entity should be taking a > positive action to validate the signature. > > Section 9, last sentence: jargon? I'm not sure I know what this means, and > English is my (only) language. > > > > _______________________________________________ > OPSAWG mailing list > OPSAWG@ietf.org > https://www.ietf.org/mailman/listinfo/opsawg >
- [OPSAWG] Deb Cooley's Discuss on draft-ietf-opsaw… Deb Cooley via Datatracker
- Re: [OPSAWG] Deb Cooley's Discuss on draft-ietf-o… Eliot Lear
- Re: [OPSAWG] Deb Cooley's Discuss on draft-ietf-o… Michael Richardson
- Re: [OPSAWG] Deb Cooley's Discuss on draft-ietf-o… Deb Cooley
- Re: [OPSAWG] Deb Cooley's Discuss on draft-ietf-o… Deb Cooley
- Re: [OPSAWG] Deb Cooley's Discuss on draft-ietf-o… Eliot Lear
- Re: [OPSAWG] Deb Cooley's Discuss on draft-ietf-o… Deb Cooley