Re: [OPSAWG] I-D Action: draft-ietf-opsawg-mud-23.txt
Benjamin Kaduk <kaduk@mit.edu> Mon, 04 June 2018 17:57 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BFB3E130DC0 for <opsawg@ietfa.amsl.com>; Mon, 4 Jun 2018 10:57:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JQ1k0ymBlx_4 for <opsawg@ietfa.amsl.com>; Mon, 4 Jun 2018 10:57:52 -0700 (PDT)
Received: from dmz-mailsec-scanner-4.mit.edu (dmz-mailsec-scanner-4.mit.edu [18.9.25.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 92027130DBE for <opsawg@ietf.org>; Mon, 4 Jun 2018 10:57:52 -0700 (PDT)
X-AuditID: 1209190f-fafff70000007185-f0-5b157d9d8493
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-4.mit.edu (Symantec Messaging Gateway) with SMTP id 9D.FB.29061.D9D751B5; Mon, 4 Jun 2018 13:57:50 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id w54Hvlrl025872; Mon, 4 Jun 2018 13:57:48 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id w54Hvimc031264 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 4 Jun 2018 13:57:46 -0400
Date: Mon, 04 Jun 2018 12:57:44 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Eliot Lear <lear@cisco.com>
Cc: opsawg@ietf.org, EKR <ekr@rtfm.com>
Message-ID: <20180604175744.GH72167@kduck.kaduk.org>
References: <152794661436.529.13303090441907505185@ietfa.amsl.com> <fc713342-1cbf-0ce7-71c7-931f526e88b0@cisco.com> <20180604154046.GF72167@kduck.kaduk.org> <5308aaa9-ef66-dd94-14bb-a7261020c1de@cisco.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="dc+cDN39EJAMEtIO"
Content-Disposition: inline
In-Reply-To: <5308aaa9-ef66-dd94-14bb-a7261020c1de@cisco.com>
User-Agent: Mutt/1.9.1 (2017-09-22)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrDKsWRmVeSWpSXmKPExsUixCmqrDuvVjTaYPY/ZosVr8+xW3z918Fi seLkZiYHZo8pvzeyeixZ8pPJY/LjNuYA5igum5TUnMyy1CJ9uwSujPMNG9kLllhVfN4+n62B cbluFyMnh4SAicSfmXdYuxi5OIQEFjNJtB/4yQzhbGCUmPJ8BytIlZDAFSaJa7NFQGwWARWJ Y/fvgsXZgOyG7svMILaIgLxE69n9YHFmAXWJB983g9nCAnYS5zp6wWxeoG2//i9lg1hwmVGi 5dF5FoiEoMTJmU9YIJrLJFZM/8TexcgBZEtLLP/HARLmFLCV+LvyBhuILSqgLLG37xD7BEaB WUi6ZyHpnoXQDRHWkdi59Q4bhrC2xLKFr5khbFuJdevesyxgZF/FKJuSW6Wbm5iZU5yarFuc nJiXl1qka6KXm1mil5pSuokRHBmS/DsY5zR4H2IU4GBU4uFtsBGNFmJNLCuuzD3EKMnBpCTK G58GFOJLyk+pzEgszogvKs1JLT7EqAK069GG1RcYpVjy8vNSlUR4TxcA1fGmJFZWpRblw5RJ c7AoifNmL2KMFhJITyxJzU5NLUgtgsnKcHAoSfC21AA1ChalpqdWpGXmlCCkmTg4DzFKcPAA De8HqeEtLkjMLc5Mh8ifYtTlmLasp4dZCOwCKXHeJSBFAiBFGaV5cHNAiU4ie3/NK0ZxoBeF eXeBVPEAkyTcpFdAS5iAljyrEAZZUpKIkJJqYLQ6ukHc8vtZ8zd8XcHr9z3JSP164cn7u01R dgfuXUztOsD8/vH+Z8de1wptnLUyTzWgLCflyrx5Z7UWvk2S97LrPnE35Mm/rQvD3n25OO+y 98lnp3ecT9AJZBH7yJGQcSzQ95ZjwLQ953iv9z2dV90QmtP64iDDC9fQllNVU4uqXQ389rLK GJoosRRnJBpqMRcVJwIAm/Mo5E8DAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/DuKpf5-iKdc_qKnBCiyiUBu3m2c>
Subject: Re: [OPSAWG] I-D Action: draft-ietf-opsawg-mud-23.txt
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Jun 2018 17:57:55 -0000
On Mon, Jun 04, 2018 at 07:50:47PM +0200, Eliot Lear wrote: > Ben, > > Barring any objections to the below I will issue a new draft with edits > tomorrow. Now please see below. Okay, thanks. (I'm okay with leaving out the extra text about the file+signature being untrusted input until the signature is verifeid.) -Benjamin > On 04.06.18 17:40, Benjamin Kaduk wrote: > > Hi Eliot, > > > > On Sat, Jun 02, 2018 at 03:40:34PM +0200, Eliot Lear wrote: > >> This update contains only the following changes: > >> > >> * A correction (signature -> certificate) > >> * Slightly change language to make clear that the certificate subject > >> must be the sameas the id-pe-mudsigner > >> * Updated dates on the YANG files > >> > >> At this point, I really hope we're done. Eric, Ben? > > I think we're basically done -- I have just one quibble which > > hopefully is not problematic, and also noted a handful of editorial > > things you can deal with at your leisure. Thanks for going through > > the multiple rounds of changes addressing our concerns -- the > > document really is much better for it! > > > > At the start of the Security Considerations, we say: > > > > Based on how a MUD URL is emitted, a Thing may be able to lie about > > what it is, thus gaining additional network access. This happens > > when a device emits a MUD URL using DHCP or LLDP, and is either > > inappropriately admitted to a class such as "same-manufacturer" or > > given access to a device such as "my-controller", where such access > > would otherwise be disallowed. > > > > To me, "[t]his happens when" indicates that the subsequent > > enumeration is an exhaustive list. I don't really think we've got > > enough experience with this stuff to be able to make such a claim, > > and the list should instead be treated as illustrative. I think > > that there was some text emailed around that did this nicely, > > something like: > > > > % Based on how a MUD URL is emitted, a Thing may be able to lie about > > % what it is, thus gaining additional network access. This can happen > > % in a number of ways when a device emits a MUD URL using DHCP or > > % LLDP, such as being inappropriately admitted to a class such as > > % "same-manufacturer", given access to a device such as > > % "my-controller", or being permitted access to an Internet resource, > > % where such access would otherwise be disallowed. > > I think that's fine. > > > > > > And, here's the editorial stuff. > > > > Section 1.5 > > > > o A DHCP option[RFC2131],[RFC3315] that the DHCP client uses to > > inform the DHCP server. The DHCP server may take further actions, > > such as act as the MUD manager or otherwise pass it along to the > > MUD manager. > > > > nit: We lost the immediately previous "URL" that "it" referred to, so we > > may want to specifically say "pass the MUD URL along". > > > > Section 13.2 > > > > Prior to processing the rest of a MUD file, the MUD manager MUST > > retrieve the MUD signature file by retrieving the value of "mud- > > signature" and validating the signature across the MUD file. The Key > > Usage Extension in the signing certificate MUST have the bit > > digitalSignature(0) set. > > > > nit: do we need to go with "MUST be present and have the bit > > digitalsignature(0) set"? > > That is fine. > > > > The subject of this certificate MUST be > > equal to that of the value of id-pe-mudsigner when that extension is > > present in the device certificate. If these conditions are not met, > > or if it cannot validate the chain of trust to a known trust anchor, > > the MUD manager MUST cease processing the MUD file until an > > administrator has given approval. > > > > nit-level as well, I guess: I might wordsmith this differently. > > > > NEW: > > > > When the id-pe-mudsigner extension is present in a device's X.509 > > certificate, the MUD signature file MUST have been generated by > > a certificate whose subject matches the contents of that > > id-pe-mudsigner extension. If these conditions are not met, > > or if it cannot validate the chain of trust to a known trust anchor, > > the MUD manager MUST cease processing the MUD file until an > > administrator has given approval. > > Ok. > > > > I might also consider adding something like the following (though > > hopefully it would be obvious and thus not necessary to say): > > > > Before the signature has been validated, both the MUD file and > > the resource retrived from the "mud-signature" URL are unverified > > and should be treated as untrusted input. In particular, MUD > > managers can impose a cap on the number of bytes they retrieve > > from a "mud-signature" URL, to avoid DoS attacks involving > > presenting a large (invalid) signature file or similar scenarios. > > I would rather leave this out for the very reasons you state. The draft > is already quite wordy. > > > > Section 16 > > > > Implementations SHOULD be configurable to > > disallow additive access for devices using MUD-URLs that not emitted > > in a secure fashion such as in a certificate. > > > > nit: "that are not emitted". > > Ok > > > > When certificates are not present, Things claiming to be of a certain > > manufacturer SHOULD NOT be included in that manufacturer grouping > > without additional validation of some form. This will be relevant > > when it makes use of primitives such as "manufacturer" for the > > purpose of accessing Things of a particular type. > > > > What is "it" that makes use of primitives such as "manufacturer"? > > the MUD manager. > > > > [...] If the actual MUD file has changed, the MUD > > manager MAY check the WHOIS database to see if registration ownership > > of a domain has changed. > > > > Do we need a reference for WHOIS? > > I don't think so. RFC Editor will sort if so. > > > > Appendix C > > > > In this sample extension we augment the core MUD model to indicate > > whether the device implements DETNET. If a device claims not to use > > NETNET, but then later attempts to do so, a notification or exception > > > > That's also supposed to be 'D'ETNET, right? > > Indeed. Thanks. > > Eliot > >
- [OPSAWG] I-D Action: draft-ietf-opsawg-mud-23.txt internet-drafts
- Re: [OPSAWG] I-D Action: draft-ietf-opsawg-mud-23… Eliot Lear
- Re: [OPSAWG] I-D Action: draft-ietf-opsawg-mud-23… Benjamin Kaduk
- Re: [OPSAWG] I-D Action: draft-ietf-opsawg-mud-23… Benjamin Kaduk
- [OPSAWG] Fwd: I-D Action: draft-ietf-opsawg-mud-2… Eliot Lear