Re: [OPSAWG] Last Call Review of draft-ietf-opsawg-mud-acceptable-urls-10

Christian Huitema <huitema@huitema.net> Wed, 28 February 2024 19:16 UTC

Message-ID: <cc555621-e17e-44b1-97e2-6802d263fa8c@huitema.net>
Date: Wed, 28 Feb 2024 11:16:46 -0800
To: Eliot Lear <lear@lear.ch>
Cc: "sec-ads@ietf.org" <sec-ads@ietf.org>, "opsawg@ietf.org" <opsawg@ietf.org>, draft-ietf-opsawg-mud-acceptable-urls@ietf.org
References: <8a2c556a-905b-46f9-926c-03f09ed98f32@lear.ch> <66588cac-0f33-4924-920f-6b4dbd5c2964@huitema.net> <51cc9f21-748b-4527-9809-f51c11cd9144@lear.ch>
From: Christian Huitema <huitema@huitema.net>
In-Reply-To: <51cc9f21-748b-4527-9809-f51c11cd9144@lear.ch>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/FTd3e8H6FpfQpTBxXb1CQHdHuFI>
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>

On 2/28/2024 2:15 AM, Eliot Lear wrote:
> Hi Christian,
> 
> Just on this point:
> 
> On 28.02.2024 10:05, Christian Huitema wrote:
>>
>> How do you know that a specific URL is a rollback? It looks easy when 
> >> the examples say "revision1" and "revision2", but I am sure there are 
>> cases where you cannot tell by just looking at the URL. You may be 
>> able to download the "old" and "new" URL, and check the date of the 
>> signature. But then, please describe the process so implementers are 
>> not confused. 
> 
> The MUD manager should keep a history of bindings between devices and 
> MUD-URLs.  That's obviously only as secure as the binding of that URL to 
> the device (I would also note that that is improving day-by-day).

I am not entirely convinced. This looks like keeping logs, keeping them 
online, and accessing them in real-time. That can be challenging in many 
environments. I would prefer that the draft be updated to present the 
"play old URL back" issue, and then that this log-based rule be proposed 
as one of the possible solutions. If I was implementing this, I would 
probably prefer some kind of real-time mitigation.

-- Christian Huitema
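The two approaches raised in this exchange, a per-device history of MUD-URL bindings (Eliot's rule) and comparing the signature dates of the old and new MUD files (Christian's suggestion), as one added example. This is illustration code written for this archive page, not code from the draft, from either participant, or from any MUD manager implementation; the class and function names, the in-memory store, the "manufacturer.example" URLs and the dates are all constructed assumptions.

```python
"""Rollback check for a device's MUD URL (added example, hypothetical names).

A MUD manager records, per device, the chronological list of MUD URLs it has
been bound to. When a device emits a URL that differs from its current one,
two checks are applied and the change is rejected as a "rollback" if either
fires:
  1. history-based: the device was bound to this URL before and moved off it;
  2. signature-date: the offered MUD file was signed before the one currently
     bound, so it is older policy regardless of how the URL is spelled.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample URLs echoing the thread's "revision1"/"revision2" naming.
REV1 = "https://manufacturer.example/mud/revision1.json"
REV2 = "https://manufacturer.example/mud/revision2.json"
REV3 = "https://manufacturer.example/mud/revision3.json"
DEVICE = "mac:00:11:22:33:44:55"  # hypothetical device identifier


@dataclass
class Binding:
    """One device -> MUD-URL binding as recorded by the MUD manager."""
    mud_url: str
    signed_at: datetime   # signing time taken from the MUD file's signature
    first_seen: datetime  # when the manager first saw the device emit this URL


@dataclass
class MudManager:
    """Per-device history of bindings, oldest first (hypothetical in-memory store)."""
    history: Dict[str, List[Binding]] = field(default_factory=dict)

    def current_url(self, device_id: str) -> Optional[str]:
        bindings = self.history.get(device_id)
        return bindings[-1].mud_url if bindings else None

    def observe(self, device_id: str, mud_url: str,
                signed_at: datetime, now: datetime) -> str:
        """Classify a MUD URL emitted by a device.

        Returns "new" (first URL for this device), "unchanged" (same as the
        current binding), "update" (different URL that passed both checks and
        is now bound) or "rollback" (rejected; the binding is left unchanged).
        """
        bindings = self.history.setdefault(device_id, [])
        if not bindings:
            bindings.append(Binding(mud_url, signed_at, now))
            return "new"
        cur = bindings[-1]
        if mud_url == cur.mud_url:
            return "unchanged"
        # Check 1 (history-based): a URL this device was bound to earlier and
        # later replaced is being played back.
        if any(b.mud_url == mud_url for b in bindings[:-1]):
            return "rollback"
        # Check 2 (signature-date): needs only the current binding, not the
        # whole history, so it also works where logs are not kept online.
        if signed_at < cur.signed_at:
            return "rollback"
        bindings.append(Binding(mud_url, signed_at, now))
        return "update"


def run_scenario() -> Tuple[MudManager, List[str]]:
    """Constructed scenario (not real data): one device, three file revisions."""
    utc = timezone.utc
    steps = [
        (REV1, datetime(2023, 6, 1, tzinfo=utc)),    # first sighting
        (REV1, datetime(2023, 6, 1, tzinfo=utc)),    # repeat, no change
        (REV2, datetime(2024, 1, 15, tzinfo=utc)),   # genuine update
        (REV1, datetime(2023, 6, 1, tzinfo=utc)),    # old URL played back
        (REV3, datetime(2023, 12, 1, tzinfo=utc)),   # unseen URL, file older than rev2
        (REV3, datetime(2024, 3, 1, tzinfo=utc)),    # unseen URL, newer file
    ]
    now = datetime(2024, 4, 1, tzinfo=utc)
    manager = MudManager()
    decisions = [manager.observe(DEVICE, url, signed, now) for url, signed in steps]
    return manager, decisions


def demo() -> List[str]:
    return run_scenario()[1]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The two rules can disagree: a manufacturer that deliberately re-publishes an earlier file under its old URL with a fresh signature passes the date check but still trips the history check. The example rejects when either fires, which is the conservative choice; a manager that cannot keep the binding history online, the situation Christian describes, can drop check 1 and still get the signature-date check from the single current binding.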