Re: [OPSAWG] [Last-Call] Secdir telechat review of draft-ietf-opsawg-mud-acceptable-urls-11

Christian Huitema <huitema@huitema.net> Tue, 02 April 2024 20:12 UTC

Message-ID: <c4387e86-e819-4fe2-afe3-ad9b97e2b471@huitema.net>
Date: Tue, 02 Apr 2024 13:11:54 -0700
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: secdir@ietf.org
Cc: draft-ietf-opsawg-mud-acceptable-urls.all@ietf.org, last-call@ietf.org, opsawg@ietf.org
References: <171208421848.25764.7088576678860275846@ietfa.amsl.com>
Content-Language: en-US
From: Christian Huitema <huitema@huitema.net>
In-Reply-To: <171208421848.25764.7088576678860275846@ietfa.amsl.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/FhkGE9WI7NvcvBIJXo9LCYHrWec>
Subject: Re: [OPSAWG] [Last-Call] Secdir telechat review of draft-ietf-opsawg-mud-acceptable-urls-11

Sorry about that -- I botched the copy of my review into the web form. 
The first paragraph should read:

In my initial security review of this draft 
(https://datatracker.ietf.org/doc/review-ietf-opsawg-mud-acceptable-urls-10-secdir-lc-huitema-2024-02-19/), 
I made a number of recommendations.

On 4/2/2024 11:56 AM, Christian Huitema via Datatracker wrote:
> Reviewer: Christian Huitema
> Review result: Ready
> 
> acceptable-urls-10-secdir-lc-huitema-2024-02-19/), I made a number of
> recommendations.
> 
> One of the first recommendations was to clarify whether the distinction between
> "small changes" and "big changes" was really necessary, and maybe to just keep
> the stricter "big changes" process. The authors did not do that, probably based
> on their assessment of deployment considerations. However, they did address the
> substance of the issue in several ways.
> 
> The draft now explicitly uses the same "small change/big change" terminology
> that I used in my review. That's a good way to clarify the issue. In the "small
> change" section, the draft now uses explicit references to the URL syntax in
> RFC3986, instead of the "rightmost '/'" text that was encouraging "shotgun
> parsing". That's good.
> 
> The previous "small change" process was vulnerable to "rollback" attacks, in
> which an attacker would reuse an old, more permissive, version of the MUD URL.
> The new draft version addresses that issue explicitly, asking MUD managers to
> keep track of previous versions so as to detect such rollback attacks. The
> authors assess that keeping such logs is practical, and I am ready to believe
> them.
> 
> The previous security review pointed out that the use of "detached signatures"
> when evaluating "big changes" was somewhat unspecified. The introduction of
> section 4 now includes an explicit reference to Section 13.2 of RFC8520 where
> this problem is defined.
> 
> I added to my previous comment a remark about the possibility to generate
> spurious intrusion alarms by sending spoofed messages through DHCP or LLDP. The
> authors pointed out that such spoofed messages can only happen if the
> local network has been breached, and thus are valid alarms. There is already a
> related discussion in section 3.2, with references to the "boy cries wolf"
> issues.
> 
> The new draft version feels significantly improved from the version that I
> reviewed, and I believe that my concerns have been addressed.
> 
>
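An added illustration of two of the review points above (comparing MUD URLs by their RFC 3986 components rather than by the rightmost '/', and keeping a per-device history so a re-announced older URL is reported as a rollback); this is example code written for this page, not code from the draft or its authors. The "small change" rule it encodes (same scheme, authority and directory, only the final path segment differs, no query or fragment) and the rollback policy are assumptions for illustration, and all sample URLs are constructed.

```python
from urllib.parse import urlsplit
import posixpath

def naive_small_change(old_url, new_url):
    """The 'rightmost /' shotgun approach: the directory is everything up to
    the last '/' of the raw string, and any URL starting with it passes.
    Dot-segments are never resolved, so "/mud/../admin/" slips through."""
    return new_url.startswith(old_url[: old_url.rfind("/") + 1])

def mud_components(url):
    """Split into RFC 3986 components with urllib, normalise dot-segments
    in the path, then take the directory and final segment."""
    p = urlsplit(url)
    if p.scheme != "https" or not p.hostname or not p.path.startswith("/"):
        raise ValueError("need https, an authority and an absolute path")
    if p.query or p.fragment:  # assumed: a MUD URL carries neither
        raise ValueError("query/fragment not allowed")
    directory, _, filename = posixpath.normpath(p.path).rpartition("/")
    return p.scheme, p.hostname, directory + "/", filename

def rfc3986_small_change(old_url, new_url):
    """Assumed rule: scheme, authority and directory are unchanged and only
    the final path segment differs."""
    try:
        old, new = mud_components(old_url), mud_components(new_url)
    except ValueError:
        return False
    return old[:3] == new[:3] and new[3] != ""

class MudUrlHistory:
    """Per-device record of accepted MUD URLs, so that an older URL being
    announced again is reported as a rollback rather than accepted."""
    def __init__(self):
        self._seen = {}  # device id -> accepted URLs, oldest first

    def evaluate(self, device, new_url):
        history = self._seen.setdefault(device, [])
        if not history:
            history.append(new_url)
            return "initial"
        if new_url == history[-1]:
            return "unchanged"
        if new_url in history:
            return "rollback"  # an earlier, possibly more permissive, version
        if rfc3986_small_change(history[-1], new_url):
            history.append(new_url)
            return "small-change"
        return "big-change"  # must go through the signed-file process
```

The dot-segment case is the one that separates the two checks: the raw-string prefix test accepts it, while the component comparison normalises the path first and sees a different directory.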