[OPSAWG] MUD in DNSOP (fwd) Ben Schwartz: MUD in DNSOP
Michael Richardson <mcr+ietf@sandelman.ca> Sat, 06 March 2021 00:06 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 48BEA3A1441; Fri, 5 Mar 2021 16:06:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tRqFLPmk0iJp; Fri, 5 Mar 2021 16:06:50 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B85453A16B1; Fri, 5 Mar 2021 16:06:17 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 7B674389E3; Fri, 5 Mar 2021 19:11:03 -0500 (EST)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 2R4srx5NFTxF; Fri, 5 Mar 2021 19:11:02 -0500 (EST)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 8096D389E2; Fri, 5 Mar 2021 19:11:02 -0500 (EST)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 005E1B2; Fri, 5 Mar 2021 19:06:16 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: opsawg@ietf.org, iotops@ietf.org, dnsop@ietf.org
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
Date: Fri, 05 Mar 2021 19:06:15 -0500
Message-ID: <17317.1614989175@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/HOBbG9zUMu4k2f3E23yIfRl7ML4>
Subject: [OPSAWG] MUD in DNSOP (fwd) Ben Schwartz: MUD in DNSOP
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 06 Mar 2021 00:06:52 -0000
Forwarding comments. <#secure method=pgpmime mode=sign>
--- Begin Message ---I noticed that draft-ietf-opsawg-mud-iot-dns-considerations is on the DNSOP agenda for this week. It considers the problem of using MUD, which applies IP-based filtering to locked-down IoT devices, with DNS-named servers. Some of the recommendations are clearly correct given the limitations of MUD, but I also have significant concerns with parts of the text. Section 4.1 says not to use IP addresses at all. Section 5 and Section 6.4 make recommendations about which resolvers to use for IoT generally. I think this is not necessary or productive. The recommendations should be limited to MUD-DNS devices. The draft recommends that devices use the network-provided DNS server, which is typically a general-purpose resolver that is capable of processing any name. Allowing the device to access this server defeats much of the security benefit of MUD, because malware can communicate bidirectionally through the DNS server, bypassing the MUD profile entirely. It would be more secure to disable the urn:ietf:params:mud:dns permission. Section 6.3 says When aliases point to a Content-Distribution Network (CDN), prefer to > use stable names that point to appropriately load balanced targets. > CDNs that employ very low time-to-live (TTL) values for DNS make it > harder for the MUD controller to get the same answer as the IoT > Device. A CDN that always returns the same set of A and AAAA > records, but permutes them to provide the best one first provides a > more reliable answer. I don't think this guidance is sufficient. MUD's DNS filters assume that the device and gateway have the same answer in their local caches. Even if the device got its answer _through_ the gateway, there's no guarantee that this is true, unless the name always resolves to the same addresses. Even if the name resolves to the same addresses for everyone (no geotargeting or load-balancing), any change to the zone can result in a device-gateway mismatch during the transition, resulting in an outage while the gateway blocks the device's network access. This mismatch can last for the duration of the DNS TTL. Ironically, the guidance here to use long TTLs could result in longer outages, plausibly hours to days. Even if the device always delegates DNS resolution to the MUD gateway, and the gateway attempts to provide deterministic caching (unlike a typical resolver or forwarder), consider the case where the gateway experiences a power glitch and resets. Normally, with MUD, this would likely result in an outage of less than a minute, but if the gateway re-queries the DNS name and gets a new answer, all corresponding devices on the network will be offline for the DNS TTL. I want MUD-DNS to work, but I think that's going to require some deeper changes. The cleanest solution, in my view, would be to avoid the device ever learning about the results of DNS resolution, by forwarding traffic to named destinations through a SOCKS5 proxy operated by the gateway. (SOCKS5 is trivial to implement, far simpler than DNS.) A similar effect could be achieved by IP encapsulation, IPv6 extension headers, and many other mechanisms. A hackier solution would be to add a DHCP option for the MUD gateway to specify its associated resolver, and require devices not to implement any DNS caching. These approaches are compatible with disabling the urn:ietf:params:mud:dns permission, which is typically necessary for real control over the device. --Ben [1] https://www.ietf.org/archive/id/draft-ietf-opsawg-mud-iot-dns-considerations-01.txt--- End Message ---
-- Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting ) Sandelman Software Works Inc, Ottawa and Worldwide
- [OPSAWG] MUD in DNSOP (fwd) Ben Schwartz: MUD in … Michael Richardson