IETF Logo Mail Archive

Re: [OPSAWG] Fwd: New Version Notification for draft-ietf-opsawg-mud-21.txt

Eliot Lear <lear@cisco.com> Tue, 22 May 2018 13:03 UTC

Return-Path: <lear@cisco.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F1FE212EB31; Tue, 22 May 2018 06:03:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.509
X-Spam-Level:
X-Spam-Status: No, score=-14.509 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CBSOndaRWzn2; Tue, 22 May 2018 06:03:06 -0700 (PDT)
Received: from aer-iport-4.cisco.com (aer-iport-4.cisco.com [173.38.203.54]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 94DA1127023; Tue, 22 May 2018 06:03:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=14188; q=dns/txt; s=iport; t=1526994185; x=1528203785; h=subject:to:cc:references:from:message-id:date: mime-version:in-reply-to; bh=jvThCBItCCMHnRR5iS+rvve7QpWwV5GBdCQOHTNFV+g=; b=E2qDj7z/+w6/V8G7DkVNCWTJ6VcoNBxXQtA8mSrWH9ahHQsASvCMP1fO D9Kg7cPG34D1EFRfTkN2vrrD7iiA5X9JNpHbQyjxr79z/cLXYUvr6Wd1U vSWvkTYPoNVC2+1hU+JOtJpoV/VUNFBeTdjxqFSdqN9scxRhE6cglTYY0 U=;
X-Files: signature.asc : 488
X-IronPort-AV: E=Sophos;i="5.49,430,1520899200"; d="asc'?scan'208,217";a="3952801"
Received: from aer-iport-nat.cisco.com (HELO aer-core-1.cisco.com) ([173.38.203.22]) by aer-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 22 May 2018 13:03:04 +0000
Received: from [10.61.160.117] ([10.61.160.117]) by aer-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id w4MD33jb017730; Tue, 22 May 2018 13:03:03 GMT
To: Eric Rescorla <ekr@rtfm.com>
Cc: Joe Clarke <jclarke@cisco.com>, "opsawg@ietf.org" <opsawg@ietf.org>, IESG <iesg@ietf.org>
References: <152657039204.7694.840577957694607451.idtracker@ietfa.amsl.com> <8bafe1e0-12af-6526-d16e-6d39fded3bf3@cisco.com> <0dc704d2-73a2-977f-08c8-8e0b01c3b57c@cisco.com> <CABcZeBPgiSi7rxPwj9XPECcD1SimZ1B=Xnym5tXoUkASFD2TGg@mail.gmail.com> <998ca370-69b1-cd29-15d8-25d2e55459e1@cisco.com> <CABcZeBOqTQkqicN7exzk+_sqpYHAPx3TYa-BBF9uHj3qRafPqg@mail.gmail.com> <7ed8a9c3-4b71-3b62-c722-9c9158fc27e9@cisco.com> <CABcZeBNy4wQe82-Pdjh23DoTWERM-ZGKh30G2g029jkkQC6hwA@mail.gmail.com>
From: Eliot Lear <lear@cisco.com>
Openpgp: preference=signencrypt
Autocrypt: addr=lear@cisco.com; prefer-encrypt=mutual; keydata= xsBNBFMe1UQBCADdYOS5APDpIpF2ohAxB+nxg1GpAYr8iKwGIb86Wp9NkK5+QwbW9H035clT lpVLciExtN8E3MCTPOIm7aITPlruixAVwlBY3g7U9eRppSw9O2H/7bie2GOnYxqmsw4v1yNZ 9NcMLlD8raY0UcQ5r698c8JD4xUTLqybZXaK2sPeJkxzT+IwupRSQ+vXEvFFGhERQ88zo5Ca Sa1Gw/Rv54oH0Dq2XYkO41rhxQ60BKZLZuQK1d9+1y3I+An3AJeD3AA31fJZD3H8YRKOBgqe ILPILbw1mM7gCtCjfvFCt6AFCwEsjITGx55ceoQ+t5B5XGYJEppMWsIFrwZsfbL+gP31ABEB AAHNJUVsaW90IExlYXIgPGxlYXJAb2Zjb3Vyc2VpbXJpZ2h0LmNvbT7CwHsEEwECACUCGwMG CwkIBwMCBhUIAgkKCwQWAgMBAh4BAheABQJTHtXCAhkBAAoJEIe2a0bZ0nozBNoH/j0Mdnyg CgNNmI4DyL9mGfTJ/+XiTxWXMK4TTszwwn/tsXjyPQWjoO6nYqz5i96ItmSpkelSGVpzU+LK LQxSjFeUvKw23bp1rVecfGR+OENSE1m6KfFj3vtzQOZ2/FgK210MWnlYNNyAHX6Pf6hKInTP v6LbZiAQMCmf0aPvRbk/aPSNJAuIKrLrrCgAlwelrTavFsSwnKI3dhSG8DJ9+z/uiXDiHYra Ub3BKp5K/x71Zd8hUsWm2simnE/6HvZaZz7CC29JSZ/5gGtNB3OMNKLzLWUbQacF3IKxpW66 ZFYFYnlBV4jRnKlmb40YcEXWVJkkVC8g+/J9Qo6R8BdmSTXOwE0EUx7VRAEIALRZXth1u/3n FgY+G2FN0KEEik+2Xsk8JX9zr/eISa+Ol8a4U1orgxpyP2V7bQQDkDUEfs+Asagc6I8zrk3K xGln3pFFVfdM18uaEYwWvmE84Y12r7FwYdW62bA9X1Ttsp5Q1GI8XHdh0SQTF12pXYTwWW1P THYVIp7bGzM88cHqBW0xyRflu4j2nUrd9tWFd28SRxhj+MHQkQkbKFLloRty3lwdS8MCRPzX 9gUrkl+DxFHC7WrW3Vi4glI5YBlD0n2hSyDoP1GkKVT60gUGh7eJOnUBR8lzKm5wYqAtgq2m 79rKBylA40diRhbnTTeY+ytqMWFF5UXm97Jwxsezi7kAEQEAAcLAXwQYAQIACQUCUx7VRAIb DAAKCRCHtmtG2dJ6M5K5CADbunatgHsqHbR3KbpXxzralakEcdODGv/fbN6/EdKJeXrG9QKD lPxZTB9STw6+ANwESsr9uUMAxdDNKDeynjnQmFHxGdcdcXlnPZPThfseeUhUkbB/YKOfDIQA kKozNoKYj6Dcia+D/wvifIEW+GUUcO/6Qi8yK6PLJyM8C7vHEqmUGzX8gTCYOgAyOd4WZrC9 95CfB0yFIorw+MpK7MZTm5SbGPcYF9Gq9MzSqmaEw8U6YOElKYfnkcsCTLYyWaolhck+3/0R 9ISEWK5rUzqAuK40S4+Sn7yNycdCoqvQh4e3xSpzAu3aYZ8jKXQVV0X2G9Y+M1HMZuCqhPUO LTdF
Message-ID: <47eac3b3-aa78-2a58-e583-0d7edf696a51@cisco.com>
Date: Tue, 22 May 2018 15:03:01 +0200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.8.0
MIME-Version: 1.0
In-Reply-To: <CABcZeBNy4wQe82-Pdjh23DoTWERM-ZGKh30G2g029jkkQC6hwA@mail.gmail.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="wuallXc8I2H0eCmDRIMAepH4vwfzisUZB"
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/IO59514DTjchzrLu3nrme-4yuRM>
Subject: Re: [OPSAWG] Fwd: New Version Notification for draft-ietf-opsawg-mud-21.txt
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 May 2018 13:03:08 -0000

I'm ok with that change, and I'll ping Russ on the bits.

Eliot


On 22.05.18 14:51, Eric Rescorla wrote:
>
>
> On Fri, May 18, 2018 at 12:52 PM, Eliot Lear <lear@cisco.com
> <mailto:lear@cisco.com>> wrote:
>
>
>
>     On 18.05.18 20:59, Eric Rescorla wrote:
>>
>>
>>     On Fri, May 18, 2018 at 11:56 AM, Eliot Lear <lear@cisco.com
>>     <mailto:lear@cisco.com>> wrote:
>>
>>         Hi EKR,
>>
>>
>>         On 18.05.18 19:57, Eric Rescorla wrote:
>>         > Eliot, > > The certificate part seems basically right (I think you
>>         should require specific KeyUsage bits).
>>         It's in there:
>>>         It is expected that the Key Usage extension would contain
>>>         "Digital
>>>         Signature" and that the extended key usage would include
>>>         either "code
>>>         signing" or "email protection".
>>
>>         This leaves a little a little flexibility.  I think this is
>>         sufficient, and compatible with existing CAs.
>>
>>
>>     I disagree. This is going to lead to a lot of interop problems.
>>     You need to actually specify the bits
>
>
>     Do you mean something like this:
>
>     The Key Usage Extension in the MUD file signature MUST have the
>     bit digitalSignature(0) or set.
>
>
> Yes. Though I would defer to Russ on the bits :)
>
>> > > Maybe I missed it, but I didn't see anything about the level of
>> trust you should have in cases where you can't reliably tie the
>> endpoint's transmissions to its certificate.
>> It's there but could be clearer:
>>
>> OLD:
>>> A
>>> MUD manager MUST cease processing of that file it cannot validate the
>>> chain of trust to a known trust anchor until an administrator has
>>> given approval.
>>
>> NEW:
>>
>>> A
>>> MUD manager MUST cease processing of that file it cannot validate the
>>> chain of trust to a known trust anchor or the MUDsigner until an
>>> administrator has
>>> given approval.
>>
>> That is- throw an exception and let the admin sort it out.
>>
>> This is about the file. I'm talking about IP/MAC forgery.
>
> OK.  Noting that this is NOT an authentication standard, we can
> certainly reference them.  I propose the following in Security
> Considerations:
>
> Devices may forge source (L2/L3) information.  Deployments should
> apply appropriate protections to bind communications to the
> authentication that has taken place.  For 802.1X authentication, IEEE
> 802.1AE (MACsec) is one means by which this may happen.  A similar
> approach can be used with 802.11i (WPA2).  Other means are available
> with other lower layer technologies.  Implementations using
> session-oriented access that is not cryptographically bound should
> take care to remove state when any form of break in the session is
> detected.
>
> Comments
>
> I think the relevant point is:
> "Implementations SHOULD NOT grant elevated permissions (beyond those
> of devices presenting no MUD policy) to devices which do not strongly
> bind their identity to their L2/L3 transmissions"
>
> -Ekr
>
>

v2.23.0 | Report a Bug | By Email