Re: [OPSAWG] Fwd: New Version Notification for draft-reddy-opswg-mud-tls-00.txt

tirumal reddy <kondtir@gmail.com> Tue, 09 July 2019 10:09 UTC

From: tirumal reddy <kondtir@gmail.com>
Date: Tue, 09 Jul 2019 15:38:59 +0530
Message-ID: <CAFpG3gc4ijy+xH7O_9EzpzwcROu3XcTA4xpSAH9P+oyhWQzMyg@mail.gmail.com>
To: Qin Wu <bill.wu@huawei.com>
Cc: "opsawg@ietf.org" <opsawg@ietf.org>, "mud@ietf.org" <mud@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/JTm0VjukVdVMmTh-semMuYYk9WQ>

Hi Qin,

Please see inline

On Tue, 9 Jul 2019 at 08:30, Qin Wu <bill.wu@huawei.com> wrote:

> Interesting work, three questions:
>
> 1. Can the IoT device (D)TLS profile be disclosed to a malicious agent or IoT device? If not, how do you prevent this sensitive information from leaking?
>
It is not sensitive information; on-path network devices can inspect or
monitor the TLS handshake without acting as a TLS proxy. In TLS
1.3, the ClientHello message is not encrypted and a few parameters in the
ServerHello message are still visible (such as the chosen cipher).


> 2. Do you frequently update the DTLS profile disclosed to the IoT device to prevent a malicious agent from snooping?
>
No. Malware frequently uses its own libraries (SSL config) for its
activities, and malware developers will have to develop malicious agents
per IoT device type, manufacturer and model (which will be several
thousand and practically not possible).

> 3. How does an enterprise firewall use the DTLS profile to detect a malicious flow or a legitimate flow?
>
If a (D)TLS session from the IoT device violates the MUD (D)TLS profile,
the firewall detects that the flow is malicious and blocks it. As you may know,
enterprise firewalls inspect the TLS handshake and are capable of acting as a
(D)TLS proxy (please see
https://tools.ietf.org/html/draft-camwinget-tls-use-cases-05).

Cheers,
-Tiru
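
The check described in answers 1 and 3 above, as an added editorial example (not code from the draft, its authors, or this thread): a firewall parses the cleartext fields of a ClientHello (versions, cipher suites, extension types, SNI) and compares them with the device's expected (D)TLS profile. The profile format used here is an assumed Python dict, not the draft's YANG model; the host names, cipher suites, extension types and handshake bytes are constructed for the demonstration.

```python
"""Check a TLS ClientHello against a MUD-style (D)TLS profile.

Added editorial example, not code from draft-reddy-opswg-mud-tls or its
authors. PROFILE is a simplified, assumed representation of what the
draft models in YANG; it does not reproduce the draft's schema.
"""
import struct

# Constructed profile for a hypothetical device type: what it is expected to offer.
PROFILE = {
    "versions": {0x0304, 0x0303},                      # TLS 1.3, TLS 1.2
    "cipher_suites": {0x1301, 0x1302, 0xC02B, 0xC02F},
    # server_name, supported_groups, signature_algorithms, supported_versions, key_share
    "extensions": {0, 10, 13, 43, 51},
    "sni": {"iot.example.com"},
}


def _ext(ext_type: int, body: bytes) -> bytes:
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(versions, cipher_suites, sni, extra_ext_types=()) -> bytes:
    """Build a minimal TLS record carrying a ClientHello (constructed test input)."""
    host = sni.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type=host_name
    exts = _ext(0, struct.pack("!H", len(sni_entry)) + sni_entry)  # server_name
    sv = b"".join(struct.pack("!H", v) for v in versions)
    exts += _ext(43, bytes([len(sv)]) + sv)                         # supported_versions
    exts += b"".join(_ext(t, b"") for t in extra_ext_types)        # empty-bodied extras
    cs = b"".join(struct.pack("!H", c) for c in cipher_suites)
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                    # legacy_version, random, no session id
            + struct.pack("!H", len(cs)) + cs
            + b"\x01\x00"                                           # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body              # handshake type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs        # record type handshake


def parse_client_hello(record: bytes) -> dict:
    """Extract the fields an on-path device sees in the clear, without proxying."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    p, end = 9, 9 + hs_len
    legacy_version = struct.unpack("!H", record[p:p + 2])[0]
    p += 2 + 32                                   # skip random
    p += 1 + record[p]                            # skip session id
    cs_len = struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    suites = [struct.unpack("!H", record[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + record[p]                            # skip compression methods
    exts, versions, sni = [], [], None
    if p < end:
        ext_len = struct.unpack("!H", record[p:p + 2])[0]
        p += 2
        stop = p + ext_len
        while p < stop:
            t, l = struct.unpack("!HH", record[p:p + 4])
            p += 4
            body = record[p:p + l]
            p += l
            exts.append(t)
            if t == 0 and len(body) >= 5 and body[2] == 0:      # server_name, host_name entry
                name_len = struct.unpack("!H", body[3:5])[0]
                sni = body[5:5 + name_len].decode("ascii", "replace")
            elif t == 43:                                      # supported_versions list
                versions = [struct.unpack("!H", body[i:i + 2])[0]
                            for i in range(1, 1 + body[0], 2)]
    if not versions:
        versions = [legacy_version]               # pre-1.3 client: only legacy_version is offered
    return {"versions": versions, "cipher_suites": suites, "extensions": exts, "sni": sni}


def check_profile(hello: dict, profile: dict) -> list:
    """Return the deviations from the profile; an empty list means the flow conforms."""
    bad = [f"version 0x{v:04x} not in profile" for v in hello["versions"] if v not in profile["versions"]]
    bad += [f"cipher suite 0x{c:04x} not in profile" for c in hello["cipher_suites"]
            if c not in profile["cipher_suites"]]
    bad += [f"extension type {t} not in profile" for t in hello["extensions"]
            if t not in profile["extensions"]]
    if hello["sni"] not in profile["sni"]:
        bad.append(f"SNI {hello['sni']!r} not in profile")
    return bad


def demo():
    # Constructed flows: one matching the device profile, one that deviates in three ways.
    good = build_client_hello([0x0304, 0x0303], [0x1301, 0xC02B], "iot.example.com", (10, 13, 51))
    bad = build_client_hello([0x0304, 0x0303], [0x1301, 0x000A], "cnc.example.net", (10, 13, 51, 13172))
    return check_profile(parse_client_hello(good), PROFILE), check_profile(parse_client_hello(bad), PROFILE)


if __name__ == "__main__":
    ok, flagged = demo()
    print("conforming flow:", ok or "no deviations")
    print("flagged flow:", *flagged, sep="\n  ")
```

Everything the check uses is readable from the first flight of the handshake, so a firewall can apply it inline without terminating TLS; a profile match is only ever evidence that the traffic looks like the device's own stack, not proof that the payload is benign.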

> -Qin
>
> *From:* OPSAWG [mailto:opsawg-bounces@ietf.org] *On Behalf Of* tirumal reddy
> *Sent:* 8 July 2019 22:03
> *To:* opsawg@ietf.org; mud@ietf.org
> *Subject:* [OPSAWG] Fwd: New Version Notification for
> draft-reddy-opswg-mud-tls-00.txt
>
>
>
> This draft https://tools.ietf.org/html/draft-reddy-opswg-mud-tls-00
> discusses a Manufacturer Usage Description (MUD) extension to model the (D)TLS
> profile of IoT devices. This allows a firewall to notice abnormal DTLS or
> TLS usage, which has been a strong indicator of other software running on
> the endpoint, typically malware.
>
>
> Comments, suggestions, and questions are more than welcome.
>
> Cheers,
> -Tiru
>
>
>
> ---------- Forwarded message ---------
> From: <internet-drafts@ietf.org>
> Date: Mon, 8 Jul 2019 at 19:18
> Subject: New Version Notification for draft-reddy-opswg-mud-tls-00.txt
> To: Tirumaleswar Reddy <kondtir@gmail.com>, Dan Wing <danwing@gmail.com>
>
>
>
>
> A new version of I-D, draft-reddy-opswg-mud-tls-00.txt
> has been successfully submitted by Tirumaleswar Reddy and posted to the
> IETF repository.
>
> Name:           draft-reddy-opswg-mud-tls
> Revision:       00
> Title:          MUD (D)TLS profiles for IoT devices
> Document date:  2019-07-08
> Group:          Individual Submission
> Pages:          16
> URL:
> https://www.ietf.org/internet-drafts/draft-reddy-opswg-mud-tls-00.txt
> Status:
> https://datatracker.ietf.org/doc/draft-reddy-opswg-mud-tls/
> Htmlized:       https://tools.ietf.org/html/draft-reddy-opswg-mud-tls-00
> Htmlized:
> https://datatracker.ietf.org/doc/html/draft-reddy-opswg-mud-tls
>
>
> Abstract:
>    This memo extends Manufacturer Usage Description (MUD) to model DTLS
>    and TLS usage.  This allows a network element to notice abnormal DTLS
>    or TLS usage, which has been a strong indicator of other software
>    running on the endpoint, typically malware.
>
>
>
>
> Please note that it may take a couple of minutes from the time of
> submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>