IETF Logo Mail Archive

Re: [OPSAWG] Eric Rescorla's Discuss on draft-ietf-opsawg-mud-20: (with DISCUSS and COMMENT)

Eliot Lear <lear@cisco.com> Mon, 16 April 2018 06:27 UTC

Return-Path: <lear@cisco.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A76E12711B; Sun, 15 Apr 2018 23:27:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Level:
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dCpiWpeQQ1MD; Sun, 15 Apr 2018 23:27:14 -0700 (PDT)
Received: from aer-iport-3.cisco.com (aer-iport-3.cisco.com [173.38.203.53]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 99010127058; Sun, 15 Apr 2018 23:27:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=19819; q=dns/txt; s=iport; t=1523860034; x=1525069634; h=subject:to:cc:references:from:message-id:date: mime-version:in-reply-to; bh=E1IeZLhCncAQjWu5zusGpZ88tF0ZP9TKJ37VFeuWqqA=; b=UGOsnbH00H8L3bue6QOIbHU8+ZJp1SojuMXo6DcCmFzjuPVxoQl7owCw JxkAcl7k5xeKHqq/v0tcIiHZo6IjBVmu+/j/Hzjy0j72ftG/e+KBtY0tA dnY1I1vRdq/NVU9+jpnakamIxzqMucPzJ2vZ0XOOKubXT7BWbTcDizgOq I=;
X-Files: signature.asc : 488
X-IronPort-AV: E=Sophos;i="5.48,458,1517875200"; d="asc'?scan'208,217";a="3165276"
Received: from aer-iport-nat.cisco.com (HELO aer-core-2.cisco.com) ([173.38.203.22]) by aer-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 16 Apr 2018 06:27:11 +0000
Received: from [10.61.83.172] (ams3-vpn-dhcp5037.cisco.com [10.61.83.172]) by aer-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id w3G6R9j9016943; Mon, 16 Apr 2018 06:27:09 GMT
To: Eric Rescorla <ekr@rtfm.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-opsawg-mud@ietf.org, Joe Clarke <jclarke@cisco.com>, opsawg-chairs@ietf.org, opsawg@ietf.org
References: <152379196417.19651.6380075441438812361.idtracker@ietfa.amsl.com> <55cc525b-b85c-7316-4b2c-d0d32135a20f@cisco.com> <CABcZeBM5KR210g2QrAUCNDsiv+yun7QTZFggydh=Gf4-Ai6eSQ@mail.gmail.com>
From: Eliot Lear <lear@cisco.com>
Openpgp: preference=signencrypt
Autocrypt: addr=lear@cisco.com; prefer-encrypt=mutual; keydata= xsBNBFMe1UQBCADdYOS5APDpIpF2ohAxB+nxg1GpAYr8iKwGIb86Wp9NkK5+QwbW9H035clT lpVLciExtN8E3MCTPOIm7aITPlruixAVwlBY3g7U9eRppSw9O2H/7bie2GOnYxqmsw4v1yNZ 9NcMLlD8raY0UcQ5r698c8JD4xUTLqybZXaK2sPeJkxzT+IwupRSQ+vXEvFFGhERQ88zo5Ca Sa1Gw/Rv54oH0Dq2XYkO41rhxQ60BKZLZuQK1d9+1y3I+An3AJeD3AA31fJZD3H8YRKOBgqe ILPILbw1mM7gCtCjfvFCt6AFCwEsjITGx55ceoQ+t5B5XGYJEppMWsIFrwZsfbL+gP31ABEB AAHNJUVsaW90IExlYXIgPGxlYXJAb2Zjb3Vyc2VpbXJpZ2h0LmNvbT7CwHsEEwECACUCGwMG CwkIBwMCBhUIAgkKCwQWAgMBAh4BAheABQJTHtXCAhkBAAoJEIe2a0bZ0nozBNoH/j0Mdnyg CgNNmI4DyL9mGfTJ/+XiTxWXMK4TTszwwn/tsXjyPQWjoO6nYqz5i96ItmSpkelSGVpzU+LK LQxSjFeUvKw23bp1rVecfGR+OENSE1m6KfFj3vtzQOZ2/FgK210MWnlYNNyAHX6Pf6hKInTP v6LbZiAQMCmf0aPvRbk/aPSNJAuIKrLrrCgAlwelrTavFsSwnKI3dhSG8DJ9+z/uiXDiHYra Ub3BKp5K/x71Zd8hUsWm2simnE/6HvZaZz7CC29JSZ/5gGtNB3OMNKLzLWUbQacF3IKxpW66 ZFYFYnlBV4jRnKlmb40YcEXWVJkkVC8g+/J9Qo6R8BdmSTXOwE0EUx7VRAEIALRZXth1u/3n FgY+G2FN0KEEik+2Xsk8JX9zr/eISa+Ol8a4U1orgxpyP2V7bQQDkDUEfs+Asagc6I8zrk3K xGln3pFFVfdM18uaEYwWvmE84Y12r7FwYdW62bA9X1Ttsp5Q1GI8XHdh0SQTF12pXYTwWW1P THYVIp7bGzM88cHqBW0xyRflu4j2nUrd9tWFd28SRxhj+MHQkQkbKFLloRty3lwdS8MCRPzX 9gUrkl+DxFHC7WrW3Vi4glI5YBlD0n2hSyDoP1GkKVT60gUGh7eJOnUBR8lzKm5wYqAtgq2m 79rKBylA40diRhbnTTeY+ytqMWFF5UXm97Jwxsezi7kAEQEAAcLAXwQYAQIACQUCUx7VRAIb DAAKCRCHtmtG2dJ6M5K5CADbunatgHsqHbR3KbpXxzralakEcdODGv/fbN6/EdKJeXrG9QKD lPxZTB9STw6+ANwESsr9uUMAxdDNKDeynjnQmFHxGdcdcXlnPZPThfseeUhUkbB/YKOfDIQA kKozNoKYj6Dcia+D/wvifIEW+GUUcO/6Qi8yK6PLJyM8C7vHEqmUGzX8gTCYOgAyOd4WZrC9 95CfB0yFIorw+MpK7MZTm5SbGPcYF9Gq9MzSqmaEw8U6YOElKYfnkcsCTLYyWaolhck+3/0R 9ISEWK5rUzqAuK40S4+Sn7yNycdCoqvQh4e3xSpzAu3aYZ8jKXQVV0X2G9Y+M1HMZuCqhPUO LTdF
Message-ID: <591a7d2b-5379-0eff-2a0e-72e9394e64c1@cisco.com>
Date: Mon, 16 Apr 2018 08:27:08 +0200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.7.0
MIME-Version: 1.0
In-Reply-To: <CABcZeBM5KR210g2QrAUCNDsiv+yun7QTZFggydh=Gf4-Ai6eSQ@mail.gmail.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="pw65UXkCSB05A0PyMjlOpd27nqDBfo0vS"
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/JUiSxS2VgWq5cjFrnwGvt2ye_kc>
Subject: Re: [OPSAWG] Eric Rescorla's Discuss on draft-ietf-opsawg-mud-20: (with DISCUSS and COMMENT)
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Apr 2018 06:27:17 -0000

Hi Eric,

Trimming.


On 15.04.18 21:22, Eric Rescorla wrote:
>
>
>
>
>>     IMPORTANT
>>>          The certificate extension is described below.
>>>
>>>          The information returned by the MUD file server (a web server) is
>>>          valid for the duration of the Thing's connection, or as specified in
>>>          the description.  Thus if the Thing is disconnected, any associated
>>>          configuration in the switch can be removed.  Similarly, from time to
>>     IMPORTANT: What does "disconnected" mean in this context? Does a
>>     reboot count? What if I am wireless? This is a critical question if
>>     MUD is intended as a post-compromise mechanism. Say that an attacker
>>     compromises the firmware for a device and then forces a reboot
>>     followed by a 2 hour pause before the wireless NIC is activated. Will
>>     this result in configuration removal? If so, MUD seems of limited use,
>>     because it can then make itself appear to be a new device with a new
>>     MUD configuration. (This is of course true in general in a wireless
>>     context if the firmware can change the client's L2 address).
>
>     Yes, configuration is intended to be removed when a device
>     disconnects or a session terminates.  This would be considered
>     normal garbage collection.  But whether or not you can simply
>     replace the firmware and gain the same access will depend on how
>     the MUD-URL is learned.  If it is in a manufacturer certificate,
>     for instance, that's not something an attacker will easily
>     replace.  If the assertion is coming via LLDP, or DHCP, then one
>     has to apply the mitigations discussed in the security
>     considerations section (and they are numerous).
>
>
> I'm not following you here. Say it's in a manufacturer certificate,
> what stops me from getting my own certificate for Attacker LLC and
> then serving a wide open policy? The mitigations don't really seem to
> do much to counteract this.

I believe this point and one down below, where you write:
> This doesn't seem to address my concern, which is that there's no
> realistic way of knowing
> what trust anchors apply. If it's not WebPKI, then what? 
are related, and so I propose to address them together, and this text
could go into security considerations.  The *intent* is that mud
managers or their providers will keep a list of known trusted signers. 
Examples are likely to include certification bodies (we are aware of at
least one that is very interested), the MUD manager vendor themselves,
and perhaps others.  Because these are early days, I don't want to be
too declarative, but we can say this:

NEW:

---
MUD managers and their administrators MUST NOT automatically trust a
manufacturer's certificate simply because it validates.  Rather, the
certificate MUST be signed by an entity that has previously established
trust for this explicit purpose.  In particular, the WebPKI alone is not
appropriate.
---


That means that just because Joe Evil signed the darn thing doesn't mean
that we should believe it.  On the other hand, I might trust a security
company to vet this stuff.  Would this address your concern?  Also, I'll
correct the previous factual error.

And again, I view this as early days.  The architecture is going to need
some time to mature and evolve.


>
>
>
>
>>     ----------------------------------------------------------------------
>>     COMMENT:
>>     ----------------------------------------------------------------------
>>
>>
>>>       Abstract
>>>
>>>          This memo specifies a component-based architecture for manufacturer
>>>          usage descriptions (MUD).  The goal of MUD is to provide a means for
>>>          Things to signal to the network what sort of access and network
>>     I realize that "Things" has become a marketing term, but it's opaque
>>     and unnecessary here. "elements" would be the conventional term.
>
>     How about "end devices"?  That makes it clear in the abstract.  I
>     don't propose to do a global substitute, because we scope the term
>     well in the introduction, as you note directly below.
>
>
> To be honest, I would do a search and replace, but I agree that theis
> would resolve the ambiguity here.
>
>
>>>          it continues to make sense for general purpose computing devices
>>>          today, including laptops, smart phones, and tablets.
>>>
>>>          [RFC7452] discusses design patterns for, and poses questions about,
>>>          smart objects.  Let us then posit a group of objects that are
>>>          specifically not general purpose computers.  These devices, which
>>     I don't think this makes sense. These devices usually *are* general
>>     purpose computers (turing complete, etc.)
>
>     That these objects might happen to use a general purpose CPU or
>     operations system doesn't in and of itself make them general
>     purpose devices.  As a complete SKU they are sold with a single or
>     small number of uses in mind.  That is what is posited.  Is there
>     a way to make that clearer?
>
>
> Perhaps "not intended to be used for general purpose computing tasks"

Ok.

>
>
>>>          specifically not general purpose computers.  These devices, which
>>>          this memo refers to as Things, have a specific purpose.  By
>>>          definition, therefore, all other uses are not intended.  The
>>>          combination of these two statements can be restated as a manufacturer
>>>          usage description (MUD) that can be applied at various points within
>>>          a network.
>>     I would make the point here that the purpose of the MUD is to describe
>>     the communications pattern. You only really get that by the statement
>>     in S 1.1 that the communication pattern of other devices is too
>>     complicated to profile.
>
>     I think this statement is predicated on your previous comment, and
>     would prefer not to change text at this time.
>
>
> Hmmm.... No, I don't think you're reading me right here. I'm just
> saying that it would be useful upfront to say that MUD
> is about saying "this is what communications pattern these devices are
> expected to have"

Ok.  I think that's a good add, and propose to add a statement based on
your quoted text.

Thanks again,

Eliot

v2.23.0 | Report a Bug | By Email