IETF Logo Mail Archive

[OPSAWG] Fwd: New Version Notification for draft-ietf-opsawg-mud-21.txt

Eliot Lear <lear@cisco.com> Tue, 22 May 2018 14:15 UTC

Return-Path: <lear@cisco.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA9F112EB4C for <opsawg@ietfa.amsl.com>; Tue, 22 May 2018 07:15:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.509
X-Spam-Level:
X-Spam-Status: No, score=-14.509 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vseEV1OqUofL for <opsawg@ietfa.amsl.com>; Tue, 22 May 2018 07:15:39 -0700 (PDT)
Received: from aer-iport-4.cisco.com (aer-iport-4.cisco.com [173.38.203.54]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA78812EB48 for <opsawg@ietf.org>; Tue, 22 May 2018 07:15:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=27985; q=dns/txt; s=iport; t=1526998539; x=1528208139; h=references:subject:to:from:message-id:date:mime-version: in-reply-to; bh=aLh/rDL6VEUB58rnQkmwsrsHYy63iV8PLTspPbiZmDM=; b=T3+UC8nOsbdGYKEGjis3WN5k8HboKOuU9asAGyoEzfbpHdcI4UsC+mWs FcF0oUKscRxOwO1uNGLxsx1yZNZtH2/3AsgnmpI+i/k33ssahZ6SHzjcD 5W/m0PVWB/uQ2YBuN2M8sr5tMsvOhpVqQFmdqSnohGjc/7OHytI30pB74 E=;
X-Files: signature.asc : 488
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0DMAQCXJARb/xbLJq1UCRkBAQEBAQEBAQEBAQEHAQEBAQGEJX0og3WIY41oKYEPkzYUgWQIAxgBCoQDRgKCQjYWAQIBAQEBAQECbBwBC4UoAQEBAQIBAQEhSwkHCxwDAQIBJwMCAicfBwIIBg0GAgEBgx4CgXcID6heghwfiCaCAAoFikiBDySCaYMRAQGBLQEICQIBJxcWgkqCVAKYTwmDRoFUgyWGEgaHYoUckHqBJSMKJ2FxMxoIGxU7gkOCG4h1hUA9MIwaK4IZAQE
X-IronPort-AV: E=Sophos;i="5.49,430,1520899200"; d="asc'?eml'208?scan'208,208,217";a="3954225"
Received: from aer-iport-nat.cisco.com (HELO aer-core-3.cisco.com) ([173.38.203.22]) by aer-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 22 May 2018 14:15:36 +0000
Received: from [10.61.160.117] ([10.61.160.117]) by aer-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id w4MEFaYV018868 for <opsawg@ietf.org>; Tue, 22 May 2018 14:15:36 GMT
References: <6B7D79E0-13EB-4597-8BC7-B363167B06B9@vigilsec.com>
To: "opsawg@ietf.org" <opsawg@ietf.org>
From: Eliot Lear <lear@cisco.com>
Openpgp: preference=signencrypt
Autocrypt: addr=lear@cisco.com; prefer-encrypt=mutual; keydata= xsBNBFMe1UQBCADdYOS5APDpIpF2ohAxB+nxg1GpAYr8iKwGIb86Wp9NkK5+QwbW9H035clT lpVLciExtN8E3MCTPOIm7aITPlruixAVwlBY3g7U9eRppSw9O2H/7bie2GOnYxqmsw4v1yNZ 9NcMLlD8raY0UcQ5r698c8JD4xUTLqybZXaK2sPeJkxzT+IwupRSQ+vXEvFFGhERQ88zo5Ca Sa1Gw/Rv54oH0Dq2XYkO41rhxQ60BKZLZuQK1d9+1y3I+An3AJeD3AA31fJZD3H8YRKOBgqe ILPILbw1mM7gCtCjfvFCt6AFCwEsjITGx55ceoQ+t5B5XGYJEppMWsIFrwZsfbL+gP31ABEB AAHNJUVsaW90IExlYXIgPGxlYXJAb2Zjb3Vyc2VpbXJpZ2h0LmNvbT7CwHsEEwECACUCGwMG CwkIBwMCBhUIAgkKCwQWAgMBAh4BAheABQJTHtXCAhkBAAoJEIe2a0bZ0nozBNoH/j0Mdnyg CgNNmI4DyL9mGfTJ/+XiTxWXMK4TTszwwn/tsXjyPQWjoO6nYqz5i96ItmSpkelSGVpzU+LK LQxSjFeUvKw23bp1rVecfGR+OENSE1m6KfFj3vtzQOZ2/FgK210MWnlYNNyAHX6Pf6hKInTP v6LbZiAQMCmf0aPvRbk/aPSNJAuIKrLrrCgAlwelrTavFsSwnKI3dhSG8DJ9+z/uiXDiHYra Ub3BKp5K/x71Zd8hUsWm2simnE/6HvZaZz7CC29JSZ/5gGtNB3OMNKLzLWUbQacF3IKxpW66 ZFYFYnlBV4jRnKlmb40YcEXWVJkkVC8g+/J9Qo6R8BdmSTXOwE0EUx7VRAEIALRZXth1u/3n FgY+G2FN0KEEik+2Xsk8JX9zr/eISa+Ol8a4U1orgxpyP2V7bQQDkDUEfs+Asagc6I8zrk3K xGln3pFFVfdM18uaEYwWvmE84Y12r7FwYdW62bA9X1Ttsp5Q1GI8XHdh0SQTF12pXYTwWW1P THYVIp7bGzM88cHqBW0xyRflu4j2nUrd9tWFd28SRxhj+MHQkQkbKFLloRty3lwdS8MCRPzX 9gUrkl+DxFHC7WrW3Vi4glI5YBlD0n2hSyDoP1GkKVT60gUGh7eJOnUBR8lzKm5wYqAtgq2m 79rKBylA40diRhbnTTeY+ytqMWFF5UXm97Jwxsezi7kAEQEAAcLAXwQYAQIACQUCUx7VRAIb DAAKCRCHtmtG2dJ6M5K5CADbunatgHsqHbR3KbpXxzralakEcdODGv/fbN6/EdKJeXrG9QKD lPxZTB9STw6+ANwESsr9uUMAxdDNKDeynjnQmFHxGdcdcXlnPZPThfseeUhUkbB/YKOfDIQA kKozNoKYj6Dcia+D/wvifIEW+GUUcO/6Qi8yK6PLJyM8C7vHEqmUGzX8gTCYOgAyOd4WZrC9 95CfB0yFIorw+MpK7MZTm5SbGPcYF9Gq9MzSqmaEw8U6YOElKYfnkcsCTLYyWaolhck+3/0R 9ISEWK5rUzqAuK40S4+Sn7yNycdCoqvQh4e3xSpzAu3aYZ8jKXQVV0X2G9Y+M1HMZuCqhPUO LTdF
X-Forwarded-Message-Id: <6B7D79E0-13EB-4597-8BC7-B363167B06B9@vigilsec.com>
Message-ID: <2d227f04-7dfc-d57e-f271-8cd5b51e349d@cisco.com>
Date: Tue, 22 May 2018 16:15:34 +0200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.8.0
MIME-Version: 1.0
In-Reply-To: <6B7D79E0-13EB-4597-8BC7-B363167B06B9@vigilsec.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="sq3DvlfAvVHCNY7NhZPW5UNQxaFZatm4n"
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/JqezY7I4mD_tlfhOPXki8n0tyaw>
Subject: [OPSAWG] Fwd: New Version Notification for draft-ietf-opsawg-mud-21.txt
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 May 2018 14:15:42 -0000

And here's Russ' response.

Eliot
--- Begin Message --- 
Eliot:

I would just say that the validation MUST check for digitalSignature bit, and say nothing about the nonRepudiation bit.

Russ

P.S.  Feel free to forward this advice to the working group mail list if that will be helpful.



> On May 22, 2018, at 9:20 AM, Eliot Lear <lear@cisco.com> wrote:
> 
> Russ- can you help me with the key usage bits and make sure they're in order?
> 
> Eliot
> 
> 
> From: Eliot Lear <lear@cisco.com>
> Subject: Re: [OPSAWG] Fwd: New Version Notification for draft-ietf-opsawg-mud-21.txt
> Date: May 22, 2018 at 9:03:01 AM EDT
> To: Eric Rescorla <ekr@rtfm.com>
> Cc: "opsawg@ietf.org" <opsawg@ietf.org>, IESG <iesg@ietf.org>
> 
> 
> I'm ok with that change, and I'll ping Russ on the bits.
> 
> Eliot
> 
> On 22.05.18 14:51, Eric Rescorla wrote:
>> 
>> 
>> On Fri, May 18, 2018 at 12:52 PM, Eliot Lear <lear@cisco.com <mailto:lear@cisco.com>> wrote:
>> 
>> 
>> On 18.05.18 20:59, Eric Rescorla wrote:
>>> 
>>> 
>>> On Fri, May 18, 2018 at 11:56 AM, Eliot Lear <lear@cisco.com <mailto:lear@cisco.com>> wrote:
>>> Hi EKR,
>>> 
>>> 
>>> On 18.05.18 19:57, Eric Rescorla wrote:
>>> > Eliot,
>>> >
>>> > The certificate part seems basically right (I think you should require specific KeyUsage bits).
>>> 
>>> It's in there:
>>>> It is expected that the Key Usage extension would contain "Digital
>>>> Signature" and that the extended key usage would include either "code
>>>> signing" or "email protection".
>>> 
>>> This leaves a little a little flexibility.  I think this is sufficient, and compatible with existing CAs.
>>> 
>>> I disagree. This is going to lead to a lot of interop problems. You need to actually specify the bits
>> 
>> 
>> Do you mean something like this:
>> 
>> The Key Usage Extension in the MUD file signature MUST have the bit digitalSignature(0) or set.
>> 
>> Yes. Though I would defer to Russ on the bits :)
>> 
>>>  >
>>> > Maybe I missed it, but I didn't see anything about the level of trust you should have in cases where you can't reliably tie the endpoint's transmissions to its certificate.
>>> 
>>> It's there but could be clearer:
>>> 
>>> OLD:
>>>> A
>>>> MUD manager MUST cease processing of that file it cannot validate the
>>>> chain of trust to a known trust anchor until an administrator has
>>>> given approval.
>>> 
>>> NEW:
>>> 
>>>> A
>>>> MUD manager MUST cease processing of that file it cannot validate the
>>>> chain of trust to a known trust anchor or the MUDsigner until an administrator has
>>>> given approval.
>>> 
>>> That is- throw an exception and let the admin sort it out.
>>> 
>>> This is about the file. I'm talking about IP/MAC forgery.
>> 
>> OK.  Noting that this is NOT an authentication standard, we can certainly reference them.  I propose the following in Security Considerations:
>> 
>> Devices may forge source (L2/L3) information.  Deployments should apply appropriate protections to bind communications to the authentication that has taken place.  For 802.1X authentication, IEEE 802.1AE (MACsec) is one means by which this may happen.  A similar approach can be used with 802.11i (WPA2).  Other means are available with other lower layer technologies.  Implementations using session-oriented access that is not cryptographically bound should take care to remove state when any form of break in the session is detected.
>> 
>> Comments
>> 
>> I think the relevant point is:
>> "Implementations SHOULD NOT grant elevated permissions (beyond those of devices presenting no MUD policy) to devices which do not strongly bind their identity to their L2/L3 transmissions"
>> 
>> -Ekr
>> 
>> 
> 
> _______________________________________________
> OPSAWG mailing list
> OPSAWG@ietf.org
> https://www.ietf.org/mailman/listinfo/opsawg
> 
>
--- End Message ---

v2.23.0 | Report a Bug | By Email