IETF Logo Mail Archive

Re: [OPSAWG] Deb Cooley's Discuss on draft-ietf-opsawg-mud-acceptable-urls-11: (with DISCUSS and COMMENT)

Michael Richardson <mcr+ietf@sandelman.ca> Fri, 12 April 2024 13:07 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3D20C14F681; Fri, 12 Apr 2024 06:07:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.397
X-Spam-Level:
X-Spam-Status: No, score=-4.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sandelman.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k8glfOJNZ7lb; Fri, 12 Apr 2024 06:07:33 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A6766C14F6A2; Fri, 12 Apr 2024 06:07:31 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id DF0AB3898B; Fri, 12 Apr 2024 09:07:29 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id TeNzX-lnCjsA; Fri, 12 Apr 2024 09:07:26 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id 3B5C138988; Fri, 12 Apr 2024 09:07:26 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sandelman.ca; s=mail; t=1712927246; bh=9JJBRWAmd9v1+TODz3vpHIzUMwYPJZxS/N1jsZk0QQ0=; h=From:To:Subject:In-Reply-To:References:Date:From; b=OuuP3GULpC7pVqLvFS6udNIJj4kHyU626d21rMFTMQ0e/NCf6jqXXQpQ4NGC0UlNj 3Oi3ZKXg66JWPROJI+l7nZHVZ/zy1MKzeFOD15gWYXw+FE8MOl/UyWtMQRdGVibhBe vGkTHHaLUG8pwqjr4SB4mCiih70CwKTpWD5DPgvUnJpiRhHA33eREzFDTvTcu3HZAY NzazXVCAUTdInl3tpIesYMZXehZDUxxKpdmlMCt8dEJIYGBs3dAAhmyax00AfTETDW qbRuRR2Q7WFI6P032kiWwVC5DTdbQbj45VMXN+y9qcYZThUrfSo6mXqITMYxtd3P2a VOrMdtODsRX3g==
Received: from obiwan.sandelman.ca (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 3152D1B4; Fri, 12 Apr 2024 09:07:26 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Deb Cooley <debcooley1@gmail.com>, The IESG <iesg@ietf.org>, draft-ietf-opsawg-mud-acceptable-urls@ietf.org, opsawg-chairs@ietf.org, opsawg@ietf.org, henk.birkholz@ietf.contact, henk.birkholz@sit.fraunhofer.de, mud@ietf.org
In-Reply-To: <171223113635.18757.2029607792392526207@ietfa.amsl.com>
References: <171223113635.18757.2029607792392526207@ietfa.amsl.com>
X-Mailer: MH-E 8.6+git; nmh 1.8+dev; GNU Emacs 28.2
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Fri, 12 Apr 2024 09:07:26 -0400
Message-ID: <8047.1712927246@obiwan.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/Jv7qkd1HEVVYAaHDEWpz2ib5-0U>
Subject: Re: [OPSAWG] Deb Cooley's Discuss on draft-ietf-opsawg-mud-acceptable-urls-11: (with DISCUSS and COMMENT)
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Apr 2024 13:07:37 -0000

Hi, Deb, thank you for the comments.

Deb Cooley via Datatracker <noreply@ietf.org> wrote:
    > ----------------------------------------------------------------------
    > DISCUSS:
    > ----------------------------------------------------------------------

    > I don't have a ton of experience w/ mud, but I do have a fair bit of experience
    > w/ PKI certs.  I think there is work to be done on this draft to tighten it up
    > and make it clearer, hence my discuss. Where I could, I have made suggestions.
    > I agree with the other comments on this draft.



    > Shepherd writeup:  It would be nice to enumerate the manufacturers that have
    > implemented this concept.  The link to 'https://mudmaker.org' causes my browser
    > to throw big flashy warning signs.  When I click through them, it tells me to
    > 'GO AWAY'.  fun...

This is not really DISCUSSable.
Some large lighting and microcontroller manufacturers have implemented
RFC8520.
But that’s an issue for 8520 not this document.
We’re not seeking to elevate 8520 at this time: if we were we would provide
interoperation evidence.

    > Section 3.1 upgrade causes vulnerabilities:  One would think that this
    > situation should be avoided at all costs.  There could be a way for the device
    > to signal which version of F/W it is running, allowing the MUD file to be
    > tailored.

Deb, I think have misunderstood Section 3, and if you did, surely others will
as well.  ALL of section 3 is a risk analysis,  and doesn’t go into resolving
the issues that raised.  Section 3 establishes the need for multiple MUD
files being active when devices are at different firmware revisions.
Updating in place is clearly a better choice: when you can do it.

That’s for Sections 4, 5, and 6.  Keep in mind, all of this is about
improving existing deployments of RFC 8520.
We do think the example in Section 3.1 goes off course, and we’ve removed it.
The device *does* signal which version of MUD file it needs via LLDP or DHCP
(and perhaps later via SUIT)

> Section 4:  Updating IDevID URLs can't be updated with a F/W update?  F/W updates are signed by the manufacturer's signing key, correct?

As discussed in Eliot's previous message, it’s not possible to update an 802.1AR
certificate.  This is in part because that would require a per-device action,
and the point of a burned-in certificate is to provide some level of
assurance that it is the manufacturer and not the device that is making
claims about the MUD URL.  We might be able to do something with
SUIT, but the manufacturers are not there yet.

> Section 4.2:  Just how hard would it be to specify the CA certificate paired with a subject name (subject alt name, or CN)?  Seems like this is more secure than your proposed methods.  Oddly enough, Section 5.1 proposes this.

We need to make clear which certificate we’re talking about.  This is the
detached signature of the MUD file, and the threat occurs when the MUD-URL
itself in Section 4.2 is being emitted via insecure means, such as LLDP or
DHCP, as specified by RFC 8520.

Malware on the device would modify the MUD URL, as discussed in security
considerations of that document, to choose an inappropriate MUD file that
uses the same trusted CA.

As you point out, the rules in Section 5.1 limit the risks.  Obviously this
is better solved by using more secure communication paths, but for some
manufacturers, especially of older or constrained devices, that’s not
possible.  So we are attempting to provide some additional advice in this
insecure case.

We will clarify the text a little bit to make clear the above.

> Section 5, last para:  Instead of subject names, SKI should be used [RFC5280, section 4.2.1.2].  This can be easily checked in a certificate validate that is presented.

We should be clear: it’s not possible to use an SKI for end entity
certificates because those are going to change just as  they age.
It is possible for us to use them for CA certificates.
We expect that manufacturers might need to rotate the MUD file End Entity key pair.

>
> Section 5.2:  Can't this be used all the time?

If the intended MUD file change is bound to a firmware update, then it cannot be used when old firmware needs the old MUD file and new firmware needs the new one.

>
> Section 5.3.3:  Classically to change a 'root' one signs the new with the
> old and signs the old with the new.  If it is done this way, I suspect one
> could change whatever names, CAs one needs to change.

We aren't trying to change the root here, but rather to continue to use the
same End Entity certificate that was used the first time.  So SKI pin for CA,
with SubjectAltName pin for the EE.

>
> Section 7:  One might argue that the use of server authenticated TLS might mitigate a bunch of concerns.

If we are just repeating RFC8520's concerns, we could remove the section.
The second paragraph suggests server authenticated TLS.

>
> Section 9.  This is confusing. Please seperate the before issues and the
> after issues into seperate sections (at least). There are many potential
> vulnerabilities listed earlier in the draft.  Please consolidate those here
> (possibly with draft section links to where the mitigation is suggested).

I understand the confusion, and maybe section 9.0 is more of a conclusion.
I will rework that section.


    > ----------------------------------------------------------------------
    > COMMENT:
    > ----------------------------------------------------------------------


    > Nits:
    > Section 1, para 6: change 'check the signatures, rejecting files whose
    > signatures do not match' to '... whose signatures do not validate'.  Using
    > language like 'match' leads to bad behavior, when the entity should be taking a
    > positive action to validate the signature.

changed match to validate.

    > Section 9, last sentence:  jargon?  I'm not sure I know what this means, and
    > English is my (only) language.

Is it this sentence:

>   There is therefore no significant flag day: MUD controllers may
>   implement the new policy without significant concern about backwards
>   compatibility.


--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide

v2.23.0 | Report a Bug | By Email