Re: [OPSAWG] 🔔 WG Adoption Call on draft-richardson-opsawg-mud-iot-dns-considerations-03
tirumal reddy <kondtir@gmail.com> Tue, 05 January 2021 07:27 UTC
Return-Path: <kondtir@gmail.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 612993A0A26 for <opsawg@ietfa.amsl.com>; Mon, 4 Jan 2021 23:27:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OXpvKy6f256Q for <opsawg@ietfa.amsl.com>; Mon, 4 Jan 2021 23:27:21 -0800 (PST)
Received: from mail-il1-x12e.google.com (mail-il1-x12e.google.com [IPv6:2607:f8b0:4864:20::12e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4DA223A0A1D for <opsawg@ietf.org>; Mon, 4 Jan 2021 23:27:21 -0800 (PST)
Received: by mail-il1-x12e.google.com with SMTP id r17so27682115ilo.11 for <opsawg@ietf.org>; Mon, 04 Jan 2021 23:27:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=1iqZHpzzDO8tIHaLefasVutHbXFF7bJ041bacgXw6Og=; b=rmPYgzglyLucZmA8Eq3K1o8C6J8Cfgpq8KLzEP13mElycsxRZNN1wqn8XsQoBMsB+M 5KQfPsIK5mPQNXWCx02z59e3edSUqT58KeD4NOdjUqpzH0cAX1S5M5hePZ2Q6WmYR3qE yfWdPB8xwuix66KrZ145B8akYzpjISOcS+pFc7OXBxhwwYWJ25nwWaKjNbJCTDNJNhpp hQQoAJqJ89NYpc5i9secohU9ALRu4u2vqB7LCvjopZcPt4tZOjkomspOBbVVKt33+qpG 591v5YkR+5xhD3M21W6meQ3XpGKZZLtvz1dknBoqPD2EvB8eRVeLtq3MdApXJNX4gIGz xPAQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=1iqZHpzzDO8tIHaLefasVutHbXFF7bJ041bacgXw6Og=; b=O38Isb0rUfOY29dKHP0Jwpw0v/LCSUxbQPv4FzRTcch5u4BAQD4YU+myT6GOSScnIw /rbRmc7fuFZtIm8BU7bAGEUJHoHnyZGVrMWswRm3/7+kcrXNC63DkepfARNRUkzvHmhi zWOIn9nEtrJv3Zl5D3PqSZvlJsPfJtTW2VCutv2ivmP4tfgj21zt/5JxosTg/K7UmCAU rSV9y8yG+vUZZi5TAhqU9Vs7d6DzzZtYCkgSi6fQcin/yvt1NPTRcIxtrqdQzQJTUGbr OQRj1sXf+os6gyO2ZoHwvYJ6ct1WnE1/yvyrr5OPqcK0ra2dbnADXhKcWvK0HeGMfsk2 MWfg==
X-Gm-Message-State: AOAM530PEDARY2wBLzvu7nT2j4Ih4KoqoPBXi0dNGiceD+4epwq9cdh6 B+sUIAAPN/O4l1fNw9dGKe+20xI0qYdOsYFmjaQNQC9Bzwg=
X-Google-Smtp-Source: ABdhPJx2e5sFajJSkx7zSXrFFf6iYzw9KxzplYX9lhioGCp2Rz5/39V00BcZGgMJmPSxF+/7WANEcPyc1N3QVolXA1U=
X-Received: by 2002:a05:6e02:12c8:: with SMTP id i8mr32582635ilm.32.1609831640509; Mon, 04 Jan 2021 23:27:20 -0800 (PST)
MIME-Version: 1.0
References: <ecd58332-3192-7dbf-9685-afddf9a5030e@sit.fraunhofer.de>
In-Reply-To: <ecd58332-3192-7dbf-9685-afddf9a5030e@sit.fraunhofer.de>
From: tirumal reddy <kondtir@gmail.com>
Date: Tue, 05 Jan 2021 12:57:09 +0530
Message-ID: <CAFpG3gcvsywDwNDEhY_savtp5Rx+JqTPfTcFRjge55x7LsNE_w@mail.gmail.com>
To: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
Cc: opsawg <opsawg@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000014b16805b822237e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/LC0CMZRJMpwe7VXS2LHW9DA4ucc>
Subject: Re: [OPSAWG] 🔔 WG Adoption Call on draft-richardson-opsawg-mud-iot-dns-considerations-03
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Jan 2021 07:27:23 -0000
I support adoption of the draft. My initial comments below: 1) Use of DoT to a local DNS recursive resolver is a preferred choice, assuming that the trust anchor for the local DNS server can be obtained, such as via [I-D.reddy-dprive-bootstrap-dns-server]. Comment> I would replace DoT with "Encrypted DNS connection" 2) The use of DoT and DoH eliminates the minimizes threat from passive eavesdropped, but still exposes the list to the operator of the DoT or DoH server. Comment> The threat is further minimized by the use of oblivous DNS https://tools.ietf.org/html/draft-pauly-dprive-oblivious-doh-03 (see https://blog.cloudflare.com/oblivious-dns/). 3) IoT devices that reach out to the manufacturer at regular intervals to check for firmware updates are informing passive eavesdroppers of the existence of a specific manufacturer's device being present at the origin location. Comment> Identifying the IoT device type empowers the attacker to launch targeted attacks to the IoT device (e.g., Attacker can advantage of the device vulnerability). 4) IoT Devices should prefer doing DNS to the network provided DNS servers. Whether this is restricted to Classic DNS (Do53) or also includes using DoT/DoH is a local decision, but a locally provided DoT server SHOULD be used, as recommended by [I-D.reddy-dprive-bootstrap-dns-server] and [I-D.peterson-doh-dhcp]. Comment> ADD WG is currently only focusing on insecure discovery mechanisms like DHCP/RA (https://tools.ietf.org/html/draft-btw-add-home-10) and DNS based discovery mechanisms ( https://tools.ietf.org/html/draft-pauly-add-deer-00). Secure discovery of network provided DoH/DoT resolver is possible using the mechanisms discussed in https://tools.ietf.org/html/draft-reddy-add-enterprise-00#section-4. 5) Wildcard certificates are also commonly available which allowed for an infinite number of possible names. Comment> https://tools.ietf.org/html/rfc6125#section-6.4.3 does not recommend the use of wildcard certificates. 6) Where the solution is more complex is when the MUD controller is located elsewhere in an Enteprise, or remotely in a cloud such as when a Software Defines Network (SDN) is used to manage the ACLs. The DNS servers for a particular device may not be known to the MUD controller, nor the MUD controller be even permitted to make recusive queries that server if it is known. In this case, additional installation specific mechanisms are probably needed to get the right view of DNS. Comment> The MUD controller can program the Enterprise DNS resolver to enforce the DNS filtering rules. DNS resolvers can enforce device specific filtering. Cheers, -Tiru On Mon, 4 Jan 2021 at 23:34, Henk Birkholz <henk.birkholz@sit.fraunhofer.de> wrote: > Dear OPSAWG members, > > this starts a call for Working Group Adoption on > > https://tools.ietf.org/html/draft-richardson-opsawg-mud-iot-dns-considerations-03 > ending on Monday, January 25. > > As a reminder, this I-D describes potential issues and concerns > regarding the use of DNS names and IP addressed with RFC8520 > Manufacturer Usage Description (MUD) in support of device access. > > Please reply with your support and especially any substantive comments > you may have. > > > For the OPSAWG co-chairs, > > Henk > > _______________________________________________ > OPSAWG mailing list > OPSAWG@ietf.org > https://www.ietf.org/mailman/listinfo/opsawg >
- [OPSAWG] 🔔 WG Adoption Call on draft-richardson-o… Henk Birkholz
- Re: [OPSAWG] 🔔 WG Adoption Call on draft-richards… Eliot Lear
- Re: [OPSAWG] 🔔 WG Adoption Call on draft-richards… tirumal reddy
- Re: [OPSAWG] 🔔 WG Adoption Call on draft-richards… Qin Wu
- Re: [OPSAWG] 🔔 WG Adoption Call on draft-richards… Panwei (William)
- Re: [OPSAWG] 🔔 WG Adoption Call on draft-richards… Wubo (lana)
- Re: [OPSAWG] 🔔 WG Adoption Call on draft-richards… Henk Birkholz
- [OPSAWG] revisions in draft-ietf-opsawg-mud-iot-d… Michael Richardson
- Re: [OPSAWG] revisions in draft-ietf-opsawg-mud-i… tirumal reddy
- Re: [OPSAWG] revisions in draft-ietf-opsawg-mud-i… Michael Richardson