IETF Logo Mail Archive

Re: [OPSAWG] 🔔 WG Adoption Call on draft-richardson-opsawg-mud-iot-dns-considerations-03

tirumal reddy <kondtir@gmail.com> Tue, 05 January 2021 07:27 UTC

Return-Path: <kondtir@gmail.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 612993A0A26 for <opsawg@ietfa.amsl.com>; Mon, 4 Jan 2021 23:27:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OXpvKy6f256Q for <opsawg@ietfa.amsl.com>; Mon, 4 Jan 2021 23:27:21 -0800 (PST)
Received: from mail-il1-x12e.google.com (mail-il1-x12e.google.com [IPv6:2607:f8b0:4864:20::12e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4DA223A0A1D for <opsawg@ietf.org>; Mon, 4 Jan 2021 23:27:21 -0800 (PST)
Received: by mail-il1-x12e.google.com with SMTP id r17so27682115ilo.11 for <opsawg@ietf.org>; Mon, 04 Jan 2021 23:27:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=1iqZHpzzDO8tIHaLefasVutHbXFF7bJ041bacgXw6Og=; b=rmPYgzglyLucZmA8Eq3K1o8C6J8Cfgpq8KLzEP13mElycsxRZNN1wqn8XsQoBMsB+M 5KQfPsIK5mPQNXWCx02z59e3edSUqT58KeD4NOdjUqpzH0cAX1S5M5hePZ2Q6WmYR3qE yfWdPB8xwuix66KrZ145B8akYzpjISOcS+pFc7OXBxhwwYWJ25nwWaKjNbJCTDNJNhpp hQQoAJqJ89NYpc5i9secohU9ALRu4u2vqB7LCvjopZcPt4tZOjkomspOBbVVKt33+qpG 591v5YkR+5xhD3M21W6meQ3XpGKZZLtvz1dknBoqPD2EvB8eRVeLtq3MdApXJNX4gIGz xPAQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=1iqZHpzzDO8tIHaLefasVutHbXFF7bJ041bacgXw6Og=; b=O38Isb0rUfOY29dKHP0Jwpw0v/LCSUxbQPv4FzRTcch5u4BAQD4YU+myT6GOSScnIw /rbRmc7fuFZtIm8BU7bAGEUJHoHnyZGVrMWswRm3/7+kcrXNC63DkepfARNRUkzvHmhi zWOIn9nEtrJv3Zl5D3PqSZvlJsPfJtTW2VCutv2ivmP4tfgj21zt/5JxosTg/K7UmCAU rSV9y8yG+vUZZi5TAhqU9Vs7d6DzzZtYCkgSi6fQcin/yvt1NPTRcIxtrqdQzQJTUGbr OQRj1sXf+os6gyO2ZoHwvYJ6ct1WnE1/yvyrr5OPqcK0ra2dbnADXhKcWvK0HeGMfsk2 MWfg==
X-Gm-Message-State: AOAM530PEDARY2wBLzvu7nT2j4Ih4KoqoPBXi0dNGiceD+4epwq9cdh6 B+sUIAAPN/O4l1fNw9dGKe+20xI0qYdOsYFmjaQNQC9Bzwg=
X-Google-Smtp-Source: ABdhPJx2e5sFajJSkx7zSXrFFf6iYzw9KxzplYX9lhioGCp2Rz5/39V00BcZGgMJmPSxF+/7WANEcPyc1N3QVolXA1U=
X-Received: by 2002:a05:6e02:12c8:: with SMTP id i8mr32582635ilm.32.1609831640509; Mon, 04 Jan 2021 23:27:20 -0800 (PST)
MIME-Version: 1.0
References: <ecd58332-3192-7dbf-9685-afddf9a5030e@sit.fraunhofer.de>
In-Reply-To: <ecd58332-3192-7dbf-9685-afddf9a5030e@sit.fraunhofer.de>
From: tirumal reddy <kondtir@gmail.com>
Date: Tue, 05 Jan 2021 12:57:09 +0530
Message-ID: <CAFpG3gcvsywDwNDEhY_savtp5Rx+JqTPfTcFRjge55x7LsNE_w@mail.gmail.com>
To: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
Cc: opsawg <opsawg@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000014b16805b822237e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/LC0CMZRJMpwe7VXS2LHW9DA4ucc>
Subject: Re: [OPSAWG] 🔔 WG Adoption Call on draft-richardson-opsawg-mud-iot-dns-considerations-03
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Jan 2021 07:27:23 -0000

I support adoption of the draft. My initial comments below:

1)

Use of DoT to a local DNS recursive resolver is a preferred
choice, assuming that the trust anchor for the local DNS server can
be obtained, such as via [I-D.reddy-dprive-bootstrap-dns-server].

Comment> I would replace DoT with "Encrypted DNS connection"

2)
   The use of DoT and DoH eliminates the minimizes threat from passive
   eavesdropped, but still exposes the list to the operator of the DoT
   or DoH server.

Comment> The threat is further minimized by the use of oblivous DNS
https://tools.ietf.org/html/draft-pauly-dprive-oblivious-doh-03 (see
https://blog.cloudflare.com/oblivious-dns/).

3)  IoT devices that reach out to the manufacturer at regular intervals
   to check for firmware updates are informing passive eavesdroppers of
   the existence of a specific manufacturer's device being present at
   the origin location.

Comment> Identifying the IoT device type empowers the attacker to launch
targeted attacks
to the IoT device (e.g., Attacker can advantage of the device
vulnerability).

4) IoT Devices should prefer doing DNS to the network provided DNS
    servers.  Whether this is restricted to Classic DNS (Do53) or also
    includes using DoT/DoH is a local decision, but a locally provided
    DoT server SHOULD be used, as recommended by
    [I-D.reddy-dprive-bootstrap-dns-server] and [I-D.peterson-doh-dhcp].

Comment> ADD WG is currently only focusing on insecure discovery mechanisms
like DHCP/RA (https://tools.ietf.org/html/draft-btw-add-home-10) and DNS
based discovery mechanisms (
https://tools.ietf.org/html/draft-pauly-add-deer-00). Secure discovery of
network provided DoH/DoT resolver is possible using the mechanisms
discussed in
https://tools.ietf.org/html/draft-reddy-add-enterprise-00#section-4.

5) Wildcard certificates are also commonly available which allowed for an
   infinite number of possible names.

Comment> https://tools.ietf.org/html/rfc6125#section-6.4.3 does not
recommend the use of wildcard certificates.

6)
  Where the solution is more complex is when the MUD controller is
   located elsewhere in an Enteprise, or remotely in a cloud such as
   when a Software Defines Network (SDN) is used to manage the ACLs.
   The DNS servers for a particular device may not be known to the MUD
   controller, nor the MUD controller be even permitted to make recusive
   queries that server if it is known.  In this case, additional
   installation specific mechanisms are probably needed to get the right
   view of DNS.

Comment> The MUD controller can program the Enterprise DNS resolver to
enforce the DNS
filtering rules. DNS resolvers can enforce device specific filtering.

Cheers,
-Tiru

On Mon, 4 Jan 2021 at 23:34, Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
wrote:

> Dear OPSAWG members,
>
> this starts a call for Working Group Adoption on
>
> https://tools.ietf.org/html/draft-richardson-opsawg-mud-iot-dns-considerations-03
> ending on Monday, January 25.
>
> As a reminder, this I-D describes potential issues and concerns
> regarding the use of DNS names and IP addressed with RFC8520
> Manufacturer Usage Description (MUD) in support of device access.
>
> Please reply with your support and especially any substantive comments
> you may have.
>
>
> For the OPSAWG co-chairs,
>
> Henk
>
> _______________________________________________
> OPSAWG mailing list
> OPSAWG@ietf.org
> https://www.ietf.org/mailman/listinfo/opsawg
>

v2.23.0 | Report a Bug | By Email