Re: [OPSAWG] [secdir] Secdir last call review of draft-ietf-opsawg-mud-tls-10

tirumal reddy <kondtir@gmail.com> Mon, 09 January 2023 06:07 UTC

From: tirumal reddy <kondtir@gmail.com>
Date: Mon, 09 Jan 2023 11:37:19 +0530
Message-ID: <CAFpG3geKg8cfe8DXuXq3L-6ARAhUGD92E3zr3_6Aa3vNteMuPA@mail.gmail.com>
To: Ben Schwartz <bemasc@google.com>
Cc: Linda Dunbar <linda.dunbar@futurewei.com>, secdir@ietf.org, draft-ietf-opsawg-mud-tls.all@ietf.org, last-call@ietf.org, opsawg@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/MYnpTkBPKR0WPWROb6EctWeyvbM>
Subject: Re: [OPSAWG] [secdir] Secdir last call review of draft-ietf-opsawg-mud-tls-10

Hi Ben,

I re-looked into the discussion in the TLS WG mailing list and we have
addressed all the comments raised by the WG members.

The issues raised by the TLS WG and addressed in the draft are:

(a) We added Section 6 to explain the rules for processing the MUD (D)TLS
rules to handle ossification and updated Section 10 to enable faster updates
to the YANG module.
(b) Updated the draft so that the YANG module must not include GREASE
values (see Section 5).
(c) Privacy issues related to not revealing the MUD URL to an attacker are
discussed in Section 9.

Please let us know if you see any other pending issues.

Cheers,
-Tiru
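As an added illustration of points (a) and (b) above (this is example code, not code from the draft or from any MUD implementation): a network security service that compares an observed ClientHello against a device's MUD (D)TLS profile has to discard RFC 8701 GREASE code points before the comparison, otherwise every randomly chosen GREASE value would look like a deviation, and the profile itself must never list such values. The `TlsProfile` and `ClientHello` structures below are simplified stand-ins for the draft's YANG module, and the profile and ClientHello contents are constructed sample data; what the service should do with a reported deviation is left to the draft's processing rules and is not encoded here.

```python
"""Compare an observed (D)TLS ClientHello against a MUD-style (D)TLS profile,
ignoring GREASE code points. Added example: the data model is a simplified
stand-in for the draft's YANG module, and all values below are constructed."""

from dataclasses import dataclass


def is_grease(value: int) -> bool:
    """True for the 16 RFC 8701 GREASE code points 0x0A0A, 0x1A1A, ..., 0xFAFA:
    both bytes are equal and the low nibble of each byte is 0xA. The same
    pattern is used for versions, cipher suites and extension types."""
    if not 0 <= value <= 0xFFFF:
        return False
    return (value >> 8) == (value & 0xFF) and (value & 0x0F) == 0x0A


def strip_grease(values):
    """Drop GREASE code points from an observed list, preserving order."""
    return [v for v in values if not is_grease(v)]


@dataclass(frozen=True)
class TlsProfile:
    """Hypothetical, simplified profile entry (not the draft's YANG schema)."""
    versions: frozenset
    cipher_suites: frozenset
    extensions: frozenset


@dataclass
class ClientHello:
    """Hypothetical parsed ClientHello: the three lists the profile covers."""
    versions: list
    cipher_suites: list
    extensions: list


def validate_profile(profile: TlsProfile) -> list:
    """A profile must not carry GREASE values; return any offending code points."""
    bad = []
    for group in (profile.versions, profile.cipher_suites, profile.extensions):
        bad.extend(sorted(v for v in group if is_grease(v)))
    return bad


def compare_client_hello(profile: TlsProfile, hello: ClientHello) -> dict:
    """Return the observed non-GREASE values that the profile does not list.
    All three lists empty means the ClientHello matches the profile."""
    return {
        "versions": sorted(set(strip_grease(hello.versions)) - profile.versions),
        "cipher_suites": sorted(set(strip_grease(hello.cipher_suites)) - profile.cipher_suites),
        "extensions": sorted(set(strip_grease(hello.extensions)) - profile.extensions),
    }


# Constructed profile for a fictitious device: TLS 1.2/1.3, AEAD suites only,
# and the extensions its firmware is known to send.
PROFILE = TlsProfile(
    versions=frozenset({0x0304, 0x0303}),
    cipher_suites=frozenset({0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F}),
    extensions=frozenset({0, 10, 13, 43, 45, 51}),
)

# Constructed ClientHello that matches the profile once GREASE is removed.
MATCHING_HELLO = ClientHello(
    versions=[0x0A0A, 0x0304, 0x0303],
    cipher_suites=[0x3A3A, 0x1301, 0x1302, 0xC02B],
    extensions=[0x5A5A, 0, 10, 13, 43, 45, 51],
)

# Constructed ClientHello that offers a non-AEAD RSA suite the profile lacks.
DEVIATING_HELLO = ClientHello(
    versions=[0xAAAA, 0x0303],
    cipher_suites=[0x1A1A, 0x009C, 0xC02F],
    extensions=[0, 10, 13],
)

# Constructed, deliberately invalid profile that lists a GREASE cipher suite.
BAD_PROFILE = TlsProfile(
    versions=frozenset({0x0303}),
    cipher_suites=frozenset({0x0A0A, 0x1301}),
    extensions=frozenset({0}),
)

if __name__ == "__main__":
    print("profile GREASE values:", validate_profile(PROFILE))
    print("matching hello:", compare_client_hello(PROFILE, MATCHING_HELLO))
    print("deviating hello:", compare_client_hello(PROFILE, DEVIATING_HELLO))
```

Deviations are reported per parameter group so the operator can see whether a change is a new cipher suite (typical of a firmware update, the ossification concern behind Section 6) or an unexpected extension set, rather than a single pass/fail verdict.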

On Fri, 6 Jan 2023 at 21:43, Ben Schwartz <bemasc@google.com> wrote:

> Since this happened to cross my inbox, I want to reiterate that, in my
> view, this document has not been properly reviewed by the TLS WG.  As the
> shepherd's writeup notes, previous reviews in the TLS group raised some
> significant concerns about whether this draft's approach is advisable.
>
> I would encourage the responsible AD(s) to make sure that this document
> has strong consensus support from the TLS WG before proceeding.
>
> On Fri, Nov 18, 2022 at 12:29 PM Linda Dunbar via Datatracker <
> noreply@ietf.org> wrote:
>
>> Reviewer: Linda Dunbar
>> Review result: Has Nits
>>
>> I have reviewed this document as part of the security directorate's
>> ongoing effort to review all IETF documents being processed by the IESG.
>> These comments were written primarily for the benefit of the security
>> area directors. Document editors and WG chairs should treat these
>> comments just like any other last-call comments.
>>
>> This document extends the Manufacturer Usage Description specification
>> to incorporate the (D)TLS profile parameters for a network security
>> service to identify unexpected (D)TLS usage. The document has a very
>> good description of common malware behavior that is informative.
>>
>> Questions
>> - Are the profiles on the remote IoT device or on the network device?
>> If the profile is on remote IoT devices, are those attributes in the
>> profiles attached as metadata when requesting TLS connections? Are
>> those attributes encrypted?
>> - If the malware on IoT doesn't participate in TLS, can those MUD be
>> used to detect the malware on the remote IoT devices?
>>
>> - Page 6, first paragraph says:
>>  "malware developers will have to develop malicious agents per IoT
>>  device type, manufacturer and model, infect the device with the
>>  tailored malware agent and will have to keep up with updates to the
>>  device's (D)TLS profile parameters over time."
>>
>> Does it mean that if all the IoT devices deployed in the network
>> register their DeviceType/ManufacturerName/Model with the network
>> services, then the network services can validate the TLS requests from
>> the IoT?
>>
>> - Section 3 last paragraph says that "compromised IoT devices are
>> typically used for launching DDoS attacks". Can today's TLS
>> re-negotiation validate the TLS requests by evaluating if the server
>> certificates are signed by the same certifying authorities trusted by
>> the IoT device?
>>
>> Thank you very much,
>>
>> Linda Dunbar
>>
>>
>> _______________________________________________
>> secdir mailing list
>> secdir@ietf.org
>> https://www.ietf.org/mailman/listinfo/secdir
>> wiki: https://trac.ietf.org/trac/sec/wiki/SecDirReview
>>
>