Re: [OPSAWG] [Mud] Declaring something to be a controller in MUD

"M. Ranganathan" <mranga@gmail.com> Wed, 26 June 2019 14:27 UTC

Return-Path: <mranga@gmail.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 478A3120191; Wed, 26 Jun 2019 07:27:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pgG46YaQL0lW; Wed, 26 Jun 2019 07:27:31 -0700 (PDT)
Received: from mail-io1-xd2d.google.com (mail-io1-xd2d.google.com [IPv6:2607:f8b0:4864:20::d2d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 153B5120189; Wed, 26 Jun 2019 07:27:31 -0700 (PDT)
Received: by mail-io1-xd2d.google.com with SMTP id r185so5473057iod.6; Wed, 26 Jun 2019 07:27:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=xc5p2uLi5UB/mWJ8hmCFkGe7KoIMUywDxm1Jgsx0DBU=; b=mmRdjhybuaeXAASdMqL3sIkbWkj4Pck2eXCowEe6W4xL8RltX8T6rz33SXT/B06R+F NAm0dMV+4cRktrwtWP5l2F4QVAkya8gxaGkh2rdFzKr4n7E0QXDW1mWn2BmZ3+JRAD1d YEZFc6qdLq9KvJIX6OnGxScbdEaJgJaU9yvV4bfy+c3xMHKBjkaf4EZGS0jGufwzIPBC 8VpHefVxXVJv0jrX2pmrUDDPAJKnVrd32Kfvxmw1/1Rqjy/ptIJltXzz0JELFeBVTeM6 6SiKmOCgpqlEgWsYnil8UlCD1ubMuhFau+Q52IlIPpLhkteGZdBqVmfIb3zmI9fIfMQ6 prGg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=xc5p2uLi5UB/mWJ8hmCFkGe7KoIMUywDxm1Jgsx0DBU=; b=AzjMmobD6GEF5RT2Yh6ZehJM7/qR/bJgpeUrr9EvASk0YuRVH4Y0cS28XlJKLLdHGO G5L9lveNhuIL64gxgLL/eusmcA+3r0ldiHOyLo5vZ+G8hUuLD/zwkYtbInujKJTQ1317 3lm+z0qa9Y6c+EFh14P9ALAV9LIEdbmxfTxsQZUCbCPBArp/WeT9OfdelD2tjpNT1Mpy Pbr+3boBicVOT0cEy0/NKi/xq0bkMLQy0aqUcWVEDKaO0/Sfd2qAJUp9/qOz4cGsohh6 5odZVbmUSNyWe2wEkvjZWrvTgOiB91JoxgjqlnUFPIytJfnaLamolVPBIeB3m/zJtvb5 WTOA==
X-Gm-Message-State: APjAAAXaKdUDR+JuwcbfEVGcRQPFxozrjHW2Bx8h62fbuYrQQKyXchP4 DfdhEKIgYvoIq2upGIJPrjeBlYs2FjZi9/ph6o8=
X-Google-Smtp-Source: APXvYqwee6+EFsY2ZheXBDFZnl4aLand6pxBiCi/3toptGMje9XalkPvLKcMzb2NGlEijbbr/JrvZqwgP0c4T0dOJlA=
X-Received: by 2002:a5e:d615:: with SMTP id w21mr5620227iom.0.1561559250082; Wed, 26 Jun 2019 07:27:30 -0700 (PDT)
MIME-Version: 1.0
References: <1FDE5A58-569B-47FD-8C24-435D78F8A3B2@cisco.com> <1547.1561492346@localhost> <BE16542E-7383-4006-A00F-5000BEC4E68B@cisco.com>
In-Reply-To: <BE16542E-7383-4006-A00F-5000BEC4E68B@cisco.com>
From: "M. Ranganathan" <mranga@gmail.com>
Date: Wed, 26 Jun 2019 10:26:53 -0400
Message-ID: <CAHiu4JOK+TYZ32zOCK6-g=Qo_+7eCWcFeDFAF+yM82yVBEPTpA@mail.gmail.com>
To: Eliot Lear <lear@cisco.com>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, opsawg@ietf.org, mud@ietf.org
Content-Type: multipart/alternative; boundary="00000000000065a6c9058c3ad84d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/TSNsQehxsWHUw5WUdTElpGQ-Kv0>
Subject: Re: [OPSAWG] [Mud] Declaring something to be a controller in MUD
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Jun 2019 14:27:38 -0000

On Wed, Jun 26, 2019 at 6:56 AM Eliot Lear <lear@cisco.com> wrote:

>
>
> > On 25 Jun 2019, at 21:52, Michael Richardson <mcr+ietf@sandelman.ca>
> wrote:
> >
> > Signed PGP part
> >
> > Eliot Lear <lear@cisco.com> wrote:
> >> A few of us are just trying to put out an initial draft that addresses
> >> one gap in MUD (there are several).
> >
> >> In a MUD file one can say that one
> >> wants to access a controller in two ways: either "my-controller”
> >> meaning a controller that services devices of a particular MUD URL or a
> >> “controller” class that services devices based on a particular class
> >> name of controller.
> >
> > I think that we have two potential avenues for security attacks here:
> >  1) a device that claims to be a controller in order to gain access to
> >     devices.
> >  2) devices that claim to be belong to a controller in order to attack
> >     controllers.
> >
> > To my mind there are some different things we could do:
> >
> > 1) insist that to user the my-controller connections that the two devices
> >   have to be signed by the "same" entity.  ["same" could mean literal the
> >   same key, the same certificate Issuer/DN,  or something more complex]
> >
> > 2) we could have devices declare in an MUD extension the
> >   DN/certificate/entity which must sign their controller device.
>

controller or my-controller could refer to an application (not necessarily
another device). However, the approach you are suggesting could apply to an
application as well.


>
> > 3) (2) above, but with some level of indirection through some URL.
>
>
> I could see these as options.
>
> >
> >> In either case, right now the administrator has to manually know and
> >> populate information, to say - some device 1.2.3.4 is a controller,
> >> either for MUD URL https://example.com/mud <https://example.com/mud> or
> >> a class http://example.com/mudclass1 <http://example.com/mudclass1>.
> >> That can be laborious.  To assist, we are examining ways to have a
> >> controller declare itself as a candidate controller.  That at least
> >> provides a hint to the administrator that this particular device is
> >> capable of serving in a particular role.
> >
> > I think that anything that requires administrator activity to be a fail
> for
> > residential use.  It's too complex.
>
> There will ALWAYS be a need for an administrator in the enterprise case.
> But maybe with the options above we can ease the consumer burden over
> time.  In the consumer case, you might want an app for initial device
> admission control anyway, no?  Can we not rely on that interaction as an
> approval step in this instance?
>
> >
> >> To make that declaration, the device must- Form the declaration; Find
> >> the MUD manager; and Send it.
> >
> >> Finding the MUD manager depends on one question: Was the device built
> >> to be a controller or is it a general purpose device that has an app
> >> that is intended to be a controller?
> >
> >> If the device was built to be a controller, we can simply cram the
> >> declaration into that devices own MUD file as an extension.  If the
> >> device is a general purpose computer, things get a bit more
> >> interesting.
>


More precisely if the application that wants to declare itself to be a
controller is running on a general purpose controller then things could
become interesting.




>
> > Yes... but I think that we have to solve the multi-purpose computer MUD
> > anyway.  The intelligent speakers (Echo,Home,Mycroft,etc.) need to gain
> new
> > MUD definitions as they gain "skills", and I think that we can treat a
> > smartphone in a similar way.
>


It's a chicken and egg problem but I think we need to see some further
adoption before throwing such complications into the mix.


>
> > This might be a place where IPv6 wins, if we can split off each skill
> into a
> > new provisioning domain, giving it a new IPv6 IID.  I was thinking that
> maybe
> > we can associate the private key that signed the MUD file to the IID via
> > something like SEND/CGA, but I'm not sure how many private keys we have
> > (one for the app developer, or one per app installed on each device).
>
>
> >
> >> In this case we have two choices:
> >
> >> Either create a MUD file that points somewhere internally - this
> >> doesn’t seem very plug and play.  Make the declaration directly to the
> >> MUD manager.
> >
> >> I’m going to focus on the latter for the moment.  It is easy enough to
> >> create a RESTful interface for this purpose, but it requires a
> >> mechanism to discovered the MUD manager, which up until now has been an
> >> internal part of the network infrastructure.
>
>
> >> Let me call this out plainly: letting the app itself directly call the
> >> MUD manager requires that the MUD manager itself become exposed to the
> >> user infrastructure, which is a change.
> >
> > Agreed.
> > And that the MUD manager have some reason to trust the device is not
> p0wned,
> > and sending a bogus MUD file up.   A certificate chain back to the
> > manufacturer is not enough, it has to be signed by a key that an attacker
> > can't get access to.  So that requires attested keys if they are
> "local", or
> > for the signature to be done elsewhere.
> >
> >> One possibility to address this is to incorporate the new RESTful
> >> endpoint into an ANIMA BRSKI join registrar, which may already be
> >> exposed.  But that requires that ANIMA BRSKI be in play, which it may
> >> not.
>


I think the simplest approach would be to define a REST interface to the
mud controller. This can be invoked by the join registrar (in case brski is
being used) so that it is not directly exposed. When a controller (which
could be an application) is admitted to the network, the join registrar
signals the MUD manager.  Thus the MUD manager does not need exposure in
case brski is being used.

In case brski is not being used, exposure (or limited exposure) may not be
avoidable.

How to discover the MUD manager (i.e. where it is running the API server)
in case brski is not being used? Not clear, but won't simple direct
configuration do the trick?  Alternatively there are many discovery
protocols (some better than others).

 So long as the application declaring itself to be the controller can be
trusted, I don't see a big problem with exposing a RESTful API. Yes you now
have an API that can be invoked by anyone who can access the MUD manager.
How do you authenticate the invoker of this API? Again - many answers
possible. A simple one -- it must present a trusted  certificate signed by
a trusted authority (verified using a certificate chain and yes key
exposure is a known risk but isn't that always the case for public key
encryption?). There application itself must be trustworthy but that can be
verified by checking its code signature manually or automatically while
installing it. So while not perfect I think it is a reasonable solution.



Just my 2c.


> >
> > It is, however, a really good idea for the case where it is in play.
> >
> >> My thinking is that we do this work in two stages.  First handle the
> >> easy case, which is the MUD file extension, and then figure out how to
> >> do the app version of this.
> >
> >> Thoughts?
> >
> > yes.
> >
>
> Was that “yes” to the two stage approach?
>
> Eliot
>
> > --
> > Michael Richardson <mcr+IETF@sandelman.ca>ca>, Sandelman Software Works
> > -= IPv6 IoT consulting =-
> >
> >
> >
> >
> >
>
> --
> Mud mailing list
> Mud@ietf.org
> https://www.ietf.org/mailman/listinfo/mud
>


-- 
M. Ranganathan