IETF Logo Mail Archive

Re: [OPSAWG] AD review draft-ietf-opsawg-mud-tls-12

Paul Wouters <paul.wouters@aiven.io> Tue, 23 January 2024 19:33 UTC

Return-Path: <paul.wouters@aiven.io>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BDE44C14EB17 for <opsawg@ietfa.amsl.com>; Tue, 23 Jan 2024 11:33:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=aiven.io
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KksG3Oozdav7 for <opsawg@ietfa.amsl.com>; Tue, 23 Jan 2024 11:33:30 -0800 (PST)
Received: from mail-lf1-x131.google.com (mail-lf1-x131.google.com [IPv6:2a00:1450:4864:20::131]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 83827C14F748 for <opsawg@ietf.org>; Tue, 23 Jan 2024 11:33:23 -0800 (PST)
Received: by mail-lf1-x131.google.com with SMTP id 2adb3069b0e04-50ea9e189ebso5215327e87.3 for <opsawg@ietf.org>; Tue, 23 Jan 2024 11:33:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aiven.io; s=google; t=1706038401; x=1706643201; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=jehoTcD53oylfmTi0RaefK/u1X1TqKHKKDO/obf18b0=; b=OKJ0f9knwoydP5fGYItcJxHxoIhQvk/aCq4mTVJN+ShJFqh5Q+E0b28uBEcaanuDwv mYxmTxfPKIIsv438pvay9rHhJgYPlcKKnXddR7GQThooQZVMNpy94zriUFi0VWawgvro +ryazxQfGyQz1Sarf5dfqkGd1Ov/Xi+76rg1M=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1706038401; x=1706643201; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=jehoTcD53oylfmTi0RaefK/u1X1TqKHKKDO/obf18b0=; b=S6SkoY72HQdCfAISiyaEyFaY6KL178XwIGr6/Cu57SsoL60ERcoPqe/qOXpLtiVhz+ lk/aAdBTGLO74tgwuo6lwI9SwtBPR0saQkQw0Yo20ESoYxuMeaR8Az0nTjRd4o32pdK1 B2Dk9tEAaYAhrmsHjAG+ymuq0K7hm3a9hBM0/1jYnE/s2pYOQSuizISc3jy+xb/luEyD dyIxwaIRzwoSwURyIpXABfTGmOAnM29NN6OfaIV6odPFYtn3trQCuAVEvk8sin6DcKw8 wCR1tqVQBMqFrEeBZZxBjFi7SXjtBY9XwAR6palCMg/WoMQnOzPD7RdyvtaddzAEkyw5 PbrA==
X-Gm-Message-State: AOJu0Yyetcj6KYsNmgEC/IAbZDx9+AH95mqdlikq3rIGoQUrn1QHcZEP eSFhmim/hgnN4tkNv0Lo4cnZ7YVdZgFbGHueViSEXK70EH5z2CBD/3L47+cnUjhgVwENbOPY0z9 31j6gbVUdev3XRoh/U9oad9k9rW/pgijKnTbcJg==
X-Google-Smtp-Source: AGHT+IG75ekCUYAtdxBrhv7HJaOUD9ndfgkAfPJn5zheyjs3Hq8zKlMeZo1LdIkslAIqKPgsoDcmzv+hm5MkYCDAEDM=
X-Received: by 2002:ac2:5bdc:0:b0:50f:a19:aeb7 with SMTP id u28-20020ac25bdc000000b0050f0a19aeb7mr2802210lfn.136.1706038400838; Tue, 23 Jan 2024 11:33:20 -0800 (PST)
MIME-Version: 1.0
References: <CAGL5yWYg92ZWZ+7dOpXwt_HVBrSi5Tas2uPR0SyN+k_2gXEcFA@mail.gmail.com> <CAFpG3gfHJ_gBE2F6dUVigUChdo4VyC-Aot2FabWYWRTFOkB5eA@mail.gmail.com>
In-Reply-To: <CAFpG3gfHJ_gBE2F6dUVigUChdo4VyC-Aot2FabWYWRTFOkB5eA@mail.gmail.com>
From: Paul Wouters <paul.wouters@aiven.io>
Date: Tue, 23 Jan 2024 14:33:10 -0500
Message-ID: <CAGL5yWYfVyGj2QagTcD5XjR1WAkTVqz=LG9EQ_MbgLSkE6=6mw@mail.gmail.com>
To: tirumal reddy <kondtir@gmail.com>
Cc: danwing@gmail.com, blake.anderson@cisco.com, opsawg@ietf.org
Content-Type: multipart/alternative; boundary="000000000000db3a9d060fa204c1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/URbycHGk3FBZknSs--JTUoJv78I>
Subject: Re: [OPSAWG] AD review draft-ietf-opsawg-mud-tls-12
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jan 2024 19:33:34 -0000

On Tue, Jan 23, 2024 at 1:20 AM tirumal reddy <kondtir@gmail.com> wrote:

> Hi Paul,
>
> Thanks for the review. Please see inline
>
> On Sat, 20 Jan 2024 at 03:55, Paul Wouters <paul.wouters@aiven.io> wrote:
>
>> Hi,
>>
>> I am assisting Rob Wilton with some documents, as so I am the (temporary)
>> responsible AD for draft-ietf-opsawg-mud-tls
>>
>> I have reviewed this document and have a few questions and comments. I
>> think the document generally is clear.
>>
>> I can see the MUD use case for using endpoint recognition based on TLS
>> properties (eg SNI, ClientHello in TLS 1.2, IP addresses and hostnames. I
>> don't have as much faith in using MUD to identify rogue TLS connections
>> based on their cryptographic or extension properties (eg ciphersuites). I
>> would expect that ciphersuites would change, and that an IoT device would
>> mostly only implement the one or two ciphersuites (and TLS extensions) it
>> supports. Malware would have to ensure their C&C can talk all kinds of
>> ciphersuites and extensions to allow all kinds of limited implementation
>> IoT devices to connect to it. So I don't think those parts would likely to
>> trigger a MUD security rule. But there is no harm in trying.
>>
>
> In our research, TLS properties can be used to identify benign and malware
> flows. The results with Google Home and several malware families were
> presented in T2TRG few years back, please see
> https://datatracker.ietf.org/meeting/interim-2020-t2trg-01/materials/slides-interim-2020-t2trg-01-sessa-mud-dtls-profiles-for-iot-devices-00.pdf for
> details.
>

The question remains, is the additional infrastructure being build to
detect this going to be useful for long. I assume the malware will quickly
adept. Anyway, as I said, I don't object to deploying this and seeing how
long it will be useful for.

Good catch, modified the YANG module to use uint16 to represent the cipher
> suite to match the TLS IANA registry of cipher suite (that includes
> non-AEAD ciphers). The supported-group in the YANG module matches TLS
> supported groups registry, see
> https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
> .
>

Sounds good.


>
>
>>
>>           +--rw application-protocol*
>>
>> Is ALPN meant here?
>>
>
> Yes, please see Section 5.3 of the draft
>
>   typedef application-protocol {
>     type string;
>     description
>       "Application-Layer Protocol Negotiation (ALPN) Protocol ID
>        registry as defined in Section 6 of RFC7301.";
>   }
>
>
>> Perhaps using "alpn" instead of "application-protocol"
>> would be clearer? But I'm okay with whatever the WG / authors deem better.
>>
>
I take it you want to leave it as it, which is fine.


>
>> Section 9:
>>
>>         An attacker cannot read the MUD URL and identify the IoT device.
>>
>> Should this be "so that an attacker ....." ?
>>
>
This was not answered, but it is something the RFC Editor or other IESG
members will point out as well.


>
>> It could use a more inclusive term for "man-in-the-middle", eg "on path
>> attacker" or "machine-in-the-middle"
>>
>
> Agreed, updated text as follows:
>
>    The MUD URL MUST be encrypted and shared only with the authorized
> components in the
>    network (see Section 1.5 and Section 1.8 of [RFC8520]) so that an on-
>    path attacker cannot read the MUD URL and identify the IoT device.
>

Sounds good.

Once I see -13, I will initiate the IETF Last Call.

Paul

v2.39.1 | Report a Bug | By Email | System Status