IETF Logo Mail Archive

Re: [OPSAWG] Eric Rescorla's Discuss on draft-ietf-opsawg-mud-20: (with DISCUSS and COMMENT)

Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com> Mon, 16 April 2018 13:04 UTC

Return-Path: <spencerdawkins.ietf@gmail.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C11CA124F57; Mon, 16 Apr 2018 06:04:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mHqV1XAcWKW0; Mon, 16 Apr 2018 06:04:01 -0700 (PDT)
Received: from mail-yw0-x235.google.com (mail-yw0-x235.google.com [IPv6:2607:f8b0:4002:c05::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D1E6F120227; Mon, 16 Apr 2018 06:04:00 -0700 (PDT)
Received: by mail-yw0-x235.google.com with SMTP id i144so5814683ywc.2; Mon, 16 Apr 2018 06:04:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Beg1JiuXtYVcLXWPe1YMhdIQ7MtM+QTtT/l3O/6xAVo=; b=OEeQXjKDToz0qlKUydA8xo4+Co0O2vck+474PwQ0SOXbLEE1KM+q/G+70EEJjaFrOB AQurRCHRS7Vc4iVM9QDpQbCk6BQfgAnskZZ7HqRS7ANKIFNn9ndgdLVsNWWO6j5hC4yS 6+IriJb2OzSSU7tkSw+JSqjdhpVGWSbq6Iv0EmYQ19ydzIn20mXMdpKWcKEJYhfd4RFf KfykRTc5g1eaq21RjSF8Wx7yeXMVaMZ9F4wHE9PfrhEtTihOwh7pzrqEvQLn+bxWfyAI LG8B+4kq0IzOIXmjpBhuPhhk6zccPP8WsxWlaXLavK5IJw3ihfqJfZQK4vHasgUvyg3D Afmw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Beg1JiuXtYVcLXWPe1YMhdIQ7MtM+QTtT/l3O/6xAVo=; b=P647izR0wvu6hAYbutITP16km6cREZz45X/NJc5GOYg11jiVzVZ4MbVn00Copu5kG7 KM8ZIe4JdQCmzMTK4HJ9X6L0UGUR+hibhCiogXodXFWbRYm7JDzd4pd4U2iz9GFlvozL cqzVVvXxmVTyNulMzNcSScGEqiI7GYr/kjfrA7w0pDGg40GG961tbA3BYb3LRMHhR5+K bBwnpAIaZFZfzs29KqC2jU6/FFuX/UHdzZGp6cHPBS5GqVRx0FukAiRaa6a8R5pDlloC WmYiQ9q3h8w3GgsdooSWRNPZQGinzTXZvyNNlQInjc+agXfQuZ7aaemrBOn8xaNByiy8 bPQA==
X-Gm-Message-State: ALQs6tDNG+0vJHgI2a+tszWXuZ3D2neCo6A+z6B72QxQDe/nj7R02Ep3 rNrDsU869/ChGZA2dQhSbFsO9e8Qc/RpJekj7cE=
X-Google-Smtp-Source: AIpwx4995VxFyoRWnTw9DpgIH7ts6X+HO+hgvJ8yRf+l7QWjjGyniNWHCLloRfu4sd5OKje225hNA0/M/TcxZd5sqrE=
X-Received: by 10.129.41.209 with SMTP id p200mr6445363ywp.424.1523883839658; Mon, 16 Apr 2018 06:03:59 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a5b:c06:0:0:0:0:0 with HTTP; Mon, 16 Apr 2018 06:03:59 -0700 (PDT)
In-Reply-To: <CABcZeBPmBCJnnmG1=0SW-3PLcxHPaNCVzQCc62xsYRyWM-4d5Q@mail.gmail.com>
References: <152379196417.19651.6380075441438812361.idtracker@ietfa.amsl.com> <55cc525b-b85c-7316-4b2c-d0d32135a20f@cisco.com> <CABcZeBM5KR210g2QrAUCNDsiv+yun7QTZFggydh=Gf4-Ai6eSQ@mail.gmail.com> <591a7d2b-5379-0eff-2a0e-72e9394e64c1@cisco.com> <CABcZeBPmBCJnnmG1=0SW-3PLcxHPaNCVzQCc62xsYRyWM-4d5Q@mail.gmail.com>
From: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>
Date: Mon, 16 Apr 2018 08:03:59 -0500
Message-ID: <CAKKJt-f4dJ9iq_WE+bTNwagcj3=KJTOoqG3GRisrA9+teWc2uA@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Eliot Lear <lear@cisco.com>, draft-ietf-opsawg-mud@ietf.org, opsawg@ietf.org, Joe Clarke <jclarke@cisco.com>, opsawg-chairs@ietf.org, The IESG <iesg@ietf.org>
Content-Type: multipart/alternative; boundary="001a11422594f11e8f0569f6da5b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/aeVQQJOwRASvKM1t9mzTXZ4PA5s>
Subject: Re: [OPSAWG] Eric Rescorla's Discuss on draft-ietf-opsawg-mud-20: (with DISCUSS and COMMENT)
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Apr 2018 13:04:05 -0000

I haven't balloted yet, and this is EKR's ballot thread, but one point is
worth bringing up here ...

On Mon, Apr 16, 2018 at 7:25 AM, Eric Rescorla <ekr@rtfm.com> wrote:

> Hi Eliot,
>
> Thanks for continuing the conversation. My question is how this fits into
> the system as a whole.
>
> ISTM that there are two ways in which a MUD policy can affect the
> network's behavior:
>
> - Additive -- it lets the device do things it otherwise might not be
> permitted to do (e.g., accept incoming TCP connections)
> - Restrictive -- it stops the device from doing things that it otherwise
> would be permitted to do (e.g., make connections to IP addresses on non-443
> ports)
>

I've read previous versions of this draft and some of the mailing list
discussion, but not a lot. Having said that, I hadn't heard anyone express
the possibility of the additive case described here. The context I always
heard about, was roughly "we've gotta keep all the coke machines on campus
from doing anything except reporting that they need to be refilled", or
whatever variation of cameras, printers, or *mumble* have access to your
network for a specific reason, are running some arbitrary version of some
OS stack that included TCP or UDP capabilities, aren't being maintained
enough to be current on security patches, and aren't being managed, so are
ripe for attacks to create botnets.

Perhaps I need to get out more. Almost certainly. But ... the possibility
of additive policies is interesting, and new to me.

I'll be interested to watch this discussion. Eric, thanks for asking the
question.

Spencer

In the former case, it's very important not to be able to forge acceptable
> MUD policies, but in the latter case, an attacker can just not serve *any*
> MUD policy and be in a stronger position than they would be if they had a
> valid policy, Thus, it's only in the former (additive) case where forging a
> policy is useful to the attacker, and, in fact, it seems like accepting an
> unsigned MUD policy would be better than no policy. Given the ubiquity of
> non-MUD devices and the relatively limited capabilities that MUD seems to
> want to convey, it seems like the additive case isn't very useful.
>
> I should mention one use case that I did think of, where additive would be
> immediately useful: "This device is made by the same manufacturer as
> another device (and hence they can talk to each other). However, I note
> that MUD is actually not capable of securely conveying that, because
> there's no proof that the device in hand actually is made by the
> manufacturer, only that it possesses a public credential for some device
> made by that manufacturer. So, I'm actually left wondering how that feature
> is intended to work. I regret not catching this earlier, but perhaps you
> could explain?
>
> Thanks,
> -Ekr
>
>
> On Sun, Apr 15, 2018 at 11:27 PM, Eliot Lear <lear@cisco.com> wrote:
>
>> Hi Eric,
>>
>> Trimming.
>>
>> On 15.04.18 21:22, Eric Rescorla wrote:
>>
>>
>>
>>
>>
>>> IMPORTANT
>>>
>>>      The certificate extension is described below.
>>>
>>>      The information returned by the MUD file server (a web server) is
>>>      valid for the duration of the Thing's connection, or as specified in
>>>      the description.  Thus if the Thing is disconnected, any associated
>>>      configuration in the switch can be removed.  Similarly, from time to
>>>
>>> IMPORTANT: What does "disconnected" mean in this context? Does a
>>> reboot count? What if I am wireless? This is a critical question if
>>> MUD is intended as a post-compromise mechanism. Say that an attacker
>>> compromises the firmware for a device and then forces a reboot
>>> followed by a 2 hour pause before the wireless NIC is activated. Will
>>> this result in configuration removal? If so, MUD seems of limited use,
>>> because it can then make itself appear to be a new device with a new
>>> MUD configuration. (This is of course true in general in a wireless
>>> context if the firmware can change the client's L2 address).
>>>
>>>
>>> Yes, configuration is intended to be removed when a device disconnects
>>> or a session terminates.  This would be considered normal garbage
>>> collection.  But whether or not you can simply replace the firmware and
>>> gain the same access will depend on how the MUD-URL is learned.  If it is
>>> in a manufacturer certificate, for instance, that's not something an
>>> attacker will easily replace.  If the assertion is coming via LLDP, or
>>> DHCP, then one has to apply the mitigations discussed in the security
>>> considerations section (and they are numerous).
>>>
>>
>> I'm not following you here. Say it's in a manufacturer certificate, what
>> stops me from getting my own certificate for Attacker LLC and then serving
>> a wide open policy? The mitigations don't really seem to do much to
>> counteract this.
>>
>>
>> I believe this point and one down below, where you write:
>>
>> This doesn't seem to address my concern, which is that there's no
>> realistic way of knowing
>> what trust anchors apply. If it's not WebPKI, then what?
>>
>> are related, and so I propose to address them together, and this text
>> could go into security considerations.  The *intent* is that mud managers
>> or their providers will keep a list of known trusted signers.  Examples are
>> likely to include certification bodies (we are aware of at least one that
>> is very interested), the MUD manager vendor themselves, and perhaps
>> others.  Because these are early days, I don't want to be too declarative,
>> but we can say this:
>>
>> NEW:
>>
>> ---
>> MUD managers and their administrators MUST NOT automatically trust a
>> manufacturer's certificate simply because it validates.  Rather, the
>> certificate MUST be signed by an entity that has previously established
>> trust for this explicit purpose.  In particular, the WebPKI alone is not
>> appropriate.
>> ---
>>
>>
>> That means that just because Joe Evil signed the darn thing doesn't mean
>> that we should believe it.  On the other hand, I might trust a security
>> company to vet this stuff.  Would this address your concern?  Also, I'll
>> correct the previous factual error.
>>
>> And again, I view this as early days.  The architecture is going to need
>> some time to mature and evolve.
>>
>>
>>
>>
>>
>>
>>> ----------------------------------------------------------------------
>>> COMMENT:
>>> ----------------------------------------------------------------------
>>>
>>>
>>>
>>>   Abstract
>>>
>>>      This memo specifies a component-based architecture for manufacturer
>>>      usage descriptions (MUD).  The goal of MUD is to provide a means for
>>>      Things to signal to the network what sort of access and network
>>>
>>> I realize that "Things" has become a marketing term, but it's opaque
>>> and unnecessary here. "elements" would be the conventional term.
>>>
>>>
>>> How about "end devices"?  That makes it clear in the abstract.  I don't
>>> propose to do a global substitute, because we scope the term well in the
>>> introduction, as you note directly below.
>>>
>>
>> To be honest, I would do a search and replace, but I agree that theis
>> would resolve the ambiguity here.
>>
>>>
>>>      it continues to make sense for general purpose computing devices
>>>      today, including laptops, smart phones, and tablets.
>>>
>>>      [RFC7452] discusses design patterns for, and poses questions about,
>>>      smart objects.  Let us then posit a group of objects that are
>>>      specifically not general purpose computers.  These devices, which
>>>
>>> I don't think this makes sense. These devices usually *are* general
>>> purpose computers (turing complete, etc.)
>>>
>>>
>>> That these objects might happen to use a general purpose CPU or
>>> operations system doesn't in and of itself make them general purpose
>>> devices.  As a complete SKU they are sold with a single or small number of
>>> uses in mind.  That is what is posited.  Is there a way to make that
>>> clearer?
>>>
>>
>> Perhaps "not intended to be used for general purpose computing tasks"
>>
>>
>> Ok.
>>
>>
>>>
>>>      specifically not general purpose computers.  These devices, which
>>>      this memo refers to as Things, have a specific purpose.  By
>>>      definition, therefore, all other uses are not intended.  The
>>>      combination of these two statements can be restated as a manufacturer
>>>      usage description (MUD) that can be applied at various points within
>>>      a network.
>>>
>>> I would make the point here that the purpose of the MUD is to describe
>>> the communications pattern. You only really get that by the statement
>>> in S 1.1 that the communication pattern of other devices is too
>>> complicated to profile.
>>>
>>>
>>> I think this statement is predicated on your previous comment, and would
>>> prefer not to change text at this time.
>>>
>>
>> Hmmm.... No, I don't think you're reading me right here. I'm just saying
>> that it would be useful upfront to say that MUD
>> is about saying "this is what communications pattern these devices are
>> expected to have"
>>
>>
>> Ok.  I think that's a good add, and propose to add a statement based on
>> your quoted text.
>>
>> Thanks again,
>>
>> Eliot
>>
>
>

v2.23.0 | Report a Bug | By Email