IETF Logo Mail Archive

Re: [OPSAWG] Last Call Review of draft-ietf-opsawg-mud-acceptable-urls-10

Christian Huitema <huitema@huitema.net> Wed, 28 February 2024 09:05 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2523EC14F680 for <opsawg@ietfa.amsl.com>; Wed, 28 Feb 2024 01:05:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.909
X-Spam-Level:
X-Spam-Status: No, score=-6.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MV9erZOWoq7V for <opsawg@ietfa.amsl.com>; Wed, 28 Feb 2024 01:05:13 -0800 (PST)
Received: from out16-27.antispamcloud.com (out16-27.antispamcloud.com [185.201.18.27]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 17CF2C14F600 for <opsawg@ietf.org>; Wed, 28 Feb 2024 01:05:12 -0800 (PST)
Received: from xse328.mail2web.com ([66.113.197.74] helo=xse.mail2web.com) by mx196.antispamcloud.com with esmtp (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1rfFsD-000x02-A8 for opsawg@ietf.org; Wed, 28 Feb 2024 10:05:11 +0100
Received: from xsmtp22.mail2web.com (unknown [10.100.68.61]) by xse.mail2web.com (Postfix) with ESMTPS id 4Tl7jG4Cvyz2qH for <opsawg@ietf.org>; Wed, 28 Feb 2024 01:05:06 -0800 (PST)
Received: from [10.5.2.15] (helo=xmail05.myhosting.com) by xsmtp22.mail2web.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1rfFsA-00059W-Dv for opsawg@ietf.org; Wed, 28 Feb 2024 01:05:06 -0800
Received: (qmail 13523 invoked from network); 28 Feb 2024 09:05:06 -0000
Received: from unknown (HELO [192.168.1.101]) (Authenticated-user:_huitema@huitema.net@[172.56.169.196]) (envelope-sender <huitema@huitema.net>) by xmail05.myhosting.com (qmail-ldap-1.03) with ESMTPA for <lear@lear.ch>; 28 Feb 2024 09:05:05 -0000
Message-ID: <66588cac-0f33-4924-920f-6b4dbd5c2964@huitema.net>
Date: Wed, 28 Feb 2024 01:05:05 -0800
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: Eliot Lear <lear@lear.ch>
Cc: "sec-ads@ietf.org" <sec-ads@ietf.org>, "opsawg@ietf.org" <opsawg@ietf.org>, draft-ietf-opsawg-mud-acceptable-urls@ietf.org
References: <8a2c556a-905b-46f9-926c-03f09ed98f32@lear.ch>
From: Christian Huitema <huitema@huitema.net>
Autocrypt: addr=huitema@huitema.net; keydata= xjMEXtavGxYJKwYBBAHaRw8BAQdA1ou9A5MHTP9N3jfsWzlDZ+jPnQkusmc7sfLmWVz1RmvN J0NocmlzdGlhbiBIdWl0ZW1hIDxodWl0ZW1hQGh1aXRlbWEubmV0PsKWBBMWCAA+FiEEw3G4 Nwi4QEpAAXUUELAmqKBYtJQFAl7WrxsCGwMFCQlmAYAFCwkIBwIGFQoJCAsCBBYCAwECHgEC F4AACgkQELAmqKBYtJQbMwD/ebj/qnSbthC/5kD5DxZ/Ip0CGJw5QBz/+fJp3R8iAlsBAMjK r2tmyWyJz0CUkVG24WaR5EAJDvgwDv8h22U6QVkAzjgEXtavGxIKKwYBBAGXVQEFAQEHQJoM 6MUAIqpoqdCIiACiEynZf7nlJg2Eu0pXIhbUGONdAwEIB8J+BBgWCAAmFiEEw3G4Nwi4QEpA AXUUELAmqKBYtJQFAl7WrxsCGwwFCQlmAYAACgkQELAmqKBYtJRm2wD7BzeK5gEXSmBcBf0j BYdSaJcXNzx4yPLbP4GnUMAyl2cBAJzcsR4RkwO4dCRqM9CHpVJCwHtbUDJaa55//E0kp+gH
In-Reply-To: <8a2c556a-905b-46f9-926c-03f09ed98f32@lear.ch>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Originating-IP: 66.113.197.74
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 66.113.197.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=66.113.197.0/24@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: unsure
X-Spampanel-Outgoing-Evidence: Combined (0.15)
X-Recommended-Action: accept
X-Filter-ID: Pt3MvcO5N4iKaDQ5O6lkdGlMVN6RH8bjRMzItlySaT9WLQux0N3HQm8ltz8rnu+BPUtbdvnXkggZ 3YnVId/Y5jcf0yeVQAvfjHznO7+bT5zW1cVNaPy0Svy7+rHdNzP342UuDhyzVYcwl2RB+0Aaelxs AvlAVhDuNdf4xRhgnvIh55uqY3MhMgFAHq5BxPxPXn36fLqvhISQ5ykyqUZqUd1jhnM/Mbva2XLV /LIEzaL2KoAZhJekBPedneT7f699rEueMcbwHiStu2b2gG2awIPAgTtUp75uqlx0KezvZHWGbhAV ALb/P8z3UlcpGCbAWQaaSSaRcFTFxaRvADgOuFdAU5fRzM/QzQW9/IoH33AG8ECuCwECazCwODtO F78PiyQEs+dlGXUJLWZ+Gc08Nmllke3azHdKmySKNUVQl4ntlVxnbS8qIO7oudHyb2T1VQ58xe/l rqiRGalI3YPsxOTrFXToVyBmRCgQVX6zVyFUu8qzeMQP6uTHL0d9UjfYgBBNGjSbbSRA1Z+Pmb5M C1YFvf25LVONYbYifH5OzZDcG6hsRQZiAIgw+z837AqgX7ewI8e1h7RITgN14BHmGVt/ReJ9Mfhz zmbKTH7wI9GEU1utNskUAORCV2WFZX0j188AKPEzWNlSNwJuvzJAPB7LPF7EDlAW33KYN4Xc+EfH k3EcH/v8fN2cTZnP0iXqDRojSVizNl0ce/s7u0P9b7Oijoc3SCZfWp1RjkjWCw/vIUzTXkDAiiJi mGhLUFuS2lhaIetXfCg1JdAVrOwKfNzJjshHqs1YxfCNaddchxdUoFIvD3sIcP1fhJPM6B/8K0ja 3Lx9qyVvUR+ysOib4gs87+hbk89LRXt/6FhXoqk37Fo9Xqg2bQC831cpDah1VRA8+LceLCkhmRPM mF/IJG0AuXq0T17woJo3avKeADIsy647Mn0zwmGzAi3Zn+YdthRNgs7Ig4l/XErpYn3glZTKFuaT l19W3ISq9+1KiLsESGU+y+fjdgjudZxiTPi+MG1QP35nsYfP84c+RFK3KiZuZ5OAUoGBziSYFLZu u6zX3xxsmqT8l9ARlsTalAaf
X-Report-Abuse-To: spam@quarantine14.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/cNeqe7VwTUecIOOsnQjBr9n0VHU>
Subject: Re: [OPSAWG] Last Call Review of draft-ietf-opsawg-mud-acceptable-urls-10
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Feb 2024 09:05:14 -0000


On 2/28/2024 12:04 AM, Eliot Lear wrote:
> Hi Christian and thanks for another good read of another MUD document. 
> You've largely summarized the situation well, taking into account what 
> RFC 8520 states.
> 
> I want to note that your comments about detached signatures were 
> specified in RFC 8520.  This draft tries to work within that framework 
> without updating the format.  Signatures were detached for a particular 
> reason- readability during the early stages of this technology's 
> deployment without the need to apply canonicalization rules that would 
> obscure the text.  The issues this document raises are not specifically 
> around the fact that the signature is detached, but that the underlying 
> MUD URL could change.  There may indeed be threats involved with using 
> detached signatures, but I would hold that work for an overall MUD 
> revision, which I think should happen at some point soon.  This draft is 
> considerably more tightly scoped.

Reading the document, I could not figure out how to proceed with that 
signature verification. A pointer to the proper doc would be nice.

> 
> Regarding this text, first I note editorially that we should separate 
> the the file structure change from the rest of the Section 5 chapeau 
> text.  I will work with Michael on that.
> 
>> This "common prefix" rule for "small changes" is light weight but has an
>> obvious hole. Suppose that a manufacturer has first published a rather 
>> loose
>> rule in "https://example.com/widget-x/revision1.html  
>> <https://example.com/widget-x/revision1.html>", and then upgraded it to
>> a stricter rule in "https://example.com/widget-x/revision2.html  
>> <https://example.com/widget-x/revision2.html>". The common
>> prefix rule will not prevent the virus from "rolling back" to 
>> revision1. A
>> simple solution would be for the manufacturer to update the MUD FILE 
>> served at
>> the old MUD URL so that it point to the new MUD URL -- which is 
>> exactly what
>> the manufacturer would do under the "big change" rules.
> 
> I would note that the risk here is when revision1 contains rules that 
> allow for broader access *beyond *the domain of the manufacturer or when 
> a portion of the manufacturer's infrastructure itself has been 
> compromised.  For instance: revision1 contains a rule that permits local 
> access when revision2 removes that access, or when revision1 contains 
> access to a domain that revision2 has removed.  When might this happen? 
> A good example might be when a device is no longer supported by the 
> manufacturer for Internet connectivity, but itself can continue to 
> function independently.
> 
> I think there is a simple approach to dealing with this risk: do not 
> permit rollbacks for a given device.  This text could be placed in the 
> security considerations section.

How do you know that a specific URL is a rollback? It looks easy when 
the example say "revision1" and "revision2", but I am sure there are 
cases where you cannot tell by just looking at the URL. You may be able 
to download the "old" and "new" URL, and check the date of the 
signature. But then, please describe the process so implementers are not 
confused.
> 
> [Nit- there is one instance of mud controller that should be mud manager.]
> 
> Regarding your grammar check, I agree that there is a parser problem, 
> and we should simply change that as follows:
> 
> OLD:
> 
>> The test is simplified to: remove everything to the right of
>>     the last (rightmost) "/" in the URL of "root" MUD file URL, and the
>>     proposed new URL.  The resulting two strings MUST be identical
> 
> NEW:
> 
> The test is simplified as to: remove the last segment of the URL and all 
> text to its right.

Something like that, but please add a pointer to the syntax description, 
to introduce the terms "segment", etc.

> 
>   ABNF does not support removal, so this will have to be narrative.  You 
> may characterize this as a “shotgun parser”, but bullet proofing it 
> starting from a valid URL means about 16 lines of C, 3 lines of python 
> with URLLIB, or probably one long line of SNOBOL.  We could put these in 
> an appendix if you like.

It is not a shotgun parser if you base it on the ABNF of the URL syntax. 
But "look for the rightmost slash" is...
> 
> Regarding the following text:
> 
>> Regarding the security consideration section, I notice that there is a 
>> mild DOS
>> attack possible against MUD Managers and MUD servers. The new MUD URL are
>> advertised using insecure processes, DHCP or LLDP. Attackers with 
>> access to the
>> local network can spoof that. The MUD manager will have to retrieve 
>> and try to
>> validate the new MUD file, which requires a combination of network 
>> access and
>> cryptographic validation, and probably triggers some intrusion 
>> detection system.
> This is really no different than a rogue device generating a random MUD 
> URL.  Similarly, I would prefer not to restate the security 
> considerations of RFC 8520, but simply reference them.

Yes. As I said, it is a mild attack, and yes it is one of many. I don't 
remember seeing it in the security section of 8520, but it would belong 
there. Maybe something to note for a revision.

-- Christian Huitema

v2.23.0 | Report a Bug | By Email