Re: [OPSAWG] Eric Rescorla's Discuss on draft-ietf-opsawg-mud-20: (with DISCUSS and COMMENT)
Eliot Lear <lear@cisco.com> Mon, 16 April 2018 13:55 UTC
Return-Path: <lear@cisco.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 095EF12D947; Mon, 16 Apr 2018 06:55:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Level:
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ir2dZHHNKNbM; Mon, 16 Apr 2018 06:55:34 -0700 (PDT)
Received: from aer-iport-1.cisco.com (aer-iport-1.cisco.com [173.38.203.51]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5009F1243F3; Mon, 16 Apr 2018 06:55:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=10268; q=dns/txt; s=iport; t=1523886933; x=1525096533; h=subject:to:cc:references:from:message-id:date: mime-version:in-reply-to; bh=VqvYuqxN8nzxxTiLuhZP1/+Z4KaU440s7oYnkl1itg8=; b=Xc2dPK5aEg0S+htcoesj+3R5vUsMM7oKdzqD/IkHYD9cvFSR33gGc9lI 2TR8Qdinhf1VLv4dzk6QUG92rW3OrWa8F7bLhIZ70lgWKn5WIT9ZepppO uRKRbCqgD033oIwfPZB4bUk37BF7LMugygWeTK4RX73ndUP+gH2bObX9H 8=;
X-Files: signature.asc : 488
X-IronPort-AV: E=Sophos;i="5.48,459,1517875200"; d="asc'?scan'208,217";a="3222705"
Received: from aer-iport-nat.cisco.com (HELO aer-core-4.cisco.com) ([173.38.203.22]) by aer-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 16 Apr 2018 13:55:31 +0000
Received: from [10.61.91.30] (ams3-vpn-dhcp6943.cisco.com [10.61.91.30]) by aer-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id w3GDtUgE009640; Mon, 16 Apr 2018 13:55:30 GMT
To: Eric Rescorla <ekr@rtfm.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-opsawg-mud@ietf.org, Joe Clarke <jclarke@cisco.com>, opsawg-chairs@ietf.org, opsawg@ietf.org
References: <152379196417.19651.6380075441438812361.idtracker@ietfa.amsl.com> <55cc525b-b85c-7316-4b2c-d0d32135a20f@cisco.com> <CABcZeBM5KR210g2QrAUCNDsiv+yun7QTZFggydh=Gf4-Ai6eSQ@mail.gmail.com> <591a7d2b-5379-0eff-2a0e-72e9394e64c1@cisco.com> <CABcZeBPmBCJnnmG1=0SW-3PLcxHPaNCVzQCc62xsYRyWM-4d5Q@mail.gmail.com>
From: Eliot Lear <lear@cisco.com>
Openpgp: preference=signencrypt
Autocrypt: addr=lear@cisco.com; prefer-encrypt=mutual; keydata= xsBNBFMe1UQBCADdYOS5APDpIpF2ohAxB+nxg1GpAYr8iKwGIb86Wp9NkK5+QwbW9H035clT lpVLciExtN8E3MCTPOIm7aITPlruixAVwlBY3g7U9eRppSw9O2H/7bie2GOnYxqmsw4v1yNZ 9NcMLlD8raY0UcQ5r698c8JD4xUTLqybZXaK2sPeJkxzT+IwupRSQ+vXEvFFGhERQ88zo5Ca Sa1Gw/Rv54oH0Dq2XYkO41rhxQ60BKZLZuQK1d9+1y3I+An3AJeD3AA31fJZD3H8YRKOBgqe ILPILbw1mM7gCtCjfvFCt6AFCwEsjITGx55ceoQ+t5B5XGYJEppMWsIFrwZsfbL+gP31ABEB AAHNJUVsaW90IExlYXIgPGxlYXJAb2Zjb3Vyc2VpbXJpZ2h0LmNvbT7CwHsEEwECACUCGwMG CwkIBwMCBhUIAgkKCwQWAgMBAh4BAheABQJTHtXCAhkBAAoJEIe2a0bZ0nozBNoH/j0Mdnyg CgNNmI4DyL9mGfTJ/+XiTxWXMK4TTszwwn/tsXjyPQWjoO6nYqz5i96ItmSpkelSGVpzU+LK LQxSjFeUvKw23bp1rVecfGR+OENSE1m6KfFj3vtzQOZ2/FgK210MWnlYNNyAHX6Pf6hKInTP v6LbZiAQMCmf0aPvRbk/aPSNJAuIKrLrrCgAlwelrTavFsSwnKI3dhSG8DJ9+z/uiXDiHYra Ub3BKp5K/x71Zd8hUsWm2simnE/6HvZaZz7CC29JSZ/5gGtNB3OMNKLzLWUbQacF3IKxpW66 ZFYFYnlBV4jRnKlmb40YcEXWVJkkVC8g+/J9Qo6R8BdmSTXOwE0EUx7VRAEIALRZXth1u/3n FgY+G2FN0KEEik+2Xsk8JX9zr/eISa+Ol8a4U1orgxpyP2V7bQQDkDUEfs+Asagc6I8zrk3K xGln3pFFVfdM18uaEYwWvmE84Y12r7FwYdW62bA9X1Ttsp5Q1GI8XHdh0SQTF12pXYTwWW1P THYVIp7bGzM88cHqBW0xyRflu4j2nUrd9tWFd28SRxhj+MHQkQkbKFLloRty3lwdS8MCRPzX 9gUrkl+DxFHC7WrW3Vi4glI5YBlD0n2hSyDoP1GkKVT60gUGh7eJOnUBR8lzKm5wYqAtgq2m 79rKBylA40diRhbnTTeY+ytqMWFF5UXm97Jwxsezi7kAEQEAAcLAXwQYAQIACQUCUx7VRAIb DAAKCRCHtmtG2dJ6M5K5CADbunatgHsqHbR3KbpXxzralakEcdODGv/fbN6/EdKJeXrG9QKD lPxZTB9STw6+ANwESsr9uUMAxdDNKDeynjnQmFHxGdcdcXlnPZPThfseeUhUkbB/YKOfDIQA kKozNoKYj6Dcia+D/wvifIEW+GUUcO/6Qi8yK6PLJyM8C7vHEqmUGzX8gTCYOgAyOd4WZrC9 95CfB0yFIorw+MpK7MZTm5SbGPcYF9Gq9MzSqmaEw8U6YOElKYfnkcsCTLYyWaolhck+3/0R 9ISEWK5rUzqAuK40S4+Sn7yNycdCoqvQh4e3xSpzAu3aYZ8jKXQVV0X2G9Y+M1HMZuCqhPUO LTdF
Message-ID: <20ed5819-a47a-be0d-712a-6e3f566393ee@cisco.com>
Date: Mon, 16 Apr 2018 15:55:29 +0200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.7.0
MIME-Version: 1.0
In-Reply-To: <CABcZeBPmBCJnnmG1=0SW-3PLcxHPaNCVzQCc62xsYRyWM-4d5Q@mail.gmail.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="FUtxksxiUsbMLw5bkIFsZHBZKmla5WkkI"
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/et2RBr_9rKlK4zc1IPwHTl0o0Ys>
Subject: Re: [OPSAWG] Eric Rescorla's Discuss on draft-ietf-opsawg-mud-20: (with DISCUSS and COMMENT)
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Apr 2018 13:55:36 -0000
Hi Eric,
On 16.04.18 14:25, Eric Rescorla wrote:
> Hi Eliot,
>
> Thanks for continuing the conversation. My question is how this fits
> into the system as a whole.
>
> ISTM that there are two ways in which a MUD policy can affect the
> network's behavior:
>
> - Additive -- it lets the device do things it otherwise might not be
> permitted to do (e.g., accept incoming TCP connections)
> - Restrictive -- it stops the device from doing things that it
> otherwise would be permitted to do (e.g., make connections to IP
> addresses on non-443 ports)
What you describe is the choice of the network administrator, and not
the standard nor the manufacturer. You are essentially asking, “what is
the default policy?” and that will vary based on deployment. It could
be "additive", "restrictive", or something else. It could be a
walled-off IoT network. Consider the cases:
* This device has a MUD file and will be segmented accordingly.
* This device has no MUD file and we may,
o 1: give it no access,
o 2: give it all access,
o 3: give it some limited access,
o 4: ask, or
o 5: other.
All of these are perfectly valid approaches, depending on the deployment.
>
> In the former case, it's very important not to be able to forge
> acceptable MUD policies, but in the latter case, an attacker can just
> not serve *any* MUD policy and be in a stronger position than they
> would be if they had a valid policy,[...]
And so that will depend on the deployment. And many of the attacks
would be detectable. All? I would never be so bold. But also, MUD is
not an acronym for "magic bullet". I really did try to spell that out
in the draft.
> I should mention one use case that I did think of, where additive
> would be immediately useful: "This device is made by the same
> manufacturer as another device (and hence they can talk to each
> other). However, I note that MUD is actually not capable of securely
> conveying that, because there's no proof that the device in hand
> actually is made by the manufacturer, only that it possesses a public
> credential for some device made by that manufacturer.
That is the point of building out a PKI, and as I wrote, there are some
interested in providing what amounts to a certification for this
purpose. This is also something the MUD manager can take on: as time
goes on it can white list signers, and it can flag devices that are not
recognized as being risky. In addition, if you have someone willing to
take accountability for that device to lay a claim, it may not be
"proof", but that is good enough in an enterprise environment, where
someone can be called to account for having added the device.
And we have to start somewhere. The goal here it to establish a “walk
before we run” approach in several dimensions. I just ask that we be
allowed to walk ;-)
With that, how would you like to proceed? I've proposed text but could
go further if you like.
Eliot
- [OPSAWG] Eric Rescorla's Discuss on draft-ietf-op… Eric Rescorla
- Re: [OPSAWG] Eric Rescorla's Discuss on draft-iet… Eliot Lear
- Re: [OPSAWG] Eric Rescorla's Discuss on draft-iet… Eric Rescorla
- Re: [OPSAWG] Eric Rescorla's Discuss on draft-iet… Eliot Lear
- Re: [OPSAWG] Eric Rescorla's Discuss on draft-iet… Eric Rescorla
- Re: [OPSAWG] Eric Rescorla's Discuss on draft-iet… Spencer Dawkins at IETF
- Re: [OPSAWG] Eric Rescorla's Discuss on draft-iet… Eliot Lear
- Re: [OPSAWG] Eric Rescorla's Discuss on draft-iet… Eric Rescorla