Re: [OPSAWG] New Version Notification for draft-reddy-opsawg-mud-tls-02.txt
tirumal reddy <kondtir@gmail.com> Tue, 21 January 2020 13:06 UTC
Return-Path: <kondtir@gmail.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 070921200F8 for <opsawg@ietfa.amsl.com>; Tue, 21 Jan 2020 05:06:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id csBfX7GfJKAu for <opsawg@ietfa.amsl.com>; Tue, 21 Jan 2020 05:06:27 -0800 (PST)
Received: from mail-io1-xd2e.google.com (mail-io1-xd2e.google.com [IPv6:2607:f8b0:4864:20::d2e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8BE141200F7 for <opsawg@ietf.org>; Tue, 21 Jan 2020 05:06:27 -0800 (PST)
Received: by mail-io1-xd2e.google.com with SMTP id z8so2810375ioh.0 for <opsawg@ietf.org>; Tue, 21 Jan 2020 05:06:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=wh2YdqaYS0Z9EKzTzAHl5nkVgFeGIFsS93IwEOTZx6w=; b=VID7R6l/ANdI8KEC1s6ktwrrES2f+hCsKPenPMq1V7hmJWXXRkIWO1cSR6P2uhl7wm GuL39Llt1s3ryrFzWqv7mZlvA34Bg/emK+mL3ORYYBaIitFg9UfKXW5GCuG+3xCxLkIV vcHSS9wpQhOG4cLj0d9QrzBzH4CbOHgF3kYYRbR0BwWSjfm5eYU+Xvznqr7aMiHAp4Uw upLB5rq4h1eJ7yC0jUfLkLZRvvJ/FAhazcOKoCkadQSR13iYUgD2TW1g4lUOLRUkZ3me rFzACtZeYX7toeuiSzcu7VogY8wlmAaghI2O59+5rg/rrL5unCvxfpGvTJDx/yAqc/Gy Gp7w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=wh2YdqaYS0Z9EKzTzAHl5nkVgFeGIFsS93IwEOTZx6w=; b=Qf5sjg83YFerAxNyacgKw1R6U5Hem2OQyzj418IyXy16xehfBlvXXvihzhHVwlSKzp eKHKKGoYFMwwaQVwtVqRDexVkJ7MCIv2ffbPEIMkPwLKHB3LvcnBkZHbf6QFnl6udy87 KArH/5H4/jffiyrm1vbtL2gjkho4vNnlFyXcoUbbPN7A3bZxqdKaVveuX4DKxE+UMgBY K5L+i85ww6Wdev7UhLpky7LX472QzF0nF0JvDUmE80/taXOHPUCj3XPOtt2Ndn47PFV0 xqFRBvYcRTisZ16nb1xAZ+zmQiqGzVFPaaRqghjCyn905Vz1yZNztjhcmcGe3CabJkpM P7Xw==
X-Gm-Message-State: APjAAAWUYm8l9Uylq4Ny9ZVLPsMLQAo3kHxoh562evpxw3+TEvjSufNq tzQIIWNNB4U28QPhT1j8RpcIZPESpAwXJ4laa0C/YQwg
X-Google-Smtp-Source: APXvYqxdH2bV5DLRNeQvI6AcaXJZnfQHHEspWb96ogjVL6Jy/XxjJvQ7GOmwmgwS0hOMevIiXOdh/ps0pcV15jwQkuc=
X-Received: by 2002:a02:b897:: with SMTP id p23mr3287090jam.58.1579611986683; Tue, 21 Jan 2020 05:06:26 -0800 (PST)
MIME-Version: 1.0
References: <157918044299.26236.8163535356477976451.idtracker@ietfa.amsl.com> <CAFpG3gehp98VB2RpL6LenRJsV=RRQ=1jCTX7mcrmd27pzkYqfg@mail.gmail.com> <CAFpG3gek8qrHjN5LNQUrRrS9+zFuVQQ4y+XorRrr5xySs2fP1g@mail.gmail.com> <20570.1579314460@localhost>
In-Reply-To: <20570.1579314460@localhost>
From: tirumal reddy <kondtir@gmail.com>
Date: Tue, 21 Jan 2020 18:36:14 +0530
Message-ID: <CAFpG3gd_8ed_Dp1XW8=af_NegwCgkMLk=UZf85KCfRyWtYXQOg@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: opsawg@ietf.org
Content-Type: multipart/mixed; boundary="0000000000005a44b8059ca613b0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/fLJ4dlKQpI7c02W9cnyjuMogw-4>
Subject: Re: [OPSAWG] New Version Notification for draft-reddy-opsawg-mud-tls-02.txt
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jan 2020 13:06:33 -0000
Hi Michael, Thanks for the review. Please see inline On Sat, 18 Jan 2020 at 07:57, Michael Richardson <mcr+ietf@sandelman.ca> wrote: > > tirumal reddy <kondtir@gmail.com> wrote: > > This revision > > https://tools.ietf.org/html/draft-reddy-opsawg-mud-tls-02 updates > the > > draft to discuss privacy enhancing technologies and evasion > techniques > > used by malware, visibility into TLS 1.3 parameters and how certain > > types of malware can be blocked without acting as a (D)TLS 1.3 proxy. > > > As a reminder, this draft extends Manufacturer Usage Description > (MUD) > > to incorporate (D)TLS profile parameters. This allows a network > > element to identify unexpected (D)TLS usage, which can indicate the > > presence of unauthorized software or malware on an endpoint. > > I have read opsawg-mud-tls, and I am in general very very reluctant to > provide detailed instructions on doing innovation kill intrusive DPI. > I think that it will ultimately not result in any improvements to network > security. > No, the proposed mechanism will help identify the presence of unauthorized software or malware on an IoT device. MUD is not suitable for IoT devices with broad communication patterns and TLS profile parameters can be used on such devices to permit intended TLS use and block malicious TLS use. Middleboxes act as TLS proxies in several deployments and the behavior of a compliant TLS 1.3 proxy is discussed in Section 9.3 of https://tools.ietf.org/html/rfc8446. Most importantly, network security services have been using TLS profile parameters to successfully identify malware and benign flows for several years (for example, see https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/enterprise-network-security/nb-09-encrytd-traf-anlytcs-wp-cte-en.pdf ). We have profiled several IoT devices in our lab and also observed TLS profile parameters of thousands of malware flows. Our analysis helped conclude intended TLS use can be permitted and malicious TLS can be blocked (see https://datatracker.ietf.org/meeting/106/materials/slides-106-opsawg-draft-reddy-opsawg-mud-tls (slides 7 to 15) for more details). > I see two advantages of this work, which mitigates my concern slightly. > (but, only slightly) > 1) if it's gonna get done by IDS vendors, then IoT device manufacturers > might as well provide a way to help them *get it right* > 2) it seems that manufacturers might be able to say, "HANDS OFF" > to IDS systems. (perhaps avoiding use of more colourful language) > Network security vendors offering firewalls/IPS to enterprise networks already have the capability of performing TLS handshake inspection and acting as a TLS proxy, they can leverage the proposed mechanism. Further, firewalls acting as TLS proxy do several checks to identify MiTM attack. For example, the most recent one is the Microsoft vulnerability to validate certificates https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF; middle boxes can identify such MiTM attacks and protect endpoints. > > The document says: > In other words, malware developers will > have to develop malicious agents per IoT device type, manufacturer > and model, infect the device with the tailored malware agent and will > have keep up with updates to the device's (D)TLS profile parameters > over time. Further, the malware's command and control server > certificates need to be signed by the same certifying authorities > trusted by the IoT devices. Typically, IoT devices have an > infrastructure that supports a rapid deployment of updates, and > malware agents will have a near-impossible task of similarly > deploying updates and continuing to mimic the TLS behavior of the IoT > device it has infected. > > It seems to me that malware will know exactly, thanks to this extension how > to perfectly impersonate the device. Network security services have been using TLS profile parameters to successfully identify malware and benign flows for several years. The data features and ML models used by the security services is a public domain information and also known to malware developers for a long time (for example see https://arxiv.org/pdf/1607.01639.pdf). > Given that TLS1.3 makes so many of the > characteristics of the implementation less visible, it seems that this is > just a dangerous arms race. As border MUD gateways get more detailed in > the > way they examine things, the ability to innovate in TLS will simply > diminish. > It is my understand that we already had to do the TLS 1.3 version > negotiation > differently thanks to middle boxes because of such nonsense. > Middle boxes from several security vendors acting as TLS proxies do keep up with the updates to protocols (especially TLS) and strive be complaint TLS middle boxes. You may want to look into the best practices for implementing TLS proxies discussed in https://tools.ietf.org/html/draft-wang-tls-proxy-best-practice-00. > > I don't think that section 4.1 needs to explain how BRSKI works. > Yes, the mechanism to bootstrap the IoT device with the middlebox's CA certificate need not be discussed; will remove. > In any case, it's not BRSKI that matters, but EST(RFC7030)'s /cacerts. > I see that it's probably difficult to get to RFC7030 just to run /cacerts, > but if BRSKI is being used already. {If this gets better IoT onboarding > into > Enterprises.... well. What a Faustian bargin...} > > I believe that attempting to auto-configure a TLS 1.3 MITM proxy using EST > is > a really bad idea. Devices that are willing to fall prey to such a > "friendly-fire" attack would seem to be broken to me, period. > I suspect that US HIPAA legislation and probably European GDRP might well > make such a MITM a serious privacy violation. Any medical device that > communicates > patient data that could be spoofed like this might be considered to be > violating. > Yes, both security and privacy are required. Network security services typically have a configuration option to act as a TLS proxy for endpoints. It is up to the IT admin to determine whether the network security service should terminate the TLS connection for a endpoint and destination address. For example, IT administrator can configure firewall to bypass traffic decryption for a connection destined to a healthcare web service due to privacy compliance requirements. Further, TLS proxies do protect the privacy of the user and do not store PII data (See sections 4.9 and 4.10 in https://tools.ietf.org/html/draft-wang-tls-proxy-best-practice-00#section-4.9 ). We will update the draft to clarify a middlebox can as a (D)TLS proxy for the IoT devices managed by the IT team and the (D)TLS proxy must meet the security and privacy requirements of the organization. > > Additional, it is entirely reasonable (perhaps, given MITM attacks!) for > an IoT > device manufacturer to "call home" using a baked in, non-public, trust > anchor. Such a situation would be indiguishable from malware calling C&C > using a baked-in trust anchor. > I would certainly want to do this for firmware updates. > I don't get your comment. How will malware's command and control server certificate be signed by the baked-in non-public trust anchor on the IoT device ? > Given that MUD can clearly control where connections are made, it seems to > me that much of this effort is a mis-guided relic of pre-MUD DPI IDS > systems. > No, we are using MUD for IoT devices in our product https://securehomeplatform.mcafee.com/ but as you already know MUD is not suitable for IoT devices with broad communication pattern. TLS profile parameters can be used on such devices to permit intended TLS use and block malicious TLS use. > > I suggest that section 4.2 reference > draft-richardson-opsawg-mud-iot-dns-considerations-01. > > I didn't understand the purpose of the SPKI pin info mentioned in section > 5. > SPKI pin info can be configured on the IoT device to validate self-signed server certificates or raw public keys (we observed IoT devices communicating with legitimate servers using self-signed certificates and malware C&C servers also use self-signed certificates). SPKI pin info helps to permit benign TLS flows using self-signed certificates and block malware TLS flows using self-signed certificates. > I suggest that you remove details from this overview section, and list just > the high-level and leave the details for a section on each part. > > As far as I can tell from the YANG module and the example, the stated TLS > profile appears to apply to any/all TLS traffic coming from the device. > I would have expected it to be expressed on a per-port outgoing/incoming > basis. > (Perhaps defining the profile(s) once and then re-using it) > Good point, will update. Cheers, -Tiru > > -- > Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works > -= IPv6 IoT consulting =- > > > > _______________________________________________ > OPSAWG mailing list > OPSAWG@ietf.org > https://www.ietf.org/mailman/listinfo/opsawg >
- [OPSAWG] Fwd: New Version Notification for draft-… tirumal reddy
- Re: [OPSAWG] New Version Notification for draft-r… tirumal reddy
- Re: [OPSAWG] New Version Notification for draft-r… Michael Richardson
- Re: [OPSAWG] New Version Notification for draft-r… tirumal reddy
- [OPSAWG] how to increase trust in MUD URL Michael Richardson
- Re: [OPSAWG] New Version Notification for draft-r… Michael Richardson
- Re: [OPSAWG] New Version Notification for draft-r… tirumal reddy
- Re: [OPSAWG] New Version Notification for draft-r… Michael Richardson
- Re: [OPSAWG] New Version Notification for draft-r… tirumal reddy