Re: [OPSAWG] Eric Rescorla's Discuss on draft-ietf-opsawg-mud-20: (with DISCUSS and COMMENT)
Eric Rescorla <ekr@rtfm.com> Mon, 16 April 2018 12:25 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4466312D882 for <opsawg@ietfa.amsl.com>; Mon, 16 Apr 2018 05:25:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JownniK2jT4Q for <opsawg@ietfa.amsl.com>; Mon, 16 Apr 2018 05:25:45 -0700 (PDT)
Received: from mail-ot0-x22d.google.com (mail-ot0-x22d.google.com [IPv6:2607:f8b0:4003:c0f::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 33C7B12DA2C for <opsawg@ietf.org>; Mon, 16 Apr 2018 05:25:45 -0700 (PDT)
Received: by mail-ot0-x22d.google.com with SMTP id h8-v6so6029125otj.7 for <opsawg@ietf.org>; Mon, 16 Apr 2018 05:25:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=O8pzmVh/PfKKyWxE6WFjUkm3nTgAST/UheywVOjnUzg=; b=Hz3lT/I8dZvKbA6CSiFa5XItuSGPCTPd6jOIboQkG6Uwg482yIuVzOf1jplSQba/hS ZjtgStzyFjaJDHiZKkCjEXYzx0HMkJVPgUc+sjCR10wp/ilTPZIpOWN4M7VJmLNLv2ZQ SKHZLvcN8QmunhYiIs7cscLWMLsUxF2TF/OkWJQbWXeSzo9UQh17pIhS/wxak7AVv3YM 7itD4EGW57A/+SoVhvMQ53A+LyF8yes5MHxI57pxEd2uSCkOm8KYoSq4ONNzS99qPYdK Lu8sTAGVAVApAGKIHDQhI8XL2w1L/s4mOAdK7r/eRHaIb4YlBcXsTnhTFAgzQdBEXicw jpRA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=O8pzmVh/PfKKyWxE6WFjUkm3nTgAST/UheywVOjnUzg=; b=uMIbZ7qlTOB7APaZFYXAu9F9L7IMPR6WRtGy9qXC/MIJMkDvuLu1PToJiHXv+lLiDN XEU3Ar5uQs+jtTk+ZoSuSty1m9+jyJgMSGdNDNdokvR29Z4uUPcu+KaBteb1sY/mt+sy qjqh6XaJBeyfec2qpuGwkMEvM47I3Ba2Gs1Yn32guPOnYyZb2s6lejcuh4UTbwoUhm1l qAEEzibJnkNgUcghoHMqD4y15U8Qg9ZDb+y8+zaEQ1CE2k1XzjSCfXZDp/K1MWPxLwhM 5HFhHqVgd6ouh9Ygc/mZH4X7RjIzawCGmmtl0blhHm33Fjq+ttqSkLVkNlL3ydCx3S7W gDjQ==
X-Gm-Message-State: ALQs6tD5pxP0dayydtgZ+VJaCz4ivo4mTjj/IGGxglXl+jT6O/a6QD5e vtDN+H3lrANG6604CvghDeBvHQDNSthsBFDH3Qi0hQ==
X-Google-Smtp-Source: AIpwx4+h18DSZxRXyRC/WYXD2wWu+fkbq3XBqwn6djpKLSCGDOMKvjAelS51nFHA6wRAzNpyzAHHmnb9tcVnaoaJwpM=
X-Received: by 2002:a9d:3ec6:: with SMTP id b64-v6mr1475526otc.371.1523881544482; Mon, 16 Apr 2018 05:25:44 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.138.18.132 with HTTP; Mon, 16 Apr 2018 05:25:04 -0700 (PDT)
In-Reply-To: <591a7d2b-5379-0eff-2a0e-72e9394e64c1@cisco.com>
References: <152379196417.19651.6380075441438812361.idtracker@ietfa.amsl.com> <55cc525b-b85c-7316-4b2c-d0d32135a20f@cisco.com> <CABcZeBM5KR210g2QrAUCNDsiv+yun7QTZFggydh=Gf4-Ai6eSQ@mail.gmail.com> <591a7d2b-5379-0eff-2a0e-72e9394e64c1@cisco.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 16 Apr 2018 05:25:04 -0700
Message-ID: <CABcZeBPmBCJnnmG1=0SW-3PLcxHPaNCVzQCc62xsYRyWM-4d5Q@mail.gmail.com>
To: Eliot Lear <lear@cisco.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-opsawg-mud@ietf.org, Joe Clarke <jclarke@cisco.com>, opsawg-chairs@ietf.org, opsawg@ietf.org
Content-Type: multipart/alternative; boundary="0000000000002395770569f6521e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/iN-mEUEZyEhmXAAaEv0pFaCVbQ4>
Subject: Re: [OPSAWG] Eric Rescorla's Discuss on draft-ietf-opsawg-mud-20: (with DISCUSS and COMMENT)
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Apr 2018 12:25:49 -0000
Hi Eliot, Thanks for continuing the conversation. My question is how this fits into the system as a whole. ISTM that there are two ways in which a MUD policy can affect the network's behavior: - Additive -- it lets the device do things it otherwise might not be permitted to do (e.g., accept incoming TCP connections) - Restrictive -- it stops the device from doing things that it otherwise would be permitted to do (e.g., make connections to IP addresses on non-443 ports) In the former case, it's very important not to be able to forge acceptable MUD policies, but in the latter case, an attacker can just not serve *any* MUD policy and be in a stronger position than they would be if they had a valid policy, Thus, it's only in the former (additive) case where forging a policy is useful to the attacker, and, in fact, it seems like accepting an unsigned MUD policy would be better than no policy. Given the ubiquity of non-MUD devices and the relatively limited capabilities that MUD seems to want to convey, it seems like the additive case isn't very useful. I should mention one use case that I did think of, where additive would be immediately useful: "This device is made by the same manufacturer as another device (and hence they can talk to each other). However, I note that MUD is actually not capable of securely conveying that, because there's no proof that the device in hand actually is made by the manufacturer, only that it possesses a public credential for some device made by that manufacturer. So, I'm actually left wondering how that feature is intended to work. I regret not catching this earlier, but perhaps you could explain? Thanks, -Ekr On Sun, Apr 15, 2018 at 11:27 PM, Eliot Lear <lear@cisco.com> wrote: > Hi Eric, > > Trimming. > > On 15.04.18 21:22, Eric Rescorla wrote: > > > > > >> IMPORTANT >> >> The certificate extension is described below. >> >> The information returned by the MUD file server (a web server) is >> valid for the duration of the Thing's connection, or as specified in >> the description. Thus if the Thing is disconnected, any associated >> configuration in the switch can be removed. Similarly, from time to >> >> IMPORTANT: What does "disconnected" mean in this context? Does a >> reboot count? What if I am wireless? This is a critical question if >> MUD is intended as a post-compromise mechanism. Say that an attacker >> compromises the firmware for a device and then forces a reboot >> followed by a 2 hour pause before the wireless NIC is activated. Will >> this result in configuration removal? If so, MUD seems of limited use, >> because it can then make itself appear to be a new device with a new >> MUD configuration. (This is of course true in general in a wireless >> context if the firmware can change the client's L2 address). >> >> >> Yes, configuration is intended to be removed when a device disconnects or >> a session terminates. This would be considered normal garbage collection. >> But whether or not you can simply replace the firmware and gain the same >> access will depend on how the MUD-URL is learned. If it is in a >> manufacturer certificate, for instance, that's not something an attacker >> will easily replace. If the assertion is coming via LLDP, or DHCP, then >> one has to apply the mitigations discussed in the security considerations >> section (and they are numerous). >> > > I'm not following you here. Say it's in a manufacturer certificate, what > stops me from getting my own certificate for Attacker LLC and then serving > a wide open policy? The mitigations don't really seem to do much to > counteract this. > > > I believe this point and one down below, where you write: > > This doesn't seem to address my concern, which is that there's no > realistic way of knowing > what trust anchors apply. If it's not WebPKI, then what? > > are related, and so I propose to address them together, and this text > could go into security considerations. The *intent* is that mud managers > or their providers will keep a list of known trusted signers. Examples are > likely to include certification bodies (we are aware of at least one that > is very interested), the MUD manager vendor themselves, and perhaps > others. Because these are early days, I don't want to be too declarative, > but we can say this: > > NEW: > > --- > MUD managers and their administrators MUST NOT automatically trust a > manufacturer's certificate simply because it validates. Rather, the > certificate MUST be signed by an entity that has previously established > trust for this explicit purpose. In particular, the WebPKI alone is not > appropriate. > --- > > > That means that just because Joe Evil signed the darn thing doesn't mean > that we should believe it. On the other hand, I might trust a security > company to vet this stuff. Would this address your concern? Also, I'll > correct the previous factual error. > > And again, I view this as early days. The architecture is going to need > some time to mature and evolve. > > > > > > >> ---------------------------------------------------------------------- >> COMMENT: >> ---------------------------------------------------------------------- >> >> >> >> Abstract >> >> This memo specifies a component-based architecture for manufacturer >> usage descriptions (MUD). The goal of MUD is to provide a means for >> Things to signal to the network what sort of access and network >> >> I realize that "Things" has become a marketing term, but it's opaque >> and unnecessary here. "elements" would be the conventional term. >> >> >> How about "end devices"? That makes it clear in the abstract. I don't >> propose to do a global substitute, because we scope the term well in the >> introduction, as you note directly below. >> > > To be honest, I would do a search and replace, but I agree that theis > would resolve the ambiguity here. > >> >> it continues to make sense for general purpose computing devices >> today, including laptops, smart phones, and tablets. >> >> [RFC7452] discusses design patterns for, and poses questions about, >> smart objects. Let us then posit a group of objects that are >> specifically not general purpose computers. These devices, which >> >> I don't think this makes sense. These devices usually *are* general >> purpose computers (turing complete, etc.) >> >> >> That these objects might happen to use a general purpose CPU or >> operations system doesn't in and of itself make them general purpose >> devices. As a complete SKU they are sold with a single or small number of >> uses in mind. That is what is posited. Is there a way to make that >> clearer? >> > > Perhaps "not intended to be used for general purpose computing tasks" > > > Ok. > > >> >> specifically not general purpose computers. These devices, which >> this memo refers to as Things, have a specific purpose. By >> definition, therefore, all other uses are not intended. The >> combination of these two statements can be restated as a manufacturer >> usage description (MUD) that can be applied at various points within >> a network. >> >> I would make the point here that the purpose of the MUD is to describe >> the communications pattern. You only really get that by the statement >> in S 1.1 that the communication pattern of other devices is too >> complicated to profile. >> >> >> I think this statement is predicated on your previous comment, and would >> prefer not to change text at this time. >> > > Hmmm.... No, I don't think you're reading me right here. I'm just saying > that it would be useful upfront to say that MUD > is about saying "this is what communications pattern these devices are > expected to have" > > > Ok. I think that's a good add, and propose to add a statement based on > your quoted text. > > Thanks again, > > Eliot >
- [OPSAWG] Eric Rescorla's Discuss on draft-ietf-op… Eric Rescorla
- Re: [OPSAWG] Eric Rescorla's Discuss on draft-iet… Eliot Lear
- Re: [OPSAWG] Eric Rescorla's Discuss on draft-iet… Eric Rescorla
- Re: [OPSAWG] Eric Rescorla's Discuss on draft-iet… Eliot Lear
- Re: [OPSAWG] Eric Rescorla's Discuss on draft-iet… Eric Rescorla
- Re: [OPSAWG] Eric Rescorla's Discuss on draft-iet… Spencer Dawkins at IETF
- Re: [OPSAWG] Eric Rescorla's Discuss on draft-iet… Eliot Lear
- Re: [OPSAWG] Eric Rescorla's Discuss on draft-iet… Eric Rescorla