IETF Logo Mail Archive

Re: [OPSAWG] [secdir] Secdir early review of draft-ietf-opsawg-mud-iot-dns-considerations-03

Ben Schwartz <bemasc@google.com> Mon, 28 March 2022 19:01 UTC

Return-Path: <bemasc@google.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 841C23A18B9 for <opsawg@ietfa.amsl.com>; Mon, 28 Mar 2022 12:01:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.609
X-Spam-Level:
X-Spam-Status: No, score=-17.609 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f9xQZlhR5sXJ for <opsawg@ietfa.amsl.com>; Mon, 28 Mar 2022 12:01:22 -0700 (PDT)
Received: from mail-io1-xd36.google.com (mail-io1-xd36.google.com [IPv6:2607:f8b0:4864:20::d36]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 092343A1987 for <opsawg@ietf.org>; Mon, 28 Mar 2022 12:01:11 -0700 (PDT)
Received: by mail-io1-xd36.google.com with SMTP id x4so18279642iop.7 for <opsawg@ietf.org>; Mon, 28 Mar 2022 12:01:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=U8Neyvox7dTr6wPcg9lC9tEmHaQOTpLJBIc70WaJd+4=; b=ID8pC87FGBkIH+MRUUbdWx3VFVWbndlOqsltgzSDUtgNPwpTKhz1bHP3Q6/zFEBCDv NqIUmJrqChXjjHF6CTl2a1AYmVAafbRmb4Vik86PCF/ctqRGFKMtk7dzTY9e894pVQdn N+bcvGMc3dQzzCoUjPyzCrXEosoFfjGuFT8ABp02n1CRGsrnNDcV96kSbtyZiXZmzxfx BRLpC7m74ha7QmmRedA6XrlPho0fHwAILEv9b2T2a0FY+k9r3f5FP9O5kJMT53eKr289 8aIvENlUybPFTA+bxdtR6tTdCXvddV0t6gIT8OZ0JCFFLg/YaQ2y3fv//Ek3QbKyAEaY Gyhw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=U8Neyvox7dTr6wPcg9lC9tEmHaQOTpLJBIc70WaJd+4=; b=S2cqHXI4sL8M9tKBYxC82SOVS73+oTBcChg0q4dtIRfqxZPIs6w9pZ5wTAd8+UcT0u D1IaAVKbFDaETy9PavYNYwFKRSlxbzStr9dDStBBc87IOhLBnNjXk7aHAzN1oKPYfz8v xWwPs1RBAp7T1Ops2lSxaF7KujKnhExYSShjlR1J2XgfPgpN3D/0NQy/YbfvQ1PLaOA1 adqmTyL3zrAKQROU5BrRmnR+OFwklPhahWXVdzBcR4wZk59PHz2xzbidFhqNlxubDqbX TSKU4QS5n261cpqjIfINuhoT+RpgW/oupU1PSx7gBE7TzKV+R93iQSQwcG3m/OCUgFMD 3U4w==
X-Gm-Message-State: AOAM5334J8jrcjmhjG9fgkauhYjnKKUWNEMLKKjk11pwRy2cbwpbpABc xOeNRHc/YTVXLQrZNZZjJXxd1hTLORfrO6KSii4Byo18q3HYlw==
X-Google-Smtp-Source: ABdhPJwxMDz0hGymkfjySFWeNhb8KfT0n6hK1sbI7ie28Yig5VNAeGCgHU1uTvmfnXcZDjLLBMGSZPSA10GhiJTfXxs=
X-Received: by 2002:a02:cb98:0:b0:323:64bb:7c57 with SMTP id u24-20020a02cb98000000b0032364bb7c57mr4592886jap.126.1648494070579; Mon, 28 Mar 2022 12:01:10 -0700 (PDT)
MIME-Version: 1.0
References: <164661249505.9085.15140248784912063860@ietfa.amsl.com> <1C625713-898F-48D2-97E6-83B23893D3FA@heapingbits.net> <CAHbrMsATaT9SBveN94YP=Sr3Z5L9uE8cH=hMm022QkYjnHuDhw@mail.gmail.com> <81b54118-a080-b09f-3591-d303b8b6e2ec@sandelman.ca>
In-Reply-To: <81b54118-a080-b09f-3591-d303b8b6e2ec@sandelman.ca>
From: Ben Schwartz <bemasc@google.com>
Date: Mon, 28 Mar 2022 19:00:59 +0000
Message-ID: <CAHbrMsDZizpDAVXX-BhKo15p7N0kAa3mhwujO=emU2aWmRsupQ@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: opsawg <opsawg@ietf.org>, mud@ietf.org
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="0000000000008452c105db4bef58"
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/iQWFqOz53ZnF6lVKsZXEvBsj-7M>
Subject: Re: [OPSAWG] [secdir] Secdir early review of draft-ietf-opsawg-mud-iot-dns-considerations-03
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Mar 2022 19:01:37 -0000

On Sat, Mar 26, 2022 at 8:32 PM Michael Richardson <mcr+ietf@sandelman.ca>
wrote:

> On 2022-03-07 11:47, Ben Schwartz wrote:
> > I reviewed [1] this draft at version 01, but my concerns largely stand
> with
> > the current version.
> >
> > The fundamental issue here, in my view, is that the
> urn:ietf:params:mud:dns
> > permission is not compatible with the desired threat model.  A correct
> > solution would be to recommend against this permission, and introduce a
> new
> > one that provides explicit coupling between DNS resolution, transport
> > setup, and the MUD gateway (e.g. using a SOCKS5 proxy).
>
> I have been struggling to find a way to deal with your comments.
> https://github.com/mcr/iot-mud-dns-considerations/pull/2 is the
> beginnings of a recommendation to use SOCKS5 if it is present on
> networks.  I don't think that we have a way to do that.
>
> Perhaps there is some discovery of SOCKS5 in some vendor DHCP option,
> but I haven't found that yet.
>

Local SOCKS5 proxies are conventionally discovered via WPAD [1], which
returns a PAC file [2].  I'm no great fan of WPAD, but it is widely
implemented in browsers and OSes.

I don't mean to claim that SOCKS5 specifically, or domain-oriented
transport proxies generally, are the right solution here.  My point is that
the MUD gateway architecture described here is fatally flawed.
Specifically, I'm focused on this text:

   Aside from the list of records being incomplete, the list may have
   changed between the time that the MUD controller did the lookup and
   the time that the IoT device does the lookup, and this change can
   result in a failure for the ACL to match.

   In order to compensate for this, the MUD controller SHOULD regularly
   do DNS lookups in order to get never have stale data.  These lookups
   need to be rate limited in order to avoid load.  It may be necessary
   to avoid local recursive DNS servers.  The MUD controller SHOULD
   incorporate its own recursive caching DNS server.  Properly designed
   recursive servers should cache data for many minutes to days, while
   the underlying DNS data can change at a higher frequency, providing
   different answers to different queries!

   A MUD controller that is aware of which recursive DNS server that the
   IoT device will use can instead query that server on a periodic
   basis.

The problem description here is accurate, but the proposed MUD controller
behaviors are not reliably compatible with RFC 8520-compliant devices, so
they cannot safely be deployed.  The only reliable solution is to update
the allowed IPs based on the specific DNS responses that are being used by
the device's connections.  This could either be done implicitly (via a
transport proxy) or explicitly (by ensuring the MUD controller _is_ the
client's DNS resolver, and adding IP ACLs before returning any DNS response
containing IP addresses).

This also touches on another issue with MUD DNS support: RFC 8520 does not
clearly define any rule regarding the allowed DNS QNAMEs.  This enables
arbitrary data flows to be tunneled through the DNS to arbitrary
destinations.  In my view, this is a very large hole in the MUD
protections.  A transport proxy or tighter DNS binding would also help to
close this loophole.

[1] https://datatracker.ietf.org/doc/html/draft-ietf-wrec-wpad-01
[2]
https://developer.mozilla.org/en-US/docs/Web/HTTP/Proxy_servers_and_tunneling/Proxy_Auto-Configuration_PAC_file

v2.23.0 | Report a Bug | By Email