Re: [OPSAWG] [secdir] Secdir early review of draft-ietf-opsawg-mud-iot-dns-considerations-03
Ben Schwartz <bemasc@google.com> Mon, 28 March 2022 19:01 UTC
Return-Path: <bemasc@google.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 841C23A18B9 for <opsawg@ietfa.amsl.com>; Mon, 28 Mar 2022 12:01:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.609
X-Spam-Level:
X-Spam-Status: No, score=-17.609 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f9xQZlhR5sXJ for <opsawg@ietfa.amsl.com>; Mon, 28 Mar 2022 12:01:22 -0700 (PDT)
Received: from mail-io1-xd36.google.com (mail-io1-xd36.google.com [IPv6:2607:f8b0:4864:20::d36]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 092343A1987 for <opsawg@ietf.org>; Mon, 28 Mar 2022 12:01:11 -0700 (PDT)
Received: by mail-io1-xd36.google.com with SMTP id x4so18279642iop.7 for <opsawg@ietf.org>; Mon, 28 Mar 2022 12:01:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=U8Neyvox7dTr6wPcg9lC9tEmHaQOTpLJBIc70WaJd+4=; b=ID8pC87FGBkIH+MRUUbdWx3VFVWbndlOqsltgzSDUtgNPwpTKhz1bHP3Q6/zFEBCDv NqIUmJrqChXjjHF6CTl2a1AYmVAafbRmb4Vik86PCF/ctqRGFKMtk7dzTY9e894pVQdn N+bcvGMc3dQzzCoUjPyzCrXEosoFfjGuFT8ABp02n1CRGsrnNDcV96kSbtyZiXZmzxfx BRLpC7m74ha7QmmRedA6XrlPho0fHwAILEv9b2T2a0FY+k9r3f5FP9O5kJMT53eKr289 8aIvENlUybPFTA+bxdtR6tTdCXvddV0t6gIT8OZ0JCFFLg/YaQ2y3fv//Ek3QbKyAEaY Gyhw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=U8Neyvox7dTr6wPcg9lC9tEmHaQOTpLJBIc70WaJd+4=; b=S2cqHXI4sL8M9tKBYxC82SOVS73+oTBcChg0q4dtIRfqxZPIs6w9pZ5wTAd8+UcT0u D1IaAVKbFDaETy9PavYNYwFKRSlxbzStr9dDStBBc87IOhLBnNjXk7aHAzN1oKPYfz8v xWwPs1RBAp7T1Ops2lSxaF7KujKnhExYSShjlR1J2XgfPgpN3D/0NQy/YbfvQ1PLaOA1 adqmTyL3zrAKQROU5BrRmnR+OFwklPhahWXVdzBcR4wZk59PHz2xzbidFhqNlxubDqbX TSKU4QS5n261cpqjIfINuhoT+RpgW/oupU1PSx7gBE7TzKV+R93iQSQwcG3m/OCUgFMD 3U4w==
X-Gm-Message-State: AOAM5334J8jrcjmhjG9fgkauhYjnKKUWNEMLKKjk11pwRy2cbwpbpABc xOeNRHc/YTVXLQrZNZZjJXxd1hTLORfrO6KSii4Byo18q3HYlw==
X-Google-Smtp-Source: ABdhPJwxMDz0hGymkfjySFWeNhb8KfT0n6hK1sbI7ie28Yig5VNAeGCgHU1uTvmfnXcZDjLLBMGSZPSA10GhiJTfXxs=
X-Received: by 2002:a02:cb98:0:b0:323:64bb:7c57 with SMTP id u24-20020a02cb98000000b0032364bb7c57mr4592886jap.126.1648494070579; Mon, 28 Mar 2022 12:01:10 -0700 (PDT)
MIME-Version: 1.0
References: <164661249505.9085.15140248784912063860@ietfa.amsl.com> <1C625713-898F-48D2-97E6-83B23893D3FA@heapingbits.net> <CAHbrMsATaT9SBveN94YP=Sr3Z5L9uE8cH=hMm022QkYjnHuDhw@mail.gmail.com> <81b54118-a080-b09f-3591-d303b8b6e2ec@sandelman.ca>
In-Reply-To: <81b54118-a080-b09f-3591-d303b8b6e2ec@sandelman.ca>
From: Ben Schwartz <bemasc@google.com>
Date: Mon, 28 Mar 2022 19:00:59 +0000
Message-ID: <CAHbrMsDZizpDAVXX-BhKo15p7N0kAa3mhwujO=emU2aWmRsupQ@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: opsawg <opsawg@ietf.org>, mud@ietf.org
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="0000000000008452c105db4bef58"
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/iQWFqOz53ZnF6lVKsZXEvBsj-7M>
Subject: Re: [OPSAWG] [secdir] Secdir early review of draft-ietf-opsawg-mud-iot-dns-considerations-03
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Mar 2022 19:01:37 -0000
On Sat, Mar 26, 2022 at 8:32 PM Michael Richardson <mcr+ietf@sandelman.ca> wrote: > On 2022-03-07 11:47, Ben Schwartz wrote: > > I reviewed [1] this draft at version 01, but my concerns largely stand > with > > the current version. > > > > The fundamental issue here, in my view, is that the > urn:ietf:params:mud:dns > > permission is not compatible with the desired threat model. A correct > > solution would be to recommend against this permission, and introduce a > new > > one that provides explicit coupling between DNS resolution, transport > > setup, and the MUD gateway (e.g. using a SOCKS5 proxy). > > I have been struggling to find a way to deal with your comments. > https://github.com/mcr/iot-mud-dns-considerations/pull/2 is the > beginnings of a recommendation to use SOCKS5 if it is present on > networks. I don't think that we have a way to do that. > > Perhaps there is some discovery of SOCKS5 in some vendor DHCP option, > but I haven't found that yet. > Local SOCKS5 proxies are conventionally discovered via WPAD [1], which returns a PAC file [2]. I'm no great fan of WPAD, but it is widely implemented in browsers and OSes. I don't mean to claim that SOCKS5 specifically, or domain-oriented transport proxies generally, are the right solution here. My point is that the MUD gateway architecture described here is fatally flawed. Specifically, I'm focused on this text: Aside from the list of records being incomplete, the list may have changed between the time that the MUD controller did the lookup and the time that the IoT device does the lookup, and this change can result in a failure for the ACL to match. In order to compensate for this, the MUD controller SHOULD regularly do DNS lookups in order to get never have stale data. These lookups need to be rate limited in order to avoid load. It may be necessary to avoid local recursive DNS servers. The MUD controller SHOULD incorporate its own recursive caching DNS server. Properly designed recursive servers should cache data for many minutes to days, while the underlying DNS data can change at a higher frequency, providing different answers to different queries! A MUD controller that is aware of which recursive DNS server that the IoT device will use can instead query that server on a periodic basis. The problem description here is accurate, but the proposed MUD controller behaviors are not reliably compatible with RFC 8520-compliant devices, so they cannot safely be deployed. The only reliable solution is to update the allowed IPs based on the specific DNS responses that are being used by the device's connections. This could either be done implicitly (via a transport proxy) or explicitly (by ensuring the MUD controller _is_ the client's DNS resolver, and adding IP ACLs before returning any DNS response containing IP addresses). This also touches on another issue with MUD DNS support: RFC 8520 does not clearly define any rule regarding the allowed DNS QNAMEs. This enables arbitrary data flows to be tunneled through the DNS to arbitrary destinations. In my view, this is a very large hole in the MUD protections. A transport proxy or tighter DNS binding would also help to close this loophole. [1] https://datatracker.ietf.org/doc/html/draft-ietf-wrec-wpad-01 [2] https://developer.mozilla.org/en-US/docs/Web/HTTP/Proxy_servers_and_tunneling/Proxy_Auto-Configuration_PAC_file
- [OPSAWG] Secdir early review of draft-ietf-opsawg… Christopher Wood via Datatracker
- Re: [OPSAWG] [secdir] Secdir early review of draf… Christopher Wood
- Re: [OPSAWG] [secdir] Secdir early review of draf… Ben Schwartz
- Re: [OPSAWG] [secdir] Secdir early review of draf… Michael Richardson
- Re: [OPSAWG] [secdir] Secdir early review of draf… Ben Schwartz
- Re: [OPSAWG] [secdir] Secdir early review of draf… Michael Richardson
- Re: [OPSAWG] [secdir] Secdir early review of draf… Ben Schwartz
- Re: [OPSAWG] [secdir] Secdir early review of draf… Independent Submissions Editor (Eliot Lear)
- Re: [OPSAWG] [secdir] Secdir early review of draf… Eliot Lear
- Re: [OPSAWG] [secdir] Secdir early review of draf… Michael Richardson