Re: [OPSAWG] Last Call Review of draft-ietf-opsawg-mud-acceptable-urls-10
Eliot Lear <lear@lear.ch> Wed, 28 February 2024 08:04 UTC
Return-Path: <lear@lear.ch>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 068A6C14CEED; Wed, 28 Feb 2024 00:04:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.895
X-Spam-Level:
X-Spam-Status: No, score=-0.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_ALL=0.8, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_HELO_PERMERROR=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=lear.ch
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9VoWZ4jQO4eQ; Wed, 28 Feb 2024 00:04:23 -0800 (PST)
Received: from upstairs.ofcourseimright.com (upstairs.ofcourseimright.com [IPv6:2a00:bd80:aa::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 48B78C14F700; Wed, 28 Feb 2024 00:04:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=lear.ch; s=upstairs; t=1709107447; bh=z77lk8D+83aBFG0QEO/FpCEO4OFH5SouhyM4FQRoVfQ=; h=Date:From:To:Cc:Subject:From; b=GyyiHZtWpHXTU9j0+aAuVeL14CZfNg2XuAujwJVfAbStcxzdk6MLy59kV4C2gk8XV o8y1P9oyxIrjfxMEBrD2WCHN7FIIUwyH11EX3DIpR/IbIzdSV1OcClUZ6cIj3h9R1F NY9mTT3rdOQu2pq0KyKjSG6U6dKpS8DfmNMCuHo4=
Received: from [IPV6:2001:420:c0c0:1011::1] ([IPv6:2001:420:c0c0:1011:0:0:0:1]) (authenticated bits=0) by upstairs.ofcourseimright.com (8.15.2/8.15.2/Debian-22ubuntu3) with ESMTPSA id 41S845sY1120513 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO); Wed, 28 Feb 2024 09:04:07 +0100
Content-Type: multipart/alternative; boundary="------------hK2sTYCw5B92R2P7UeL0BAqV"
Message-ID: <8a2c556a-905b-46f9-926c-03f09ed98f32@lear.ch>
Date: Wed, 28 Feb 2024 09:04:02 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
From: Eliot Lear <lear@lear.ch>
Autocrypt: addr=lear@lear.ch; keydata= xsBNBFMe1UQBCADdYOS5APDpIpF2ohAxB+nxg1GpAYr8iKwGIb86Wp9NkK5+QwbW9H035clT lpVLciExtN8E3MCTPOIm7aITPlruixAVwlBY3g7U9eRppSw9O2H/7bie2GOnYxqmsw4v1yNZ 9NcMLlD8raY0UcQ5r698c8JD4xUTLqybZXaK2sPeJkxzT+IwupRSQ+vXEvFFGhERQ88zo5Ca Sa1Gw/Rv54oH0Dq2XYkO41rhxQ60BKZLZuQK1d9+1y3I+An3AJeD3AA31fJZD3H8YRKOBgqe ILPILbw1mM7gCtCjfvFCt6AFCwEsjITGx55ceoQ+t5B5XGYJEppMWsIFrwZsfbL+gP31ABEB AAHNGUVsaW90IExlYXIgPGxlYXJAbGVhci5jaD7CwI4EEwECADgCGwMCHgECF4AWIQSY0L2Q Rh2wkqeyYR2HtmtG2dJ6MwUCWxJwMwULCQgHAgYVCAkKCwIEFgIDAQAKCRCHtmtG2dJ6M8KI B/46pFrJX+4Ockl2fHR303ais9Lyx8jv6mXKKOr8WR0UYcJ0syQrhaaZNG1VV98tYQHHK9F5 y7hH4YCsrr3odZ6zoavnx5X1X/2xw8y732f/irVoOOkYLid9IGPxa2e2nYXCZpde5/yvv3we XVE4mG4dEAD5T8iKS4Hz/3fKGJQ15o79Jv92HgC7RpCt0WaiQ0b6acP3PuwjDJzJzLFZzb7j IiB3izxQESSWE1GNRmoAK/k0gW6kmx1/87tQENrK+3Nn4CJSFQWF6entLnY7UeVm95wbMQkJ evwddDWUO2huDbmZnmxgKXGzSSpuNq7n8ICAOlbt0HfdJAZQfy25bwvezsBNBFMe1UQBCAC0 WV7Ydbv95xYGPhthTdChBIpPtl7JPCV/c6/3iEmvjpfGuFNaK4Macj9le20EA5A1BH7PgLGo HOiPM65NysRpZ96RRVX3TNfLmhGMFr5hPOGNdq+xcGHVutmwPV9U7bKeUNRiPFx3YdEkExdd qV2E8FltT0x2FSKe2xszPPHB6gVtMckX5buI9p1K3fbVhXdvEkcYY/jB0JEJGyhS5aEbct5c HUvDAkT81/YFK5Jfg8RRwu1q1t1YuIJSOWAZQ9J9oUsg6D9RpClU+tIFBoe3iTp1AUfJcypu cGKgLYKtpu/aygcpQONHYkYW5003mPsrajFhReVF5veycMbHs4u5ABEBAAHCwF8EGAECAAkF AlMe1UQCGwwACgkQh7ZrRtnSejOSuQgA27p2rYB7Kh20dym6V8c62pWpBHHTgxr/32zevxHS iXl6xvUCg5T8WUwfUk8OvgDcBErK/blDAMXQzSg3sp450JhR8RnXHXF5Zz2T04X7HnlIVJGw f2CjnwyEAJCqMzaCmI+g3Imvg/8L4nyBFvhlFHDv+kIvMiujyycjPAu7xxKplBs1/IEwmDoA MjneFmawvfeQnwdMhSKK8PjKSuzGU5uUmxj3GBfRqvTM0qpmhMPFOmDhJSmH55HLAky2Mlmq JYXJPt/9EfSEhFiua1M6gLiuNEuPkp+8jcnHQqKr0IeHt8UqcwLt2mGfIyl0FVdF9hvWPjNR zGbgqoT1Di03RQ==
To: Christian Huitema <huitema@huitema.net>
Cc: "sec-ads@ietf.org" <sec-ads@ietf.org>, "opsawg@ietf.org" <opsawg@ietf.org>, draft-ietf-opsawg-mud-acceptable-urls@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/izs8VY2Xt15mBz7qDS2C0J484dg>
Subject: Re: [OPSAWG] Last Call Review of draft-ietf-opsawg-mud-acceptable-urls-10
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Feb 2024 08:04:28 -0000
Hi Christian and thanks for another good read of another MUD document. You've largely summarized the situation well, taking into account what RFC 8520 states. I want to note that your comments about detached signatures were specified in RFC 8520. This draft tries to work within that framework without updating the format. Signatures were detached for a particular reason- readability during the early stages of this technology's deployment without the need to apply canonicalization rules that would obscure the text. The issues this document raises are not specifically around the fact that the signature is detached, but that the underlying MUD URL could change. There may indeed be threats involved with using detached signatures, but I would hold that work for an overall MUD revision, which I think should happen at some point soon. This draft is considerably more tightly scoped. Regarding this text, first I note editorially that we should separate the the file structure change from the rest of the Section 5 chapeau text. I will work with Michael on that. > This "common prefix" rule for "small changes" is light weight but has an > obvious hole. Suppose that a manufacturer has first published a rather loose > rule in "https://example.com/widget-x/revision1.html <https://example.com/widget-x/revision1.html>", and then upgraded it to > a stricter rule in "https://example.com/widget-x/revision2.html <https://example.com/widget-x/revision2.html>". The common > prefix rule will not prevent the virus from "rolling back" to revision1. A > simple solution would be for the manufacturer to update the MUD FILE served at > the old MUD URL so that it point to the new MUD URL -- which is exactly what > the manufacturer would do under the "big change" rules. I would note that the risk here is when revision1 contains rules that allow for broader access *beyond *the domain of the manufacturer or when a portion of the manufacturer's infrastructure itself has been compromised. For instance: revision1 contains a rule that permits local access when revision2 removes that access, or when revision1 contains access to a domain that revision2 has removed. When might this happen? A good example might be when a device is no longer supported by the manufacturer for Internet connectivity, but itself can continue to function independently. I think there is a simple approach to dealing with this risk: do not permit rollbacks for a given device. This text could be placed in the security considerations section. [Nit- there is one instance of mud controller that should be mud manager.] Regarding your grammar check, I agree that there is a parser problem, and we should simply change that as follows: OLD: > The test is simplified to: remove everything to the right of > the last (rightmost) "/" in the URL of "root" MUD file URL, and the > proposed new URL. The resulting two strings MUST be identical NEW: The test is simplified as to: remove the last segment of the URL and all text to its right. ABNF does not support removal, so this will have to be narrative. You may characterize this as a “shotgun parser”, but bullet proofing it starting from a valid URL means about 16 lines of C, 3 lines of python with URLLIB, or probably one long line of SNOBOL. We could put these in an appendix if you like. Regarding the following text: > Regarding the security consideration section, I notice that there is a mild DOS > attack possible against MUD Managers and MUD servers. The new MUD URL are > advertised using insecure processes, DHCP or LLDP. Attackers with access to the > local network can spoof that. The MUD manager will have to retrieve and try to > validate the new MUD file, which requires a combination of network access and > cryptographic validation, and probably triggers some intrusion detection system. This is really no different than a rogue device generating a random MUD URL. Similarly, I would prefer not to restate the security considerations of RFC 8520, but simply reference them. Regards, Eliot
- Re: [OPSAWG] Last Call Review of draft-ietf-opsaw… Eliot Lear
- Re: [OPSAWG] Last Call Review of draft-ietf-opsaw… Christian Huitema
- Re: [OPSAWG] Last Call Review of draft-ietf-opsaw… Eliot Lear
- Re: [OPSAWG] Last Call Review of draft-ietf-opsaw… Christian Huitema
- Re: [OPSAWG] Last Call Review of draft-ietf-opsaw… Eliot Lear
- Re: [OPSAWG] Last Call Review of draft-ietf-opsaw… Michael Richardson
- Re: [OPSAWG] Last Call Review of draft-ietf-opsaw… Michael Richardson
- Re: [OPSAWG] Last Call Review of draft-ietf-opsaw… Michael Richardson
- Re: [OPSAWG] Last Call Review of draft-ietf-opsaw… Christian Huitema
- Re: [OPSAWG] Last Call Review of draft-ietf-opsaw… Michael Richardson
- Re: [OPSAWG] Last Call Review of draft-ietf-opsaw… Michael Richardson
- Re: [OPSAWG] Last Call Review of draft-ietf-opsaw… Christian Huitema