Re: [OPSAWG] Last Call Review of draft-ietf-opsawg-mud-acceptable-urls-10

Michael Richardson <mcr+ietf@sandelman.ca> Fri, 01 March 2024 00:38 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Christian Huitema <huitema@huitema.net>
cc: Eliot Lear <lear@lear.ch>, "sec-ads@ietf.org" <sec-ads@ietf.org>, "opsawg@ietf.org" <opsawg@ietf.org>, draft-ietf-opsawg-mud-acceptable-urls@ietf.org
In-Reply-To: <66588cac-0f33-4924-920f-6b4dbd5c2964@huitema.net>
References: <8a2c556a-905b-46f9-926c-03f09ed98f32@lear.ch> <66588cac-0f33-4924-920f-6b4dbd5c2964@huitema.net>
Date: Thu, 29 Feb 2024 19:37:59 -0500
Message-ID: <6398.1709253479@obiwan.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/jl7g21dFqWNVHMjgA-uj0Cl2xo8>
Subject: Re: [OPSAWG] Last Call Review of draft-ietf-opsawg-mud-acceptable-urls-10

Christian Huitema <huitema@huitema.net> wrote:
    > How do you know that a specific URL is a rollback? It looks easy when
    > the examples say "revision1" and "revision2", but I am sure there are
    > cases where you cannot tell by just looking at the URL. You may be able
    > to download the "old" and "new" URL, and check the date of the
    > signature. But then, please describe the process so implementers are
    > not confused.

I've added some text to explain this rollback attack.
Attackers can only change the URL; they can't change the content of the file
on the server, so I don't really have to worry about situations where the
contents of the file have changed.

I agree that if we use HTTP links, an active on-path attacker on the
Internet side of the MUD manager could substitute old files for new ones.
This could be done with a DNS poisoning attack.  Use DNSSEC or use HTTPS links?
I don't feel that explaining this attack is worthwhile, do you?

https://github.com/IETF-OPSAWG-WG/draft-ietf-opsawg-mud-acceptable-urls/pull/5/files

  One problem with these small changes is that malware could still express a
  MUD file that was previously valid, but which should no longer be considered
  accurate.
  This is a rollback attack.
  This might result in the malware being able to reach destinations that turned
  out to be a mistake; a security fault.
  In order to combat this, MUD managers SHOULD keep track of the list of
  MUD-URLs that they have successfully retrieved, and if a device ever
  suggests a URL that was
  previously used, then the MUD manager should suspect that it is a rollback attack.
  MUD managers are not typically particularly constrained, and while the
  list of URLs could grow without bound, it is unlikely to be a burden.
  A site with thousands of similar devices could keep a common list of URLs.

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
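The rollback check described in the quoted draft text, as an added example that is not part of the draft or of Michael's message. It assumes a site-wide MUD manager that keeps one common list of URLs it has successfully retrieved (the draft suggests this for sites with many similar devices), and it treats a URL as "superseded" once some device has moved on from it to a newer, successfully retrieved URL; a device presenting a superseded URL is reported as a suspected rollback. The device ids, the `example.com` URLs and the `MudManager` class are constructed for illustration, and the draft's other rules on which new URLs are acceptable are not implemented here.

```python
"""Rollback detection for MUD URLs, after the quoted draft text.

Added example, not the draft's or the author's code.  Assumptions (all mine):
  * one site-wide manager sees every MUD URL its devices emit and keeps a
    common list of URLs it has successfully retrieved;
  * a URL is "superseded" once a device has moved from it to a newer URL
    that the manager successfully retrieved;
  * a device presenting a superseded URL is a suspected rollback.
The draft's other acceptability rules for new URLs are out of scope here.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def canonicalize(url: str) -> str:
    """Normalise URL parts that can vary without changing the resource.

    Lower-cases scheme and host, drops a default port and any fragment, so a
    replayed old URL with cosmetic changes still matches the history.
    """
    p = urlsplit(url)
    host = p.hostname or ""
    if ":" in host:                      # IPv6 literal: restore the brackets
        host = f"[{host}]"
    if p.port is not None and p.port != DEFAULT_PORTS.get(p.scheme):
        host = f"{host}:{p.port}"
    return urlunsplit((p.scheme, host, p.path, p.query, ""))


@dataclass
class MudManager:
    # URL currently in force for each device (keyed by an opaque device id)
    current: dict[str, str] = field(default_factory=dict)
    # every URL this site has successfully retrieved, oldest first
    retrieved: list[str] = field(default_factory=list)
    # URLs some device has already moved away from; presenting one is suspect
    superseded: set[str] = field(default_factory=set)

    def classify(self, device_id: str, url: str) -> str:
        """Return 'current', 'new' or 'rollback' for a URL a device presents."""
        u = canonicalize(url)
        if self.current.get(device_id) == u:
            return "current"
        if u in self.superseded:
            return "rollback"
        return "new"

    def accept(self, device_id: str, url: str) -> None:
        """Record that the MUD file at `url` was retrieved and applied.

        Call only after a successful retrieval, as the draft text requires;
        the device's previous URL, if different, becomes superseded.
        """
        u = canonicalize(url)
        old = self.current.get(device_id)
        if old is not None and old != u:
            self.superseded.add(old)
        if u not in self.retrieved:
            self.retrieved.append(u)
        self.current[device_id] = u


def demo() -> list[str]:
    """Constructed scenario; returns the classification of each step."""
    mgr = MudManager()
    out = []
    v1 = "https://example.com/mud/lightbulb-revision1.json"   # constructed
    v2 = "https://example.com/mud/lightbulb-revision2.json"   # constructed
    # first boot of bulb-1: never seen before
    out.append(mgr.classify("bulb-1", v1)); mgr.accept("bulb-1", v1)
    # bulb-1 updates its firmware and emits the newer URL
    out.append(mgr.classify("bulb-1", v2)); mgr.accept("bulb-1", v2)
    # a second identical device boots already on revision2: not a rollback
    out.append(mgr.classify("bulb-2", v2)); mgr.accept("bulb-2", v2)
    # malware on bulb-1 re-emits the old URL with cosmetic changes
    out.append(mgr.classify("bulb-1",
                            "HTTPS://EXAMPLE.COM:443/mud/lightbulb-revision1.json#x"))
    return out


if __name__ == "__main__":
    print(demo())
```

Note that, with a common site-wide list, a device that genuinely still runs old firmware and presents an already superseded URL is also flagged; the draft says the manager should "suspect" a rollback, so treat the result as an alert for operator review rather than an automatic rejection.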