Re: [OPSAWG] I-D Action: draft-ietf-opsawg-mud-23.txt
Benjamin Kaduk <kaduk@mit.edu> Mon, 04 June 2018 15:40 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 436E212898C for <opsawg@ietfa.amsl.com>; Mon, 4 Jun 2018 08:40:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 95lW-KqO_-gg for <opsawg@ietfa.amsl.com>; Mon, 4 Jun 2018 08:40:54 -0700 (PDT)
Received: from dmz-mailsec-scanner-4.mit.edu (dmz-mailsec-scanner-4.mit.edu [18.9.25.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C46D7128821 for <opsawg@ietf.org>; Mon, 4 Jun 2018 08:40:53 -0700 (PDT)
X-AuditID: 1209190f-297ff70000002b7e-78-5b155d847164
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-4.mit.edu (Symantec Messaging Gateway) with SMTP id EE.8B.11134.48D551B5; Mon, 4 Jun 2018 11:40:52 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id w54FeoA3007390; Mon, 4 Jun 2018 11:40:51 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id w54FekaL016166 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 4 Jun 2018 11:40:49 -0400
Date: Mon, 04 Jun 2018 10:40:46 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Eliot Lear <lear@cisco.com>
Cc: opsawg@ietf.org, EKR <ekr@rtfm.com>
Message-ID: <20180604154046.GF72167@kduck.kaduk.org>
References: <152794661436.529.13303090441907505185@ietfa.amsl.com> <fc713342-1cbf-0ce7-71c7-931f526e88b0@cisco.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="n8g4imXOkfNTN/H1"
Content-Disposition: inline
In-Reply-To: <fc713342-1cbf-0ce7-71c7-931f526e88b0@cisco.com>
User-Agent: Mutt/1.9.1 (2017-09-22)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrJKsWRmVeSWpSXmKPExsUixCmqrdsSKxptsL9fx2LF63PsFl//dbBY rDi5mcmB2WPK742sHkuW/GTymPy4jTmAOYrLJiU1J7MstUjfLoEr4/CEBawF8wwr/v+Pa2Cc od7FyMkhIWAiseTnBzYQW0hgMZPEkY31XYxcQPYGRonZaycyQSSuMElc/C4KYrMIqEjs+/Ad LM4GZDd0X2YGsUUE5CVaz+5nBbGZBdQlHnzfDGYLC9hJnOvoBbN5gZa1HOuDWlYq8b71KVRc UOLkzCcsEL1lEvf3vmfsYuQAsqUllv/jAAlzCthKvF+3AKxEVEBZYm/fIfYJjAKzkHTPQtI9 C6EbIqwjsXPrHTYMYW2JZQtfM0PYthLr1r1nWcDIvopRNiW3Sjc3MTOnODVZtzg5MS8vtUjX RC83s0QvNaV0EyM4JiT5dzDOafA+xCjAwajEw9tgIxotxJpYVlyZe4hRkoNJSZQ3WxEoxJeU n1KZkVicEV9UmpNafIhRBWjXow2rLzBKseTl56UqifCetgCq401JrKxKLcqHKZPmYFES581e xBgtJJCeWJKanZpakFoEk5Xh4FCS4C2JAWoULEpNT61Iy8wpQUgzcXAeYpTg4AEaHgZSw1tc kJhbnJkOkT/FqMsxbVlPD7MQ2AVS4rw8IEUCIEUZpXlwc0ApTiJ7f80rRnGgF4V5bUCqeIDp EW7SK6AlTEBLnlUIgywpSURISTUwFpfrKLHNM43RafrnMVN7quMkEZOCT4sX3gv3W/DRf92z U3HPtz3LynvxPGnPqZo1uw/Ez7n2WHSHuuNPe9O4CWc4JaZozleIfCv6rK6ce8nhx50Bq/0l 5u468t7aYY3ps/CeP1f5v4bIXnfgtWz+GSXovXqW/0LOGfGnK7NmSt+az/00VEfIXYmlOCPR UIu5qDgRAFJJlg9MAwAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/nmDcKhoEIa6DCXdlNQDhU_g2t2U>
Subject: Re: [OPSAWG] I-D Action: draft-ietf-opsawg-mud-23.txt
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Jun 2018 15:40:55 -0000
Hi Eliot,
On Sat, Jun 02, 2018 at 03:40:34PM +0200, Eliot Lear wrote:
> This update contains only the following changes:
>
> * A correction (signature -> certificate)
> * Slightly change language to make clear that the certificate subject
> must be the sameas the id-pe-mudsigner
> * Updated dates on the YANG files
>
> At this point, I really hope we're done. Eric, Ben?
I think we're basically done -- I have just one quibble which
hopefully is not problematic, and also noted a handful of editorial
things you can deal with at your leisure. Thanks for going through
the multiple rounds of changes addressing our concerns -- the
document really is much better for it!
At the start of the Security Considerations, we say:
Based on how a MUD URL is emitted, a Thing may be able to lie about
what it is, thus gaining additional network access. This happens
when a device emits a MUD URL using DHCP or LLDP, and is either
inappropriately admitted to a class such as "same-manufacturer" or
given access to a device such as "my-controller", where such access
would otherwise be disallowed.
To me, "[t]his happens when" indicates that the subsequent
enumeration is an exhaustive list. I don't really think we've got
enough experience with this stuff to be able to make such a claim,
and the list should instead be treated as illustrative. I think
that there was some text emailed around that did this nicely,
something like:
% Based on how a MUD URL is emitted, a Thing may be able to lie about
% what it is, thus gaining additional network access. This can happen
% in a number of ways when a device emits a MUD URL using DHCP or
% LLDP, such as being inappropriately admitted to a class such as
% "same-manufacturer", given access to a device such as
% "my-controller", or being permitted access to an Internet resource,
% where such access would otherwise be disallowed.
And, here's the editorial stuff.
Section 1.5
o A DHCP option[RFC2131],[RFC3315] that the DHCP client uses to
inform the DHCP server. The DHCP server may take further actions,
such as act as the MUD manager or otherwise pass it along to the
MUD manager.
nit: We lost the immediately previous "URL" that "it" referred to, so we
may want to specifically say "pass the MUD URL along".
Section 13.2
Prior to processing the rest of a MUD file, the MUD manager MUST
retrieve the MUD signature file by retrieving the value of "mud-
signature" and validating the signature across the MUD file. The Key
Usage Extension in the signing certificate MUST have the bit
digitalSignature(0) set.
nit: do we need to go with "MUST be present and have the bit
digitalsignature(0) set"?
The subject of this certificate MUST be
equal to that of the value of id-pe-mudsigner when that extension is
present in the device certificate. If these conditions are not met,
or if it cannot validate the chain of trust to a known trust anchor,
the MUD manager MUST cease processing the MUD file until an
administrator has given approval.
nit-level as well, I guess: I might wordsmith this differently.
NEW:
When the id-pe-mudsigner extension is present in a device's X.509
certificate, the MUD signature file MUST have been generated by
a certificate whose subject matches the contents of that
id-pe-mudsigner extension. If these conditions are not met,
or if it cannot validate the chain of trust to a known trust anchor,
the MUD manager MUST cease processing the MUD file until an
administrator has given approval.
I might also consider adding something like the following (though
hopefully it would be obvious and thus not necessary to say):
Before the signature has been validated, both the MUD file and
the resource retrived from the "mud-signature" URL are unverified
and should be treated as untrusted input. In particular, MUD
managers can impose a cap on the number of bytes they retrieve
from a "mud-signature" URL, to avoid DoS attacks involving
presenting a large (invalid) signature file or similar scenarios.
Section 16
Implementations SHOULD be configurable to
disallow additive access for devices using MUD-URLs that not emitted
in a secure fashion such as in a certificate.
nit: "that are not emitted".
When certificates are not present, Things claiming to be of a certain
manufacturer SHOULD NOT be included in that manufacturer grouping
without additional validation of some form. This will be relevant
when it makes use of primitives such as "manufacturer" for the
purpose of accessing Things of a particular type.
What is "it" that makes use of primitives such as "manufacturer"?
[...] If the actual MUD file has changed, the MUD
manager MAY check the WHOIS database to see if registration ownership
of a domain has changed.
Do we need a reference for WHOIS?
Appendix C
In this sample extension we augment the core MUD model to indicate
whether the device implements DETNET. If a device claims not to use
NETNET, but then later attempts to do so, a notification or exception
That's also supposed to be 'D'ETNET, right?
-Benjamin
- [OPSAWG] I-D Action: draft-ietf-opsawg-mud-23.txt internet-drafts
- Re: [OPSAWG] I-D Action: draft-ietf-opsawg-mud-23… Eliot Lear
- Re: [OPSAWG] I-D Action: draft-ietf-opsawg-mud-23… Benjamin Kaduk
- Re: [OPSAWG] I-D Action: draft-ietf-opsawg-mud-23… Benjamin Kaduk
- [OPSAWG] Fwd: I-D Action: draft-ietf-opsawg-mud-2… Eliot Lear