Re: [OPSAWG] putting quarantined IoT devices behind a captive portal

John Romkey <romkey@romkey.com> Wed, 10 July 2019 00:58 UTC

From: John Romkey <romkey@romkey.com>
Message-Id: <46656FBE-06E8-4E65-AF61-4BDE2F206F00@romkey.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_EABAD983-EB6E-4F93-A1D3-3C6FB9586844"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Tue, 09 Jul 2019 17:58:27 -0700
In-Reply-To: <18178.1562719763@localhost>
Cc: Eliot Lear <lear@cisco.com>, captive-portal@ietf.org, "opsawg@ietf.org" <opsawg@ietf.org>, "mud@ietf.org" <mud@ietf.org>
To: Michael Richardson <mcr+ietf@sandelman.ca>
References: <B8F9A780D330094D99AF023C5877DABAA49CD8C1@nkgeml513-mbx.china.huawei.com> <CAFpG3gc4ijy+xH7O_9EzpzwcROu3XcTA4xpSAH9P+oyhWQzMyg@mail.gmail.com> <4486.1562683318@localhost> <7534958E-E1A6-470D-B4BB-6B88CD27B54C@cisco.com> <27334.1562697538@localhost> <EE6AC0E8-0596-4B58-AA38-003078BF4B23@cisco.com> <18178.1562719763@localhost>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/uy1T-4E8vnzAoFrK0z_z0qh-PiI>
Subject: Re: [OPSAWG] putting quarantined IoT devices behind a captive portal

> On Jul 9, 2019, at 5:49 PM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
> 
> 
> Eliot Lear <lear@cisco.com> wrote:
> 
>>> to retrieve a JSON object telling it that it is captive. At which point, it
>>> can flash a LED, or attempt a firmware upgrade, or maybe just reboot if a
>>> timer goes off.  (%)
> 
>> You are suggesting that a device self-remediate.  Some devices may be
>> able to eventually do that, but I have my doubts.  Were I a hacker, I
>> would have the device pretend to do just that.  And so this ties
>> somewhat to RATS.  I think a MUD extension might be able to help in as
>> much as one could imagine a “remediation” recommendation.
> 
> Yes, so a full attack on the IoT device would do what you describe.
> A partial attack might miss messing with this.  A reboot might clear out the
> malware, or might mitigate it enough (such as going to boot firmware) that
> would permit new firmware to be loaded.
> 
> Yes, getting completely out of the quarantine would require either
> attestation or human intervention.  But, if the device now has good firmware,
> it would be able to send the "please unquarantine me" signal.

I believe strongly that the only safe thing you can do with a device that’s been in any way compromised is completely isolate it. It shouldn’t be able to send an “unquarantine” signal. You shouldn’t even try to talk to it.

Let the firewall which is implementing MUD notify the user about the problem. Let the device’s app or cloud services notify the user that the device is offline. Possibly in a later evolution of MUD the firewall might have a way to notify the device’s cloud service, but I wouldn’t hamstring the initial version of MUD with an attempt to do that.
	- john romkey
	https://romkey.com
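The two positions in this exchange can be written down as a gateway-side policy. The following is an added example, not code from any participant in the thread, from MUD or from the captive-portal drafts. It models a MUD-enforcing firewall that drops every flow from a quarantined device, discards any "please unquarantine me" message the device sends (the point made above), and lets the device out only on a human operator's say-so or on attestation evidence checked by a verifier hook (the exits Michael Richardson describes). The MAC address, the (host, port) ACL standing in for what a MUD file would yield, the `verify_attestation` callback and the evidence blob are all constructed for the example.

```python
"""Gateway-side quarantine policy for MUD-managed IoT devices.

Added example, not code from the thread, from MUD or from any IETF draft.
A quarantined device is fully isolated; nothing it sends changes its state.
The only exits are a human operator or attestation evidence accepted by a
verifier hook. Identifiers, ACLs and the verifier are constructed stand-ins.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class State(Enum):
    NORMAL = "normal"
    QUARANTINED = "quarantined"


@dataclass
class Device:
    mac: str
    # Constructed stand-in for the allow-list a MUD file would produce.
    mud_acl: List[Tuple[str, int]]
    state: State = State.NORMAL
    log: List[str] = field(default_factory=list)


class QuarantineController:
    def __init__(self, verify_attestation: Callable[[str, bytes], bool],
                 notify: Callable[[str], None]) -> None:
        self._verify = verify_attestation   # hypothetical RATS-style verifier hook
        self._notify = notify               # user/operator notification sink
        self._devices: Dict[str, Device] = {}

    def register(self, dev: Device) -> None:
        self._devices[dev.mac] = dev

    def permit(self, mac: str, dst: str, port: int) -> bool:
        """Per-flow forwarding decision made by the firewall."""
        dev = self._devices.get(mac)
        if dev is None or dev.state is State.QUARANTINED:
            return False                    # unknown or quarantined: drop everything
        return (dst, port) in dev.mud_acl

    def on_violation(self, mac: str, reason: str) -> None:
        """A MUD ACL violation isolates the device and tells the user, not the device."""
        dev = self._devices[mac]
        dev.state = State.QUARANTINED
        dev.log.append(f"quarantined: {reason}")
        self._notify(f"{mac} quarantined ({reason}); device is offline until remediated")

    def on_device_message(self, mac: str, msg: str) -> bool:
        """Control messages from a quarantined device are logged and dropped, never acted on."""
        dev = self._devices[mac]
        if dev.state is State.QUARANTINED:
            dev.log.append(f"dropped message from quarantined device: {msg!r}")
            return False
        return True

    def release(self, mac: str, *, operator: Optional[str] = None,
                evidence: Optional[bytes] = None) -> bool:
        """Leave quarantine only on operator action or verified attestation evidence."""
        dev = self._devices[mac]
        if dev.state is not State.QUARANTINED:
            return False
        if operator is not None:
            dev.log.append(f"released by operator {operator}")
        elif evidence is not None and self._verify(mac, evidence):
            dev.log.append("released on verified attestation")
        else:
            dev.log.append("release refused: no operator and attestation not verified")
            return False
        dev.state = State.NORMAL
        return True


def demo() -> Dict[str, object]:
    """Walk one constructed device through violation, rejected self-release, and attested release."""
    notices: List[str] = []
    # Constructed verifier: accepts exactly one evidence blob; a real one would check signed claims.
    ctrl = QuarantineController(
        verify_attestation=lambda mac, ev: ev == b"good-firmware-measurement",
        notify=notices.append,
    )
    cam = Device(mac="aa:bb:cc:00:00:01",
                 mud_acl=[("cloud.example", 443), ("ntp.example", 123)])
    ctrl.register(cam)
    before = ctrl.permit(cam.mac, "cloud.example", 443)
    ctrl.on_violation(cam.mac, "outbound tcp/22 to host not in MUD ACL")
    during = ctrl.permit(cam.mac, "cloud.example", 443)
    self_release = ctrl.on_device_message(cam.mac, "unquarantine-me")   # ignored
    bad_att = ctrl.release(cam.mac, evidence=b"forged")
    good_att = ctrl.release(cam.mac, evidence=b"good-firmware-measurement")
    after = ctrl.permit(cam.mac, "cloud.example", 443)
    return {"before": before, "during": during, "self_release": self_release,
            "bad_attestation": bad_att, "good_attestation": good_att,
            "after": after, "notices": notices, "state": cam.state.value,
            "log": cam.log}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The stricter position in the reply above corresponds to never calling `release` with `evidence` at all, so that `operator` is the only exit; the controller is written so that dropping the attestation path is a one-line change rather than a redesign.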