Re: [OPSAWG] revisions in draft-ietf-opsawg-mud-iot-dns-considerations-01
tirumal reddy <kondtir@gmail.com> Mon, 08 March 2021 12:01 UTC
Return-Path: <kondtir@gmail.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B19053A0CBA for <opsawg@ietfa.amsl.com>; Mon, 8 Mar 2021 04:01:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SaDGLEFxZKKS for <opsawg@ietfa.amsl.com>; Mon, 8 Mar 2021 04:01:42 -0800 (PST)
Received: from mail-lf1-x12c.google.com (mail-lf1-x12c.google.com [IPv6:2a00:1450:4864:20::12c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0B4863A0CB8 for <opsawg@ietf.org>; Mon, 8 Mar 2021 04:01:42 -0800 (PST)
Received: by mail-lf1-x12c.google.com with SMTP id f1so20582557lfu.3 for <opsawg@ietf.org>; Mon, 08 Mar 2021 04:01:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=LzWQE7Y7RvtG/IT3fmkTg7WbpWeNWxiKorPqX6lvG5M=; b=lUW8+d1apPs2SZffFwGreRHuwIoTXC6+3t1h22V1Hm0r42qizqr9qkbquERV5SFc0D fz/1FXbLPzNgy7OgYAoG7U7Y+2rk4KwuJmXsGmgT8WwjoMoXMvHIdCg/EAAs3QtjpGjt t7O4BNyHJ22oQeGVZcc9tAtxU2WE3td60smCioTfhzjHWiOdXkmZtaeM2QVyW/0xgHMR rO4HVhMbBOTyLdxoIB3eYi3lqcLF8wKHpqgiEY07c7HxFYsoj7riYmAOMzbepKBeUeya yUMheA7ngFCa80GcSA2uN28b5cQu56lnEwnJ7CL+4s80SFJGSmJJyjUjE2IjUpj0qmhv 7OIA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=LzWQE7Y7RvtG/IT3fmkTg7WbpWeNWxiKorPqX6lvG5M=; b=IBQCwcOu22sac58ForElgAomwgOVC5mRdgg127Ep1dwiQpx9wp6kXrPXG2/ACKdmWd QB0su439RPDaDTsECRLuIckQHvjRWXp6uvoz1QrgoTMhbSOgsG3zQcKwi4iw+KKJdsN0 ea6GqwNMj48KGlEg+/mVYG3I15hN3HvlDqYOl/V5Swdwh25cBINrKUx86a/7SS3dM8QS o5Z6R115IS2WloZQ3f4XR0VDpEPoWk3FfmjNIiWKPH1RMIgU0MeSxS1YWvr/Bs49vDaN ncM02hIHZ01fLz+QtGlj4ySE/6wcfUkjfa7y7fM28V56g1fJkomfP3qVgfkzOVlNDmfW awNw==
X-Gm-Message-State: AOAM5335e87z5zebyhG+bnDL3X+p2HI3qACSjfQRaCAUZJpAWvAdFTWg oox5LVavYsL+KeCxtTaC/qwxmgbOqlhZG42D0b8d34UeA7s=
X-Google-Smtp-Source: ABdhPJwu7T3hQpDyOjvnX48eyyMwd4+ywWG8Pva9Qg0URc8C0hxmhps8IoL273B/3lt2KJnsFoz8PzgUHi7yCdyNr7M=
X-Received: by 2002:a19:f81a:: with SMTP id a26mr14004853lff.647.1615204899288; Mon, 08 Mar 2021 04:01:39 -0800 (PST)
MIME-Version: 1.0
References: <ecd58332-3192-7dbf-9685-afddf9a5030e@sit.fraunhofer.de> <CAFpG3gcvsywDwNDEhY_savtp5Rx+JqTPfTcFRjge55x7LsNE_w@mail.gmail.com> <4395.1613948972@localhost>
In-Reply-To: <4395.1613948972@localhost>
From: tirumal reddy <kondtir@gmail.com>
Date: Mon, 08 Mar 2021 17:31:27 +0530
Message-ID: <CAFpG3gfWx4vZThF5GhA0Z57JjBUP0GVZUsuAsC=ST+H2GRmeOw@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: opsawg <opsawg@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000042faad05bd053281"
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/vnJLCIe6QIyUqN7zO0ja1yXJigI>
Subject: Re: [OPSAWG] revisions in draft-ietf-opsawg-mud-iot-dns-considerations-01
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Mar 2021 12:01:45 -0000
Hi Michael, Please see inline On Mon, 22 Feb 2021 at 04:39, Michael Richardson <mcr+ietf@sandelman.ca> wrote: > > Reorganized your comments to bring the discussion to the top. > > > 5) Wildcard certificates are also commonly available which allowed > for > > an infinite number of possible names. > > Comment> https://tools.ietf.org/html/rfc6125#section-6.4.3 does not > Comment> recommend the use of wildcard certificates. > > okay, but they are widely used in Enterprises, and the point here is that > having a unique name for each product model's download server should not > be a > burden. > So, while I'm not trying to disagree with RFC6125, I don't think it > materially > matters here. > > > 6) Where the solution is more complex is when the MUD controller is > > located elsewhere in an Enteprise, or remotely in a cloud such as > when > > a Software Defines Network (SDN) is used to manage the ACLs. The DNS > > servers for a particular device may not be known to the MUD > controller, > > nor the MUD controller be even permitted to make recusive queries > that > > server if it is known. In this case, additional installation > specific > > mechanisms are probably needed to get the right view of DNS. > > Comment> The MUD controller can program the Enterprise DNS resolver to > Comment> enforce the DNS filtering rules. DNS resolvers can enforce > Comment> device specific filtering. > > I think that your comment misses the point. > It isn't about DNS filtering, it's about the MUD controller getting the > same > view of DNS as the device. > I don't think it is possible for the MUD manager to get the same responses to DNS queries as the IoT device even if both of them use the same DNS recursive server (e.g., successive DNS queries may never resolve to the same IP address). > > > tirumal reddy <kondtir@gmail.com> wrote: > > Use of DoT to a local DNS recursive resolver is a preferred choice, > > assuming that the trust anchor for the local DNS server can be > > obtained, such as via [I-D.reddy-dprive-bootstrap-dns-server]. > > Comment> I would replace DoT with "Encrypted DNS connection" > > Done. > > > 2) The use of DoT and DoH eliminates the minimizes threat from > passive > > eavesdropped, but still exposes the list to the operator of the DoT > or > > DoH server. > > Comment> The threat is further minimized by the use of oblivous DNS > Comment> > https://tools.ietf.org/html/draft-pauly-dprive-oblivious-doh-03 > Comment> (see https://blog.cloudflare.com/oblivious-dns/). > > Done. > > > 3) IoT devices that reach out to the manufacturer at regular > intervals > > to check for firmware updates are informing passive eavesdroppers of > > the existence of a specific manufacturer's device being present at > the > > origin location. > > Comment> Identifying the IoT device type empowers the attacker to > launch > Comment> targeted attacks to the IoT device (e.g., Attacker can > advantage > Comment> of the device vulnerability). > > Done. > > However, I don't want to overstate this. > An attacker internal to the network, for which internal ACLs do not work > (because of lack of L2 hairpinning) may be able to fingerprint the device > independantly, and attack it directly. > An attacker external to the network, should not, given appropriate incoming > MUD ACLs, be able to even connect to the device. > > So, I'm really more worried about privacy issues here. > Okay. > > > 4) IoT Devices should prefer doing DNS to the network provided DNS > > servers. Whether this is restricted to Classic DNS (Do53) or also > > includes using DoT/DoH is a local decision, but a locally provided > DoT > > server SHOULD be used, as recommended by > > [I-D.reddy-dprive-bootstrap-dns-server] and [I-D.peterson-doh-dhcp]. > > Comment> ADD WG is currently only focusing on insecure discovery > Comment> mechanisms like DHCP/RA > Comment> (https://tools.ietf.org/html/draft-btw-add-home-10) and DNS > Comment> based discovery mechanisms > Comment> (https://tools.ietf.org/html/draft-pauly-add-deer-00). Secure > Comment> discovery of network provided DoH/DoT resolver is possible > using > Comment> the mechanisms discussed in > Comment> > https://tools.ietf.org/html/draft-reddy-add-enterprise-00#section-4. > > Done. Only, draft-reddy-add-enterprise has expired ... > ADD WG has adopted DDR and DNR drafts (both are insecure discovery mechanisms). I am hoping the WG will discuss secure discovery mechanisms like BRSKI and SZTP for IoT devices. -Tiru > > > -- > Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting ) > Sandelman Software Works Inc, Ottawa and Worldwide > > > > >
- [OPSAWG] 🔔 WG Adoption Call on draft-richardson-o… Henk Birkholz
- Re: [OPSAWG] 🔔 WG Adoption Call on draft-richards… Eliot Lear
- Re: [OPSAWG] 🔔 WG Adoption Call on draft-richards… tirumal reddy
- Re: [OPSAWG] 🔔 WG Adoption Call on draft-richards… Qin Wu
- Re: [OPSAWG] 🔔 WG Adoption Call on draft-richards… Panwei (William)
- Re: [OPSAWG] 🔔 WG Adoption Call on draft-richards… Wubo (lana)
- Re: [OPSAWG] 🔔 WG Adoption Call on draft-richards… Henk Birkholz
- [OPSAWG] revisions in draft-ietf-opsawg-mud-iot-d… Michael Richardson
- Re: [OPSAWG] revisions in draft-ietf-opsawg-mud-i… tirumal reddy
- Re: [OPSAWG] revisions in draft-ietf-opsawg-mud-i… Michael Richardson