Re: [OPSAWG] New Version Notification for draft-reddy-opsawg-mud-tls-02.txt
tirumal reddy <kondtir@gmail.com> Fri, 24 January 2020 12:00 UTC
Return-Path: <kondtir@gmail.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A2B4C1200E6 for <opsawg@ietfa.amsl.com>; Fri, 24 Jan 2020 04:00:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qYPWT786Nfrv for <opsawg@ietfa.amsl.com>; Fri, 24 Jan 2020 04:00:38 -0800 (PST)
Received: from mail-il1-x12c.google.com (mail-il1-x12c.google.com [IPv6:2607:f8b0:4864:20::12c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D57D81200F7 for <opsawg@ietf.org>; Fri, 24 Jan 2020 04:00:37 -0800 (PST)
Received: by mail-il1-x12c.google.com with SMTP id f5so1362097ilq.5 for <opsawg@ietf.org>; Fri, 24 Jan 2020 04:00:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=bJKt9Sj9ivI+UKfcumTphS1ohDECOr75TlDK06W/GEM=; b=UOTeyXieSzFhhmON1YecqlvgTDr+ZUUrb0aEwqSnbqSTuuCLGLTebu64rOF1BkQm7N SAQ+U+Ak2xEuek+ZuZ1GxJSqNbaooB46DFxrV7srk82LQD5FSbNj4L4NZ7wU73fP8S1l bYWKffl8qxPiq5KI6qFs1u2uO/bfE25D2V3jo0UO+8KpmUaw0c20AxKaMN+D1VeLJTiH FXsfY4te4PL5m6hQlaXDtoLiRCjgfOD3VsMkc1jBIiNv/vavno4eF1NScsQMpcHh51KO iDreXR6DWcGnDS/T9VQwvl60k9DEhbUFs849YEd/jWa44vMZOJrjRHYbY5jpJ5bKxH6s 57FA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=bJKt9Sj9ivI+UKfcumTphS1ohDECOr75TlDK06W/GEM=; b=rjO2ST7VyCw8CQc80RjU3lmur9krLSXyz/LZlHyzuezG7VxmckFhdd8x2ngHq0tkXB EDT8qr633rmqspK64zXuBn+gUZBffu1Axlin9Hj0nzNE1QY45pacrVDkK/kELVpuexoo X+Ul+ecRhIsMgwDjJeAKf8VCu/zgUZ2kxhrC6tnOXGG/1cIF9d69/eU9xHa2DriJjFNO IuInU/rVd8yFNxbRAHyIyOtxj2Gbc4sSpwTR47oVerFnAYK0imZ+ldFKhtp/tZnaZzph MCuWWRk3nDarmpsDDrH6ueJa5+HuEmj/aACcfeNxajHxju4HLB/NOjv/5McwbbJZ8xE4 e9Ow==
X-Gm-Message-State: APjAAAU4HtKcIv3KH7tlquON4LNAwGED0dKnfJbTq+1RtFmH38K2Qoue dE1MvvRizJLtXBB4YOJCVPSERswGH/VoakPdRRoYiw==
X-Google-Smtp-Source: APXvYqy++VLkPfhlI7O4/Rd3jNqkOixiVnXTykraRWf+hS6t02oGXhafVD2/0VjdfmvKGESC4QHVD4YyfQPiJl/+bQg=
X-Received: by 2002:a92:84d1:: with SMTP id y78mr2757276ilk.69.1579867237008; Fri, 24 Jan 2020 04:00:37 -0800 (PST)
MIME-Version: 1.0
References: <157918044299.26236.8163535356477976451.idtracker@ietfa.amsl.com> <CAFpG3gehp98VB2RpL6LenRJsV=RRQ=1jCTX7mcrmd27pzkYqfg@mail.gmail.com> <CAFpG3gek8qrHjN5LNQUrRrS9+zFuVQQ4y+XorRrr5xySs2fP1g@mail.gmail.com> <20570.1579314460@localhost> <CAFpG3gd_8ed_Dp1XW8=af_NegwCgkMLk=UZf85KCfRyWtYXQOg@mail.gmail.com> <6891.1579656958@localhost> <CAFpG3gcFBwgJrwHTmeDX2tfxfaoR+uifAZorFhPhLCkG1bbrNg@mail.gmail.com> <31723.1579713946@localhost>
In-Reply-To: <31723.1579713946@localhost>
From: tirumal reddy <kondtir@gmail.com>
Date: Fri, 24 Jan 2020 17:30:24 +0530
Message-ID: <CAFpG3gd+WSoxZcwELEFtn-HRQJpFJcLnHsmww5=tpUc=c5f+_A@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: opsawg@ietf.org
Content-Type: multipart/alternative; boundary="000000000000744ca5059ce181d8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/wE0ZyZSuCon3bmG10YKSQgMxMX4>
Subject: Re: [OPSAWG] New Version Notification for draft-reddy-opsawg-mud-tls-02.txt
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Jan 2020 12:00:41 -0000
On Wed, 22 Jan 2020 at 22:55, Michael Richardson <mcr+ietf@sandelman.ca> wrote: > > tirumal reddy <kondtir@gmail.com> wrote: > >> It will be easier for vendors to avoid interposing themselves on > >> communications that would present legal problems if this extension > can > >> clearly say hands-off. > >> > > > I don't get the comment. The decision whether to deploy a TLS proxy > for the > > IoT devices/endpoints is up to the organization owning them. The TLS > proxy > > has to meet the organization security and privacy requirements. > Further, > > middle box administrator configure the firewall to bypass > > traffic decryption for a connection destined to a specific service > due to > > privacy compliance requirements. > > In Enterprises that own and control all device that might be true. > In residential situations where the ISP owns the home router, that's not > true. > Yes, TLS proxy approach will not work in home networks. In addition, I don't think in near future home routers will be powerful enough to run a TLS proxy (with the exception of VNF). Alternatively, the middle-box can probe the server to learn the server certificate. We will update the draft to clarify the scope of the deployments where middle-box can act as a TLS proxy. > > >> > Middle boxes from several security vendors acting as TLS proxies > do > >> > keep up with the updates to protocols > >> > >> Well, it's never the good actors that cause the problem. > >> It's the bad ones :-) > >> > > > I don't think organizations who care about security and privacy, and > most > > importantly their reputation and business will deploy such bad TLS > proxies. > > But, those bad ones meant that TLS 1.3 had to adapt to them, rather than > the > other way around. > The bad ones will continue to be non-compliant, see https://tools.ietf.org/html/rfc8446#section-9.3 > > >> The problem here is that the EST mechanism as envisioned by BRSKI > is not > >> intended to be a general trust anchor, but rather to validate items > that > >> are > >> within the same domain. > > mcr> I just don't think that this is a good way to introduce alternate > mcr> trust roots. My recommendation is that you go ahead with the MUD > mcr> profile that describes TLS profiles, without tying that to TLS > proxy mechanisms. > > > Got it, thanks; updated draft to say the mechanism to configure the > IoT > > device with the middlebox's CA certificate is out of scope. > > mcr> The malware will include it's own non-public trust-anchor. > > > If malware uses it's own non-public trust-anchor, it will be > detected by > > the TLS profile (acceptlist-ta-certs and SPKI-pin-sets) and the > > malware flow will be blocked. > > I'm trying to say that the same process is a reasonable way for the device > to > call home for firmware updates. So I suggest that since we have MUD > ACLs, even for devices which might have relative broad connectivity, we > should be able to declare a TLS profile (or anchor profile) for specific > destinations. > Good point, will update draft. Cheers, -Tiru > > -- > ] Never tell me the odds! | ipv6 mesh > networks [ > ] Michael Richardson, Sandelman Software Works | IoT > architect [ > ] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on > rails [ > >
- [OPSAWG] Fwd: New Version Notification for draft-… tirumal reddy
- Re: [OPSAWG] New Version Notification for draft-r… tirumal reddy
- Re: [OPSAWG] New Version Notification for draft-r… Michael Richardson
- Re: [OPSAWG] New Version Notification for draft-r… tirumal reddy
- [OPSAWG] how to increase trust in MUD URL Michael Richardson
- Re: [OPSAWG] New Version Notification for draft-r… Michael Richardson
- Re: [OPSAWG] New Version Notification for draft-r… tirumal reddy
- Re: [OPSAWG] New Version Notification for draft-r… Michael Richardson
- Re: [OPSAWG] New Version Notification for draft-r… tirumal reddy