IETF Logo Mail Archive

Re: [OPSAWG] New Version Notification for draft-reddy-opsawg-mud-tls-02.txt

tirumal reddy <kondtir@gmail.com> Fri, 24 January 2020 12:00 UTC

Return-Path: <kondtir@gmail.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A2B4C1200E6 for <opsawg@ietfa.amsl.com>; Fri, 24 Jan 2020 04:00:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qYPWT786Nfrv for <opsawg@ietfa.amsl.com>; Fri, 24 Jan 2020 04:00:38 -0800 (PST)
Received: from mail-il1-x12c.google.com (mail-il1-x12c.google.com [IPv6:2607:f8b0:4864:20::12c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D57D81200F7 for <opsawg@ietf.org>; Fri, 24 Jan 2020 04:00:37 -0800 (PST)
Received: by mail-il1-x12c.google.com with SMTP id f5so1362097ilq.5 for <opsawg@ietf.org>; Fri, 24 Jan 2020 04:00:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=bJKt9Sj9ivI+UKfcumTphS1ohDECOr75TlDK06W/GEM=; b=UOTeyXieSzFhhmON1YecqlvgTDr+ZUUrb0aEwqSnbqSTuuCLGLTebu64rOF1BkQm7N SAQ+U+Ak2xEuek+ZuZ1GxJSqNbaooB46DFxrV7srk82LQD5FSbNj4L4NZ7wU73fP8S1l bYWKffl8qxPiq5KI6qFs1u2uO/bfE25D2V3jo0UO+8KpmUaw0c20AxKaMN+D1VeLJTiH FXsfY4te4PL5m6hQlaXDtoLiRCjgfOD3VsMkc1jBIiNv/vavno4eF1NScsQMpcHh51KO iDreXR6DWcGnDS/T9VQwvl60k9DEhbUFs849YEd/jWa44vMZOJrjRHYbY5jpJ5bKxH6s 57FA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=bJKt9Sj9ivI+UKfcumTphS1ohDECOr75TlDK06W/GEM=; b=rjO2ST7VyCw8CQc80RjU3lmur9krLSXyz/LZlHyzuezG7VxmckFhdd8x2ngHq0tkXB EDT8qr633rmqspK64zXuBn+gUZBffu1Axlin9Hj0nzNE1QY45pacrVDkK/kELVpuexoo X+Ul+ecRhIsMgwDjJeAKf8VCu/zgUZ2kxhrC6tnOXGG/1cIF9d69/eU9xHa2DriJjFNO IuInU/rVd8yFNxbRAHyIyOtxj2Gbc4sSpwTR47oVerFnAYK0imZ+ldFKhtp/tZnaZzph MCuWWRk3nDarmpsDDrH6ueJa5+HuEmj/aACcfeNxajHxju4HLB/NOjv/5McwbbJZ8xE4 e9Ow==
X-Gm-Message-State: APjAAAU4HtKcIv3KH7tlquON4LNAwGED0dKnfJbTq+1RtFmH38K2Qoue dE1MvvRizJLtXBB4YOJCVPSERswGH/VoakPdRRoYiw==
X-Google-Smtp-Source: APXvYqy++VLkPfhlI7O4/Rd3jNqkOixiVnXTykraRWf+hS6t02oGXhafVD2/0VjdfmvKGESC4QHVD4YyfQPiJl/+bQg=
X-Received: by 2002:a92:84d1:: with SMTP id y78mr2757276ilk.69.1579867237008; Fri, 24 Jan 2020 04:00:37 -0800 (PST)
MIME-Version: 1.0
References: <157918044299.26236.8163535356477976451.idtracker@ietfa.amsl.com> <CAFpG3gehp98VB2RpL6LenRJsV=RRQ=1jCTX7mcrmd27pzkYqfg@mail.gmail.com> <CAFpG3gek8qrHjN5LNQUrRrS9+zFuVQQ4y+XorRrr5xySs2fP1g@mail.gmail.com> <20570.1579314460@localhost> <CAFpG3gd_8ed_Dp1XW8=af_NegwCgkMLk=UZf85KCfRyWtYXQOg@mail.gmail.com> <6891.1579656958@localhost> <CAFpG3gcFBwgJrwHTmeDX2tfxfaoR+uifAZorFhPhLCkG1bbrNg@mail.gmail.com> <31723.1579713946@localhost>
In-Reply-To: <31723.1579713946@localhost>
From: tirumal reddy <kondtir@gmail.com>
Date: Fri, 24 Jan 2020 17:30:24 +0530
Message-ID: <CAFpG3gd+WSoxZcwELEFtn-HRQJpFJcLnHsmww5=tpUc=c5f+_A@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: opsawg@ietf.org
Content-Type: multipart/alternative; boundary="000000000000744ca5059ce181d8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/wE0ZyZSuCon3bmG10YKSQgMxMX4>
Subject: Re: [OPSAWG] New Version Notification for draft-reddy-opsawg-mud-tls-02.txt
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Jan 2020 12:00:41 -0000

On Wed, 22 Jan 2020 at 22:55, Michael Richardson <mcr+ietf@sandelman.ca>
wrote:

>
> tirumal reddy <kondtir@gmail.com> wrote:
>     >> It will be easier for vendors to avoid interposing themselves on
>     >> communications that would present legal problems if this extension
> can
>     >> clearly say hands-off.
>     >>
>
>     > I don't get the comment. The decision whether to deploy a TLS proxy
> for the
>     > IoT devices/endpoints is up to the organization owning them. The TLS
> proxy
>     > has to meet the organization security and privacy requirements.
> Further,
>     > middle box administrator configure the firewall to bypass
>     > traffic decryption for a connection destined to a specific service
> due to
>     > privacy compliance requirements.
>
> In Enterprises that own and control all device that might be true.
> In residential situations where the ISP owns the home router, that's not
> true.
>

Yes, TLS proxy approach will not work in home networks. In addition, I
don't think in near future home routers will be powerful enough to run a
TLS proxy (with the exception of VNF). Alternatively, the middle-box can
probe the server to learn the server certificate.

We will update the draft to clarify the scope of the deployments where
middle-box can act as a TLS proxy.


>
>     >> > Middle boxes from several security vendors acting as TLS proxies
> do
>     >> > keep up with the updates to protocols
>     >>
>     >> Well, it's never the good actors that cause the problem.
>     >> It's the bad ones :-)
>     >>
>
>     > I don't think organizations who care about security and privacy, and
> most
>     > importantly their reputation and business will deploy such bad TLS
> proxies.
>
> But, those bad ones meant that TLS 1.3 had to adapt to them, rather than
> the
> other way around.
>

The bad ones will continue to be non-compliant, see
https://tools.ietf.org/html/rfc8446#section-9.3


>
>     >> The problem here is that the EST mechanism as envisioned by BRSKI
> is not
>     >> intended to be a general trust anchor, but rather to validate items
> that
>     >> are
>     >> within the same domain.
>
>     mcr> I just don't think that this is a good way to introduce alternate
>     mcr> trust roots.  My recommendation is that you go ahead with the MUD
>     mcr> profile that describes TLS profiles, without tying that to TLS
> proxy mechanisms.
>
>     > Got it, thanks; updated draft to say the mechanism to configure the
> IoT
>     > device with the middlebox's CA certificate is out of scope.
>
>     mcr> The malware will include it's own non-public trust-anchor.
>
>     > If malware uses it's own non-public trust-anchor, it will be
> detected by
>     > the TLS profile (acceptlist-ta-certs and SPKI-pin-sets) and the
>     > malware flow will be blocked.
>
> I'm trying to say that the same process is a reasonable way for the device
> to
> call home for firmware updates.   So I suggest that since we have MUD
> ACLs, even for devices which might have relative broad connectivity, we
> should be able to declare a TLS profile (or anchor profile) for specific
> destinations.
>

Good point, will update draft.

Cheers,
-Tiru


>
> --
> ]               Never tell me the odds!                 | ipv6 mesh
> networks [
> ]   Michael Richardson, Sandelman Software Works        |    IoT
> architect   [
> ]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on
> rails    [
>
>

v2.23.0 | Report a Bug | By Email