Re: [OPSAWG] putting quarantined IoT devices behind a captive portal
Michael Richardson <mcr+ietf@sandelman.ca> Wed, 10 July 2019 01:16 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8978A12008F; Tue, 9 Jul 2019 18:16:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lU1pcIyLSn61; Tue, 9 Jul 2019 18:15:58 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1B1AB120048; Tue, 9 Jul 2019 18:15:57 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id E05813808A; Tue, 9 Jul 2019 21:13:53 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 9D23B5D0; Tue, 9 Jul 2019 21:15:56 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: John Romkey <romkey@romkey.com>
cc: Eliot Lear <lear@cisco.com>, captive-portals@ietf.org, "opsawg@ietf.org" <opsawg@ietf.org>, "mud@ietf.org" <mud@ietf.org>
In-Reply-To: <46656FBE-06E8-4E65-AF61-4BDE2F206F00@romkey.com>
References: <B8F9A780D330094D99AF023C5877DABAA49CD8C1@nkgeml513-mbx.china.huawei.com> <CAFpG3gc4ijy+xH7O_9EzpzwcROu3XcTA4xpSAH9P+oyhWQzMyg@mail.gmail.com> <4486.1562683318@localhost> <7534958E-E1A6-470D-B4BB-6B88CD27B54C@cisco.com> <27334.1562697538@localhost> <EE6AC0E8-0596-4B58-AA38-003078BF4B23@cisco.com> <18178.1562719763@localhost> <46656FBE-06E8-4E65-AF61-4BDE2F206F00@romkey.com>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Tue, 09 Jul 2019 21:15:56 -0400
Message-ID: <24389.1562721356@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/xIx6M13nO8De5oMubqYmwgJauyM>
Subject: Re: [OPSAWG] putting quarantined IoT devices behind a captive portal
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Jul 2019 01:16:01 -0000
{my appologies for still getting captive-portal vs captive-portals@ wrong}
John Romkey <romkey@romkey.com> wrote:
>> Eliot Lear <lear@cisco.com> wrote:
>>
>>>> to retrieve a JSON object telling it that it is captive. At which point, it
>>>> can flash a LED, or attempt a firmware upgrade, or maybe just reboot if a
>>>> timer goes off. (%)
>>
>>> You are suggesting that a device self-remediate. Some devices may be
>>> able to eventually do that, but I have my doubts. Were I a hacker, I
>>> would have the device pretend to do just that. And so this ties
>>> somewhat to RATS. I think a MUD extension might be able to help in as
>>> much as one could imagine a “remediation” recommendation.
>>
>> Yes, so a full attack on the IoT device would do what you describe.
>> A partial attack might miss messing this. A reboot might clear out the
>> malware, or might mitigate it enough (such as going to boot firmware) that
>> would permit new firmware to be loaded.
>>
>> Yes, getting completely out of the quarantine would require either
>> attestation or human intervention. But, if the device now has good firmware,
>> it would be able to send the "please unquarantine me" signal.
> I believe strongly that the only safe thing you can do with a device
> that’s been in any way compromised is completely isolate it.It
> shouldn’t be able to send an “unquarantine” signal. You shouldn’t even
> try to talk to it.
That's a reasonable view.
The question is: what next?
draft-richardson-shg-un-quarantine-00
tries to discuss this.
> Let the firewall which is implementing MUD notify the user about the
> problem. Let the device’s app or cloud services notify the user that
> the device is offline. Possibly in a later evolution of MUD the
> firewall might have a way to notify the device’s cloud service, but I
> wouldn’t hamstring the initial version of MUD with an attempt to do
> that.
I fully expect any notifications out should be done by the firewall.
There are two issues I'm trying to address:
1) there will be false positives from use of MUD. Manufacturers will
screw up, DNS mappings will be updated out of sync with firmware, etc.
If it is too painful to diagnose and fix, then MUD will get disabled by
operators (ISPs, who will get the call), or by end users.
2) not every user of a device will get the notifications.
So devices with displays (think: thermostats, refridgerators, SIP phones,
TV sets, etc.) whether they have real malware on them, or false
positives should be able to indicate that they are offline.
This matters a lot if you are trying to dial 911 on a broken phone,
and you aren't the person with the app that gets the notifications
from the firewall.
Putting them behind the captive-portal API when quarantined lets them get
exactly the kind of information they want. It also helps them when they
turned on where there really is a captive-portal.
--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
-= IPv6 IoT consulting =-
- [OPSAWG] Fwd: New Version Notification for draft-… tirumal reddy
- Re: [OPSAWG] [Mud] New Version Notification for d… Eliot Lear
- Re: [OPSAWG] Fwd: New Version Notification for dr… Qin Wu
- Re: [OPSAWG] [Mud] New Version Notification for d… tirumal reddy
- Re: [OPSAWG] Fwd: New Version Notification for dr… tirumal reddy
- [OPSAWG] putting quarantined IoT devices behind a… Michael Richardson
- Re: [OPSAWG] putting quarantined IoT devices behi… Eliot Lear
- Re: [OPSAWG] putting quarantined IoT devices behi… Michael Richardson
- Re: [OPSAWG] putting quarantined IoT devices behi… Eliot Lear
- Re: [OPSAWG] putting quarantined IoT devices behi… Juergen Schoenwaelder
- Re: [OPSAWG] [Mud] putting quarantined IoT device… M. Ranganathan
- Re: [OPSAWG] [Mud] putting quarantined IoT device… M. Ranganathan
- Re: [OPSAWG] [Mud] putting quarantined IoT device… Montgomery, Douglas (Fed)
- Re: [OPSAWG] putting quarantined IoT devices behi… Michael Richardson
- Re: [OPSAWG] putting quarantined IoT devices behi… Michael Richardson
- Re: [OPSAWG] putting quarantined IoT devices behi… John Romkey
- Re: [OPSAWG] [Mud] putting quarantined IoT device… Michael Richardson
- Re: [OPSAWG] putting quarantined IoT devices behi… Michael Richardson
- Re: [OPSAWG] putting quarantined IoT devices behi… Eliot Lear