RE: Request for Authenticated but not Encrypted Traffic

"Randy Armstrong (OPC)" <randy.armstrong@opcfoundation.org> Fri, 30 September 2022 11:15 UTC

From: "Randy Armstrong (OPC)" <randy.armstrong@opcfoundation.org>
To: Lars Eggert <lars@eggert.org>
CC: Eliot Lear <lear@lear.ch>, Phillip Hallam-Baker <phill@hallambaker.com>, "quic@ietf.org" <quic@ietf.org>
Subject: RE: Request for Authenticated but not Encrypted Traffic
Date: Fri, 30 Sep 2022 11:14:58 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/b2gaTmKaAdlvgFaFHDqyfETozO8>

> This is detectable based on traffic matrix changes, even when all traffic is encrypted.

With good encryption you can only know that A connected to B.
You cannot know that A connected to B and attempted to read configuration data.

> Certificates are typically tied to the identities of devices in ways that are verifiable.

This could be detected with encrypted traffic since it would have to check the certificates used during key negotiation.

> Could you explain what a PLC is?

Programmable Logic Controller. It typically is connected to other devices that use non-IP interfaces to control some physical system, e.g. a temperature sensor whose current reading is proportional to the amount of current that flows in the connecting wire.

> Also, I don't understand how plaintext traffic would prevent writes at inopportune times?

It is not about preventing writes. That has to be handled by access control (i.e. the PLC would reject the attempt to write). But the fact that the write was even attempted is a red flag that needs investigation. The only way to detect these kinds of red flags is if the message contents can be analyzed.

That said, logging on the PLC could also be used to detect this particular issue. Doing it with network-wide packet analysis is a feature offered by numerous off-the-shelf threat detection packages (e.g. https://www.dragos.com/platform/threat-detection/), so factory owners often look for solutions that work with these kinds of packages. It is also a lot less intrusive to monitor network traffic in real time than to configure all the OT devices to publish their logs to a central location for analysis.

-----Original Message-----
From: Lars Eggert <lars@eggert.org>
Sent: Friday, September 30, 2022 7:39 PM
To: Randy Armstrong (OPC) <randy.armstrong@opcfoundation.org>
Cc: Eliot Lear <lear@lear.ch>; Phillip Hallam-Baker <phill@hallambaker.com>; quic@ietf.org
Subject: Re: Request for Authenticated but not Encrypted Traffic

Hi,

thanks for describing scenarios!

On 2022-9-30, at 13:32, Randy Armstrong (OPC) <randy.armstrong@opcfoundation.org> wrote:
> Scenario 1) A device with a trusted certificate is compromised and starts probing other devices in the network in ways that make no sense given its role.

This is detectable based on traffic matrix changes, even when all traffic is encrypted.

> Scenario 2) A connection from a device is established using a valid certificate that was not assigned to that device.

Certificates are typically tied to the identities of devices in ways that are verifiable.

> Scenario 3) A device is misconfigured and attempts a valid write to a PLC at a time when the configuration of the PLC should not be changing.

Could you explain what a PLC is?

Also, I don't understand how plaintext traffic would prevent writes at inopportune times?

Thanks,
Lars
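An added illustration of the two detection approaches argued over in this exchange (editor's example code, not part of either message): a traffic-matrix check that needs only endpoints, and so works on encrypted flows, versus the write-outside-change-window check, which needs the operation type and therefore message contents or PLC-side logs. All device names, records and the change window are constructed.

```python
"""Constructed OT records illustrating which red flags each data source can show."""
from datetime import time

# What a network sensor sees when all traffic is encrypted: only that A
# connected to B, plus timing. No operation type is visible.
FLOWS = [
    {"src": "hmi-1", "dst": "plc-7", "t": "09:12"},
    {"src": "hmi-1", "dst": "plc-7", "t": "09:40"},
    {"src": "historian", "dst": "plc-7", "t": "10:05"},
    {"src": "plc-7", "dst": "plc-8", "t": "10:07"},  # a PLC probing a peer: not its role
]

# Decoded messages, as a PLC-side log (or a sensor with message visibility)
# would provide. These carry the operation type and the target node.
MESSAGES = [
    {"src": "hmi-1", "dst": "plc-7", "t": "09:12", "op": "read", "node": "Temperature"},
    {"src": "hmi-1", "dst": "plc-7", "t": "09:40", "op": "write", "node": "Setpoint"},
    {"src": "eng-ws", "dst": "plc-7", "t": "23:15", "op": "write", "node": "Config"},
]

# Constructed baseline of expected (src, dst) pairs for this cell.
BASELINE = {("hmi-1", "plc-7"), ("historian", "plc-7")}

# Constructed change window during which configuration writes are expected.
CHANGE_WINDOW = (time(8, 0), time(18, 0))


def detect_traffic_matrix_anomalies(flows, baseline=BASELINE):
    """Scenario 1: flag (src, dst) pairs absent from the baseline matrix.
    Works on encrypted traffic because it needs only the endpoints."""
    return [(f["src"], f["dst"]) for f in flows if (f["src"], f["dst"]) not in baseline]


def detect_writes_outside_window(records, window=CHANGE_WINDOW):
    """Scenario 3: flag write attempts outside the permitted change window.
    Records lacking an operation type (e.g. encrypted flows) can never match,
    which is why this check needs message contents or PLC logs."""
    start, end = window
    hits = []
    for r in records:
        hh, mm = map(int, r["t"].split(":"))
        inside = start <= time(hh, mm) <= end
        if r.get("op") == "write" and not inside:
            hits.append((r["src"], r["node"], r["t"]))
    return hits


if __name__ == "__main__":
    print("matrix anomalies:", detect_traffic_matrix_anomalies(FLOWS))
    print("off-window writes (flows):", detect_writes_outside_window(FLOWS))
    print("off-window writes (messages):", detect_writes_outside_window(MESSAGES))
```

Run against the same events, the flow records surface the probing PLC but no off-window write, while the decoded messages surface the 23:15 configuration write.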