Re: [RTG-DIR] RTG-DIR review of draft-ietf-opsawg-mud-13
"Adrian Farrel" <adrian@olddog.co.uk> Thu, 02 November 2017 00:02 UTC
Return-Path: <adrian@olddog.co.uk>
X-Original-To: rtg-dir@ietfa.amsl.com
Delivered-To: rtg-dir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A077C13FB8A; Wed, 1 Nov 2017 17:02:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.62
X-Spam-Level:
X-Spam-Status: No, score=-2.62 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sdlSc3-Me2HJ; Wed, 1 Nov 2017 17:02:10 -0700 (PDT)
Received: from asmtp3.iomartmail.com (asmtp3.iomartmail.com [62.128.201.159]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 046A8138BD6; Wed, 1 Nov 2017 17:02:09 -0700 (PDT)
Received: from asmtp3.iomartmail.com (localhost.localdomain [127.0.0.1]) by asmtp3.iomartmail.com (8.13.8/8.13.8) with ESMTP id vA2025eS005850; Thu, 2 Nov 2017 00:02:05 GMT
Received: from 950129200 (254.196.113.87.dyn.plus.net [87.113.196.254]) (authenticated bits=0) by asmtp3.iomartmail.com (8.13.8/8.13.8) with ESMTP id vA201v2T005817 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 2 Nov 2017 00:02:04 GMT
Reply-To: adrian@olddog.co.uk
From: Adrian Farrel <adrian@olddog.co.uk>
To: 'Eliot Lear' <lear@cisco.com>, rtg-ads@ietf.org
Cc: draft-ietf-opsawg-mud@ietf.org, ietf@ietf.org, rtg-dir@ietf.org
References: <01d501d35342$b90d7450$2b285cf0$@olddog.co.uk> <5f1c796d-3700-cda3-0bce-f5c6e70ffc9a@cisco.com>
In-Reply-To: <5f1c796d-3700-cda3-0bce-f5c6e70ffc9a@cisco.com>
Date: Thu, 02 Nov 2017 00:01:55 -0000
Message-ID: <022901d3536d$d01d7b10$70587130$@olddog.co.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Content-Language: en-gb
Thread-Index: AQHbXiOVWYUGr+virfAy7t490kIJlgFDRd+PouXvjKA=
X-TM-AS-MML: disable
X-TM-AS-Product-Ver: IMSS-7.1.0.1679-8.1.0.1062-23434.003
X-TM-AS-Result: No--25.587-10.0-31-10
X-imss-scan-details: No--25.587-10.0-31-10
X-TMASE-MatchedRID: yebcs53SkkCnykMun0J1wj4PYxsTKj6OPllq4+7Psp9LjXXGQy6nlCU7 43HF3fJ1O2sF32mXbnzfneWgb0wCfhvMQPGNwEh5nbUZkYTzXIZT4DtiSkMnWHe9QDr8+LTcLHN FiwmJRq9g9QVv4yJoozMqW8WukwCx6xj9tplxe1otR8fVMTBo3eBgp+G3IXxrasEfs27jsmF33U cFnsV9K2Aa4EJHd+lhy2r0pKo9mL2BmL85GH6eoJU7Bltw5qVLLi2dwKiMR9zoN8DSoota+bJVv 13dZNfHed0d4sqKDsNW6DYmWGhh3b0LBwJblWbCiFoorQjboWkt9SM1xCCZI9qqof+gfD6RXdBQ Y13RVu+fHoYNv/tRVd0iK4aOzykGr4Tjl93LJlctMfCdg6KRDdSqEluSYtV7ZD2MRV9hScnGdRf PKx6LHGd012aNXJXONuVfhyZ1UoR/mtiXLG/iqwArNgt5xpQYQPCPzycuBFNrH7R0RhorDICjHI wimOiw41ajEsPwj9r4L3Nr51seQUHQ/pYAwhs64NAJeq9IDSxBAihwNc9u51c/CedjlcvkkJfLp HarHP0ExaFjjiqBlEBd8jXb7PkJVOdT7lcCJT6VSBCoZUyqbEH7wsB5444wGNAPebYwJ/v9aPr9 xdwJWeRMOKt5mOY0mpwWqsTbqy9EbxUbCvHWy7xygpRxo469xNK79ogfIKlO2MZoFipNWxB3/5R 3B1LBPDsVTI/DsCqZ+/AHXHSuX98B+f+wv7x4et6HZsHsM79G/JUd7BvSQp3BT+pdjEe8wr3tCV Ik66rR8zboG6RI6n0EqyYQ2mty6fLaoi+ilkSeAiCmPx4NwFkMvWAuahr8+gD2vYtOFhgqtq5d3 cxkNQP90fJP9eHt
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-dir/DxELHYy6Qw5-lkbNxCVd5EySNH0>
Subject: Re: [RTG-DIR] RTG-DIR review of draft-ietf-opsawg-mud-13
X-BeenThere: rtg-dir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Routing Area Directorate <rtg-dir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-dir>, <mailto:rtg-dir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-dir/>
List-Post: <mailto:rtg-dir@ietf.org>
List-Help: <mailto:rtg-dir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-dir>, <mailto:rtg-dir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Nov 2017 00:02:13 -0000
This looks really good, Eliot. Thanks for being so responsive and positive to my peculiar brand of paranoia and pedantry. Just a few bits of discussion remain... >> I know I ranted about privacy before and the authors took some text I wrote >> as the basis of the privacy considerations, but I'm still worried that the default >> will be that devices are MUD-enabled (good) and that users will not be >> protected. It would be sad if the user's only option is to reject MUD devices >> (especially as they might not even know that the devices are MUD-enabled). >> More burble below, but it seems to me that we should make privacy-supporting >> modes of operation at least the default, but possibly the only approach. >> >> Section 15 has... >> >> The release of a MUD URL by a Thing reveals what the Thing is, and >> provides an attacker with guidance on what vulnerabilities may be >> present. >> >> Pleased to see this text: it was a security concern I had. Good to have >> it flagged. However, the mitigation suggested 2 paragraphs later is a >> bit thin and sounds rather optional. I see how an implementer might >> take action, but what can a user do to protect their device? [...] > > While this may not be a *perfect* solve for all of your concerns, I hope > you will find the proposal below Good Enough. Keep in mind that we > are attempting to address a very broad set of devices with a large variety > of capabilities, from energy-harvesting devices that may never encrypt > (think a wall switch) to devices that have heaps of power and memory > (think robots). Many of the devices have very limited privacy concerns, > while others will have quite a few. In addition, whatever capabilities the > device has must intersect the capabilities found in deployments. > > With all that in mind, what I propose is the following: > • Add text that RECOMMENDs that devices make use of TEAP when there > may be privacy concerns and when it is available; and > • In other cases where privacy may be a concern, we should RECOMMEND > that a configuration option be provided, particularly when devices are > designed to be mobile, which is where I think most of your concerns > stem from. This is getting gooder. Thanks. Even when the MUD controller is on the premises (the not mobile case), it contacts an offsite file server, and that act is visible. Suppose my Hi-Fi uses MUD - now you know that my house is worth robbing. Suppose my intruder alarm uses MUD - now you know what security system I have. Of course, when the MUD controller is remote (the mobile case), it's all even more worrying. I know you are trying to trade between perfect and getting something that will be implemented and so make the world a somewhat better place. But just recall that someone implemented those devices that "leak like sieves" and those folk are unlikely to see a Recommendation as anything like a strong hint. Well, I'm not in a position to block the whole effort, and I'm not enough of an expert to suggest a solution to my concern that works for all types of device. >> There seems to be some overlap of terms and definitions in 1.5 and 1.6. > > Can you be more specific? 1.5 and 1.6 both have "manufacturer". 1.5 has "controller" and 1.6 has "MUD controller". The definitions don't match. >> 3.5 has me confused. Looks like a fine idea, but how does it work? A >> Thing reports the MUD URL, and the file that is pulled contains the >> systeminfo URL, and the info that is pulled contains the localised info. >> Have I got that right? > Yes. > >> That means that the MUD URL has to include the correct systeminfo for >> the locality. Presumably we're interested in the locality of the MUD >> controller. > > The intent here is basically to allow for language tags to do their thing > through one level of indirection. That doesn't require any specific change > to the URL itself. I've included some text in response to Mark, but that > text may further shift based on other suggestions Mark may have. I'm missing something, but that's OK, I don't have to understand something for it to be right :-) So long as it is possible for the MUD Controller to be in one locale and the MUD Server in another and all the bits to work right, I'm happy. >> Introduction >> >> Please do NOT use random uppercase words in your text. There's NO >> need: the readers are no more stupid than the average reader of an >> RFC. >> >> Ditto 3.4, 3.6 > > Sorry- I didn't parse this. Sorry I'm being sassy. I mean, please don't capitalise for emphasis. Just limit yourself to 2119 capitalisation. >> Introduction >> >> The key points are that the device itself is expected >> to serve a limited purpose, >> >> I think you mean s/expected/intended/ > > How about "assumed"? We're both being overly passive. Who has the expectation/intention/assumption? By "intended" I meant "intended by the manufacturer". So, actually, any one of the three words is fine, if you can attribute the verb to someone. >> Introduction >> >> o A classifier that a device emits that can be used to locate a >> description; >> >> Classifier or classification? > > Classifier. Oh. A "classifier" is a person or thing that classifies. I don't think the device emits a thing or a person :-) I think it emits a piece of information that allows the device to be classified. Cheers, Adrian
- [RTG-DIR] RTG-DIR review of draft-ietf-opsawg-mud… Adrian Farrel
- Re: [RTG-DIR] RTG-DIR review of draft-ietf-opsawg… Eliot Lear
- Re: [RTG-DIR] RTG-DIR review of draft-ietf-opsawg… Adrian Farrel
- Re: [RTG-DIR] RTG-DIR review of draft-ietf-opsawg… Eliot Lear
- Re: [RTG-DIR] RTG-DIR review of draft-ietf-opsawg… Adrian Farrel
- Re: [RTG-DIR] RTG-DIR review of draft-ietf-opsawg… Eliot Lear