Re: [sacm] ECP question
Jessica Fitzgerald-McKay <jmfmckay@gmail.com> Fri, 26 April 2019 12:52 UTC
From: Jessica Fitzgerald-McKay <jmfmckay@gmail.com>
Date: Fri, 26 Apr 2019 08:52:27 -0400
Message-ID: <CAM+R6NXa3WfxYk+unocaUGe=7B_fF0t61GdT3iCFDe0DD0yDFw@mail.gmail.com>
To: Dan Ehrlich <dan=40ehrlichserver.com@dmarc.ietf.org>
Cc: "draft-ietf-sacm-ecp@ietf.org" <draft-ietf-sacm-ecp@ietf.org>, "sacm@ietf.org" <sacm@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/1PpY5C7aal9rO_E7vlPBSG1yKx8>
Dan,

Thank you for the review! Your understanding of MAC addresses mirrors mine: they are not trustworthy as a sole device identifier. I think that, despite that, they are still worth collecting, for two reasons:

1) For device identity correlation: for some network analytics, the MAC address is what they can see. These analytics should have the capability to correlate the behavior they see from an endpoint with a particular MAC address to a better device identifier. One way to do that is to provide all the identifiers an endpoint has (IP address, MAC address, device certificate, etc.) to the CMDB. For traditional endpoints, the ECP requires IF-IMC and (on the server side) IF-IMV. These interfaces allow endpoints to share multiple forms of identity with the server, which are then stored in the CMDB for this sort of use case.

2) For attack identification: ECP enables event-driven collection of endpoint data. That is, if something changes on the endpoint, ECP enables that change to be immediately (or close to immediately) sent to the server, and then to the CMDB. An endpoint could share any changes to its MAC address as a part of that event-driven collection, which would help network tools notice a malicious change in near-real-time.

Given these reasons, I would like to keep MAC addresses as a type of device identity in the ECP. I wonder if we could resolve your comments by including a note in the security considerations about the trust limitations of MAC addresses. We can say that they really should not be used as a sole device identifier, and, if other identities can be reported, they really ought to be collected at the same time as a MAC address. What do you think?

Thanks again for taking the time to share your thoughts!
Jess

On Fri, Apr 12, 2019 at 8:45 PM Dan Ehrlich <dan=40ehrlichserver.com@dmarc.ietf.org> wrote:
> Link I mentioned:
> https://datatracker.ietf.org/doc/draft-ietf-sacm-ecp/?include_text=1
>
> Section 3.2.1
>
> On Fri, Apr 12, 2019 at 5:42 PM Dan Ehrlich <dan@ehrlichserver.com> wrote:
>
>> In the RFC for ECP, there is a section that mentions the potential use of
>> MAC addresses for identifying endpoints.
>>
>> My understanding is that there are many things wrong with MAC addresses
>> today, such as that they can now be changed randomly by software, can't
>> really be verified, can be spoofed easily, etc.
>>
>> I cannot find the link I was using from yesterday, but can the MAC
>> address mention be removed from ECP?
>>
>> Apologies if I viewed an old draft or if this was previously discussed,
>>
>> Dan Ehrlich
>> Austin, Texas
>> https://linkedin.com/in/danehrlich/
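The two uses of a reported MAC address argued for in the reply above (correlating a MAC seen on the wire with a stronger identifier held in the CMDB, and surfacing a MAC change from event-driven collection) are shown here as an added, self-contained example. It is not code from the thread, the SACM WG or the ECP draft, and it does not implement IF-IMC/IF-IMV or any ECP message format. The event schema (cert_fp, ifname, mac, ip), the use of a device-certificate fingerprint as the strong identifier, and the sample events are all assumptions made for illustration.

```python
"""Toy CMDB: store every identifier an endpoint reports, key records on the
strong identifier, and flag MAC changes and collisions.

Added example only: not code from the SACM thread or the ECP draft, and not
an implementation of IF-IMC/IF-IMV.  The event schema, the certificate
fingerprint as strong identifier, and the sample events are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class DeviceRecord:
    cert_fp: str                                           # assumed strong identifier
    ifaces: Dict[str, str] = field(default_factory=dict)   # ifname -> currently reported MAC
    history: Set[str] = field(default_factory=set)         # every MAC this device ever reported
    ips: Set[str] = field(default_factory=set)

    def current_macs(self) -> Set[str]:
        return set(self.ifaces.values())


@dataclass
class Alert:
    kind: str       # "mac_changed" or "mac_collision"
    cert_fp: str    # device (by strong identifier) whose report raised the alert
    mac: str
    detail: str


class ToyCMDB:
    """Keeps all identifiers an endpoint reports, keyed on the strong one."""

    def __init__(self) -> None:
        self.by_cert: Dict[str, DeviceRecord] = {}
        self.alerts: List[Alert] = []

    def ingest(self, event: dict) -> List[Alert]:
        """Process one event-driven posture report and return any new alerts."""
        cert_fp, ifname = event["cert_fp"], event["ifname"]
        mac = event["mac"].lower()                 # normalise so AA:BB == aa:bb
        rec = self.by_cert.setdefault(cert_fp, DeviceRecord(cert_fp))
        new_alerts: List[Alert] = []

        # Collision: another cert-identified device currently reports this MAC.
        # This is exactly the case in which the MAC alone could never tell a
        # network sensor which endpoint it observed.
        for other in self.by_cert.values():
            if other.cert_fp != cert_fp and mac in other.current_macs():
                new_alerts.append(Alert("mac_collision", cert_fp, mac,
                                        f"currently reported by {other.cert_fp}"))

        # Change: the same interface on the same device reported a different
        # MAC before.  With event-driven reporting this surfaces when the
        # endpoint notices the change, not at the next scheduled scan.
        old = rec.ifaces.get(ifname)
        if old is not None and old != mac:
            new_alerts.append(Alert("mac_changed", cert_fp, mac, f"{ifname} was {old}"))

        rec.ifaces[ifname] = mac
        rec.history.add(mac)
        if "ip" in event:
            rec.ips.add(event["ip"])
        self.alerts.extend(new_alerts)
        return new_alerts

    def resolve_mac(self, mac: str, include_history: bool = False) -> List[str]:
        """Map a MAC seen on the wire back to strong identifiers.

        An empty list means the MAC is unknown or stale; more than one entry
        means the MAC on its own cannot say which endpoint was observed.
        """
        mac = mac.lower()
        hits = [rec.cert_fp for rec in self.by_cert.values()
                if mac in rec.current_macs() or (include_history and mac in rec.history)]
        return sorted(hits)


# Constructed sample events (not captured data): two endpoints enrol, one
# then changes its MAC in software, and the other starts using that same MAC.
SAMPLE_EVENTS = [
    {"cert_fp": "sha256:aaaa", "ifname": "eth0", "mac": "00:11:22:33:44:55", "ip": "10.0.0.10"},
    {"cert_fp": "sha256:bbbb", "ifname": "eth0", "mac": "00:11:22:33:44:66", "ip": "10.0.0.11"},
    {"cert_fp": "sha256:aaaa", "ifname": "eth0", "mac": "DE:AD:BE:EF:00:01", "ip": "10.0.0.10"},
    {"cert_fp": "sha256:bbbb", "ifname": "eth0", "mac": "de:ad:be:ef:00:01", "ip": "10.0.0.11"},
]


def run_sample() -> ToyCMDB:
    """Feed the constructed events through the CMDB and return it for inspection."""
    cmdb = ToyCMDB()
    for ev in SAMPLE_EVENTS:
        for alert in cmdb.ingest(ev):
            print(f"{alert.kind}: {alert.cert_fp} {alert.mac} ({alert.detail})")
    return cmdb


if __name__ == "__main__":
    db = run_sample()
    print("de:ad:be:ef:00:01 ->", db.resolve_mac("de:ad:be:ef:00:01"))
    print("00:11:22:33:44:55 ->", db.resolve_mac("00:11:22:33:44:55", include_history=True))
```

Two points the sample run makes concrete: resolving the spoofed MAC returns both certificate fingerprints, which is why a MAC cannot serve as the sole identifier, while resolving the original MAC returns nothing current and only finds the endpoint through its history, which is why the other identifiers need to be collected alongside it.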