Re: [sacm] ECP question

"Banghart, Stephen A. (Fed)" <stephen.banghart@nist.gov> Mon, 15 April 2019 19:45 UTC

Return-Path: <stephen.banghart@nist.gov>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A7D2212037F; Mon, 15 Apr 2019 12:45:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nist.gov
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ezgz6C89g70b; Mon, 15 Apr 2019 12:45:39 -0700 (PDT)
Received: from GCC01-CY1-obe.outbound.protection.outlook.com (mail-cy1gcc01on0719.outbound.protection.outlook.com [IPv6:2a01:111:f400:fd00::719]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F117F1201C5; Mon, 15 Apr 2019 12:45:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nist.gov; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=52UhCEhWkR0F05c1Gw6jYVVWqoY1NpwMJtx99g/wdI8=; b=OfsoKjvkQjHLCDfIRvJXlWC2nctdfTwzfFyhuP9rVNpUX+lIxuwib3sGBZTjDoIU3cuf6JYPclSyGwSaZ8WLFovShebFUwkbOHbcXyNV2e6BFKSXvcLNTvRU7KzfN+vetFW36y5OA+H5dREuSSi5/VuCrfufKbKSZkDaFTZjMPA=
Received: from BN3PR09MB0609.namprd09.prod.outlook.com (10.160.120.12) by BN3PR09MB0611.namprd09.prod.outlook.com (10.160.120.139) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1792.19; Mon, 15 Apr 2019 19:45:32 +0000
Received: from BN3PR09MB0609.namprd09.prod.outlook.com ([fe80::1ce5:2c44:3260:75d3]) by BN3PR09MB0609.namprd09.prod.outlook.com ([fe80::1ce5:2c44:3260:75d3%8]) with mapi id 15.20.1792.018; Mon, 15 Apr 2019 19:45:32 +0000
From: "Banghart, Stephen A. (Fed)" <stephen.banghart@nist.gov>
To: Dan Ehrlich <dan=40ehrlichserver.com@dmarc.ietf.org>, "draft-ietf-sacm-ecp@ietf.org" <draft-ietf-sacm-ecp@ietf.org>, "sacm@ietf.org" <sacm@ietf.org>
Thread-Topic: [sacm] ECP question
Thread-Index: AQHU8ZHTJVTYrjWYtkWD91mq6GEQnqY5QTgAgARe/YA=
Date: Mon, 15 Apr 2019 19:45:32 +0000
Message-ID: <BN3PR09MB060951DE7B0D504F11BEBCD1F02B0@BN3PR09MB0609.namprd09.prod.outlook.com>
References: <CAABgnxisAZdgVWH11Rp-6NoNhwDnFUz2Bc3wYez-oCb0LA0JFQ@mail.gmail.com> <CAABgnxjPQL27bth-BwBYaKaKU941XRDRdsbpoZ1WxPcdEpmVhA@mail.gmail.com>
In-Reply-To: <CAABgnxjPQL27bth-BwBYaKaKU941XRDRdsbpoZ1WxPcdEpmVhA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=stephen.banghart@nist.gov;
x-originating-ip: [129.6.196.176]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 63be751d-d791-4804-08dd-08d6c1daebfb
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600140)(711020)(4605104)(4618075)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7193020); SRVR:BN3PR09MB0611;
x-ms-traffictypediagnostic: BN3PR09MB0611:
x-ms-exchange-purlcount: 5
x-microsoft-antispam-prvs: <BN3PR09MB0611F8D4C1967B28F321E225F02B0@BN3PR09MB0611.namprd09.prod.outlook.com>
x-forefront-prvs: 000800954F
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(396003)(366004)(346002)(136003)(39860400002)(376002)(199004)(189003)(76176011)(110136005)(478600001)(2501003)(54896002)(446003)(71190400001)(186003)(9686003)(68736007)(53936002)(6306002)(66066001)(316002)(11346002)(45080400002)(229853002)(52536014)(476003)(71200400001)(33656002)(55016002)(486006)(790700001)(3846002)(236005)(6116002)(74316002)(7736002)(2906002)(106356001)(14444005)(99286004)(7696005)(105586002)(8676002)(53546011)(102836004)(86362001)(97736004)(14454004)(6506007)(81156014)(966005)(6436002)(6246003)(8936002)(256004)(26005)(25786009)(606006)(5660300002)(81166006); DIR:OUT; SFP:1102; SCL:1; SRVR:BN3PR09MB0611; H:BN3PR09MB0609.namprd09.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: 0/HYrsFVZvQ8jdcI/8ksKYnpBjjF70ZuuKnxBLZQ4Pc4Ab+IEaSc7EedPEn5iAFwtejBzZIRWsGhTfZtRB/51iJkeOkoO2TqlqgwzesE54ZuFzt85owxGJr2E7EXKa7V/rGQO0fTRhHtz/T5UQQtuntGDgkozbI1Lf1JM/CSPIH9Zz4Q/LwSU1LqKFXICTrbIsvLW7+sDUUfdrzmpc9kOln9GeYNTBZFkC4vSlCSmrOaMLgBCH5F8dFndEhGwY9ndq9sC1CEv8bpq9E5hNa8CFriX18HkuZXVtkd3s36Hg5R8mza/fl9xEGhGE8Dw0jhpwzZw+rj9E7I55Vw3NA5KKkR63KfPugmkPTvDOnZtuTTJqfhe3ytfQpdPjtCv9Rh6rJPj2PhlpQszjCfdRLognV3QkyuIqGeeP1tKSlZC54=
Content-Type: multipart/alternative; boundary="_000_BN3PR09MB060951DE7B0D504F11BEBCD1F02B0BN3PR09MB0609namp_"
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-Network-Message-Id: 63be751d-d791-4804-08dd-08d6c1daebfb
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Apr 2019 19:45:32.4000 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN3PR09MB0611
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/uBEbpPBf3GZZb5MF0cuvoeBYJkc>
Subject: Re: [sacm] ECP question
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Apr 2019 19:45:44 -0000

Dan,

The link you posted had a small typo, here is a link to the datatracker page for the draft: https://datatracker.ietf.org/doc/draft-ietf-sacm-ecp/

Comments as a non-author:
The reference to MAC Addresses here is only really given as an example, it’s not a requirement or even much of a suggestion. While it’s true that MAC addresses are dubiously useful today, they are still valid to use as identifiers, and are still potentially useful as identifying information in the enterprise endpoint collection scenario (you mostly trust the endpoints in question).

Removing the reference entirely probably wouldn’t hurt anything, but the truth is that people use MAC addresses to track machines today, and pointing out that they can be used in this architecture as an ID is, IMO, worthwhile.

Perhaps a note on MAC addresses (and most hardware IDs) being flimsy could be present in the Security Considerations.

Cheers,
Stephen Banghart


From: sacm <sacm-bounces@ietf.org> On Behalf Of Dan Ehrlich
Sent: Friday, April 12, 2019 8:45 PM
To: draft-ietf-sacm-ecp@ietf.org; sacm@ietf.org
Subject: Re: [sacm] ECP question

Link I mentioned: https://datatracker.ietf.org/doc/draft-ietf-sacm-ecp/?include_text=1<https://datatracker.ietf..org/doc/draft-ietf-sacm-ecp/?include_text=1>

Section 3.2.1

On Fri, Apr 12, 2019 at 5:42 PM Dan Ehrlich <dan@ehrlichserver.com> wrote:
In the RFC for ECP, there is a section that mentions the potential use of MAC addresses for identifying endpoints.

My understanding is that there are many things wrong with MAC addresses today, such as that they can now be changed randomly by software, can't really be verified, can be spoofed easily, etc.

I cannot find the link I was using from yesterday, but can the MAC address mention be removed from ECP?


Apologies if I viewed an old draft or if this was previously discussed,

Dan Ehrlich
Austin, Texas
https://linkedin.com/in/danehrlich/
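The thread turns on how much weight a MAC address deserves as an endpoint identifier, given that software can now assign or randomise it. The following is an added example, not text or code from the ECP draft or from either poster: it parses a MAC in the common notations and reads the two IEEE-defined bits in the first octet, the I/G (multicast) bit and the U/L (locally administered) bit. An address with the U/L bit set was assigned by software rather than burned in by the manufacturer, which is what randomised Wi-Fi addresses on current phones and laptops look like; a collector can use that to downgrade its confidence in the identifier. The inventory records, host names and the "fair/weak/invalid" labels are constructed for the example. Note that a clear U/L bit proves nothing: a spoofed address can be chosen to look universally administered, so this is a plausibility check, not verification.

```python
"""Classify MAC addresses by the IEEE U/L and I/G bits (added example, not from the ECP draft)."""
import re
from dataclasses import dataclass

# aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff (separator must be consistent)
_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-])[0-9A-Fa-f]{2}(\1[0-9A-Fa-f]{2}){4}$")
# Cisco-style aabb.ccdd.eeff
_CISCO_RE = re.compile(r"^[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}$")


def parse_mac(text):
    """Return the six octets of a MAC address, rejecting anything malformed."""
    s = text.strip()
    if _MAC_RE.match(s):
        hexdigits = re.sub(r"[:-]", "", s)
    elif _CISCO_RE.match(s):
        hexdigits = s.replace(".", "")
    else:
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(hexdigits)


@dataclass(frozen=True)
class MacInfo:
    canonical: str            # lower-case, colon separated
    locally_administered: bool  # U/L bit (bit 1 of the first octet) set
    multicast: bool             # I/G bit (bit 0 of the first octet) set
    oui: str                    # first three octets, the manufacturer prefix


def classify_mac(text):
    """Decode the first-octet flag bits that say who assigned the address."""
    octets = parse_mac(text)
    first = octets[0]
    return MacInfo(
        canonical=":".join(f"{b:02x}" for b in octets),
        locally_administered=bool(first & 0x02),
        multicast=bool(first & 0x01),
        oui=":".join(f"{b:02x}" for b in octets[:3]),
    )


def identifier_strength(text):
    """Defender-side heuristic: how much a MAC should count as an endpoint ID.

    The labels are this example's own convention, not something the draft defines.
    """
    info = classify_mac(text)
    if info.multicast:
        return "invalid"  # a group address never names a single endpoint
    if info.locally_administered:
        return "weak"     # software-assigned or randomised; may change per session
    return "fair"         # looks burned-in, but is still unauthenticated and spoofable


def flag_unstable_ids(records):
    """Return hosts whose recorded MAC should not be relied on by itself."""
    return sorted(r["host"] for r in records if identifier_strength(r["mac"]) != "fair")


# Constructed inventory records, as a collector might hold them; not real data.
SAMPLE_INVENTORY = [
    {"host": "laptop-01", "mac": "3c:22:fb:12:34:56"},   # U/L clear: universally administered
    {"host": "phone-07", "mac": "da:a1:19:ab:cd:ef"},    # U/L set: randomised/software-assigned
    {"host": "printer-02", "mac": "00-1B-63-00-11-22"},  # U/L clear, dash notation
    {"host": "bogus-mcast", "mac": "01:00:5e:00:00:01"}, # I/G set: multicast, never an endpoint
]

if __name__ == "__main__":
    for rec in SAMPLE_INVENTORY:
        info = classify_mac(rec["mac"])
        print(rec["host"], info.canonical, identifier_strength(rec["mac"]))
    print("do not identify by MAC alone:", flag_unstable_ids(SAMPLE_INVENTORY))
```

Running the block lists each constructed host with its canonical address and strength label, and reports `phone-07` and `bogus-mcast` as hosts that need a second identifier. In a collection architecture this is the kind of check that backs up the caveat Stephen suggests for the Security Considerations: treat a MAC as one corroborating attribute among several, and expect locally administered addresses to change.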