Re: [secdir] Secdir early review of draft-ietf-opsawg-mud-08

Eliot Lear <> Tue, 29 August 2017 18:31 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 13F29132941; Tue, 29 Aug 2017 11:31:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -14.501
X-Spam-Status: No, score=-14.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id O0tHFZpSSE_u; Tue, 29 Aug 2017 11:31:51 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A7A70132951; Tue, 29 Aug 2017 11:31:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=7095; q=dns/txt; s=iport; t=1504031510; x=1505241110; h=subject:to:cc:references:from:message-id:date: mime-version:in-reply-to; bh=VZG6339rYaHJSnvJ6LZ61yhcCRf6ogtZlbY8zvBrtw8=; b=fsuioizn9Lrtr85g2uOm5Px4o+mUtyCD8+vPZMGKccig0qCSGDkVNlYQ rk31AifWh8/+J47cVn8fnZI8fRiMtjMMykcKS10iEiko04jpoG1BKNgde DGrPToJeQY8Khzge5/KR+w7HNybEZ/Xkqz3sznAM+A1nnmopLUOP6T/UV E=;
X-Files: signature.asc : 481
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0CeAgD5saVZ/xbLJq1dGgEBAQECAQEBA?= =?us-ascii?q?QgBAQEBiUqLEZB2IpY1ggQHggWDOwKEWBUBAgEBAQEBAQFrKIUYAQEBAQIBIwR?= =?us-ascii?q?EDgULCxgVFQICVwYBDAgBAYolCK5+gW06i18BAQEBAQEBAwEBAQEBAQEBEQ+DK?= =?us-ascii?q?oUzKwuCcoQwLQJVglSCYQEEiXcWiH2FIog8hDeCIY10ghKFZ4NZJIZ1lkI1IoE?= =?us-ascii?q?NMiEIHBVJhROCCj6MCgEBAQ?=
X-IronPort-AV: E=Sophos;i="5.41,445,1498521600"; d="asc'?scan'208";a="696830849"
Received: from (HELO ([]) by with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 29 Aug 2017 18:31:47 +0000
Received: from [] ( []) by (8.14.5/8.14.5) with ESMTP id v7TIVlPu007306; Tue, 29 Aug 2017 18:31:47 GMT
To: Adam Montville <>,
References: <>
From: Eliot Lear <>
Message-ID: <>
Date: Tue, 29 Aug 2017 20:31:46 +0200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Thunderbird/52.3.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="jmgMsA6Cn433PtjGGFebCXJVwkOsEDnT7"
Archived-At: <>
Subject: Re: [secdir] Secdir early review of draft-ietf-opsawg-mud-08
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 29 Aug 2017 18:31:53 -0000

Hi Adam,

Thanks very much for your review.  I'm pleased you like the general
approach.  You hit the nail on the head: this is NOT intended to be a
panacea, but a means by which the device (and its manufacturer) can
enlist the network's protection. Indeed as I mentioned the first time I
presented to SAAG, I will say now again (with feeling):

NOTHING in that draft nor anywhere ELSE should excuse a
manufacturer/developer from best coding practices and updating
software.  The best form of protection will ALWAYS ALWAYS be a well
secured device to begin with.

MUD is simply there to add an additional layer for when the hacker gets
there first...

Please now see below.

On 8/27/17 3:29 PM, Adam Montville wrote:
> Finally, I found myself wondering if this type of appraoch - communicating
> intended use - could be extended to software installed on general purpose
> devices. For example, it would be interesting to consider how a given installed
> software package could communicate not only its intended use, but it's
> preferred configuration.

I'd very much like to pursue this concept, but it seems to me it has to
be rooted in some sort of hardware trust.

> Some questions to consider (these are potential issues):
> At the top of page 9, the draft describes controller behavior for mobile
> devices - configurations should be removed when the device is removed. Does
> this apply also to intermittent devices? 
Well indeed so.  I think the discussion around mobility is confusing. 
I've cleaned that up.

> When would a device be considered
> "removed" instead of simply powered down?

I think the best way to look at this is to view the configuration
information as ephemeral, and since the device provides the information
on connect, or otherwise periodically (eg LLDP), you can regenerate the

>  Also, when reading that paragraph I
> began wondering about the load on Web servers serving MUD files - not that this
> draft should say anything about it, but that it's something manufacturers are
> going to have to consider and account for.
> Is a stronger statement needed on the first bullet of section 4? Should it
> read: Anything not explicitly permitted MUST be denied? Similarly for other
> requirements in MUD file processing. At about this point, I began wondering if
> additional security considerations may be required for the controller.

One of the principles we try to observe is that the administrator owns
the network.  As such we should be somewhat cautious about how we phrase
such things.  From a MUD perspective, what you end up with is an
access-list that an administrator might choose to augment.  For
instance, if he or she is running a special load on a Thing using
802.1AR certificates, he might want to augment the access to accommodate
a new feature.

In fact, it may be possible that a manufacturer writes such a complex
MUD file that the network administrator desires an optimization.  We do
not yet have enough experience to know what sort of normative statement
would cover that ;-)

> Section 9.2 describes DHCP server behavior, and is written in a manner
> presuming the DHCP server knows what's happening with these building blocks. I
> am not a DHCP expert, so there may be something in DHCP instructing a server to
> ignore everything it doesn't understand, but if that is not the case, then what
> is expected to happen when DHCP is not expecting these options and is not going
> to ignore them?

This is not a worry.  DHCP servers are very capable of ignoring unknown
options, and they have to be well bullet proofed today or we have FAR
FAR bigger fish to fry ;-)
> Nits follow:
> First paragraph of section 1.5: s/another example might to follow/another
> example might be to follow/
> Recommend the following for definition of Thing: the device emitting a MUD URL.

> Suggest striking last two sentences of Manufacturer definition, as irrelevant.

Ahhh but this actually is a big deal to system integrators ;-)  They
want to know what their role in the ecosystem is.

> Is there a way to make the ASCII art in section 1.7 a little cleaner? One
> possibility is to move the right side of the bounding box to the left by two or
> three places.

Sure.  Done.
> Also, the arrows to the line text isn't necessary (e.g.
> "----->get URL->" is cleaner as "---get URL--->").

> Second bullet on page 11: s/other otherwise/otherwise/

> Should there be a newline after "<CODE BEGINS>" at the start of section 6?

I'm going to leave that one to the YANG doctors...
> On page 17: s/end(ed)/end(s\/ed)/  Basically, the sentence without "ended"
> should read, "Information about when support ends, and when to refresh."

This will change with the updating of the model, based on YANG doctor
feedback.  That very container is likely to be consolidated away.
> Vertial spacing could be improved for the first bit in section 9, so that the
> look/feel surrounding OPTION_MUD_URL_V4 matches that of OPTION_MUD_URL_v6

Ok.  I think I addressed what you're talking about.
> Section 11, first sentence: s/link layer protocols/link layer protocol/

Good catch.

Best regards and thanks again for your review.