Re: [secdir] Secdir review of draft-ietf-anima-reference-model-06

Brian E Carpenter <brian.e.carpenter@gmail.com> Wed, 22 August 2018 04:47 UTC

To: Radia Perlman <radiaperlman@gmail.com>, secdir@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-anima-reference-model.all@tools.ietf.org
References: <CAFOuuo4bFw8r2j2UiWwc1GdtwT865q_MnuouD4BtJQCevs+f4w@mail.gmail.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Message-ID: <96d16d3e-3a40-1043-87c1-560f087db7bc@gmail.com>
Date: Wed, 22 Aug 2018 16:47:21 +1200
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/HTm6MNGMkvsmil3rY-gmMoXDuyA>
Subject: Re: [secdir] Secdir review of draft-ietf-anima-reference-model-06

Hi Radia,

Thanks for the review.

> This means that
> bringing in the proverbial light bulb into your house could compromise your
> whole house if the light bulb had a Trojan horse installed or some sort of
> bug that allowed it to be compromised.

Indeed. But please note that ANIMA is scoped for professionally managed
networks where there is indeed a form of admission control for new
nodes. If that isn't made clear enough, then it should be. Secure
enrolment is the main topic of two of the other drafts (BRSKI and ACP,
a.k.a. draft-ietf-anima-bootstrapping-keyinfra and
draft-ietf-anima-autonomic-control-plane). In that context, where for
example unknown BYOD devices simply could not join the autonomic network,
because they are unknown to the registrar, we think we are covered.

So in fact networks like homenets or *unmanaged* IoT edge networks
are not in scope. How malicious nodes can be kept out of those
networks is indeed an enormous challenge.

Regards
   Brian Carpenter

On 2018-08-22 16:29, Radia Perlman wrote:
> I have reviewed this document as part of the security directorate's ongoing
> effort to review all IETF documents being processed by the IESG.
> 
> These comments were written primarily for the benefit of the security area
> directors. Document editors and WG chairs should treat these comments just
> like any other last call comments.
> 
> This document is an overview document (intended as informational)
> introducing a large collection of I-Ds (intended as Proposed) describing
> autonomic networking. Aimed at the Internet of Things with devices with
> very little in the way of user interface other than over the network, the
> design goal is to be maximally auto-configuring. Security is bootstrapped
> using private keys and certificates installed by the manufacturer, where the
> first goal is to join new devices to some sort of domain.
> 
> The most suspicious thing from a security standpoint is that it appears all
> of the devices in a domain implicitly trust one another. This means that
> bringing in the proverbial light bulb into your house could compromise your
> whole house if the light bulb had a Trojan horse installed or some sort of
> bug that allowed it to be compromised. There is some mention of addressing
> this issue in the future, but unless I’m misunderstanding the approach this
> seems like a very dangerous thing to deploy even initially. It makes much
> more sense for each installed device to first become manageable by a single
> other device in the domain. That first management device could cautiously
> expand trust further.
> 
> The dangers are well summarized in Section 9 (Security Considerations).
> Section 9.2 includes this text:
> 
> The above threats are in principle comparable to other solutions: In
> the presence of design, implementation or operational errors,
> security is no longer guaranteed. However, the distributed nature of
> AN, specifically the Autonomic Control Plane, increases the threat
> surface significantly. For example, a compromised device may have
> full IP reachability to all other devices inside the ACP, and can use
> all AN methods and protocols.
> 
> For the next phase of the ANIMA work it is therefore recommended to
> introduce a sub-domain security model, to reduce the attack surface
> and not expose a full domain to a potential intruder. Furthermore,
> additional security mechanisms on the ASA level should be considered
> for high-risk autonomic functions.
>
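The three trust models argued about in this thread (every domain member trusts every other member; trust scoped to a sub-domain, as Section 9.2 recommends for the next phase; and the reviewer's suggestion that a new device first trusts only one management device) can be compared by asking how many devices a single compromised node can reach under each. The following toy model does that, and also shows the registrar refusing a device that is not on the operator's allow-list. It is an added example and is not code from the ANIMA drafts or from either correspondent; every device identifier, domain name, sub-domain label, allow-list entry and management relationship in it is constructed for illustration.

```python
"""Blast-radius model for three trust-scoping policies (added example).

Assumptions (constructed, not from the drafts): a device is a domain member
once the registrar has enrolled it; "full reachability inside the ACP" is
modelled as "can reach every other member of the same trust scope".
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: str   # hypothetical identity, e.g. a manufacturer serial
    domain: str
    subdomain: str


class Registrar:
    """Admission control: only identities on the operator's allow-list are
    enrolled into the domain; an unknown (e.g. BYOD) device is refused."""

    def __init__(self, domain, allowed_ids):
        self.domain = domain
        self.allowed = set(allowed_ids)
        self.enrolled = {}   # device_id -> Device

    def enrol(self, device):
        if device.domain != self.domain or device.device_id not in self.allowed:
            return False     # no domain certificate, never becomes a member
        self.enrolled[device.device_id] = device
        return True


def reachable_flat(registrar, compromised_id):
    """Flat domain: every member trusts every other member."""
    if compromised_id not in registrar.enrolled:
        return set()         # a device that was never enrolled reaches nothing
    return {d for d in registrar.enrolled if d != compromised_id}


def reachable_subdomain(registrar, compromised_id):
    """Sub-domain model: trust is scoped to the victim's own sub-domain."""
    victim = registrar.enrolled.get(compromised_id)
    if victim is None:
        return set()
    return {d.device_id for d in registrar.enrolled.values()
            if d.device_id != compromised_id and d.subdomain == victim.subdomain}


def reachable_explicit(manages, compromised_id):
    """Per-device model: a device only trusts the device that manages it, so a
    compromised node reaches exactly the devices below it in the management
    graph (transitive closure over 'manages' edges)."""
    seen, queue = set(), deque([compromised_id])
    while queue:
        node = queue.popleft()
        for child in manages.get(node, ()):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def blast_radius(registrar, manages, compromised_id):
    """Number of other devices reachable from one compromised node per policy."""
    return {
        "flat": len(reachable_flat(registrar, compromised_id)),
        "subdomain": len(reachable_subdomain(registrar, compromised_id)),
        "explicit": len(reachable_explicit(manages, compromised_id)),
    }


def build_example():
    """Constructed fleet: three core switches, two cameras, one unknown device."""
    reg = Registrar("example-domain", ["sw-01", "sw-02", "sw-03", "cam-01", "cam-02"])
    fleet = [
        Device("sw-01", "example-domain", "core"),
        Device("sw-02", "example-domain", "core"),
        Device("sw-03", "example-domain", "core"),
        Device("cam-01", "example-domain", "cameras"),
        Device("cam-02", "example-domain", "cameras"),
        Device("byod-99", "example-domain", "cameras"),  # not on the allow-list
    ]
    admitted = {d.device_id: reg.enrol(d) for d in fleet}
    # hypothetical management graph: sw-01 manages the rest, cam-01 manages cam-02
    manages = {"sw-01": ["sw-02", "sw-03", "cam-01"], "cam-01": ["cam-02"]}
    return reg, manages, admitted


if __name__ == "__main__":
    reg, manages, admitted = build_example()
    print("admitted:", admitted)
    for victim in ("cam-02", "cam-01", "sw-01", "byod-99"):
        print(victim, blast_radius(reg, manages, victim))
```

Running it shows the point of the discussion in numbers: with a flat domain, compromising a leaf camera exposes every other member, while the sub-domain policy limits it to the other camera and the explicit-trust policy limits it to nothing at all; the unknown device is refused at enrolment and therefore has no reach under any policy.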