Re: [secdir] Secdir review of draft-ietf-anima-reference-model-06
Brian E Carpenter <brian.e.carpenter@gmail.com> Fri, 24 August 2018 20:10 UTC
To: Radia Perlman <radiaperlman@gmail.com>, secdir@ietf.org, draft-ietf-anima-reference-model.all@tools.ietf.org
References: <CAFOuuo4bFw8r2j2UiWwc1GdtwT865q_MnuouD4BtJQCevs+f4w@mail.gmail.com> <96d16d3e-3a40-1043-87c1-560f087db7bc@gmail.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
Message-ID: <79f32b5b-256a-6dcd-5257-7155c638a508@gmail.com>
Date: Sat, 25 Aug 2018 08:10:03 +1200
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/qSzMdYg-vh9OBa3cLkkVzrkEUVI>
Radia,

We've added this in version -07. It was definitely needed:

   The scope of this model is therefore limited to networks that are to
   some extent managed by skilled human operators, loosely referred to
   as "professionally managed" networks. Unmanaged networks raise
   additional security and trust issues that this model does not cover.

Regards
   Brian

On 2018-08-22 16:47, Brian E Carpenter wrote:
> Hi Radia,
>
> Thanks for the review.
>
>> This means that
>> bringing in the proverbial light bulb into your house could compromise your
>> whole house if the light bulb had a Trojan horse installed or some sort of
>> bug that allowed it to be compromised.
>
> Indeed. But please note that ANIMA is scoped for professionally managed
> networks where there is indeed a form of admission control for new
> nodes. If that isn't made clear enough, then it should be. Secure
> enrolment is the main topic of two of the other drafts (BRSKI and ACP,
> a.k.a. draft-ietf-anima-bootstrapping-keyinfra and draft-ietf-anima-
> autonomic-control-plane.) In that context, where for example unknown
> BYOD devices simply could not join the autonomic network, because they
> are unknown to the registrar, we think we are covered.
>
> So in fact networks like homenets or *unmanaged* IOT edge networks
> are not in scope. How malicious nodes can be kept out of those
> networks is indeed an enormous challenge.
>
> Regards
>    Brian Carpenter
>
> On 2018-08-22 16:29, Radia Perlman wrote:
>> I have reviewed this document as part of the security directorate's ongoing
>> effort to review all IETF documents being processed by the IESG.
>>
>> These comments were written primarily for the benefit of the security area
>> directors. Document editors and WG chairs should treat these comments just
>> like any other last call comments.
>>
>> This document is an overview document (intended as informational)
>> introducing a large collection of I-Ds (intended as Proposed) describing
>> autonomic networking. Aimed at the Internet of Things with devices with
>> very little in the way of user interface other than over the network, the
>> design goal is to be maximally auto-configuring. Security is bootstrapped
>> using private keys and certificates installed by the manufacturer, where the
>> first goal is to join new devices to some sort of domain.
>>
>> The most suspicious thing from a security standpoint is that it appears all
>> of the devices in a domain implicitly trust one another. This means that
>> bringing in the proverbial light bulb into your house could compromise your
>> whole house if the light bulb had a Trojan horse installed or some sort of
>> bug that allowed it to be compromised. There is some mention of addressing
>> this issue in the future, but unless I'm misunderstanding the approach this
>> seems like a very dangerous thing to deploy even initially. It makes much
>> more sense for each installed device to first become manageable by a single
>> other device in the domain. That first management device could cautiously
>> expand trust further.
>>
>> The dangers are well summarized in Section 9 (Security Considerations).
>> Section 9.2 includes this text:
>>
>>    The above threats are in principle comparable to other solutions: In
>>    the presence of design, implementation or operational errors,
>>    security is no longer guaranteed. However, the distributed nature of
>>    AN, specifically the Autonomic Control Plane, increases the threat
>>    surface significantly. For example, a compromised device may have
>>    full IP reachability to all other devices inside the ACP, and can use
>>    all AN methods and protocols.
>>
>>    For the next phase of the ANIMA work it is therefore recommended to
>>    introduce a sub-domain security model, to reduce the attack surface
>>    and not expose a full domain to a potential intruder. Furthermore,
>>    additional security mechanisms on the ASA level should be considered
>>    for high-risk autonomic functions.
>>
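The thread above turns on two security points: the registrar's admission control keeps unknown devices out of the domain, and a flat domain gives any compromised member reachability to every other member, which the quoted Section 9.2 text proposes to reduce with a sub-domain model. The following toy model is an added illustration, not code from the draft or from any ANIMA implementation; the `Registrar`, `Device`, the allow-list, the sample domain and the two reachability policies are all constructed here for the purpose of comparing the blast radius of one compromised node under each policy.

```python
"""
Constructed model of the two trust scopes discussed in the thread.

  * flat domain: every enrolled node can reach every other node (the
    "full IP reachability to all other devices inside the ACP" concern);
  * sub-domain policy: a node can reach only nodes in its own sub-domain.

A Registrar admits only devices whose identity is on the operator's
allow-list, modelling the point that an unknown BYOD device cannot join.
All names, identifiers and the sample domain are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Device:
    device_id: str   # constructed stand-in for a manufacturer-installed identity
    subdomain: str   # operator-assigned grouping used by the sub-domain policy


@dataclass
class Registrar:
    """Admission control: enrol a device only if its identity is known."""
    allowed_ids: FrozenSet[str]
    enrolled: Dict[str, Device] = field(default_factory=dict)

    def enrol(self, dev: Device) -> bool:
        # Unknown identity (e.g. a BYOD phone): refused, never becomes a member.
        if dev.device_id not in self.allowed_ids:
            return False
        self.enrolled[dev.device_id] = dev
        return True


# A policy maps (registrar state, compromised node) -> set of reachable node ids.
Policy = Callable[[Registrar, str], Set[str]]


def reachable_flat(reg: Registrar, compromised_id: str) -> Set[str]:
    """Flat domain: a compromised member reaches every other member."""
    return {d for d in reg.enrolled if d != compromised_id}


def reachable_subdomain(reg: Registrar, compromised_id: str) -> Set[str]:
    """Sub-domain policy: reachability is confined to the victim's own sub-domain."""
    victim = reg.enrolled[compromised_id]
    return {d for d, dev in reg.enrolled.items()
            if d != compromised_id and dev.subdomain == victim.subdomain}


def blast_radius(reg: Registrar, compromised_id: str, policy: Policy) -> int:
    """Number of other members exposed if `compromised_id` is compromised."""
    return len(policy(reg, compromised_id))


def build_sample_domain() -> Registrar:
    """Constructed domain: three 'core' switches and three 'lighting' bulbs."""
    devices: List[Device] = [
        Device("sw-01", "core"), Device("sw-02", "core"), Device("sw-03", "core"),
        Device("bulb-01", "lighting"), Device("bulb-02", "lighting"),
        Device("bulb-03", "lighting"),
    ]
    reg = Registrar(frozenset(d.device_id for d in devices))
    for dev in devices:
        assert reg.enrol(dev)   # all sample devices are on the allow-list
    return reg


def unknown_device_is_refused(reg: Registrar) -> bool:
    """The proverbial unknown device: not on the allow-list, so not admitted."""
    return not reg.enrol(Device("phone-99", "byod"))


if __name__ == "__main__":
    reg = build_sample_domain()
    print("BYOD refused:", unknown_device_is_refused(reg))
    for name, policy in (("flat", reachable_flat), ("sub-domain", reachable_subdomain)):
        print(f"{name:10s} blast radius of bulb-01:",
              blast_radius(reg, "bulb-01", policy))
```

The comparison makes the Section 9.2 argument concrete: with six enrolled members, a compromised bulb under the flat policy exposes all five other members, while the sub-domain policy confines it to the two other bulbs. The registrar check is what keeps an unenrolled device out of either calculation in the first place.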