IETF Logo Mail Archive

Re: [Secdispatch] Appropriate WG for secure communication between networks and unknown clients

Mohit Sethi M <mohit.m.sethi@ericsson.com> Tue, 04 August 2020 09:15 UTC

Return-Path: <mohit.m.sethi@ericsson.com>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 362C33A101E for <secdispatch@ietfa.amsl.com>; Tue, 4 Aug 2020 02:15:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.15
X-Spam-Level:
X-Spam-Status: No, score=-1.15 tagged_above=-999 required=5 tests=[DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.949, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PN3G9CJ45UBl for <secdispatch@ietfa.amsl.com>; Tue, 4 Aug 2020 02:15:00 -0700 (PDT)
Received: from EUR05-DB8-obe.outbound.protection.outlook.com (mail-db8eur05on2073.outbound.protection.outlook.com [40.107.20.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D94E93A101D for <secdispatch@ietf.org>; Tue, 4 Aug 2020 02:14:59 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=bqVxCsR+0cWzWD0pXsmwPrs5ToGnTu8LhdXc+81alXn8ywgRBn3e9Jm71Rd6Sxg3QQKldGsvZ5hH9vTnl3mAvX4TNLqNkiYpsIDQZn2dGAcYg8WkKUm+8zMVB+xKdq/tNaUd1PjyDvqmjIWilDkYwsqHso9CYRmDkK89MWXAnTHh4u+FkTxK9GvhrrmXsoHW8di4FjCKtzgvfFguvfo9giluyd9Bd7Cldw/U94gmS1cR60C5Ojf8++4MGvqfmdSkdSi3N6E19Y+rsLCJ2UjuDSr8sVEi1/9S8lMtw3pvhrKU+K8hHhVptuHgPFZ0nRrjeQtxm5060yQtjVnTQd7u/g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=P7QqP5WW+x2svbpDOukUqL8Km1Jt3C8wj/TkycMSIlA=; b=Ob95t1CEMwEHrYq+UQE4hgocxzTVnrPn5DnOe2O2u75cmLIk1NJWou6NNooG3nMxa+jowuYLAUFEaS059tND8IcQdRshRbEMou6jo86lR3CMe+g1DWCEJRQCJx3SR5vMqV0BKyZLfqNdgf6raYO2DV0CxMvFPMMfaZm21hWTvUkBbwV4aJUEUdI5SiWy2LFqgEfxGOcSToQHq+FSpWCul6szEfHuOHOR8ZpAQAMIT4oNyWlhNg+O7zFcNt15oytMlPhx23ocqliMMaoC7DTFoGopBvoB7TCJ4nKocz03xy8xgDTAxq2AGDFUWVi68aGEPXxErmxyLkQmWg1VIdgUYA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=P7QqP5WW+x2svbpDOukUqL8Km1Jt3C8wj/TkycMSIlA=; b=p0bLGvCcffdH/uIoNHp886YzWe8xXwNsvrv2qtegb3N76E9VW+dS+XtVzRPwMDs2UxSYr0ORVMM3xH2FzJOYupfvZi7GZ8QOTKgj88rAmoj4bcpvYRlxVGYgUI46mQ3oxwD/uxmpcGqNoQcFIrjQkhXNKUxtTua5lmyJTeVZLUo=
Received: from HE1PR07MB3386.eurprd07.prod.outlook.com (2603:10a6:7:2d::25) by HE1PR0701MB2444.eurprd07.prod.outlook.com (2603:10a6:3:74::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3261.13; Tue, 4 Aug 2020 09:14:57 +0000
Received: from HE1PR07MB3386.eurprd07.prod.outlook.com ([fe80::e01c:9809:43db:67d3]) by HE1PR07MB3386.eurprd07.prod.outlook.com ([fe80::e01c:9809:43db:67d3%6]) with mapi id 15.20.3261.015; Tue, 4 Aug 2020 09:14:57 +0000
From: Mohit Sethi M <mohit.m.sethi@ericsson.com>
To: Richard Barnes <rlb@ipv.sx>, Tommy Jensen <Jensen.Thomas=40microsoft.com@dmarc.ietf.org>
CC: "secdispatch@ietf.org" <secdispatch@ietf.org>
Thread-Topic: [Secdispatch] Appropriate WG for secure communication between networks and unknown clients
Thread-Index: AQHWaj+4Q94W82SDX0uDRvo9NBjbvg==
Date: Tue, 04 Aug 2020 09:14:57 +0000
Message-ID: <c069bc56-e0d8-0bd3-ec12-1a0937de2b78@ericsson.com>
References: <DM6PR00MB0781A2E5741B0C0D4CC5D2B3FA4D0@DM6PR00MB0781.namprd00.prod.outlook.com> <CAL02cgQPxWBY7dL5ft6dQPVnJfCfhwMTHoRvOfujfZBszC89xw@mail.gmail.com>
In-Reply-To: <CAL02cgQPxWBY7dL5ft6dQPVnJfCfhwMTHoRvOfujfZBszC89xw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
authentication-results: ipv.sx; dkim=none (message not signed) header.d=none;ipv.sx; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [2001:14bb:190:1611:c268:154d:c886:2d7]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: de0779e4-b73c-4f4a-8dce-08d83856dbb3
x-ms-traffictypediagnostic: HE1PR0701MB2444:
x-microsoft-antispam-prvs: <HE1PR0701MB24443A5CF36DB6BA2A5D5FD1D04A0@HE1PR0701MB2444.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: UU75vdWymudd1HHB/2ps7rAYXqplepHGaW0tnpt69AoPpCX0JHyE+sZn/omRyey3MB8yJBNw9uxXNDTUCo0L1MYvygLqEDR/6NUeBebMxIVfSmx7a0nJlqnPzw2F/ORKoaXhlJ0HtW9nU6uO/9KoqSOSzilGYqMlQ+rX1NNLzhljRUnj7lKaBig19G/yHXItLOx+RBfwlPhhQLMlTET4AN1heielfKjuOr6bf6H0DlSN+vsvCDUIw0xal84hmXBcxV4LNq7DMxhlKkg3wNuyi2Izj7OwzoQdazb65/PUCAQ1dOOIVh4idhqcSf9BxemMGv+XoKS14ZH9wOtnOoD/7O5ghp+OIoLY8hbYrHEqrcnq00CsEXS88MF0RWbmilEIwuD2CoXDKQaOPAS1A6XGCOOLSFwcrdjsAqAxgOLImLYOplHtyPB7008XRY3YiPMzeOwIxlj4U4L7aovFtkgSSA==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR07MB3386.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(396003)(39860400002)(136003)(346002)(366004)(376002)(8676002)(2906002)(186003)(316002)(31686004)(83380400001)(31696002)(2616005)(86362001)(6486002)(166002)(110136005)(71200400001)(478600001)(966005)(8936002)(53546011)(6512007)(6506007)(76116006)(4326008)(66476007)(66556008)(64756008)(66446008)(36756003)(66946007)(5660300002)(43740500002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: d05n0wGKC/XWg6by8Eb8FPuSgYN7AU+XMM7lLi7N4E3lCiTv59tUUsvA6OJi6GdrjRu8ZtxG2HeNIk1XzJR0GcHd6qJQLG28EEIkCOtIZ93EZxn/hXPCGdOePAad0AA+6zEGpig5QAlWHL+hNwYBJZUZSbiR7fYEqPJi2EvlGEF7njE3LEJ8yu2zTDI2fMlyg6GqCM5Lggm7rMjUNsmmPQmeMDbfIEM4mC4/86cyZllcNnc/G2RuGWsf0pgBnexSLBcocYOZCJVQ8OinfmfqbTqQEHOg+0ymitEBQPF/R8mhqjWK7/VjRyy1o7RVxQ1aOMFnJkSieaVwzqiIfV8cuRIhEO+xM686fEJ9bjeYPNHZuBM/owl4M7fozv76l1F9vwzaBqjGdavDXzpccDsZhpj9aWveK0kFa9qgpZLTgRHgREtFR7yvfyYTMUh+3UcYfxuFi9sceYjfOkBFtWuwCfWgCbeAHIUusjSnKt0AA+eRfJG9hWpMUNwedGFzEyypITcViQFE3ItzVidD9YedBxuIbWPBK9rKtPhGyiadCmc+SBGo+ehBZj7UBxQ7OE9MQs0+mOowwdx5OGqQNL0lXpg8Wc8/F+evKBeEPZb2MQjyU0zpts8Nj8Itg+4Q5YOJ7EJuvJz3STq40zPA6Z5i56UgC9yCHEkpGk7zspLkfw0RcaZO5FQWjUl4lUdxUrjnXClUoMGoHVPS4tqx0/8AAg==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_c069bc56e0d80bd3ec121a0937de2b78ericssoncom_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR07MB3386.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: de0779e4-b73c-4f4a-8dce-08d83856dbb3
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 Aug 2020 09:14:57.5786 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: I9T3JPXyFVkKmhCtjvPWUA9xMV+RHf/xPpOBUYBzgUmDEW3sjfSx/3xZAWTMPraiQrYQJFR2SXzNV8TMOL9G3qn6xAALpfIkb7OPq+EV9+I=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0701MB2444
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/-ABNYv1CgWAeZI9wlTHv1iBoWJo>
Subject: Re: [Secdispatch] Appropriate WG for secure communication between networks and unknown clients
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Aug 2020 09:15:02 -0000

Hi,

I agree that it would be nice to solve this problem. However, I would like us to resist the temptation of designing yet-another-protocol.

As Richard mentioned, IEEE 802.1X is a great tool box which can provide:
- per-device individual credentials (vs. network-wide secrets)
- over 52 EAP authentication methods to choose from
- revocation of access of individual devices is straightforward
- possibility of device isolation into separate VLANs.

The popular 4 (windows, iOS, android, and linux) support it natively. It is widely deployed in enterprise networks.

Why not reuse it in the networks that you have in mind? And as someone said on the ADD mailing list, home is the new office and home networks are the new enterprise networks. Admittedly, there are some stumbling blocks that make the deployment of 802.1x challenging for ordinary users. It would be great if we could solve that.

--Mohit

On 8/3/20 10:36 PM, Richard Barnes wrote:
Hey Tommy,

Good question.  It seems like there's a threshold question here of how the endpoint gets configured so that it can authenticate the network.  In that regard, I don't think you're going to be able to avoid *some* out of band configuration.  The silver lining seems to be, though, that there are lots of existing OOB-configured things available that one could imagine relying on -- from full 802.1X to simple WEP passwords.  Also, if we can get a robust mechanism here, it would be useful for multiple things (just like DHCP is); for example, you could distribute captive portal / network access information that way.

All of which sounds like a big enough piece of work to merit its own working group.  Between the multiplicity of bootstrapping approachs you'll want to cover and the generality of the solution.  Honestly, it might not even belong in the SEC area, since a lot of the considerations are more INT-like -- one way to read this is as S-DHCP.

But this is a problem I would like to see solved.

--Richard


On Mon, Aug 3, 2020 at 1:59 PM Tommy Jensen <Jensen.Thomas=40microsoft..com@dmarc.ietf.org<mailto:40microsoft.com@dmarc.ietf.org>> wrote:
Hey SECDISPATCH,

In the ADD WG, there's been a lot of discussion on the topic of secure communication between networks and clients that aren't preconfigured. The context is how a network can convince a client, which has no out-of-channel configuration to use for confirming network identity, that it has recommendations that can be distinguished from an attacker on the network.

This was brought up in our WG as part of the "Network A recommends DNS server B" which is done over DHCP or RAs today. With encrypted DNS protocols now available, we want to allow a network to advertise its own encrypted DNS servers. However, if we use DHCP or RAs as they are defined today, this can be hijacked by an attacker to convince clients to setup secure connection to an attacker's server.

We know secured network configuration without out-of-band configuration is a hard problem but want to discuss it in a larger context than just DNS so we don't try to define a mechanism that cannot be reused by other scenarios.. This mailing list was recommended in our IETF 108 WG session as a good contact for helping us find the right audience for this discussion. Any thoughts?

Thanks,
Tommy Jensen
_______________________________________________
Secdispatch mailing list
Secdispatch@ietf.org<mailto:Secdispatch@ietf.org>
https://www.ietf.org/mailman/listinfo/secdispatch



_______________________________________________
Secdispatch mailing list
Secdispatch@ietf.org<mailto:Secdispatch@ietf.org>
https://www.ietf.org/mailman/listinfo/secdispatch

v2.23.0 | Report a Bug | By Email