IETF Logo Mail Archive

Re: [Secdispatch] [Iot-onboarding] DANE IOT proposed outcome

Mohit Sethi M <mohit.m.sethi@ericsson.com> Wed, 18 November 2020 12:58 UTC

Return-Path: <mohit.m.sethi@ericsson.com>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B3343A1873; Wed, 18 Nov 2020 04:58:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.102
X-Spam-Level:
X-Spam-Status: No, score=-2.102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fH629TaBkfbQ; Wed, 18 Nov 2020 04:58:40 -0800 (PST)
Received: from EUR02-AM5-obe.outbound.protection.outlook.com (mail-eopbgr00086.outbound.protection.outlook.com [40.107.0.86]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A8B8F3A0995; Wed, 18 Nov 2020 04:58:39 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Sisl7VhZkqoct3J2zd1Se4CztL4ZYzK1GALxpkRFvZx7gi+e7BApsob3FhxkpY6WhMXrJSfsEoXbmrb7k7Dm4BRWyEEOcFrdTNLP0mw6m791QOnGZWjJoXVIilfxTSSBqh6+i6rzQETiJmBEUB+fMtUpcRSgf7FMQcRUr9vZTy+c/l68to9gBPdu5v/SPBe/fqCEm2p7UomVqXZpOBNIgcmLb6rDCPjcrg/eROvfk+ohh1uQIAQTuDF8E0+/doTn1mcpV6YxIgYM3a36IF5R2EL35Nz8vTmMAGxgBLNoy5xxvDxQ7K9wWD2a8PQAWRU32vdHbGIVoKiBJPaO8vd8IA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=iIKED9aTtifi03BoaTX5DM3hRd90t5I9sZkuHmyWy8o=; b=E9vPyCUE4YPaY1SgERbRHu3jsRDUQE1+AKJ0MK1Kyvm+aoC8whcXVkiWi0d2OnmrbJJuJ7mJKzOgjUHb9Ppdo6m7hyXnrZCmIFIOvFMcWtJCCE/ywYclnEihgIZy9Cr22YHIo4qDQ/pBZ3pM0v3iFrddPRCm6l2D7+J+lTP3Z2EzxC0P5xtp8vWSNTRY94n2yvKtsdFrGu97CatS1dRqFgwNhg+By87DonIjgC1h78EI6EVRRJB62YCKgMx7ID0XiOpDCpT+BKQ1zgtdv+Hym8Gj7smsdAc+/Yt3IPivh9qk0NPO0hDmaF9hge68Tvt1jKv+V5Gi9TcUw0ks/OF5ww==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=iIKED9aTtifi03BoaTX5DM3hRd90t5I9sZkuHmyWy8o=; b=jQ/fOlS3m6SIl6hY1audM/6Zqnc17ycIHCxPU7FFZj1g5oFqjCwa4gTv+MlAL36g4EZ7sV7q9Cwe+JuwBmkZz5tggAWTAo45qqKE2F9Kc/uD2M9klDelrc/4nn+vAwqL0aCZ6dppNdBqycqnC3AwB5sKEtsM93Qt1iq93zmlLuw=
Received: from VI1PR07MB3215.eurprd07.prod.outlook.com (2603:10a6:802:1c::21) by VI1PR07MB3360.eurprd07.prod.outlook.com (2603:10a6:802:1c::26) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3589.16; Wed, 18 Nov 2020 12:58:35 +0000
Received: from VI1PR07MB3215.eurprd07.prod.outlook.com ([fe80::a926:3f37:978b:e40e]) by VI1PR07MB3215.eurprd07.prod.outlook.com ([fe80::a926:3f37:978b:e40e%6]) with mapi id 15.20.3589.017; Wed, 18 Nov 2020 12:58:34 +0000
From: Mohit Sethi M <mohit.m.sethi@ericsson.com>
To: "iot-onboarding@ietf.org" <iot-onboarding@ietf.org>, IETF SecDispatch <secdispatch@ietf.org>
Thread-Topic: [Iot-onboarding] [Secdispatch] DANE IOT proposed outcome
Thread-Index: AQHWvaqFnnGKZdDDOEyooCaxxNmdOQ==
Date: Wed, 18 Nov 2020 12:58:34 +0000
Message-ID: <dedb5fb7-f0bc-7e35-4f90-fddc2d093873@ericsson.com>
References: <2786E31F-2A4F-4901-8ECC-7AEF4B4D81E2@cisco.com> <b178d5066d6b4371a59ffe59bb6d6447@huawei.com> <CAHPuVdXo1o0d_WzLqTZ5s9+JNG=3kbNdTO1BrS7BdEBDd2F1Lw@mail.gmail.com> <CAEfM=vRotGf-SuYz8PKNop8zdCCA_-x+3xU81rMS6Le6EUOOFw@mail.gmail.com>
In-Reply-To: <CAEfM=vRotGf-SuYz8PKNop8zdCCA_-x+3xU81rMS6Le6EUOOFw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [2001:14bb:150:569:3e8c:ae9:d0ae:34c]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: ce6eef9a-911d-4911-a587-08d88bc1a8c5
x-ms-traffictypediagnostic: VI1PR07MB3360:
x-microsoft-antispam-prvs: <VI1PR07MB3360C326E8FD4DBC2AB91D9DD0E10@VI1PR07MB3360.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: s1HJbgz5pD8c4IWMxBrGqnkpQRKfb/BDYBIq4Q+iwVin0N6RuNY6cTvTcIvH3At+S59grCHaL3cRAM7uwZ1qRKQmqMRVbUAnyz3njSqlJjgC998O94VMvxGAJodfUU9rlANUPK+R7OjG++kjcYj8f7Uan2YMJNF1QXPC+XnSi/xKm6dnbUfirbPiTqib7mwv2t5AS7LqU+iYc5eZZFqpboc0wVftv5Nuzc2eWbnEDy4AQ0GPZ6NPc3l54/HUjHjNoi+x55Y0bcsiSIPF56ePTMN3A0imtMIMUkIEuGYLsZzkPtsr5s+84K0GlyCrd6KFY8GGLB24atD4ppSwZENLjbkrZ+xn8oGlQyEH53jyHuwUO9g5K7O5sNb6HHaEKl4x5ZG0EuwIq+LMvRiZHNktWImiiC3Ds032GvvpyNw/AMTUdZ1jSdkgpT9p6Pomv9t9Kh4Y/5SHMu1J1jUsr/iFqg==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:VI1PR07MB3215.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(136003)(396003)(366004)(39860400002)(376002)(346002)(966005)(110136005)(6512007)(450100002)(86362001)(53546011)(316002)(166002)(36756003)(31696002)(71200400001)(76116006)(5660300002)(6486002)(66446008)(478600001)(66946007)(66574015)(64756008)(66476007)(91956017)(83380400001)(6506007)(2616005)(66556008)(8676002)(8936002)(31686004)(2906002)(186003)(43740500002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: E4WwN7GWDg/dTfM0PHSLJ5s4Lp/ocAb8DDPgBfq3jEGFwYcXDjIXhb+zUalqq2amJ0S47IhfRwSQJdo8BffVblglVyt0ELo01S42mDVWhe/hL8aeH4AFiKE6hV44fXgnHLuGVNQhgbu5JV/sL//F/f+OPzDoV1I2jIn7c9MLNhMxZdgGGhcEJfzMSerWMOysF01mS6qyqYgWapFCP11cN13WLZlVTOSMYPZHSOk/l0pcXJOMDGAPNiO2CtLWUT4D1+7RMQOyZLZOm6XG+3wHL0bdP7D/QZBnsxfrO5CABsifLIsNfSluEOnF7c95rmds/oZnmSCsK5xRl3/RaDCjyi+7J0Big736PIIqruqREczJAESiIv9mCPM0ZBajuJbWJVr0keJN8Bt0cDoiYxLpAwJsczOqIs1+pT5fP4rM4jACCzG5EkCbmLzbMSJp3z14QVLnFuKRAz+xDfM0U5MOJd6Q0Jod7fGaBEr9wJXTsQTNJ31dJhvgUXs6c1vRXkdeMR0bNQqdm5bo+78Up9iWxQikGTv+BNmkKKLxXJqAnojeNZef03xJ3/CGJf/0+2Udm/yvQnzU4rm1ObYt6o9MUGI08RvuU3RAEAcAbrGNEzuUbiRQBG68jy74RGq3W+G/gLnV9D4GS7t4RLWefePYniGNOeAuB9YdKtlccxPzc5ugWnkL/EcAM7Zz0QHBCWyrDkjmqhrpLRdEL6auMv8+7c1u7EYutpsNTRzx7psyOh9+CuKlAfc90dY96ilrEy7ZEAaHqRbCGbrV8zYDbmfx9fY5lMCoY3dcbyTYlPkIsF2fSufW05wGGB88NWALiZF/TGS4ND+O0bLOiJ8Pdj6vqjN37oNPO3ZCjtZRcanE5NvEl9UFW5fRZQoFtvNeXaWmDduPFhfPJrtTAQAIP6L/g4dzuuLc1g+uuARuvGuSObnCcE3HSrU/Qsujit37KkDXYwZPo8aMtBDHyjl372VS1g==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_dedb5fb7f0bc7e354f90fddc2d093873ericssoncom_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: VI1PR07MB3215.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: ce6eef9a-911d-4911-a587-08d88bc1a8c5
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Nov 2020 12:58:34.8719 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: hf2kDjKAq8ywiTkH9fEz8aq8fkUcYFHLsw/3KoVPbKppGZ0o8ryFDW2712GG/WNsayvUHVReJKtnft0PYi9JENV+aVuguCEHhEokrUNj4w8=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR07MB3360
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/Ai1YXrdlm71Z8FndSGdrkj2ZYxs>
Subject: Re: [Secdispatch] [Iot-onboarding] DANE IOT proposed outcome
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Nov 2020 12:58:43 -0000

Hi Ash and Shumon,

My understanding is that your solution is applicable to any scenario that uses client certificates. Obviously IoT might be one application area for this, but there are many other uses of client authentication with certificates. I don't have any strong opinions about whether this is useful or not. But it might be good to have a separate focused DANE working group for these drafts if there is strong demand for such a solution. Your presentation also highlighted your intention of defining new RRtype and/or expanding the scope of TLSA. These things (along with DANE light etc.) would require the input of DNS and TLS folks (in addition to the IoT requirements).

Also, I didn't understand how would server authentication work? I probably did not listen to your presentation carefully enough but I suppose you cannot use DANE for server authentication in scenarios where the client device does not yet have Internet connectivity. So how would server authentication work in EAP-TLS/SIM card/IoT bootstrapping scenarios you discussed?

--Mohit

On 11/16/20 9:13 PM, Ash Wilson wrote:
Hi Wei Pan,
The process of bootstrapping the device's identity is outside the scope of our drafts, but I completely agree that getting the bootstrapping process right is important. We think that using DANE like this doesn't conflict with other bootstrapping processes; it just adds a DNS-discoverable public key to the identity of the device when it is provisioned.

One of the processes we are seeking to simplify is that of establishing trust directly between devices in the field, both of which may have only a keypair, and not the benefit of PKI that chains to a publicly trusted CA. Supporting x.509 certificates is in the interest of providing broad protocol compatibility (including the support of other adjacent standards like MUD: https://tools.ietf.org/id/draft-ietf-opsawg-mud-22.html#mudx509). By using TLSA for client auth, we allow devices with only a raw public key in DNS, as well as devices with metadata-rich x.509 certificates, to mutually authenticate without requiring the distribution of CA certificates, just based on knowledge of the communicating peer's DNS name.

SIM/UICC identity providers may provision public keys in DNS, and leave a record of the device's DNS name in the SIM card (likely to be found in the certificate). This gives the device that receives the SIM card the ability to do all the things that the PKI ecosystem supports now, with the additional benefit of being able to mutually authenticate without the other side of the handshake needing to possess and trust the CA certificate used to sign the certificate that ships with the SIM card. Naming collisions are prevented by binding the public key to the DNS name- only the possessor of the private key corresponding to the TLSA record is the 'real' identity holder.

In a similar fashion, device manufacturers may provision a DANE identity for devices before they ship. These device identities may reside in a DNS zone under the manufacturer's control, or the implementer may present the device certificates in a DNS zone under the implementer's control. This allows the identity to more naturally indicate the party responsible for the device's behavior, and can make the mitigation of some types of network abuse a little more straightforward.


On Mon, Nov 16, 2020 at 8:04 AM Shumon Huque <shuque@gmail.com<mailto:shuque@gmail.com>> wrote:
Hi Wei Pan,

I'll ask Ash (who is more plugged into the IOT ecosystem than I am) to confirm .. but yes, our use case expects devices to have IDevID or some other preconfigured unique value, so it should be possible to work with BRSKI. For the DNS record format naming, we were initially looking at the formats defined in draft-friel-pki-for-devices, specifically the LDevID organization managed form, but have a slightly simpler form currently specified in the draft.

Shumon.

On Mon, Nov 16, 2020 at 7:02 AM Panwei (William) <william.panwei@huawei.com<mailto:william.panwei@huawei.com>> wrote:
Thanks to Eliot for summarizing these.

I think the core concept of using DANE in IoT scenario is to get rid of certificates and PKIX. The solution of how to securely onboard the IoT devices and allocate the DNS domain name, both with and without initial certificates, is the key part to figure out.
If the IoT devices have no initial certificates, such as 802.1AR IDevID certificate, as their initial identity, then the BRSKI mechanism won’t be appropriate for these devices because BRSKI has a requirement of IDevID.
If the IoT devices have an IDevID certificate, I think it can still use BRSKI to onboard, but it won’t use EST to request a certificate any more, instead, it will apply for a DNS domain name by using some protocols.

That’s my preliminary thoughts, maybe not right.

Regards & Thanks!
Wei Pan

From: Secdispatch [mailto:secdispatch-bounces@ietf.org<mailto:secdispatch-bounces@ietf.org>] On Behalf Of Eliot Lear
Sent: Monday, November 16, 2020 6:55 PM
To: secdispatch@ietf.org<mailto:secdispatch@ietf.org>
Subject: [Secdispatch] DANE IOT proposed outcome

Thanks to Shumon for presenting the DANE use case for IOT.

We discussed taking this to the iot-onboarding@ietf.org<mailto:iot-onboarding@ietf.org> list as there were a number of rather big open issues that people wanted to discuss.

We also discussed a non-WG forming BOF to look at, as Ted put it, the broader context for onboarding.  To give people a feel for the sort of related work that is available, here are a list of related activities:


  *   draft-ietf-anima-bootstrapping-keyinfra (BRSKI) is a request/response mechanism that uses RFC 8366 vouchers to introduce devices and network infrastructure.
  *   Intel’s SDO provides an application level introduction using vouchers as well.  This work has been taken up by the FIDO alliance.
  *   The Wifi Alliance has Device Provisioning Protocol (DPP) which does not attach to a global name space prior to provisioning having occurred, but does represent a minimum case (just public keys).
  *   draft-friel-eap-tls-eap-dpp borrows from DPP, intended mostly for wired use, where DPP is focused on 802.11 networks.
  *   There are a number of BRSKI related drafts by Owen as well, relating to cloud-based registrars.
  *   There is also work by Michael Richardson and Peter Van Der Stock on constrained vouchers.  That work is taking place in ACE.

Understanding the landscape might help us understand where DANE fits in.

Regards,

Eliot
_______________________________________________
Secdispatch mailing list
Secdispatch@ietf.org<mailto:Secdispatch@ietf.org>
https://www.ietf.org/mailman/listinfo/secdispatch
--
Iot-onboarding mailing list
Iot-onboarding@ietf.org<mailto:Iot-onboarding@ietf.org>
https://www.ietf.org/mailman/listinfo/iot-onboarding


--
Ash Wilson | Technical Director
e: ash.wilson@valimail.com<mailto:ash.wilson@valimail.com>

[https://lh5.googleusercontent.com/_vs__6iRjfmT2Ae5LLNBb8nEopl2M5Tl5QlpS6LS0Lh0vv4TYnZu-Mff2kDFOqe0LhbnSXprAx4yoaTvq_Tc_7n1b8yzGIqoxuhedthDxYQansg8ChT2x5EcZV3rjz19-Dx9rESL]


This email and all data transmitted with it contains confidential and/or proprietary information intended solely for the use of individual(s) authorized to receive it. If you are not an intended and authorized recipient you are hereby notified of any use, disclosure, copying or distribution of the information included in this transmission is prohibited and may be unlawful. Please immediately notify the sender by replying to this email and then delete it from your system.

v2.23.0 | Report a Bug | By Email