Re: [Secdispatch] Appropriate WG for secure communication between networks and unknown clients

Mohit Sethi M <mohit.m.sethi@ericsson.com> Tue, 04 August 2020 09:14 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/udRcLXDkR5IasasEyrqMBG2Gfc4>

Hi Tommy,

Would it be fair to summarize your requirements as:

- Client devices don't have any pre-configured credentials or information about the network

- No out-of-band configuration of any sort is possible

In that case, I guess I don't have any black magic to offer. The only techniques that I am aware of are in research literature: see secure in-band pairing: https://www.usenix.org/legacy/events/sec11/tech/full_papers/Gollakota.pdf

--Mohit

On 8/3/20 8:58 PM, Tommy Jensen wrote:
Hey SECDISPATCH,

In the ADD WG, there's been a lot of discussion on the topic of secure communication between networks and clients that aren't preconfigured. The context is how a network can convince a client, which has no out-of-channel configuration to use for confirming network identity, that it has recommendations that can be distinguished from an attacker on the network.

This was brought up in our WG as part of the "Network A recommends DNS server B" which is done over DHCP or RAs today. With encrypted DNS protocols now available, we want to allow a network to advertise its own encrypted DNS servers. However, if we use DHCP or RAs as they are defined today, this can be hijacked by an attacker to convince clients to set up a secure connection to an attacker's server.

We know secured network configuration without out-of-band configuration is a hard problem but want to discuss it in a larger context than just DNS so we don't try to define a mechanism that cannot be reused by other scenarios. This mailing list was recommended in our IETF 108 WG session as a good contact for helping us find the right audience for this discussion. Any thoughts?

Thanks,
Tommy Jensen
