Re: [lamps] Call for adoption of draft-housley-lamps-3g-nftypes
tirumal reddy <kondtir@gmail.com> Wed, 10 August 2022 06:55 UTC
Return-Path: <kondtir@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 37080C157B55 for <spasm@ietfa.amsl.com>; Tue, 9 Aug 2022 23:55:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AsY5iP4ulxgS for <spasm@ietfa.amsl.com>; Tue, 9 Aug 2022 23:55:35 -0700 (PDT)
Received: from mail-lf1-x134.google.com (mail-lf1-x134.google.com [IPv6:2a00:1450:4864:20::134]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A7907C14F73F for <spasm@ietf.org>; Tue, 9 Aug 2022 23:55:35 -0700 (PDT)
Received: by mail-lf1-x134.google.com with SMTP id r17so19918452lfm.11 for <spasm@ietf.org>; Tue, 09 Aug 2022 23:55:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc; bh=eqwNL9SYM0Q2cR440GvgeIMYMEDkFAONgK4lndKeBD8=; b=IstzfGq84TnxYU6vHjZyTcUzv06rJU+3zmRvvLMvl+Q8joIvaMqGHWAIBqdqaG7CfE WnLHWQAwSJ0QsZwWQvZ/fm9moEBkgofxVFGCdGsQY50G7oSQJIUz+IGDtDbDo8iMAnGt RjQPRtmT5fFBrmZpFkpaXcWivD8QhWqL78+Me0EDJ3rw25lfDo5FlJo4YgFb1scTjYq9 IX7QQlZW1TP6wolMZBSgT7XDAwPpc2oVToIWiggFVO6d0J/Fuvs+dJ/k4TMt1NSpj+WL XYqKX6JOIP8YNR1VfEZ8oLcPlLhpmW9N5Db340JlBbF2+346h44enohaPdmbaSA0TdPx 9PKA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc; bh=eqwNL9SYM0Q2cR440GvgeIMYMEDkFAONgK4lndKeBD8=; b=YPhWsW5DL91BgyWLOGT9yAb3H8TqbAFidsdRjY/Dzg9LjAlMAqtMQssS0FIMitJSxU 7AWpHq2kk9wA1jj/8KMf6bM7byIUAfO+fUI4wQ1inB+o19h65mdG+Z2dGaCuJjl7bScc 8H8GfRKoyqGsey0hw6F6fkrnSgauo3pRT2XI1hn6WW66UaQwYNmPOXVrbQenjzhzG45O RafG/rzUnoFtdH3sdukRwRIwcaoUZjKMuCYg3ZzhQfcOJG64EA+2AYzhKPGOxBDRVRgi gAy7Q2S0QjweMpKwRzZa/PcaZFiDrwIztQ/FxQGamjHpbzCfycFVRteH6owl5dSRl0bA WL8A==
X-Gm-Message-State: ACgBeo12p3WI4HMKhJVe79BsyophxRzmC6m8goKJq5xmEPMs9hwcl4cK yDcs7ZiIj1JIAtYjAQ6BVjnSEwXYu4KcSiQ32XE=
X-Google-Smtp-Source: AA6agR5YjGE+SS/K+VZnNGxjRZgyarjoSx3D8kOxnC75nfiHVswh08VD+NobRUrjYBq5/XJF21GzOUXX3S6TJRm45e4=
X-Received: by 2002:a19:7513:0:b0:48b:1d77:aa75 with SMTP id y19-20020a197513000000b0048b1d77aa75mr8768756lfe.330.1660114533623; Tue, 09 Aug 2022 23:55:33 -0700 (PDT)
MIME-Version: 1.0
References: <DM8PR14MB52376D8E7F6F414563238A18839F9@DM8PR14MB5237.namprd14.prod.outlook.com> <CAFpG3gciz2h+wTCnWy0Uazn+CLSKhWaCRnk6tNtptZriVtvseA@mail.gmail.com> <E1C193C7-F876-4F18-8AD8-8548F4BFA983@vigilsec.com> <CAFpG3geF2jxoMZfeXO9hLM+9z6Ovsn59eBhYYmEez7A=AfF4eA@mail.gmail.com> <2404FB76-F49E-4DBE-A8F9-7655EE210440@vigilsec.com> <CAFpG3gdq-O7-bqXFyLkQ0Rd8YW_G9WZkaii-__rBuA3MFbnPRg@mail.gmail.com> <DU0PR03MB86963D63921A321097313CDE86659@DU0PR03MB8696.eurprd03.prod.outlook.com>
In-Reply-To: <DU0PR03MB86963D63921A321097313CDE86659@DU0PR03MB8696.eurprd03.prod.outlook.com>
From: tirumal reddy <kondtir@gmail.com>
Date: Wed, 10 Aug 2022 12:25:21 +0530
Message-ID: <CAFpG3gddN0QaiBiGoQL1Qja_gc14JRz_BncaHXdZLMSRjMUDPQ@mail.gmail.com>
To: Tomas Gustavsson <Tomas.Gustavsson@keyfactor.com>
Cc: Russ Housley <housley@vigilsec.com>, LAMPS <spasm@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000102bae05e5dd895d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/aVp4hRnHSnL877BUFkKtPZEre-8>
Subject: Re: [lamps] Call for adoption of draft-housley-lamps-3g-nftypes
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Aug 2022 06:55:40 -0000
On Wed, 10 Aug 2022 at 12:02, Tomas Gustavsson < Tomas.Gustavsson@keyfactor.com> wrote: > I don't think 3GPP networks will make use of certificate transparency > logs. These are internal telco networks and will not use publicly trusted > WebPKI CAs for issuing TLS certificates. I don't think publicly trusted CAs > could even issue these certificates as it may contain other information > than what's allowed by Baseline Requirements, such as internal > hostnames/IPs. > Thanks. Please update the draft to say the deployment model uses an internal CA and not a public WebPKI CA. > > There are some guards against malicious network functions built into the > 3GPP specification, by the usage of vendor certificates for authenticating > the network functions the MNO plans to put into it's network. > A pointer to the relevant document will be helpful. -Tiru > > Cheers, > Tomas > > ------------------------------ > *From:* Spasm <spasm-bounces@ietf.org> on behalf of tirumal reddy < > kondtir@gmail.com> > *Sent:* Wednesday, August 10, 2022 7:22 AM > *To:* Russ Housley <housley@vigilsec.com> > *Cc:* LAMPS <spasm@ietf.org> > *Subject:* Re: [lamps] Call for adoption of draft-housley-lamps-3g-nftypes > > CAUTION: External Sender - Be cautious when clicking links or opening > attachments. Please email InfoSec@keyfactor.com with any questions. > > Hi Russ, > > Please see inline > > On Mon, 8 Aug 2022 at 21:01, Russ Housley <housley@vigilsec.com> wrote: > > Tiru: > > 1. Yes, this is a good topic to expand the Security Considerations. > > 2. This seems pretty obvious to me, but I will think about a sentence or > two for a more complete explanation. > > > Thanks. You may want to also discuss the privacy and security implications > of using NFType in the certificate extension for RBAC. For example (1) If > TLS 1.2 is used by network functions, pervasive monitoring is possible for > an attacker to identify the NFTypes visible in the TLS handshake and can > potentially target a specific NFType (e.g., subject to DDoS or launch a > targeted attack). (3) Misuse of NFType to gain additional privileges and > what are the potential remediation techniques ? > > > Yes, the certificate is plaintext when TLS 1.2 is used, and it it > encrypted when TLS 1.3 or IKEv2 is used. > > > In TLS 1.3 (without encrypted client hello), SNI will not be encrypted and > it is possible for an attacker to get the certificate content from > certificate transparency logs to identify the NFTypes associated with the > FQDN. > > > > I'm not sure what you mean about misuse of the NFType. Are you talking > about the trusted CA putting the wrong NFType in the certificate? > > > No, trusted CA may not inject a wrong NFType and it can be validated by > the network function sending the CSR to the CA. > I meant the NFTypes and FQDN of network functions will be available in the > certificate transparency logs. It exposes the internal/external network > functions details to anyone on the Internet. It may also be possible for an > internal attacker to host a malicious network function and misuse the > NFType to gain additional privileges. > > Cheers, > -Tiru > > > Russ > >
- [lamps] Call for adoption of draft-housley-lamps-… Tim Hollebeek
- Re: [lamps] Call for adoption of draft-housley-la… Daniel Migault
- Re: [lamps] Call for adoption of draft-housley-la… Corey Bonnell
- Re: [lamps] Call for adoption of draft-housley-la… Joseph Mandel
- Re: [lamps] Call for adoption of draft-housley-la… Tomas Gustavsson
- Re: [lamps] Call for adoption of draft-housley-la… tirumal reddy
- Re: [lamps] Call for adoption of draft-housley-la… Russ Housley
- Re: [lamps] Call for adoption of draft-housley-la… tirumal reddy
- Re: [lamps] Call for adoption of draft-housley-la… Russ Housley
- Re: [lamps] Call for adoption of draft-housley-la… Kampanakis, Panos
- Re: [lamps] Call for adoption of draft-housley-la… tirumal reddy
- Re: [lamps] Call for adoption of draft-housley-la… Tomas Gustavsson
- Re: [lamps] Call for adoption of draft-housley-la… tirumal reddy
- Re: [lamps] Call for adoption of draft-housley-la… Tomas Gustavsson
- Re: [lamps] Call for adoption of draft-housley-la… Peinado, German (Nokia - PL/Wroclaw)
- Re: [lamps] Call for adoption of draft-housley-la… Russ Housley
- Re: [lamps] Call for adoption of draft-housley-la… Russ Housley
- Re: [lamps] Call for adoption of draft-housley-la… Peinado, German (Nokia - PL/Wroclaw)
- Re: [lamps] Call for adoption of draft-housley-la… Sean Turner
- Re: [lamps] Call for adoption of draft-housley-la… Russ Housley
- Re: [lamps] Call for adoption of draft-housley-la… Peinado, German (Nokia - PL/Wroclaw)
- Re: [lamps] Call for adoption of draft-housley-la… Russ Housley
- Re: [lamps] Call for adoption of draft-housley-la… Tim Hollebeek