Re: [lamps] Call for adoption of draft-housley-lamps-3g-nftypes
tirumal reddy <kondtir@gmail.com> Wed, 10 August 2022 05:22 UTC
From: tirumal reddy <kondtir@gmail.com>
Date: Wed, 10 Aug 2022 10:52:02 +0530
Message-ID: <CAFpG3gdq-O7-bqXFyLkQ0Rd8YW_G9WZkaii-__rBuA3MFbnPRg@mail.gmail.com>
To: Russ Housley <housley@vigilsec.com>
Cc: LAMPS <spasm@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/ay4arCVj0n-bGMGU9KcEY-5ZQ2g>
Hi Russ,

Please see inline.

On Mon, 8 Aug 2022 at 21:01, Russ Housley <housley@vigilsec.com> wrote:

> Tiru:
>
>>> 1. Yes, this is a good topic to expand the Security Considerations.
>>>
>>> 2. This seems pretty obvious to me, but I will think about a sentence or
>>> two for a more complete explanation.
>>
>> Thanks. You may want to also discuss the privacy and security implications
>> of using NFType in the certificate extension for RBAC. For example (1) If
>> TLS 1.2 is used by network functions, pervasive monitoring is possible for
>> an attacker to identify the NFTypes visible in the TLS handshake and can
>> potentially target a specific NFType (e.g., subject to DDoS or launch a
>> targeted attack). (3) Misuse of NFType to gain additional privileges and
>> what are the potential remediation techniques?
>
> Yes, the certificate is plaintext when TLS 1.2 is used, and it is
> encrypted when TLS 1.3 or IKEv2 is used.

In TLS 1.3 (without encrypted client hello), SNI will not be encrypted, and it is possible for an attacker to get the certificate content from certificate transparency logs to identify the NFTypes associated with the FQDN.

> I'm not sure what you mean about misuse of the NFType. Are you talking
> about the trusted CA putting the wrong NFType in the certificate?

No, a trusted CA may not inject a wrong NFType, and it can be validated by the network function sending the CSR to the CA. I meant the NFTypes and FQDN of network functions will be available in the certificate transparency logs. It exposes the internal/external network function details to anyone on the Internet. It may also be possible for an internal attacker to host a malicious network function and misuse the NFType to gain additional privileges.

Cheers,
-Tiru

> Russ
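The disclosure point raised above (the NFTypes and the FQDN in a certificate are readable by anyone who sees the TLS 1.2 handshake or a certificate transparency log entry) can be made concrete with an audit routine that reports exactly what such an observer learns. This is an added example, not code from the thread, the draft or 3GPP; it assumes a placeholder private-use OID for the NFTypes extension and a plain SEQUENCE OF string encoding, since the thread states neither, and the FQDN and NF labels are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Placeholder OID for the NFTypes extension: the thread does not give the real
// arc, so this private-use value is an ASSUMPTION for the demo only.
var oidNFTypesPlaceholder = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// Exposure is what a passive observer of a TLS 1.2 handshake, or anyone
// reading a CT log entry, learns from the certificate alone.
type Exposure struct {
	DNSNames []string
	NFTypes  []string
}

// issueSelfSigned builds a self-signed end-entity certificate for an FQDN and
// attaches the NFTypes as a SEQUENCE OF string under the placeholder OID.
// The SEQUENCE OF string encoding is an ASSUMPTION for the demo; the draft's
// ASN.1 module is authoritative for the real structure.
func issueSelfSigned(fqdn string, nfTypes []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	extVal, err := asn1.Marshal(nfTypes)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: fqdn},
		DNSNames:     []string{fqdn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		ExtraExtensions: []pkix.Extension{{
			Id:    oidNFTypesPlaceholder,
			Value: extVal,
		}},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// AuditExposure parses a DER certificate the way a CT log consumer would and
// returns the SAN names plus any NFTypes carried in the extension, i.e. the
// data the thread is concerned about. A malformed extension is reported as an
// error rather than silently ignored.
func AuditExposure(der []byte) (Exposure, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return Exposure{}, err
	}
	exp := Exposure{DNSNames: cert.DNSNames}
	for _, e := range cert.Extensions {
		if !e.Id.Equal(oidNFTypesPlaceholder) {
			continue
		}
		var types []string
		rest, err := asn1.Unmarshal(e.Value, &types)
		if err != nil {
			return exp, fmt.Errorf("malformed NFTypes extension: %w", err)
		}
		if len(rest) != 0 {
			return exp, fmt.Errorf("trailing bytes after NFTypes extension")
		}
		exp.NFTypes = types
	}
	return exp, nil
}

func main() {
	// Constructed sample input: FQDN and NF labels exist only for this demo.
	der, err := issueSelfSigned("nf1.example.net", []string{"AMF", "SMF"})
	if err != nil {
		panic(err)
	}
	exp, err := AuditExposure(der)
	if err != nil {
		panic(err)
	}
	fmt.Printf("visible to CT readers and TLS 1.2 observers: %+v\n", exp)
}
```

Running `AuditExposure` over a certificate before it is issued or submitted to a public log shows the operator the same view an outsider gets: with the extension present, both the FQDN and the NF role are disclosed without any key material, which is the privacy consideration the thread asks the draft to document.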