IETF Logo Mail Archive

Re: [Suit] [Last-Call] Opsdir last call review of draft-ietf-suit-mud-06

Hannes Tschofenig <hannes.tschofenig@gmx.net> Tue, 26 December 2023 17:17 UTC

Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CEF4C14F6A4; Tue, 26 Dec 2023 09:17:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.102
X-Spam-Level:
X-Spam-Status: No, score=-2.102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmx.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K3v98xRv8U3y; Tue, 26 Dec 2023 09:17:51 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.22]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7A9BDC14F6A2; Tue, 26 Dec 2023 09:17:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=s31663417; t=1703611064; x=1704215864; i=hannes.tschofenig@gmx.net; bh=E1vciZpVdNGSId+mcGVSPa1ZTmuLXiCoKivaAvkxUVg=; h=X-UI-Sender-Class:Date:Subject:To:Cc:References:From: In-Reply-To; b=Q47CWgm2Nzbh6cri+3J3BOfuss7Vbi2duQk4OZh9SWo+7sGHk2CckrvH3OZfMpTK ac7DZA35GvjqpmTzwyPrvwtI2PCwfuVM+1QMgBPHeD73dlJ3Ad2Hz+h5xUBOwU90C F2MwKnqhBVxmL5+WhqEj6VDrA+dXdCcuT8DgPfTWCJE4RlgVCm6jdKZ4L5XA3o3W/ JtKFHpy6rtzFCCkjvl65n0SoIVPrhRsP2kfmDUBpY9Mb9bK997OxBFExiyMNVGCgK Gs2He5o4/aoBclp1kdbIG/m6U9/fdk82eFY4JnVU9MrYQWLnYQxnhOzztIkbofUTD +a4WLrAmAbByXyydkg==
X-UI-Sender-Class: 724b4f7f-cbec-4199-ad4e-598c01a50d3a
Received: from [172.16.254.186] ([185.176.157.173]) by mail.gmx.net (mrgmx104 [212.227.17.168]) with ESMTPSA (Nemesis) id 1MWici-1rkt4x3Sfo-00X7jf; Tue, 26 Dec 2023 18:17:43 +0100
Content-Type: multipart/alternative; boundary="------------ZQiSVk5kvFJUwEP9Dy4bSnOT"
Message-ID: <ac79007d-f88d-4f29-a95d-3c92f3bf5948@gmx.net>
Date: Tue, 26 Dec 2023 18:17:43 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: sarikaya@ieee.org, Eliot Lear <lear@lear.ch>
Cc: Susan Hares <shares@ndzh.com>, ops-dir@ietf.org, draft-ietf-suit-mud.all@ietf.org, last-call@ietf.org, suit@ietf.org
References: <170170315182.17411.11522235103450951717@ietfa.amsl.com> <e92a87df-5554-4dda-b5aa-47155f3c4614@gmx.net> <ef80cde4-027a-463d-8b6b-21df80fa9d8e@lear.ch> <aca7f406-ba0e-4f66-ae27-1e34d97cc28c@gmx.net> <983b4f20-fc7c-44ac-943f-100253653d4e@lear.ch> <CAC8QAcc2FsRCvhTk1x3JxOaCDNUABY0kHeZAiMSnm0_xfadGQQ@mail.gmail.com>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
In-Reply-To: <CAC8QAcc2FsRCvhTk1x3JxOaCDNUABY0kHeZAiMSnm0_xfadGQQ@mail.gmail.com>
X-Provags-ID: V03:K1:2szadF4M+vxQgqO51TSXcYaEv6CqUNtYg5FXOjdmLwe/1fl7UYN p/FSlCzXG5a2FB2Fo29uVqXBq6+LWCLbG9R0hjUbY44VhRhJLTuukfrLShbb3ynXgWBQBPX 0kadESeHpMsQ1TLQ3dTiEKY7xSeNmcTbVyCyslv94Prvv3GT7r414/rNXbEf2cGjJkyJA3o Y/bZwpOdiA8JBQz+0arsg==
UI-OutboundReport: notjunk:1;M01:P0:uAjZ37sX4iQ=;3mVZG/DvOIicxCC/y9qxOumvQcZ VWzivOLsCFV5B3HOTezl7xq2aLgjUBbzwR/o5AKz1bAlLOTsv+FCstBvsLovDsvQnDUIhdH+V FBjlrSLbDtAlB2cIe8zIU0icP9JLrDxU2D8hNfnnfn61R9T/ukmXIVNY3GLVUJPw4Pp8mjceZ Yxt6eFaiQbR6Fcvg0oryX6XbYWt1td3/XsfcBB/4peVmiQwvvqwQrjDmKxakVlKaLGMO4GNef BYG4izj8sBuwSZiXQImPNNKEcS450m4acAvEB9sSGmtz0NHpboD5Ipm83f8hgDiZ+LQVoxffi WSAHDa+/KhT2tvP+mO6FxwzDYYoDbM+GyLb5Ri2Jxo8nz4oseA/s1D2xfZMfIS9h/4qRt3ztN 5u8K6DxbWuqisbU0RzmdD/S9Etr1Sxfi77zIZsA/oejWHabdJsowLb3tR5pdeJ89ysy+k7Ycq P0uUiT6XXTSNnxmHokVf4YbsOwbOJ21YyjhrPcPHMTr7C5cAglEIfW3436F2Rdk0+hTwLQgYA pttw3BPCxoOqEV8Ee5SlaNgYlYGNZv20AyEajoOA1zZqiW7xOiYcgrhCc9F7p/ocmn4WLuhHX 39iWeEdxRDVjWBxZS3fS8xdPebi+nrQBIpeF2MjF9iJKIUUkRhHyaR0hqbxBxvVwWac7q/PEL rImd7gs2ViWzGynEouHiWMRisZB00ARGrnMEqTTClE9tSEEReq3xRXPDLJ5SUCnBcswH0NG9Q AN7o/Pl0r8vqts6bTOMPbmCVkAGWzVJX8pa5hfjiUaXy/DSZJcHOzvwQlzrZ7faqaqVrpffvd it18bo75jKV8ntXmenMa1Wpz98+PAwWqFZTQlMI3GdCOFlud14Go5FAL5oXXrC1kWAQDcKA+D YGSRcBiaUCP2zKcobRVVC0kdrWBW9BvDiBGLyL27t7/XAw/zQ7CTx6D1WaGg3BGLy6/Rk+Cgv X41nM42TsduBJqucee8BJQDa7pM=
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/5j7f9oAkJoy6aGz2DPDtSddCCwI>
Subject: Re: [Suit] [Last-Call] Opsdir last call review of draft-ietf-suit-mud-06
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Dec 2023 17:17:55 -0000

Thanks for your review, Behcet. I have addressed also your comments with
version -07.

FWIW there is still another update coming based on the following PR:

https://github.com/bremoran/suit-mud/pull/8


Ciao

Hannes


Am 26.12.2023 um 18:00 schrieb Behcet Sarikaya:
> Folks,
> It seems like Ref -07 of suit-mud draft is out. I read it, it resolves
> my issues. I think, maybe the takeaway from Sue's review is
> what Eliot said:
> We don't have a YANG model for the MUD manager itself with operational
> state.  I think that might be a possible next step.
>
> Regards,
> Behcet
> On Thu, Dec 21, 2023 at 5:50 AM Eliot Lear <lear@lear.ch> wrote:
>
>     We don't have a YANG model for the MUD manager itself with
>     operational state.  I think that might be a possible next step.
>
>     On 21.12.2023 12:06, Hannes Tschofenig wrote:
>>
>>     Hi Eliot,
>>
>>
>>     thanks for the quick response.
>>
>>
>>     That's good to hear but I haven't read how any error cases are
>>     reported to some central device management system to take some
>>     actions.
>>
>>     Is that functionality documented somewhere as well? For example,
>>     some YANG modules for use with Netconf?
>>
>>
>>     Ciao
>>
>>     Hannes
>>
>>
>>     Am 21.12.2023 um 11:35 schrieb Eliot Lear:
>>>
>>>     Hi Hannes and thanks Sue
>>>
>>>     The MUD Manager always has the responsibility to "consider the
>>>     source" and then to consider the context.  The information
>>>     provided in MUD files *can *be used to automate access control
>>>     to their associated devices.  I think this is pretty well
>>>     covered in RFC 8520, but I am starting to think about an update
>>>     to that document.
>>>
>>>     Eliot
>>>
>>>     On 21.12.2023 11:08, Hannes Tschofenig wrote:
>>>>     Hi Susan,
>>>>
>>>>     thanks for your detailed review.
>>>>
>>>>     You are correct that this document does not address operational
>>>>     aspects of the MUD Manager and this is certainly something the
>>>>     OPSAWG working group should address since this document is a
>>>>     tiny extension to the already existing MUD RFC. Along these
>>>>     lines you are also correct that the document does not define
>>>>     any mechanism for the MUD Manager to notify the operator about
>>>>     any error situations with the processing of MUD files and/or
>>>>     SUIT manifests. I will reach out to Eliot and the OPSAWG
>>>>     working group to think about standardization work in this
>>>>     direction.
>>>>
>>>>     I have updated the draft to better explain how the different
>>>>     URIs are passed around. I also added a figure to illustrate it
>>>>     graphically. Attestation Evidence, which is used to convey
>>>>     information about the MUD URL, also allows the network to
>>>>     double-check the firmware/software (and other properties of the
>>>>     device). We didn't go into any details about how Evidence is
>>>>     processed because this is part of different documents, like the
>>>>     RATS architecture RFC. I hope the updated text clarified these
>>>>     aspects.
>>>>
>>>>     Regarding the CDDL I had a chat with Brendan and we will make
>>>>     an update.
>>>>
>>>>     Ciao
>>>>     Hannes
>>>>
>>>>
>>>>     Am 04.12.2023 um 16:19 schrieb Susan Hares via Datatracker:
>>>>>     Reviewer: Susan Hares
>>>>>     Review result: Has Issues
>>>>>
>>>>>     Overall comment:
>>>>>     Qualifications: I am not an expert on SUIT implementations or
>>>>>     an operator of
>>>>>     networks using SUIT. Therefore, my issues may be covered by
>>>>>     some general
>>>>>     security considerations in a document I am not aware of.
>>>>>
>>>>>     General comments to authors:  This feature is clearly
>>>>>     described in this
>>>>>     document. Brendan and Hannes did an excellent job of writing
>>>>>     the document.
>>>>>
>>>>>     Security/Operational Issues:
>>>>>
>>>>>     The security of MUD URLs may move the attacks from individual
>>>>>     devices to the
>>>>>     MUD Manager. (Instead of a single lemming going over the
>>>>>     cliff, a MUD manager
>>>>>     may send many lemmings over the cliff). This document does not
>>>>>     seem to consider
>>>>>     the operational issues in the MUD Manager or provide
>>>>>     mechanisms on how to check
>>>>>     for these attacks (e.g. Yang modules with operational state).
>>>>>
>>>>>     1. An Attack on the MUD Manager can shut down or subvert the
>>>>>     entire network.
>>>>>
>>>>>     It is not clear how the operator knows an attack on the MUD
>>>>>     Manager is happening
>>>>>     or occurred. If the MUD Manager pulls in broken SUIT manifests
>>>>>     and
>>>>>     then pulls in broken software/firmware based on the SUIT
>>>>>     manifests
>>>>>     how does the operator know?  In other words what device watches
>>>>>     that the MUD Manager is not subverted via a management protocol?
>>>>>
>>>>>     I do not see any operational state in the MUD Yang module
>>>>>     [RFC8620 section 2.1]
>>>>>     It would seem natural to have some operational state in the
>>>>>     MUD Manager reports
>>>>>     manifest state. Yang's notif protocols could report any
>>>>>     manifest state change
>>>>>     (over secure TLS connections) to a centralized security server.
>>>>>
>>>>>     2. For secure URLs transmitted by 802.1X with certificates,
>>>>>     Why are these not a "double-check" on the validity of the
>>>>>     software?
>>>>>
>>>>>     Again, it would seem natural to utilize these secure
>>>>>     certificates as
>>>>>     "double-checks" on the MUD Manager being "in-sync"  with the
>>>>>     devices.
>>>>>
>>>>>     3. As a less secure double-check on being "in-sync", is the
>>>>>     reporting of
>>>>>       MUD URL sent via MUD Devices via DHCP or LLDAP that is not
>>>>>     what is in the
>>>>>       manifest.
>>>>>
>>>>>     These reporting features are useful in transition scenarios as
>>>>>     well as
>>>>>     detecting attacks on the MUD manager.
>>>>>
>>>>>     Editorial nits:
>>>>>
>>>>>     1. section 1, last paragraph, sentence 2
>>>>>
>>>>>     Old text: /can get/
>>>>>     New text: /has/
>>>>>
>>>>>     English grammar
>>>>>
>>>>>     2. Just for my sanity, would you check the following text is
>>>>>     correct
>>>>>
>>>>>     $$SUIT_severable-members-extensions //= (
>>>>>        suit-manifest-mud => bstr .cbor SUIT_MUD_container
>>>>>     )
>>>>>     It appears you are looking to define a CBOR Type for the
>>>>>     the SUIT_MOD_container is defined in the text.
>>>>>
>>>>>     What I think I'm missing is the .cbor value for SUIT.
>>>>>     It looks correct, but I could  not derive this from
>>>>>     draft-ietf-suit-manifest-24:
>>>>>
>>>>>     SUIT_Severable_Manifest_Members = (
>>>>>        ? suit-payload-fetch => bstr .cbor SUIT_Command_Sequence,
>>>>>        ? suit-install => bstr .cbor SUIT_Command_Sequence,
>>>>>        ? suit-text => bstr .cbor SUIT_Text_Map,
>>>>>        * $$SUIT_severable-members-extensions,
>>>>>     )
>>>>>
>>>>>     And your IANA definitions of:
>>>>>
>>>>>     IANA is requested to add a new value to the SUIT envelope
>>>>>     elements registry
>>>>>     created with [I-D.ietf-suit-manifest]: Label: TBD2 [[Value
>>>>>     allocated from the
>>>>>     standards action address range]]
>>>>>
>>>>>     Name: Manufacturer Usage Description (MUD)
>>>>>     Reference: [[TBD: This document]]
>>>>>
>>>>>     Again, this may be due to my incomplete understanding.
>>>>>     This is why this is a NIT rather than an Issue.
>>>>>
>>>>>
>>>>>
>>>>
>     --
>     last-call mailing list
>     last-call@ietf.org
>     https://www.ietf.org/mailman/listinfo/last-call
>
>
> _______________________________________________
> Suit mailing list
> Suit@ietf.org
> https://www.ietf.org/mailman/listinfo/suit

v2.23.0 | Report a Bug | By Email