Re: [Suit] [Last-Call] Opsdir last call review of draft-ietf-suit-mud-06
Hannes Tschofenig <hannes.tschofenig@gmx.net> Tue, 26 December 2023 17:17 UTC
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CEF4C14F6A4; Tue, 26 Dec 2023 09:17:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.102
X-Spam-Level:
X-Spam-Status: No, score=-2.102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmx.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K3v98xRv8U3y; Tue, 26 Dec 2023 09:17:51 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.22]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7A9BDC14F6A2; Tue, 26 Dec 2023 09:17:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=s31663417; t=1703611064; x=1704215864; i=hannes.tschofenig@gmx.net; bh=E1vciZpVdNGSId+mcGVSPa1ZTmuLXiCoKivaAvkxUVg=; h=X-UI-Sender-Class:Date:Subject:To:Cc:References:From: In-Reply-To; b=Q47CWgm2Nzbh6cri+3J3BOfuss7Vbi2duQk4OZh9SWo+7sGHk2CckrvH3OZfMpTK ac7DZA35GvjqpmTzwyPrvwtI2PCwfuVM+1QMgBPHeD73dlJ3Ad2Hz+h5xUBOwU90C F2MwKnqhBVxmL5+WhqEj6VDrA+dXdCcuT8DgPfTWCJE4RlgVCm6jdKZ4L5XA3o3W/ JtKFHpy6rtzFCCkjvl65n0SoIVPrhRsP2kfmDUBpY9Mb9bK997OxBFExiyMNVGCgK Gs2He5o4/aoBclp1kdbIG/m6U9/fdk82eFY4JnVU9MrYQWLnYQxnhOzztIkbofUTD +a4WLrAmAbByXyydkg==
X-UI-Sender-Class: 724b4f7f-cbec-4199-ad4e-598c01a50d3a
Received: from [172.16.254.186] ([185.176.157.173]) by mail.gmx.net (mrgmx104 [212.227.17.168]) with ESMTPSA (Nemesis) id 1MWici-1rkt4x3Sfo-00X7jf; Tue, 26 Dec 2023 18:17:43 +0100
Content-Type: multipart/alternative; boundary="------------ZQiSVk5kvFJUwEP9Dy4bSnOT"
Message-ID: <ac79007d-f88d-4f29-a95d-3c92f3bf5948@gmx.net>
Date: Tue, 26 Dec 2023 18:17:43 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: sarikaya@ieee.org, Eliot Lear <lear@lear.ch>
Cc: Susan Hares <shares@ndzh.com>, ops-dir@ietf.org, draft-ietf-suit-mud.all@ietf.org, last-call@ietf.org, suit@ietf.org
References: <170170315182.17411.11522235103450951717@ietfa.amsl.com> <e92a87df-5554-4dda-b5aa-47155f3c4614@gmx.net> <ef80cde4-027a-463d-8b6b-21df80fa9d8e@lear.ch> <aca7f406-ba0e-4f66-ae27-1e34d97cc28c@gmx.net> <983b4f20-fc7c-44ac-943f-100253653d4e@lear.ch> <CAC8QAcc2FsRCvhTk1x3JxOaCDNUABY0kHeZAiMSnm0_xfadGQQ@mail.gmail.com>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
In-Reply-To: <CAC8QAcc2FsRCvhTk1x3JxOaCDNUABY0kHeZAiMSnm0_xfadGQQ@mail.gmail.com>
X-Provags-ID: V03:K1:2szadF4M+vxQgqO51TSXcYaEv6CqUNtYg5FXOjdmLwe/1fl7UYN p/FSlCzXG5a2FB2Fo29uVqXBq6+LWCLbG9R0hjUbY44VhRhJLTuukfrLShbb3ynXgWBQBPX 0kadESeHpMsQ1TLQ3dTiEKY7xSeNmcTbVyCyslv94Prvv3GT7r414/rNXbEf2cGjJkyJA3o Y/bZwpOdiA8JBQz+0arsg==
UI-OutboundReport: notjunk:1;M01:P0:uAjZ37sX4iQ=;3mVZG/DvOIicxCC/y9qxOumvQcZ VWzivOLsCFV5B3HOTezl7xq2aLgjUBbzwR/o5AKz1bAlLOTsv+FCstBvsLovDsvQnDUIhdH+V FBjlrSLbDtAlB2cIe8zIU0icP9JLrDxU2D8hNfnnfn61R9T/ukmXIVNY3GLVUJPw4Pp8mjceZ Yxt6eFaiQbR6Fcvg0oryX6XbYWt1td3/XsfcBB/4peVmiQwvvqwQrjDmKxakVlKaLGMO4GNef BYG4izj8sBuwSZiXQImPNNKEcS450m4acAvEB9sSGmtz0NHpboD5Ipm83f8hgDiZ+LQVoxffi WSAHDa+/KhT2tvP+mO6FxwzDYYoDbM+GyLb5Ri2Jxo8nz4oseA/s1D2xfZMfIS9h/4qRt3ztN 5u8K6DxbWuqisbU0RzmdD/S9Etr1Sxfi77zIZsA/oejWHabdJsowLb3tR5pdeJ89ysy+k7Ycq P0uUiT6XXTSNnxmHokVf4YbsOwbOJ21YyjhrPcPHMTr7C5cAglEIfW3436F2Rdk0+hTwLQgYA pttw3BPCxoOqEV8Ee5SlaNgYlYGNZv20AyEajoOA1zZqiW7xOiYcgrhCc9F7p/ocmn4WLuhHX 39iWeEdxRDVjWBxZS3fS8xdPebi+nrQBIpeF2MjF9iJKIUUkRhHyaR0hqbxBxvVwWac7q/PEL rImd7gs2ViWzGynEouHiWMRisZB00ARGrnMEqTTClE9tSEEReq3xRXPDLJ5SUCnBcswH0NG9Q AN7o/Pl0r8vqts6bTOMPbmCVkAGWzVJX8pa5hfjiUaXy/DSZJcHOzvwQlzrZ7faqaqVrpffvd it18bo75jKV8ntXmenMa1Wpz98+PAwWqFZTQlMI3GdCOFlud14Go5FAL5oXXrC1kWAQDcKA+D YGSRcBiaUCP2zKcobRVVC0kdrWBW9BvDiBGLyL27t7/XAw/zQ7CTx6D1WaGg3BGLy6/Rk+Cgv X41nM42TsduBJqucee8BJQDa7pM=
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/5j7f9oAkJoy6aGz2DPDtSddCCwI>
Subject: Re: [Suit] [Last-Call] Opsdir last call review of draft-ietf-suit-mud-06
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Dec 2023 17:17:55 -0000
Thanks for your review, Behcet. I have addressed also your comments with version -07. FWIW there is still another update coming based on the following PR: https://github.com/bremoran/suit-mud/pull/8 Ciao Hannes Am 26.12.2023 um 18:00 schrieb Behcet Sarikaya: > Folks, > It seems like Ref -07 of suit-mud draft is out. I read it, it resolves > my issues. I think, maybe the takeaway from Sue's review is > what Eliot said: > We don't have a YANG model for the MUD manager itself with operational > state. I think that might be a possible next step. > > Regards, > Behcet > On Thu, Dec 21, 2023 at 5:50 AM Eliot Lear <lear@lear.ch> wrote: > > We don't have a YANG model for the MUD manager itself with > operational state. I think that might be a possible next step. > > On 21.12.2023 12:06, Hannes Tschofenig wrote: >> >> Hi Eliot, >> >> >> thanks for the quick response. >> >> >> That's good to hear but I haven't read how any error cases are >> reported to some central device management system to take some >> actions. >> >> Is that functionality documented somewhere as well? For example, >> some YANG modules for use with Netconf? >> >> >> Ciao >> >> Hannes >> >> >> Am 21.12.2023 um 11:35 schrieb Eliot Lear: >>> >>> Hi Hannes and thanks Sue >>> >>> The MUD Manager always has the responsibility to "consider the >>> source" and then to consider the context. The information >>> provided in MUD files *can *be used to automate access control >>> to their associated devices. I think this is pretty well >>> covered in RFC 8520, but I am starting to think about an update >>> to that document. >>> >>> Eliot >>> >>> On 21.12.2023 11:08, Hannes Tschofenig wrote: >>>> Hi Susan, >>>> >>>> thanks for your detailed review. >>>> >>>> You are correct that this document does not address operational >>>> aspects of the MUD Manager and this is certainly something the >>>> OPSAWG working group should address since this document is a >>>> tiny extension to the already existing MUD RFC. Along these >>>> lines you are also correct that the document does not define >>>> any mechanism for the MUD Manager to notify the operator about >>>> any error situations with the processing of MUD files and/or >>>> SUIT manifests. I will reach out to Eliot and the OPSAWG >>>> working group to think about standardization work in this >>>> direction. >>>> >>>> I have updated the draft to better explain how the different >>>> URIs are passed around. I also added a figure to illustrate it >>>> graphically. Attestation Evidence, which is used to convey >>>> information about the MUD URL, also allows the network to >>>> double-check the firmware/software (and other properties of the >>>> device). We didn't go into any details about how Evidence is >>>> processed because this is part of different documents, like the >>>> RATS architecture RFC. I hope the updated text clarified these >>>> aspects. >>>> >>>> Regarding the CDDL I had a chat with Brendan and we will make >>>> an update. >>>> >>>> Ciao >>>> Hannes >>>> >>>> >>>> Am 04.12.2023 um 16:19 schrieb Susan Hares via Datatracker: >>>>> Reviewer: Susan Hares >>>>> Review result: Has Issues >>>>> >>>>> Overall comment: >>>>> Qualifications: I am not an expert on SUIT implementations or >>>>> an operator of >>>>> networks using SUIT. Therefore, my issues may be covered by >>>>> some general >>>>> security considerations in a document I am not aware of. >>>>> >>>>> General comments to authors: This feature is clearly >>>>> described in this >>>>> document. Brendan and Hannes did an excellent job of writing >>>>> the document. >>>>> >>>>> Security/Operational Issues: >>>>> >>>>> The security of MUD URLs may move the attacks from individual >>>>> devices to the >>>>> MUD Manager. (Instead of a single lemming going over the >>>>> cliff, a MUD manager >>>>> may send many lemmings over the cliff). This document does not >>>>> seem to consider >>>>> the operational issues in the MUD Manager or provide >>>>> mechanisms on how to check >>>>> for these attacks (e.g. Yang modules with operational state). >>>>> >>>>> 1. An Attack on the MUD Manager can shut down or subvert the >>>>> entire network. >>>>> >>>>> It is not clear how the operator knows an attack on the MUD >>>>> Manager is happening >>>>> or occurred. If the MUD Manager pulls in broken SUIT manifests >>>>> and >>>>> then pulls in broken software/firmware based on the SUIT >>>>> manifests >>>>> how does the operator know? In other words what device watches >>>>> that the MUD Manager is not subverted via a management protocol? >>>>> >>>>> I do not see any operational state in the MUD Yang module >>>>> [RFC8620 section 2.1] >>>>> It would seem natural to have some operational state in the >>>>> MUD Manager reports >>>>> manifest state. Yang's notif protocols could report any >>>>> manifest state change >>>>> (over secure TLS connections) to a centralized security server. >>>>> >>>>> 2. For secure URLs transmitted by 802.1X with certificates, >>>>> Why are these not a "double-check" on the validity of the >>>>> software? >>>>> >>>>> Again, it would seem natural to utilize these secure >>>>> certificates as >>>>> "double-checks" on the MUD Manager being "in-sync" with the >>>>> devices. >>>>> >>>>> 3. As a less secure double-check on being "in-sync", is the >>>>> reporting of >>>>> MUD URL sent via MUD Devices via DHCP or LLDAP that is not >>>>> what is in the >>>>> manifest. >>>>> >>>>> These reporting features are useful in transition scenarios as >>>>> well as >>>>> detecting attacks on the MUD manager. >>>>> >>>>> Editorial nits: >>>>> >>>>> 1. section 1, last paragraph, sentence 2 >>>>> >>>>> Old text: /can get/ >>>>> New text: /has/ >>>>> >>>>> English grammar >>>>> >>>>> 2. Just for my sanity, would you check the following text is >>>>> correct >>>>> >>>>> $$SUIT_severable-members-extensions //= ( >>>>> suit-manifest-mud => bstr .cbor SUIT_MUD_container >>>>> ) >>>>> It appears you are looking to define a CBOR Type for the >>>>> the SUIT_MOD_container is defined in the text. >>>>> >>>>> What I think I'm missing is the .cbor value for SUIT. >>>>> It looks correct, but I could not derive this from >>>>> draft-ietf-suit-manifest-24: >>>>> >>>>> SUIT_Severable_Manifest_Members = ( >>>>> ? suit-payload-fetch => bstr .cbor SUIT_Command_Sequence, >>>>> ? suit-install => bstr .cbor SUIT_Command_Sequence, >>>>> ? suit-text => bstr .cbor SUIT_Text_Map, >>>>> * $$SUIT_severable-members-extensions, >>>>> ) >>>>> >>>>> And your IANA definitions of: >>>>> >>>>> IANA is requested to add a new value to the SUIT envelope >>>>> elements registry >>>>> created with [I-D.ietf-suit-manifest]: Label: TBD2 [[Value >>>>> allocated from the >>>>> standards action address range]] >>>>> >>>>> Name: Manufacturer Usage Description (MUD) >>>>> Reference: [[TBD: This document]] >>>>> >>>>> Again, this may be due to my incomplete understanding. >>>>> This is why this is a NIT rather than an Issue. >>>>> >>>>> >>>>> >>>> > -- > last-call mailing list > last-call@ietf.org > https://www.ietf.org/mailman/listinfo/last-call > > > _______________________________________________ > Suit mailing list > Suit@ietf.org > https://www.ietf.org/mailman/listinfo/suit
- [Suit] Opsdir last call review of draft-ietf-suit… Susan Hares via Datatracker
- Re: [Suit] Opsdir last call review of draft-ietf-… Hannes Tschofenig
- Re: [Suit] Opsdir last call review of draft-ietf-… Hannes Tschofenig
- Re: [Suit] Opsdir last call review of draft-ietf-… Eliot Lear
- Re: [Suit] Opsdir last call review of draft-ietf-… Eliot Lear
- Re: [Suit] [Last-Call] Opsdir last call review of… Behcet Sarikaya
- Re: [Suit] [Last-Call] Opsdir last call review of… Hannes Tschofenig