IETF Logo Mail Archive

Re: [Suit] AD Review of draft-ietf-suit-mud-04

hannes.tschofenig@gmx.net Wed, 11 October 2023 06:14 UTC

Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 91CC9C14CEE3 for <suit@ietfa.amsl.com>; Tue, 10 Oct 2023 23:14:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.804
X-Spam-Level:
X-Spam-Status: No, score=-2.804 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmx.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RJ4xIeOC1DDJ for <suit@ietfa.amsl.com>; Tue, 10 Oct 2023 23:14:09 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.21]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3BE17C14CE29 for <suit@ietf.org>; Tue, 10 Oct 2023 23:14:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=s31663417; t=1697004839; x=1697609639; i=hannes.tschofenig@gmx.net; bh=7Ke5Y498W3WuNFIBa+7umFMdXgOnaZp5CFauEVagtBw=; h=X-UI-Sender-Class:From:To:References:In-Reply-To:Subject:Date; b=rFdnoo+Ly5+4eu7NzvLVbju9zgFPs5v/l1mP7LhuXs6DzqVT+YRpWqovygS2J2fJ7UUjLjy0ecB tG92h+zhSULClJgDbTrdg9UW/Y+XRgDpqjpLKOK35u94wCPbTIJq7QB7ZfSmYb5ibCCCPaX3z/BmA QF6FWupg9MIgVI6w9imXvpxFfpqqnFCdSjuyeytsTvAQ6HfriBO6b11xqR1orU7LVInWHUak4H1hg hwM6Ahb69cYSoKI3volubFiIFVsl6i/E5c6Z6dnKdkNvk9eX+T3Irdk1DNtIggi/8DRwJnK+Xa9sf 5Knfy4bcGlAT+uVL2MK5U5+cjeGPDuKe4vpA==
X-UI-Sender-Class: 724b4f7f-cbec-4199-ad4e-598c01a50d3a
Received: from Surface ([213.142.96.35]) by mail.gmx.net (mrgmx104 [212.227.17.168]) with ESMTPSA (Nemesis) id 1MtwUm-1riY6V1mKy-00uErD; Wed, 11 Oct 2023 08:13:59 +0200
From: hannes.tschofenig@gmx.net
To: 'Roman Danyliw' <rdd@cert.org>, suit@ietf.org
References: <BN2P110MB1107855C16B88C7F809FAA53DCECA@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM> <316958dd-341c-3b52-af9b-b8a71ab64101@gmx.net> <BN2P110MB1107B68DE1124C5B571D06CEDCFFA@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM> <00be016c-4af2-4412-b589-00901767406f@gmx.net> <PH1P110MB11169EC0F949A37A877633C5DCCDA@PH1P110MB1116.NAMP110.PROD.OUTLOOK.COM>
In-Reply-To: <PH1P110MB11169EC0F949A37A877633C5DCCDA@PH1P110MB1116.NAMP110.PROD.OUTLOOK.COM>
Date: Wed, 11 Oct 2023 08:13:54 +0200
Message-ID: <003301d9fc0a$1ed41bb0$5c7c5310$@gmx.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQGDaHNSaBXKGOVwGpL4hzzq0juDFgFzbLcZAkYHZRwBxeHSAAIH5jocsLUB8OA=
Content-Language: de-at
X-Provags-ID: V03:K1:Yg4HsJxNe4tDn5SJ3jVS23hQ3FZleOCBlq3TE5HWNs0Ut640rEG EtFtnxUl+l6zrysjYipfpSjFp3B4Yfd1jmMhvBBEX8nzTN6NkRC3anh9cox7j+sQAvaSGA9 Y5kuHaWX6e+w5IfskpcZcPaZcXWdoLDLCjBPUcqLfCBLwKMHTVX37OhHT/prwzA9ms+gUXb mf7bB1gQf3B6nH89uOx2Q==
UI-OutboundReport: notjunk:1;M01:P0:lxgZ5KTdZhc=;3ag6YE2ClA/e8lr139u7R/+PNCW BIAEiBN+RwsC0z+UvoM/fqbBnRltz9rfsPVJgy9lvwsb3IRML/zR9STP9TG8gqUPlvyA41o6V wuplgVPlhBL/Tx295QkjI/fruPVMbNYGzBWOGbRRHr/wxE0eXYlMBnPfhRl6gjN1rzl8Yj9/m sii/BsXYCt9/NCgr9FmeUd8GrcTZhiYumq+wgswJ3sTPgFCH3rSbFOs7neWeWGbH3C6JZr/ed +ni3OCYpOP3Vn0MrWe3qfWXVn7IYXE4iKdu7wgl4DmiEK7hQPLOsbZy0MAwEGIM1ia0KXz2U7 l1Gdauyr313MdqoMBpyDBQwbPodLwkjF82Ks8ToD9Bxb4bi2Dk3qCU3QYdE6ylGT2oSnjxCjW Iklq+aP9PhpZMhDidXFAplLp5eFZlKfxRaODTUxXeRdekEPuCH4ZAjqwAIqWrg+5gIfPB6K1Y BkHRw/w1+4aecAyHssjnRelA3Ep/OopTYSJZD/k3QZJmKvrxSd+EZw6EwnTV+X0125Ab964Ml GNO4aAkP3c6mVU59tNiobTmzgrLeVNsZkFO8qZZ9g6EvWbUXKxp2wSQjxzphbszbQcuInv0p9 i+AfHUAPHQoAP6m7x8aSJsRFUdd6J15NHx6lHPAMjg+Rm6FY9Z6Yxb0eOHIp1sYcR8j2LL8fJ oJkDO802dN4o1NH7M8GvzYiE2kR7kXnrs1z46KWh+5c6/F1qN3GM9v1zteAKIOxyiPBYeXmb0 S2/QNw5S3xFbh75Sk6y2CWVtNXlWqh9CQvpLrOmiuG/+XGPKHEgGf9R6pSLaS0pf1T1WPkqni 04mMS8XDJS6Y5wHbWEjX7sViAvavMVQmkSg1uK2l11+pI1Rpc7NwpuVT7y5Fh1CwVnJdk8kuU Fll79mshHr61E+y7CE7fI41BxS/8jmBzna8AjPF5oMgirW1LNTRJGTOCsMiMVvL1PGvN1l8Sa pL9lyankfmEqS+GCMx3Pdh0dJfk=
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/Hgg9WiYkPKtS2R7d-iA8yNHdV-w>
Subject: Re: [Suit] AD Review of draft-ietf-suit-mud-04
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Oct 2023 06:14:13 -0000

Thanks for the text suggestion, Roman.

I am fine with the text to remove the normative dependency.

Ciao
Hannes


-----Original Message-----
From: Suit <suit-bounces@ietf.org> On Behalf Of Roman Danyliw
Sent: Dienstag, 10. Oktober 2023 23:45
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>; suit@ietf.org
Subject: Re: [Suit] AD Review of draft-ietf-suit-mud-04

Hi Hannes!

> -----Original Message-----
> From: Suit <suit-bounces@ietf.org> On Behalf Of Hannes Tschofenig
> Sent: Saturday, September 23, 2023 3:24 PM
> To: Roman Danyliw <rdd@cert.org>; suit@ietf.org
> Subject: Re: [Suit] AD Review of draft-ietf-suit-mud-04
> 
> Hi Roman,
> 
> 
> thanks for the extra feedback. Responses inline:
> 
> 
> Am 23.09.2023 um 00:41 schrieb Roman Danyliw:
> > Hi Hannes!
> >
> > Thanks so much for publishing -05.  My remaining line of feedback is 
> > around
> my original questions about Section 3 –- the normative guidance around 
> the workflow.  The new text in Section 3 on the steps in the workflow 
> are much clearer, and I very much appreciated the pro/con write-up of 
> the design in Section 4.  Not many specifications will write-up the cons.
> >
> > If I read things correctly, the Section 3 workflow is trying to 
> > mirror a new
> MUD conveyance approach like DHCP or LLDP.  What I’m grappling with is 
> how interoperable is this attestation step as currently scoped?  EAT 
> is cited normatively, but there are no other normative details on how 
> this attestation should occur.
> >
> > Are there any requirements other than an “EAT token with a manifest 
> > claim is
> somehow passed”?
> >
> > Is there any guidance on conveyance?  For example, EAP is mentioned 
> > (as an
> example).  Is there a pointer on how an EAT can be carried by an EAP method?
> 
> Currently, this attestation step is not interoperable. While there is 
> the need to convey an EAT token in an EAP method exchange, I haven't 
> seen such an EAP method yet.
> 
> Theoretically, one could argue that the work in 
> <draft-fossati-tls-attestation> could be applied to an EAP-TLS-based 
> method but nobody has done this work yet.

If we both agree that the current guidance is not interoperable, then it isn't clear how it can be normatively required.  As written, it seems underspecified.  I'm assert that it is "normatively required" because [I-D.ietf-rats-eat] is cited normatively.

Would it be acceptable to the WG to suggest a workflow using attestation but not normatively describe?  For example:

OLD
   The intended workflow is as follows:

   *  At the time of onboarding, devices report their manifest in use to
      the MUD Manager via attestation evidence in the Entity Attestation
      Token (EAT) [I-D.ietf-rats-eat].

      -  Among other claims, the device will report its software
         digest(s), and the manifest URI in the EAT "manifests" claim to
         the MUD Manager.  This approach assumes that attestation
         evidence includes a link to the SUIT manifest via the
         "manifests" claim (see Section 4.2.15 of [I-D.ietf-rats-eat])
         and that this evidence can be carried in either a network
         access authentication protocol (for eample an EAP method) or
         some onboarding protocol like FIDO Device Onboard (FDO).

NEW (rough text)
   The intended workflow is as follows, and assumes an attestation mechanism between the device and the MUD Manager:

   *  At the time of onboarding, devices report their manifest in use to the MUD Manager via some form of attestation evidence and a conveyance protocol.  The normative specification of these mechanisms is out of scope for this document. 
.
      -  An example of an attestation evidence format is the Entity Attestation Token (EAT) [I-D.ietf-rats-eat].  Among other claims, the device could report its software digest(s), and the manifest URI in the EAT "manifests" claim to the MUD Manager.  This approach assumes that attestation evidence includes a link to the SUIT manifest via the "manifests" claim (see Section 4.2.15 of [I-D.ietf-rats-eat]) and that this evidence can be carried in either a network access authentication protocol (for eample an EAP method) or some onboarding protocol like FIDO Device Onboard (FDO).
 
Regards,
Roman


> >
> > Related to what “attestation” means, is the subsequent text in Section 4:
> “The device does not report the MUD URL, so the device cannot tamper 
> with the MUD URL.”  I took that to mean that there is a distinction 
> being made between TEE and a REE; and the “device” here is the REE. Is 
> that intended interpretation?
> 
> I think the text needs a picture. There is the underlying assumption 
> with the use of attestation technology that some low-level 
> software/hardware is able to collect measurements from about its 
> environment. When that software generates the attestation evidence for 
> use with remote attestation then it includes information about the 
> manifest. When using the SUIT manifest, the attester will hopefully verify also the firmware the SUIT manifest describes.
> 
> 
> >
> > If accurate, I recommend explicitly clarifying this.  Section 1.1 of 
> > draft-ietf-
> rats-eat-21 seems to lay out uses of EAT which are not TEE based.  A 
> quick scan of draft-ietf-suit-architecture found definitions for TEE 
> and REE, but (with using a keyword search only) REE is never used 
> after it is defined, and TEE is used once in Section 6 without direct guidance on use.
> 
> 
> The RATS architecture does not say where some of the functionality is 
> implemented. The attester-functionality needs to be provided by some 
> low- level software, which would be close to a TEE in the TEEP terminology.
> 
> 
> To summarize, this document is something you could describe as more 
> forward looking than the other SUIT items.
> 
> 
> Ciao
> Hannes
> 
> 
> >
> > Thanks,
> > Roman
> >
> >> -----Original Message-----
> >> From: Suit <suit-bounces@ietf.org> On Behalf Of Hannes Tschofenig
> >> Sent: Sunday, September 10, 2023 10:59 AM
> >> To: Roman Danyliw <rdd@cert.org>; suit@ietf.org
> >> Subject: Re: [Suit] AD Review of draft-ietf-suit-mud-04
> >>
> >> Hi Roman,
> >>
> >>
> >> those are great review comments.
> >>
> >>
> >> I have started to address them, see
> >> https://github.com/bremoran/suit-mud/pull/5
> >>
> >>
> >> You have certainly discovered the weakness of this proposal. It 
> >> relies on a number of technologies to be in place before it can 
> >> actually be deployed. When those conditions are met, there are 
> >> security and operational benefits. I made this more clear in the write-up.
> >>
> >>
> >> Ciao
> >>
> >> Hannes
> >>
> >>
> >> PS: Only the MUD URL is included in the manifest and not the MUD 
> >> file
> itself.
> >> Your reading of the CDDL was correct.
> >>
> >>
> >> Am 09.09.2023 um 22:18 schrieb Roman Danyliw:
> >>> Hi!
> >>>
> >>> I performed an AD review of draft-ietf-suit-mud-04.  Thanks for 
> >>> this
> >> document.  Below is my feedback.
> >>> ** Section 1 and 6 assert that a MUD file can be included by 
> >>> reference or
> >> value.  How does one include a MUD file by value?  Excuse my 
> >> familiarity with CDDL but my read of SUIT_MUD_container is that is 
> >> contains only a URL and associate SKI.  All of the other CDDL in 
> >> Section 5 by my read is about integrating the SUIT_MUD_container 
> >> data structure so it can be as a manifest member or be severable.
> >>> ** Section 3.  I was confused on how to read this section.  I was 
> >>> expecting this document to primarily discuss how to embed MUD 
> >>> information into a SUIT manifest.  However, this section seems to 
> >>> define attestation behavior and functionality on the end-point 
> >>> that is outside the SUIT workflow and more rigorous than required 
> >>> in the core SUIT manifest document.  Is this section normative or 
> >>> just an
> example?
> >>> [I-D.ietf-rats-eat] being cited normatively here suggests the 
> >>> section is also normative.  If this is an example, please make 
> >>> that clearer and don’t make EAT a normative reference.  If not, 
> >>> then please be more specification about these attestation 
> >>> mechanisms (more below)
> >>>
> >>> ** Section 3.
> >>>
> >>>      *  At the time of onboarding, devices report their manifest in use to
> >>>         the MUD manager via attestation evidence.
> >>>
> >>> Can a pointer please be provided on the normative mechanism for 
> >>> sharing
> >> attestation evidence with the MUD manager?  I ask because RFC8520 
> >> doesn’t mention attestation as an activity done by the MUD manager.
> >>>      *  If the SUIT_MUD_container, see Section 5, has been severed, the
> >>>         MUD manager can use the suit-reference-uri to retrieve the
> >>>         complete SUIT manifest.
> >>>
> >>> What happens if suit-reference-uri is not included?  If my reading 
> >>> of draft-
> >> ietf-suit-manifest-22 is correct, this field is optional.
> >>>      *  Each time a device is updated, rebooted, or otherwise
> >>>         substantially changed, it will execute an attestation.
> >>>
> >>> Is this new requirement on any device including this MUD extension?
> >>>
> >>>         -  Among other claims in the Entity Attestation Token (EAT)
> >>>            [I-D.ietf-rats-eat], the device will report its software
> >>>            digest(s), configuration digest(s), manifest URI, and manifest
> >>>            digest to the MUD manager.
> >>>
> >>> What is the profile of the EAT claims needed?  How is it conveying 
> >>> this EAT
> >> token?
> >>>      *  If the MUD manager does not already have a full copy of the
> >>>         manifest, it can be acquired using the reference URI.
> >>>
> >>> When the manifest was retrieved in step #2 is was verified in step 
> >>> #3.  Here,
> >> there is no explicit language about verification.
> >>>      *  Once a full copy of the manifest is provided, the MUD manager can
> >>>         verify the device attestation report
> >>>
> >>> Wouldn’t the device have to emit the device attestation report?
> >>>
> >>> ** Section 5.  To be clear, suit-mud-ski is the subject key 
> >>> identifier for the key
> >> used in the MUD signature file described in Section 13.2 of RFC8520?
> >> If so, editorial, I would have benefited from an explicit statement 
> >> to that
> effect.
> >>> ** Section 6.  Do any Security Considerations from suit-manifest 
> >>> or MUD
> >> apply here?
> >>> ** Reference
> >>>
> >>> --  [I-D.isobe-cose-key-thumbprint] is now adopted by the WG and 
> >>> is
> >>> draft-
> >> ietf-cose-key-thumbprint.  Please replace it.
> >>> -- feedback from idnits:
> >>>     == Unused Reference: 'RFC7093' is defined on line 288, but no explicit
> >>>        reference was found in the text
> >>>
> >>>     ** Downref: Normative reference to an Informational RFC: RFC
> >>> 7093
> >>>
> >>> Please drop it.
> >>>
> >>> Regards,
> >>> Roman
> >>> _______________________________________________
> >>> Suit mailing list
> >>> Suit@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/suit
> >> _______________________________________________
> >> Suit mailing list
> >> Suit@ietf.org
> >> https://www.ietf.org/mailman/listinfo/suit
> > _______________________________________________
> > Suit mailing list
> > Suit@ietf.org
> > https://www.ietf.org/mailman/listinfo/suit
> 
> _______________________________________________
> Suit mailing list
> Suit@ietf.org
> https://www.ietf.org/mailman/listinfo/suit
_______________________________________________
Suit mailing list
Suit@ietf.org
https://www.ietf.org/mailman/listinfo/suit

v2.23.0 | Report a Bug | By Email