Re: [Suit] Opsdir last call review of draft-ietf-suit-mud-06
Hannes Tschofenig <hannes.tschofenig@gmx.net> Thu, 21 December 2023 10:08 UTC
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96D52C09036F; Thu, 21 Dec 2023 02:08:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.806
X-Spam-Level:
X-Spam-Status: No, score=-2.806 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmx.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DMxKDARXPg_d; Thu, 21 Dec 2023 02:08:43 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.20]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E70EBC090371; Thu, 21 Dec 2023 02:08:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=s31663417; t=1703153315; x=1703758115; i=hannes.tschofenig@gmx.net; bh=xp8qo0sa/dOpf9dRtFD2fKE5xfHPaxxgFj/sJuaFb2A=; h=X-UI-Sender-Class:Date:Subject:To:Cc:References:From: In-Reply-To; b=S3xivkLOYCVGaD/BETcmfeCCKcGCeZGqBq75XkYig7MYRwfgSnSSfP90F//OvsUR zZieicqvDslwffreTLWteoNJbkTPCl1QrZXfiaNeNG0MIVRaNGz9qrptltaCX5P5L 2Ve3wl8X73OKVFrnC9cii1+k5AXZ7DJ/T0g5IsluIc32GV5s2cHjwT1C2LpkEvnMu hA3v14wyvQymlpdyP+TDACcA19TDBPMTDuULTgee312OIPl9A36SobpqaBh8jy7g3 EhNYqTAl4ap8IydoO4ucbIR1oXGPLs/6JqJt/WuAo45Et7ACoaTZrzAaqW5awbTDf GrAthkWxCH4xewqVGg==
X-UI-Sender-Class: 724b4f7f-cbec-4199-ad4e-598c01a50d3a
Received: from [172.16.254.186] ([185.176.157.173]) by mail.gmx.net (mrgmx105 [212.227.17.168]) with ESMTPSA (Nemesis) id 1MryTF-1qtcP93Nh7-00nv0y; Thu, 21 Dec 2023 11:08:34 +0100
Message-ID: <e92a87df-5554-4dda-b5aa-47155f3c4614@gmx.net>
Date: Thu, 21 Dec 2023 11:08:35 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Susan Hares <shares@ndzh.com>, ops-dir@ietf.org
Cc: draft-ietf-suit-mud.all@ietf.org, last-call@ietf.org, suit@ietf.org, Eliot Lear <lear@lear.ch>
References: <170170315182.17411.11522235103450951717@ietfa.amsl.com>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
In-Reply-To: <170170315182.17411.11522235103450951717@ietfa.amsl.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Provags-ID: V03:K1:3UNzpeiYMZSrUrUBB6FznX9YBRPdtTUKXsjNkx6vVEGtJUdMKRC UoA5UduxJMP86A/gByMFOi1BO/jCwjSnUBFIw8bGEaMAd6f9ho5045NsJQ37yF33yCzkcJ1 fJ8ol2JOpPXQcasIrR87QXjVWJdvXh1UWT3IZ7gLLFvxBbK2ItWZA+nIZTjfYFYbzQHG3DI XEfj4U53+U0kE0DvjPqDw==
UI-OutboundReport: notjunk:1;M01:P0:rPxU0oVO9jA=;Tdcsm5FRPrEfh6gRrNARMNgQzWE 9TOKF2thsPCA7gtMwLDNlaL7H9+vyHEr4EPlR8LARSnXN/jZ6XFzN6lHpBfMMAWnvRWIOuFo9 MOjJvF3Ak0lFwMJ3pdPYBA8zY5zyX3JJAXPRzxuH8U1qWwGK/sicaJ5jpZDUMYnXs3AtSc/gg DmWMboiYZiPfsFY/RGP3iFqrZReJ6UkLDOg6bvNOfbNdGzQ65Cod+5F8YZHgWZRhZwj85sq4R pTRNIXyiZjikoPGiq11jfBzh1krfWPxbIDeSwLbG+GZcZaNxE2aMTKwZ9GGkgVHjhz2sPOke4 rk1Tfm+KcmPZAMuucOWuOrJ4SyNNIv7M+Wu9NwnmcgCrg1IJEUz4Du2vJ1cvBB+PjissmZhp0 Lz3RHBVtPn8I6sSm9COwoFEz9gMbvJzyZohUPJWwxoCCOr44g3+bfTIVMAASJTFmL069zmOJY ev7Ri2eJLpbh11n4/0v3Zs+rwmCxqfq0CTSm4dx5+YJY8TKzMYufg+QFFXpPEUMMxepaeaGzP 8qxWdzrzFAD9VkulH6Px8Ge8v72uw2AMEF4K91lns+rVb9Foa6vrfTsk1RED8xVslJTMCxy8J T9Fux+zlLKdl4FScNUKr9AyIM462vP2hhamryT2XTXM4kjmkCIkf7NouAC75D9I49baVpYPLD 2t4thkNjq6WUeZqHnl+pQLttDPZRycSZOpc0r0/1f1Gc+v4n5ZW4L8w/3UPexFueIQgVQT0G9 h+0KLmHdLx5yIMC5qfv0A7xQO6RFGRVZ2c2fldG9aXwZuPp4j/r4ONeGfqIxp/+mwYdpju8Cp Yiq7lBKhYTOLScQ0Tgm/5DHxXmq30OEjnkBRnc/zqrG6g+Cy7svU+tlUMCDoAArrzJDT1YNWi MsKAezxzEwuPhKMaXtBh1BMgeRasnLAMyAlu55MZxrfpzrjqGN+5uHPCjkn3zYjzzsRiZwgF7 e74nEzkba72o9ZFkRxfy+o5WQEs=
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/iJJ6PbjHoGk_MZzMDW6YPUX14G8>
Subject: Re: [Suit] Opsdir last call review of draft-ietf-suit-mud-06
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Dec 2023 10:08:45 -0000
Hi Susan, thanks for your detailed review. You are correct that this document does not address operational aspects of the MUD Manager and this is certainly something the OPSAWG working group should address since this document is a tiny extension to the already existing MUD RFC. Along these lines you are also correct that the document does not define any mechanism for the MUD Manager to notify the operator about any error situations with the processing of MUD files and/or SUIT manifests. I will reach out to Eliot and the OPSAWG working group to think about standardization work in this direction. I have updated the draft to better explain how the different URIs are passed around. I also added a figure to illustrate it graphically. Attestation Evidence, which is used to convey information about the MUD URL, also allows the network to double-check the firmware/software (and other properties of the device). We didn't go into any details about how Evidence is processed because this is part of different documents, like the RATS architecture RFC. I hope the updated text clarified these aspects. Regarding the CDDL I had a chat with Brendan and we will make an update. Ciao Hannes Am 04.12.2023 um 16:19 schrieb Susan Hares via Datatracker: > Reviewer: Susan Hares > Review result: Has Issues > > Overall comment: > Qualifications: I am not an expert on SUIT implementations or an operator of > networks using SUIT. Therefore, my issues may be covered by some general > security considerations in a document I am not aware of. > > General comments to authors: This feature is clearly described in this > document. Brendan and Hannes did an excellent job of writing the document. > > Security/Operational Issues: > > The security of MUD URLs may move the attacks from individual devices to the > MUD Manager. (Instead of a single lemming going over the cliff, a MUD manager > may send many lemmings over the cliff). This document does not seem to consider > the operational issues in the MUD Manager or provide mechanisms on how to check > for these attacks (e.g. Yang modules with operational state). > > 1. An Attack on the MUD Manager can shut down or subvert the entire network. > > It is not clear how the operator knows an attack on the MUD Manager is happening > or occurred. If the MUD Manager pulls in broken SUIT manifests and > then pulls in broken software/firmware based on the SUIT manifests > how does the operator know? In other words what device watches > that the MUD Manager is not subverted via a management protocol? > > I do not see any operational state in the MUD Yang module [RFC8620 section 2.1] > It would seem natural to have some operational state in the MUD Manager reports > manifest state. Yang's notif protocols could report any manifest state change > (over secure TLS connections) to a centralized security server. > > 2. For secure URLs transmitted by 802.1X with certificates, > Why are these not a "double-check" on the validity of the software? > > Again, it would seem natural to utilize these secure certificates as > "double-checks" on the MUD Manager being "in-sync" with the devices. > > 3. As a less secure double-check on being "in-sync", is the reporting of > MUD URL sent via MUD Devices via DHCP or LLDAP that is not what is in the > manifest. > > These reporting features are useful in transition scenarios as well as > detecting attacks on the MUD manager. > > Editorial nits: > > 1. section 1, last paragraph, sentence 2 > > Old text: /can get/ > New text: /has/ > > English grammar > > 2. Just for my sanity, would you check the following text is correct > > $$SUIT_severable-members-extensions //= ( > suit-manifest-mud => bstr .cbor SUIT_MUD_container > ) > It appears you are looking to define a CBOR Type for the > the SUIT_MOD_container is defined in the text. > > What I think I'm missing is the .cbor value for SUIT. > It looks correct, but I could not derive this from draft-ietf-suit-manifest-24: > > SUIT_Severable_Manifest_Members = ( > ? suit-payload-fetch => bstr .cbor SUIT_Command_Sequence, > ? suit-install => bstr .cbor SUIT_Command_Sequence, > ? suit-text => bstr .cbor SUIT_Text_Map, > * $$SUIT_severable-members-extensions, > ) > > And your IANA definitions of: > > IANA is requested to add a new value to the SUIT envelope elements registry > created with [I-D.ietf-suit-manifest]: Label: TBD2 [[Value allocated from the > standards action address range]] > > Name: Manufacturer Usage Description (MUD) > Reference: [[TBD: This document]] > > Again, this may be due to my incomplete understanding. > This is why this is a NIT rather than an Issue. > > >
- [Suit] Opsdir last call review of draft-ietf-suit… Susan Hares via Datatracker
- Re: [Suit] Opsdir last call review of draft-ietf-… Hannes Tschofenig
- Re: [Suit] Opsdir last call review of draft-ietf-… Hannes Tschofenig
- Re: [Suit] Opsdir last call review of draft-ietf-… Eliot Lear
- Re: [Suit] Opsdir last call review of draft-ietf-… Eliot Lear
- Re: [Suit] [Last-Call] Opsdir last call review of… Behcet Sarikaya
- Re: [Suit] [Last-Call] Opsdir last call review of… Hannes Tschofenig