IETF Logo Mail Archive

Re: [Suit] AD Review of draft-ietf-suit-mud-04

Hannes Tschofenig <hannes.tschofenig@gmx.net> Sat, 23 September 2023 19:23 UTC

Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 47F6BC14CEFC for <suit@ietfa.amsl.com>; Sat, 23 Sep 2023 12:23:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.103
X-Spam-Level:
X-Spam-Status: No, score=-2.103 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmx.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AxPgo3ivm3rl for <suit@ietfa.amsl.com>; Sat, 23 Sep 2023 12:23:58 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.20]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C3A4BC14F749 for <suit@ietf.org>; Sat, 23 Sep 2023 12:23:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=s31663417; t=1695497028; x=1696101828; i=hannes.tschofenig@gmx.net; bh=A0pboQ+Hig+t5UXin746ZzRkDDGwdbK3f7oNhc8qnQo=; h=X-UI-Sender-Class:Date:Subject:To:References:From:In-Reply-To; b=PsYwg8IFwqV8EQt0XScg7liX4cuUi5eNu3KVCviKyv6HhOG+lzSaXxPlXWBbMLyyzfrU9QxSC2f ppTMs/b+tMhEdN6485osZU6HghylHHXaEFPwmLl6awHpMyBhuEBg86koWAco+2+yvLkmom26TDETS O+Xc0033foR9hI9oNDhB/tAckOkTej3aOTKKammBL1uMRG46AZMs4DjeanOK6+KFQsxIoCtJzmT1m oa1MDQMZRNi/ZRaVjJJwjBj/+ZRAIvohapvBKmnJdBcy5RenMafLjTuTqtcQcUEs7gFuccvRChas7 S66vDZVfSILrqexYGpLmvNWxv0qnfGQaDbGQ==
X-UI-Sender-Class: 724b4f7f-cbec-4199-ad4e-598c01a50d3a
Received: from [172.16.254.186] ([195.149.218.225]) by mail.gmx.net (mrgmx105 [212.227.17.168]) with ESMTPSA (Nemesis) id 1Msq6C-1rYvV61ZgO-00tC2F; Sat, 23 Sep 2023 21:23:48 +0200
Message-ID: <00be016c-4af2-4412-b589-00901767406f@gmx.net>
Date: Sat, 23 Sep 2023 21:23:45 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Roman Danyliw <rdd@cert.org>, "suit@ietf.org" <suit@ietf.org>
References: <BN2P110MB1107855C16B88C7F809FAA53DCECA@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM> <316958dd-341c-3b52-af9b-b8a71ab64101@gmx.net> <BN2P110MB1107B68DE1124C5B571D06CEDCFFA@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
In-Reply-To: <BN2P110MB1107B68DE1124C5B571D06CEDCFFA@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
X-Provags-ID: V03:K1:U2kVBexxhZn+d3u+VRKriAItDdYJyMbDsHdQt9BwhGvDxsm2p6T x9/BcfF+y6gwWmrCOinlWIkDK7VwOlBMQeWYvU5R0hREFCh9719ZmKrihmBvbO9DGGoJkdu kvDDO/oNcWdCA0SDLr5TW1cjrWqZHs6qrbEAoTON4Vb9t+iaBQz4RiiAKxlhhkTtzQndzt+ FWNoaBkQkyyxxO81kdORg==
UI-OutboundReport: notjunk:1;M01:P0:NVQxZrQuL6U=;XkcGhlRLC4Gjz5tMyuxA366kdLn 0+P5NA4xWgvsiQ6W+dfov1TUByqJUDjKIddoNBNamAEXbfVv3LFslkGFI0bCdFjzER+1ZRoRT pWSdEt715UMferLxzABuIQwUGnKHsQdHmWghZr+kHou4SjTHrU0CWJuOmLqwmaDAdOG+RE4q0 W3nzjYuKFa6OwX1dIQOjCUrWujOJ//aH2lQNDgxtgnvT0MhfekQd2SscC8iV6iPmBqYsn5gzu qWxjT/pQxf/LbzhGMOlngkFlS1lrS+D6EXVntIgy79u90saYQrIZm1rn05P67pRF0+I2TE8gU YeIaX3iiAkkmR1KIkVbh0awI8TUJgtmysrha2+AmpCqJHrIoG+jm0CSFHbsUXeNRH1qipMQDt rE7Jbf3BPdGlRfms4j7WKtekJE6d7+hMhVNaZbhlcXROT4iYeKckxOisG9DEZI8ZJY6ZV3fvk 5v9PxgbHxDsCXYuM3XnYdf5FfFBxiWeiskO+jQeec2MRPf2OA1jLLPT6PSLsjgEi13jrrXitc ovirgIvguZbQkhIkdAIhghTd9y/hLEqd0z+N80glOIXdm/7xBB4Z3l8kxcej28m7bJky0Y4wq eT18MtNhZ3tGRTwrnHWMJbr4ZDxrhA7i/b8tow29p7cfbXw5NyjF5r6oObcypDorZE88KFxbb I24I8/otF2HX5SNduFf0ACi9X8CzJIrErmFpE9MmaZV3N8xp4vczRbwV6yvAzj0eEdsStyN9l SQ2LGsZ878dtFUyyXvCUWdD+WNtelpNnLEGlXDUyJf8PfbgSNtrlkF5349xTDA/9BiWalW9x8 8nmrA84s3otXTDP9OeYg9zBlfWNH6GUyVxV/jVpvAc9cAdIdlfAUetEk+eXlvkFd7Dxb4Vf4b ZeXVjBdqmQbaxcQ7WAnIyTyfaFBdqpuJFtIeFJWqFW9BsvPxScl0AUOWiVaA5Vup9FpGahL88 h2F0qOy4jColjCU+IVJLk0Wg/l0=
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/xRT55NR6fAQuuSYmApXAdC-zO8U>
Subject: Re: [Suit] AD Review of draft-ietf-suit-mud-04
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Sep 2023 19:23:59 -0000

Hi Roman,


thanks for the extra feedback. Responses inline:


Am 23.09.2023 um 00:41 schrieb Roman Danyliw:
> Hi Hannes!
>
> Thanks so much for publishing -05.  My remaining line of feedback is around my original questions about Section 3 –- the normative guidance around the workflow.  The new text in Section 3 on the steps in the workflow are much clearer, and I very much appreciated the pro/con write-up of the design in Section 4.  Not many specifications will write-up the cons.
>
> If I read things correctly, the Section 3 workflow is trying to mirror a new MUD conveyance approach like DHCP or LLDP.  What I’m grappling with is how interoperable is this attestation step as currently scoped?  EAT is cited normatively, but there are no other normative details on how this attestation should occur.
>
> Are there any requirements other than an “EAT token with a manifest claim is somehow passed”?
>
> Is there any guidance on conveyance?  For example, EAP is mentioned (as an example).  Is there a pointer on how an EAT can be carried by an EAP method?

Currently, this attestation step is not interoperable. While there is
the need to convey an EAT token in an EAP method exchange, I haven't
seen such an EAP method yet.

Theoretically, one could argue that the work in
<draft-fossati-tls-attestation> could be applied to an EAP-TLS-based
method but nobody has done this work yet.


>
> Related to what “attestation” means, is the subsequent text in Section 4: “The device does not report the MUD URL, so the device cannot tamper with the MUD URL.”  I took that to mean that there is a distinction being made between TEE and a REE; and the “device” here is the REE. Is that intended interpretation?

I think the text needs a picture. There is the underlying assumption
with the use of attestation technology that some low-level
software/hardware is able to collect measurements from about its
environment. When that software generates the attestation evidence for
use with remote attestation then it includes information about the
manifest. When using the SUIT manifest, the attester will hopefully
verify also the firmware the SUIT manifest describes.


>
> If accurate, I recommend explicitly clarifying this.  Section 1.1 of draft-ietf-rats-eat-21 seems to lay out uses of EAT which are not TEE based.  A quick scan of draft-ietf-suit-architecture found definitions for TEE and REE, but (with using a keyword search only) REE is never used after it is defined, and TEE is used once in Section 6 without direct guidance on use.


The RATS architecture does not say where some of the functionality is
implemented. The attester-functionality needs to be provided by some
low-level software, which would be close to a TEE in the TEEP terminology.


To summarize, this document is something you could describe as more
forward looking than the other SUIT items.


Ciao
Hannes


>
> Thanks,
> Roman
>
>> -----Original Message-----
>> From: Suit <suit-bounces@ietf.org> On Behalf Of Hannes Tschofenig
>> Sent: Sunday, September 10, 2023 10:59 AM
>> To: Roman Danyliw <rdd@cert.org>; suit@ietf.org
>> Subject: Re: [Suit] AD Review of draft-ietf-suit-mud-04
>>
>> Hi Roman,
>>
>>
>> those are great review comments.
>>
>>
>> I have started to address them, see
>> https://github.com/bremoran/suit-mud/pull/5
>>
>>
>> You have certainly discovered the weakness of this proposal. It relies on a
>> number of technologies to be in place before it can actually be deployed. When
>> those conditions are met, there are security and operational benefits. I made
>> this more clear in the write-up.
>>
>>
>> Ciao
>>
>> Hannes
>>
>>
>> PS: Only the MUD URL is included in the manifest and not the MUD file itself.
>> Your reading of the CDDL was correct.
>>
>>
>> Am 09.09.2023 um 22:18 schrieb Roman Danyliw:
>>> Hi!
>>>
>>> I performed an AD review of draft-ietf-suit-mud-04.  Thanks for this
>> document.  Below is my feedback.
>>> ** Section 1 and 6 assert that a MUD file can be included by reference or
>> value.  How does one include a MUD file by value?  Excuse my familiarity with
>> CDDL but my read of SUIT_MUD_container is that is contains only a URL and
>> associate SKI.  All of the other CDDL in Section 5 by my read is about
>> integrating the SUIT_MUD_container data structure so it can be as a manifest
>> member or be severable.
>>> ** Section 3.  I was confused on how to read this section.  I was
>>> expecting this document to primarily discuss how to embed MUD
>>> information into a SUIT manifest.  However, this section seems to
>>> define attestation behavior and functionality on the end-point that is
>>> outside the SUIT workflow and more rigorous than required in the core
>>> SUIT manifest document.  Is this section normative or just an example?
>>> [I-D.ietf-rats-eat] being cited normatively here suggests the section
>>> is also normative.  If this is an example, please make that clearer
>>> and don’t make EAT a normative reference.  If not, then please be more
>>> specification about these attestation mechanisms (more below)
>>>
>>> ** Section 3.
>>>
>>>      *  At the time of onboarding, devices report their manifest in use to
>>>         the MUD manager via attestation evidence.
>>>
>>> Can a pointer please be provided on the normative mechanism for sharing
>> attestation evidence with the MUD manager?  I ask because RFC8520 doesn’t
>> mention attestation as an activity done by the MUD manager.
>>>      *  If the SUIT_MUD_container, see Section 5, has been severed, the
>>>         MUD manager can use the suit-reference-uri to retrieve the
>>>         complete SUIT manifest.
>>>
>>> What happens if suit-reference-uri is not included?  If my reading of draft-
>> ietf-suit-manifest-22 is correct, this field is optional.
>>>      *  Each time a device is updated, rebooted, or otherwise
>>>         substantially changed, it will execute an attestation.
>>>
>>> Is this new requirement on any device including this MUD extension?
>>>
>>>         -  Among other claims in the Entity Attestation Token (EAT)
>>>            [I-D.ietf-rats-eat], the device will report its software
>>>            digest(s), configuration digest(s), manifest URI, and manifest
>>>            digest to the MUD manager.
>>>
>>> What is the profile of the EAT claims needed?  How is it conveying this EAT
>> token?
>>>      *  If the MUD manager does not already have a full copy of the
>>>         manifest, it can be acquired using the reference URI.
>>>
>>> When the manifest was retrieved in step #2 is was verified in step #3.  Here,
>> there is no explicit language about verification.
>>>      *  Once a full copy of the manifest is provided, the MUD manager can
>>>         verify the device attestation report
>>>
>>> Wouldn’t the device have to emit the device attestation report?
>>>
>>> ** Section 5.  To be clear, suit-mud-ski is the subject key identifier for the key
>> used in the MUD signature file described in Section 13.2 of RFC8520?  If so,
>> editorial, I would have benefited from an explicit statement to that effect.
>>> ** Section 6.  Do any Security Considerations from suit-manifest or MUD
>> apply here?
>>> ** Reference
>>>
>>> --  [I-D.isobe-cose-key-thumbprint] is now adopted by the WG and is draft-
>> ietf-cose-key-thumbprint.  Please replace it.
>>> -- feedback from idnits:
>>>     == Unused Reference: 'RFC7093' is defined on line 288, but no explicit
>>>        reference was found in the text
>>>
>>>     ** Downref: Normative reference to an Informational RFC: RFC 7093
>>>
>>> Please drop it.
>>>
>>> Regards,
>>> Roman
>>> _______________________________________________
>>> Suit mailing list
>>> Suit@ietf.org
>>> https://www.ietf.org/mailman/listinfo/suit
>> _______________________________________________
>> Suit mailing list
>> Suit@ietf.org
>> https://www.ietf.org/mailman/listinfo/suit
> _______________________________________________
> Suit mailing list
> Suit@ietf.org
> https://www.ietf.org/mailman/listinfo/suit

v2.23.0 | Report a Bug | By Email