Re: [TLS] [OPSAWG] CALL FOR ADOPTION: draft-reddy-opsawg-mud-tls
tirumal reddy <kondtir@gmail.com> Fri, 11 September 2020 11:52 UTC
From: tirumal reddy <kondtir@gmail.com>
Date: Fri, 11 Sep 2020 17:21:53 +0530
Message-ID: <CAFpG3gdRUAAYmvV1+m=+4_0GUd_SDS0hZHhpSXa2qQ6Civtf-g@mail.gmail.com>
To: Nick Lamb <njl@tlrmx.org>
Cc: opsawg <opsawg@ietf.org>, "<tls@ietf.org>" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/FG8GoWfMyhdXjkgwvxrqwP9zS4s>
On Fri, 11 Sep 2020 at 16:11, Nick Lamb <njl@tlrmx.org> wrote:

> On Fri, 11 Sep 2020 12:32:03 +0530
> tirumal reddy <kondtir@gmail.com> wrote:
>
> > The MUD URL is encrypted and shared only with the authorized
> > components in the network. An attacker cannot read the MUD URL and
> > identify the IoT device. Otherwise, it provides the attacker with
> > guidance on what vulnerabilities may be present on the IoT device.
>
> RFC 8520 envisions that the MUD URL is broadcast as a DHCP option and
> over LLDP without - so far as I was able to see - any mechanism by which
> it should be meaningfully "encrypted" as to prevent an attacker on your
> network from reading it.

RFC 8520 allows other means (see sections 1.5 and 1.8) like 802.1X (for
example, TEAP, which does not allow TLS cipher suites without encryption).
The client identity (certificate carrying the MUD URL) is encrypted and not
visible to eavesdroppers. Further, RFC 8520 discusses that IoT devices may
not even omit the URL. It recommends using a proxy to retrieve the MUD file
for privacy reasons.

-Tiru

> Nick.
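The disagreement above is about where the MUD URL travels in the clear. RFC 8520 registers DHCPv4 option 161 and an LLDP organizationally specific TLV (IANA OUI 00-00-5E, subtype 1) for it; on those paths anyone who can see the broadcast can recover the URL, whereas under 802.1X/TEAP the certificate carrying the URL is inside the TLS tunnel and a passive parser like this never sees it. The following decoder is an added example for this corpus, not code from the thread, RFC 8520 or any of its authors. The DHCP option area and LLDPDU it parses are constructed inline (MAC addresses, TTL and the URL are made up), so it runs offline; on a real capture you would feed it the DHCP option bytes starting at the magic cookie, or the LLDPDU payload after the Ethernet header.

```python
"""Recover the MUD URL from the cleartext announcement paths defined by RFC 8520.

Added example. DHCPv4 option 161 and the LLDP org-specific TLV (OUI 00-00-5E,
subtype 1) carry the URL unencrypted; this decoder shows how little an
on-link observer needs to do to read it.
"""
import struct
from typing import Dict, Iterator, Optional, Tuple

DHCP_MAGIC = b"\x63\x82\x53\x63"   # DHCP options magic cookie (RFC 2132)
OPT_DHCP_MESSAGE_TYPE = 53
OPT_MUD_URL_V4 = 161               # RFC 8520 section 10, DHCPv4 option code
LLDP_TLV_END = 0
LLDP_TLV_ORG_SPECIFIC = 127
IANA_OUI = b"\x00\x00\x5e"          # OUI used by the RFC 8520 LLDP TLV
LLDP_MUD_SUBTYPE = 1


def parse_dhcp_options(payload: bytes) -> Dict[int, bytes]:
    """Parse a DHCPv4 option area (magic cookie first) into {code: value}.

    Pad (0) and End (255) are handled; repeated codes are concatenated as
    RFC 3396 requires for long options. Truncated options raise ValueError.
    """
    if not payload.startswith(DHCP_MAGIC):
        raise ValueError("missing DHCP magic cookie")
    options: Dict[int, bytes] = {}
    i = len(DHCP_MAGIC)
    while i < len(payload):
        code = payload[i]
        if code == 0:          # pad byte, no length field
            i += 1
            continue
        if code == 255:        # end of options
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def mud_url_from_dhcp(payload: bytes) -> Optional[str]:
    """Return the MUD URL carried in option 161, or None if absent."""
    raw = parse_dhcp_options(payload).get(OPT_MUD_URL_V4)
    return raw.decode("utf-8") if raw is not None else None


def parse_lldp_tlvs(lldpdu: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, value) for each TLV; header is 7-bit type + 9-bit length."""
    i = 0
    while i + 2 <= len(lldpdu):
        hdr = struct.unpack("!H", lldpdu[i : i + 2])[0]
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        value = lldpdu[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated LLDP TLV type %d" % tlv_type)
        yield tlv_type, value
        if tlv_type == LLDP_TLV_END:
            break
        i += 2 + length


def mud_url_from_lldp(lldpdu: bytes) -> Optional[str]:
    """Return the MUD URL from the IANA org-specific TLV, subtype 1, or None."""
    for tlv_type, value in parse_lldp_tlvs(lldpdu):
        if (tlv_type == LLDP_TLV_ORG_SPECIFIC and len(value) >= 4
                and value[:3] == IANA_OUI and value[3] == LLDP_MUD_SUBTYPE):
            return value[4:].decode("utf-8")
    return None


def _lldp_tlv(tlv_type: int, value: bytes) -> bytes:
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


# Constructed sample data (assumed values, not a real capture).
MUD_URL = "https://example.com/mud/lightbulb.json"
SAMPLE_DHCP_OPTIONS = (
    DHCP_MAGIC
    + bytes([OPT_DHCP_MESSAGE_TYPE, 1, 1])           # option 53: DHCPDISCOVER
    + bytes([0])                                      # a pad byte in the middle
    + bytes([OPT_MUD_URL_V4, len(MUD_URL)]) + MUD_URL.encode()
    + bytes([255])
)
_MAC = bytes.fromhex("001122334455")
SAMPLE_LLDPDU = (
    _lldp_tlv(1, b"\x04" + _MAC)                      # Chassis ID, subtype MAC
    + _lldp_tlv(2, b"\x03" + _MAC)                    # Port ID, subtype MAC
    + _lldp_tlv(3, struct.pack("!H", 120))            # TTL
    + _lldp_tlv(LLDP_TLV_ORG_SPECIFIC, IANA_OUI + bytes([LLDP_MUD_SUBTYPE]) + MUD_URL.encode())
    + _lldp_tlv(LLDP_TLV_END, b"")
)

if __name__ == "__main__":
    print("DHCP option 161:", mud_url_from_dhcp(SAMPLE_DHCP_OPTIONS))
    print("LLDP TLV:       ", mud_url_from_lldp(SAMPLE_LLDPDU))
```

Both functions return the same URL from the constructed frames, which is the point of the objection in the thread: on the DHCP and LLDP paths the identifying string is available to any host on the segment. The same code fed an 802.1X exchange finds nothing, because the URL there is in a certificate exchanged inside the TLS tunnel rather than in an option or TLV on the wire.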