Re: [TLS] [OPSAWG] CALL FOR ADOPTION: draft-reddy-opsawg-mud-tls

tirumal reddy <kondtir@gmail.com> Fri, 11 September 2020 11:52 UTC

References: <21BA8D05-DD83-44DE-81B9-457692484CAD@cisco.com> <053b286e-4780-1818-a79d-71b9c967bbd2@sandelman.ca> <CAHbrMsANEA4omTm5dPYLN9zGde2YdT_71ujpBcCEer_xSkPhbw@mail.gmail.com> <CAFpG3gepojPJoK8W+o9Qr66gPSUqHY+sDX-v+-fuwcM9Y56C_g@mail.gmail.com> <20200911114054.184988dc@totoro.tlrmx.org>
In-Reply-To: <20200911114054.184988dc@totoro.tlrmx.org>
From: tirumal reddy <kondtir@gmail.com>
Date: Fri, 11 Sep 2020 17:21:53 +0530
Message-ID: <CAFpG3gdRUAAYmvV1+m=+4_0GUd_SDS0hZHhpSXa2qQ6Civtf-g@mail.gmail.com>
To: Nick Lamb <njl@tlrmx.org>
Cc: opsawg <opsawg@ietf.org>, "<tls@ietf.org>" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/FG8GoWfMyhdXjkgwvxrqwP9zS4s>
Subject: Re: [TLS] [OPSAWG] CALL FOR ADOPTION: draft-reddy-opsawg-mud-tls

On Fri, 11 Sep 2020 at 16:11, Nick Lamb <njl@tlrmx.org> wrote:

> On Fri, 11 Sep 2020 12:32:03 +0530
> tirumal reddy <kondtir@gmail.com> wrote:
>
> > The MUD URL is encrypted and shared only with the authorized
> > components in the network. An  attacker cannot read the MUD URL and
> > identify the IoT device. Otherwise, it provides the attacker with
> > guidance on what vulnerabilities may be present on the IoT device.
>
> RFC 8520 envisions that the MUD URL is broadcast as a DHCP option and
> over LLDP without - so far as I was able to see - any mechanism by which
> it should be meaningfully "encrypted" as to prevent an attacker on your
> network from reading it.
>

RFC 8520 allows other means (see sections 1.5 and 1.8) like 802.1X (for
example, TEAP, which does not allow TLS cipher suites without encryption).
The client identity (certificate carrying the MUD URL) is encrypted and not
visible to eavesdroppers. Further, RFC 8520 discusses that IoT devices may not
even emit the URL. It recommends using a proxy to retrieve the MUD file
for privacy reasons.

-Tiru


>
> Nick.
>
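As an added example (not code from this thread or from any RFC 8520 implementation) of the transport difference being debated: the DHCPv4 MUD URL option, code 161 in RFC 8520, is a plain code/length/value field, so the MUD manager and anything else that sees the DHCP exchange recover the URL the same way, which is why the 802.1X/TEAP path matters for confidentiality. The sample URL and the option blob below are constructed.

```python
import struct
from typing import Dict, Optional
from urllib.parse import urlparse

OPTION_MUD_URL_V4 = 161  # RFC 8520, section 10: DHCPv4 option code for the MUD URL
OPTION_MSG_TYPE = 53     # standard DHCP message type option, used as filler here
OPTION_PAD, OPTION_END = 0, 255

def encode_mud_url_option(url: str) -> bytes:
    """Build the option TLV; the URL travels as plain UTF-8 bytes, not encrypted."""
    data = url.encode("utf-8")
    if len(data) > 255:
        raise ValueError("MUD URL exceeds single-option length")
    return struct.pack("!BB", OPTION_MUD_URL_V4, len(data)) + data

def parse_dhcp_options(blob: bytes) -> Dict[int, bytes]:
    """Walk the DHCPv4 options field (after the magic cookie) as code/len/value."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPTION_PAD:
            i += 1
            continue
        if code == OPTION_END:
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts

def extract_mud_url(blob: bytes) -> Optional[str]:
    """Return the MUD URL if present and well-formed; RFC 8520 requires https."""
    raw = parse_dhcp_options(blob).get(OPTION_MUD_URL_V4)
    if raw is None:
        return None
    url = raw.decode("utf-8")
    return url if urlparse(url).scheme == "https" else None

# Constructed DHCPDISCOVER option field: message type 1, the MUD URL, end marker.
# The URL is a placeholder, not a real manufacturer's MUD URL.
SAMPLE_URL = "https://example.com/mud/placeholder-device.json"
SAMPLE_OPTIONS = (struct.pack("!BBB", OPTION_MSG_TYPE, 1, 1)
                  + encode_mud_url_option(SAMPLE_URL) + bytes([OPTION_END]))
```

The same parse is what a MUD manager performs on a DHCP relay or snooping feed; the scheme check drops URLs that do not satisfy the RFC's https requirement.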