Re: [TLS] [OPSAWG] CALL FOR ADOPTION: draft-reddy-opsawg-mud-tls

Eliot Lear <> Mon, 14 September 2020 15:09 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 0267F3A0B52; Mon, 14 Sep 2020 08:09:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -9.6
X-Spam-Status: No, score=-9.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id pnjv9MGkSM25; Mon, 14 Sep 2020 08:09:11 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E152E3A0B2D; Mon, 14 Sep 2020 08:08:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=7347; q=dns/txt; s=iport; t=1600096133; x=1601305733; h=from:message-id:mime-version:subject:date:in-reply-to:cc: to:references; bh=qABoPbcHK6r/F+Gbmu5O0xq6yKiVXbt08FUZ5aQFvKI=; b=DstEvdLrmCQyu4EZ+ZqHJWaFwp16GVgfuSbsh0Oc8CUzuyIhbUR2D4JW xK24vYayA9YH+YdOIT1ymVfxfN8suUrcKcnQmaGYWwzUb5quPCLYM+g34 xdnPdy4nWRhlY0zEGn8dEvvmgZqD+9cczsJQ+/E4goUNcYEuq1BIJAVho 0=;
X-Files: signature.asc : 488
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.76,426,1592870400"; d="asc'?scan'208,217";a="27157491"
Received: from (HELO ([]) by with ESMTP/TLS/DHE-RSA-SEED-SHA; 14 Sep 2020 15:08:48 +0000
Received: from ( []) by (8.15.2/8.15.2) with ESMTPS id 08EF8lpM018639 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Mon, 14 Sep 2020 15:08:48 GMT
From: Eliot Lear <>
Message-Id: <>
Content-Type: multipart/signed; boundary="Apple-Mail=_817C7DD1-5A82-491A-ADB4-2E944A071C03"; protocol="application/pgp-signature"; micalg="pgp-sha256"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.\))
Date: Mon, 14 Sep 2020 17:08:45 +0200
In-Reply-To: <>
Cc: tirumal reddy <>, Nick Lamb <>, opsawg <>, "<>" <>
To: Ben Schwartz <>
References: <> <> <> <> <> <> <>
X-Mailer: Apple Mail (2.3608.
Archived-At: <>
Subject: Re: [TLS] [OPSAWG] CALL FOR ADOPTION: draft-reddy-opsawg-mud-tls
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 14 Sep 2020 15:09:16 -0000

Hi Ben,

Much of this relitigates RFC 8520, but IMHO it is worth reviewing assumptions from time to time.  Remember, the purpose of MUD is to identify an authorization profile for a device to a network so that either access can be granted based on that profile or an anomaly can be detected.  The primary, but not exclusive, focus is on IOT.

Please see below.

> This design treats the MUD file as a "widely shared secret", which is a fragile arrangement.  It does not appear to match the main conceptual model of MUD, which describes MUD files as being "published", i.e. generally public.

We should separate the MUD URL from the MUD file.  The MUD file is absolutely 100% public, and consists of information that is observable – or should be observable – from the device.  So if you are a Meddler In The Middle (;-) (MITM) you get this information anyway.

The MUD URL gives up device type information.  This is different in character, but often but not always easily gotten.  I would say that if a manufacturer is taking steps to prevent fingerprinting, then they should take steps to protect the MUD URL.  That’s an active area of interest for some.

> I also think this proposal is likely to seriously impede the ability of IoT vendors to adopt new versions of TLS, or new protocols such as QUIC.  Such updates would be delayed by (1) the need to add entries to this YANG model, and then (2) the time for MUD gateways to develop and deploy the new entries.  Delaying protocol upgrades reduces security, contrary to the goals of this draft.

One can deploy a MUD file update in advance of a code update.  The latter takes a whole lot longer than the former.  No IoT manufacturer is going to put out something in less than the default time of 48 hours, lest they brick millions of devices.  Is this more work for an IoT manufacturer?  Sure.  One thing the draft might do is discuss how to incorporate something into unit testing to write out the change.