Re: [TLS] [OPSAWG] CALL FOR ADOPTION: draft-reddy-opsawg-mud-tls

Nick Lamb <njl@tlrmx.org> Fri, 11 September 2020 10:41 UTC

Return-Path: <njl@tlrmx.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34ED93A0E49; Fri, 11 Sep 2020 03:41:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=tlrmx.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TbZ4qmhjGBcP; Fri, 11 Sep 2020 03:41:05 -0700 (PDT)
Received: from cheetah.birch.relay.mailchannels.net (cheetah.birch.relay.mailchannels.net [23.83.209.34]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7EC7A3A0E37; Fri, 11 Sep 2020 03:41:04 -0700 (PDT)
X-Sender-Id: dreamhost|x-authsender|njl@tlrmx.org
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id 2E0933417C2; Fri, 11 Sep 2020 10:41:03 +0000 (UTC)
Received: from pdx1-sub0-mail-a49.g.dreamhost.com (100-96-5-150.trex.outbound.svc.cluster.local [100.96.5.150]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id 8862B34177B; Fri, 11 Sep 2020 10:41:02 +0000 (UTC)
X-Sender-Id: dreamhost|x-authsender|njl@tlrmx.org
Received: from pdx1-sub0-mail-a49.g.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384) by 0.0.0.0:2500 (trex/5.18.9); Fri, 11 Sep 2020 10:41:02 +0000
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|njl@tlrmx.org
X-MailChannels-Auth-Id: dreamhost
X-Cooperative-Eight: 5145455861071a8d_1599820862804_1830565371
X-MC-Loop-Signature: 1599820862804:3176221744
X-MC-Ingress-Time: 1599820862804
Received: from pdx1-sub0-mail-a49.g.dreamhost.com (localhost [127.0.0.1]) by pdx1-sub0-mail-a49.g.dreamhost.com (Postfix) with ESMTP id 1962E8331F; Fri, 11 Sep 2020 03:41:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=tlrmx.org; h=date:from:to :cc:subject:message-id:in-reply-to:references:mime-version :content-type:content-transfer-encoding; s=tlrmx.org; bh=pxs24e1 BgXBJxZwh1K1DK0bVtCw=; b=HOGrClHfZO1j/nhL55PXtxhsqYfv9DGTyRMCx3N UUFoG4NjNWpnT5nGoyVhLxjVahCBwrkkI2O7kvhIC21hJgS061Qvek0eSjZtYvuj aT69BGfMiTCt6X9njor9/fgHWK3PFg6pz6codH/UzncuaP+5xZaIQ6s1O+5st5aC yoII=
Received: from totoro.tlrmx.org (124.89.2.81.in-addr.arpa [81.2.89.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: njl@tlrmx.org) by pdx1-sub0-mail-a49.g.dreamhost.com (Postfix) with ESMTPSA id 091FA83319; Fri, 11 Sep 2020 03:40:58 -0700 (PDT)
Date: Fri, 11 Sep 2020 11:40:54 +0100
X-DH-BACKEND: pdx1-sub0-mail-a49
From: Nick Lamb <njl@tlrmx.org>
To: tirumal reddy <kondtir@gmail.com>
Cc: opsawg <opsawg@ietf.org>, "<tls@ietf.org>" <tls@ietf.org>
Message-ID: <20200911114054.184988dc@totoro.tlrmx.org>
In-Reply-To: <CAFpG3gepojPJoK8W+o9Qr66gPSUqHY+sDX-v+-fuwcM9Y56C_g@mail.gmail.com>
References: <21BA8D05-DD83-44DE-81B9-457692484CAD@cisco.com> <053b286e-4780-1818-a79d-71b9c967bbd2@sandelman.ca> <CAHbrMsANEA4omTm5dPYLN9zGde2YdT_71ujpBcCEer_xSkPhbw@mail.gmail.com> <CAFpG3gepojPJoK8W+o9Qr66gPSUqHY+sDX-v+-fuwcM9Y56C_g@mail.gmail.com>
X-Mailer: Claws Mail 3.17.5 (GTK+ 2.24.32; x86_64-redhat-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-VR-OUT-STATUS: OK
X-VR-OUT-SCORE: 0
X-VR-OUT-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgeduiedrudehledgfeefucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuggftfghnshhusghstghrihgsvgdpffftgfetoffjqffuvfenuceurghilhhouhhtmecufedttdenucenucfjughrpeffhffvuffkjghfofggtgfgsehtjeertdertddvnecuhfhrohhmpefpihgtkhcunfgrmhgsuceonhhjlhesthhlrhhmgidrohhrgheqnecuggftrfgrthhtvghrnhepteejledufedvtdekfffggfdugfevffffgedtueelffekvdevvdefvdejvdelleeunecukfhppeekuddrvddrkeelrdduvdegnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmohguvgepshhmthhppdhhvghlohepthhothhorhhordhtlhhrmhigrdhorhhgpdhinhgvthepkedurddvrdekledruddvgedprhgvthhurhhnqdhprghthheppfhitghkucfnrghmsgcuoehnjhhlsehtlhhrmhigrdhorhhgqedpmhgrihhlfhhrohhmpehnjhhlsehtlhhrmhigrdhorhhgpdhnrhgtphhtthhopehtlhhssehivghtfhdrohhrgh
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/U_hIEq8vcBsx47HyuU_49Z-KL2c>
Subject: Re: [TLS] [OPSAWG] CALL FOR ADOPTION: draft-reddy-opsawg-mud-tls
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Sep 2020 10:41:07 -0000

On Fri, 11 Sep 2020 12:32:03 +0530
tirumal reddy <kondtir@gmail.com> wrote:

> The MUD URL is encrypted and shared only with the authorized
> components in the network. An  attacker cannot read the MUD URL and
> identify the IoT device. Otherwise, it provides the attacker with
> guidance on what vulnerabilities may be present on the IoT device.

RFC 8520 envisions that the MUD URL is broadcast as a DHCP option and
over LLDP without - so far as I was able to see - any mechanism by which
it should be meaningfully "encrypted" as to prevent an attacker on your
network from reading it.

Nick.