Re: [TLS] [OPSAWG] CALL FOR ADOPTION: draft-reddy-opsawg-mud-tls

Eliot Lear <> Tue, 15 September 2020 09:21 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 647343A0BB1; Tue, 15 Sep 2020 02:21:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -9.601
X-Spam-Status: No, score=-9.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id v1cOSblXjczD; Tue, 15 Sep 2020 02:21:56 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D50D23A0C06; Tue, 15 Sep 2020 02:21:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=2488; q=dns/txt; s=iport; t=1600161716; x=1601371316; h=from:message-id:mime-version:subject:date:in-reply-to:cc: to:references; bh=g1+NKIIoD4nkGpn5Gj2xP+wu51WUKKm7E0PQ2P2S+9o=; b=DOuH5CwhgNhxeKj5MEFMwyiKSUr5+cs5Ltvk90nwsFw8vNBC+G9vii5J dLnzf9twJkFa8+R4ap95lTU6dfb54lV/Qa7AoXNfexo6obij2zrN0jXTP CJo3nWfDj+INjdop2FVE/QjYPzhOXdSO9Ub3dhEVqyVG9nOrutrrEi5HF Q=;
X-Files: signature.asc : 488
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.76,429,1592870400"; d="asc'?scan'208";a="27186044"
Received: from (HELO ([]) by with ESMTP/TLS/DHE-RSA-SEED-SHA; 15 Sep 2020 09:21:51 +0000
Received: from [] ([]) by (8.15.2/8.15.2) with ESMTPS id 08F9Lpq6008295 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 15 Sep 2020 09:21:51 GMT
From: Eliot Lear <>
Message-Id: <>
Content-Type: multipart/signed; boundary="Apple-Mail=_FDC4E405-DA15-4D16-B0BB-DE91FACB4ADF"; protocol="application/pgp-signature"; micalg="pgp-sha256"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.\))
Date: Tue, 15 Sep 2020 11:21:50 +0200
In-Reply-To: <>
Cc: tirumal reddy <>, Nick Lamb <>, opsawg <>, "<>" <>
To: Ben Schwartz <>
References: <> <> <> <> <> <> <> <> <>
X-Mailer: Apple Mail (2.3608.
X-Outbound-SMTP-Client:, []
Archived-At: <>
Subject: Re: [TLS] [OPSAWG] CALL FOR ADOPTION: draft-reddy-opsawg-mud-tls
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 15 Sep 2020 09:21:58 -0000

Hi Ben

Thanks for the response.  Please see below.

> Agreed ... but this proposal appears to be predicated on a contrary assumption.  It assumes that it is difficult for malware to learn the TLS profile of the device, and then proceeds to place this profile information in the (public) MUD file, where malware can easily retrieve it.

Ok, I didn’t take that from this discussion.

> I'm not thinking of the hours-days timescale of MUD file updates; I'm thinking of the months-years timescale of updating standards to support new features.  How long does a device have to wait after a new protocol revision comes out before it can start using the new protocol?

Ok, I see what you are saying.  Thanks for getting me there.

The question is what to do when you start seeing something you don’t understand.  Let’s take a TLS extension, for instance.  If the TLS extension is unknown to the f/w but is declared somehow, that tells the firewall that they have some coding to do, and should be conservative about complaining over something that is out of profile.  I don’t see that as a show stopper.  What I do see as a showstopper would be if, as is written and you rightly observe, a new rev of a YANG model is required to introduce the TLS extension, so that part would need to be described in a more flexible manner (e.g, an IANA registration or similar).  I’d suggest the authors consider that.