[Last-Call] Re: Opsdir last call review of draft-ietf-opsawg-mud-tls-13
tirumal reddy <kondtir@gmail.com> Thu, 11 July 2024 14:03 UTC
Return-Path: <kondtir@gmail.com>
X-Original-To: last-call@ietfa.amsl.com
Delivered-To: last-call@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 91DB1C14F6AA; Thu, 11 Jul 2024 07:03:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MEQg05OPau0K; Thu, 11 Jul 2024 07:03:27 -0700 (PDT)
Received: from mail-ej1-x62b.google.com (mail-ej1-x62b.google.com [IPv6:2a00:1450:4864:20::62b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D3C41C14F60E; Thu, 11 Jul 2024 07:03:26 -0700 (PDT)
Received: by mail-ej1-x62b.google.com with SMTP id a640c23a62f3a-a6f3b629b4dso5829866b.3; Thu, 11 Jul 2024 07:03:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1720706605; x=1721311405; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=PcdMgwBn/hbevI0gkrxmjI8Ijk4ERS65rD8XL9dLCiY=; b=gP/Opv24FixAHcQ0ReLr/r/Itd2NtjAuZbXoOdaR3M4h/t8GTCnFJBXDUVBJjlR5vE fqgnU5E8ldVwCoGYqljGtQpb9OkyLdZK7ctNbipu1KK3dOqxvOEIZOAN91Ds4itU3mIk EPn7L9EaleZZ8e05A4NS0cbT6hQ4UpKE0tOgkZpRZi+j1+gBeSaa22zrPoJOgx2tSVdF lrYciSOSfdiPhm/JzRV2NwkOu0hoPq9hlfMr1N3q1AvXRG5r4kix0GEEbucToN9h2ofK TB3FykOm40U5DbSg9qgi4ZNFn0PsAYKV7dCHwInRah9W9RGU57GXV8nOqxO/Gbf5h3V7 Sm5Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1720706605; x=1721311405; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=PcdMgwBn/hbevI0gkrxmjI8Ijk4ERS65rD8XL9dLCiY=; b=IxspoYQUoBlPgqMeGlcUMBCta0+SgDxkIw4E0Y8tbJ+hlNQ4RKlqGp4Wr4oS4v0zui EeIkpeEsPt29nw4l0qV2xPEwRpz48WX55RiwFb/1Ph9zVl9NWl81rzaWVf3CUMSp+TAB Ds0QQS5R265tv2C89UiIXQaBY9wsbZ4SXapECQ0KbRm2lnE+OmHkUI57xgxLV8w2lZKf ZUbS7a5MCWQpXt8eFXwAN0FNqf5SsEsZGOuKtHdyYK12rd9m3FBvTJ1J/URg3jZF+GHP qHAqz3s1WD12TgDK1iTwC6o1dx0GYnszi6GLb5czVUflA7zNNvjQrwnfI4ilb3IOMFbZ dfyQ==
X-Forwarded-Encrypted: i=1; AJvYcCUEsmM4BmW3iJEtr2C8dIb1xCBCq7oYH8GnICOGUxVSEaye4X3aVWHKgm6NbL0quJyU/FbLwHlUkoGxX9uLVy0uXWBS3KCu2TPNz0/yoqTXxMz+g6yr+jw2JgSs3wGZmui5w0E8487V6K9VzBuJ4040lgTBJRDFyhUlkPalHF0psHnGwnDFDjGTFkXo2Ic=
X-Gm-Message-State: AOJu0YwVQjmaUQpApi8sVB90Mdd0xo3NIcq62ZO9Hrl9s+7YSMBPZzHB Ma+fTSwE1F73ijmyu8xo4TXtFkUr8TGfT2Ic9Jo+pW3KFOLuxG+y2C4XqSCAg+yKVUegMQ0RsqA PLtrMCznRHm62DQVkOdOfwecE/T4=
X-Google-Smtp-Source: AGHT+IFstsdLbHbApoij7fXWZrSgKkWEpbEe3VmCpf/ce45ZR7x2K0+DqtHxXkdr6f5ZuLuC+vNIhh8VM5C2u/llN+o=
X-Received: by 2002:a17:906:54d:b0:a77:abf0:ed6c with SMTP id a640c23a62f3a-a798b535f58mr154786066b.6.1720706604244; Thu, 11 Jul 2024 07:03:24 -0700 (PDT)
MIME-Version: 1.0
References: <170911456815.56034.16625649085052714919@ietfa.amsl.com> <CAFpG3gcjoB9u=uf4LC8-9yFS9nMVNottOoAEwJRbaX7XeWhG-A@mail.gmail.com> <DU2PR02MB10160AB77209FA332F57EE9B788A42@DU2PR02MB10160.eurprd02.prod.outlook.com>
In-Reply-To: <DU2PR02MB10160AB77209FA332F57EE9B788A42@DU2PR02MB10160.eurprd02.prod.outlook.com>
From: tirumal reddy <kondtir@gmail.com>
Date: Thu, 11 Jul 2024 19:32:46 +0530
Message-ID: <CAFpG3gfkoun+yLFgkv6==pHoV05QyiXWJfnKKmRgWqMhdydEmw@mail.gmail.com>
To: mohamed.boucadair@orange.com
Content-Type: multipart/alternative; boundary="000000000000e8a6e7061cf939eb"
Message-ID-Hash: SGKII374HUVEGKQZ3ZL4STQNFEFMNGJJ
X-Message-ID-Hash: SGKII374HUVEGKQZ3ZL4STQNFEFMNGJJ
X-MailFrom: kondtir@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Qin Wu <bill.wu@huawei.com>, "ops-dir@ietf.org" <ops-dir@ietf.org>, "draft-ietf-opsawg-mud-tls.all@ietf.org" <draft-ietf-opsawg-mud-tls.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "opsawg@ietf.org" <opsawg@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Last-Call] Re: Opsdir last call review of draft-ietf-opsawg-mud-tls-13
List-Id: IETF Last Calls <last-call.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/nMUcIKdrFdjhPSSfscbe2Cg3tfs>
List-Archive: <https://mailarchive.ietf.org/arch/browse/last-call>
List-Help: <mailto:last-call-request@ietf.org?subject=help>
List-Owner: <mailto:last-call-owner@ietf.org>
List-Post: <mailto:last-call@ietf.org>
List-Subscribe: <mailto:last-call-join@ietf.org>
List-Unsubscribe: <mailto:last-call-leave@ietf.org>
On Wed, 10 Jul 2024 at 14:10, <mohamed.boucadair@orange.com> wrote: > Hi Tiru, > > > > Please see one comment inline. > > > > Cheers, > > Med > > > > *De :* tirumal reddy <kondtir@gmail.com> > *Envoyé :* dimanche 7 juillet 2024 07:24 > *À :* Qin Wu <bill.wu@huawei.com> > *Cc :* ops-dir@ietf.org; draft-ietf-opsawg-mud-tls.all@ietf.org; > last-call@ietf.org; opsawg@ietf.org > *Objet :* [Last-Call] Re: Opsdir last call review of > draft-ietf-opsawg-mud-tls-13 > > > > Hi Qin, > > > > Thanks for the review. Please see inline > > > > On Wed, 28 Feb 2024 at 15:33, Qin Wu via Datatracker <noreply@ietf.org> > wrote: > > Reviewer: Qin Wu > Review result: Has Issues > > I have reviewed this document as part of the Operational directorate's > ongoing > effort to review all IETF documents being processed by the IESG. These > comments were written with the intent of improving the operational aspects > of > the IETF drafts. Comments that are not addressed in last call may be > included > in AD reviews during the IESG review. Document editors and WG chairs > should > treat these comments just like any other last call comments. > > This draft defines 3 YANG modules and specifies TLS profile for IoT device. > This TLS or DTLS profile can be used to detect unexpected TLS usage and > prevent > malware download, block access to malicious domains, etc. > > This document is on the right track and almost ready for publication. > However I > have a few comments, especially to security section and IANA section, on > the > latest version v-13: Major issues: None > > Minor issues > 1. Abstract said: > " > This memo extends the Manufacturer Usage Description (MUD) > specification to incorporate (D)TLS profile parameters. > " > This draft defines 3 YANG data modules, do you think all these 3 YANG > modules > extend MUD specification? > > > > The YANG module defined in Section 5.4 of the draft extends the MUD > specification. > > > > > 2. Section 5.3 IANA (D)TLS profile YANG Module > Section 5.3 seems a little bit overdesign, see the section 2 of RFC7224, I > think the first 5 paragraphs in section 5.3 can be moved or consolidated > into > IANA subsection for specific IANA maintained module. > > > > IANA subsection is referencing section 5.3, please see > https://www.ietf.org/archive/id/draft-ietf-opsawg-mud-tls-13.html#section-10.1 > > > > > > 3. Section 6 Processing of the MUD (D)TLS Profile > As for processing of the MUD TLS profile, I am wondering when the MUL DTLS > profile is not compliant, e.g., some TLS parameters are not defined in the > MUD > TLS profile, do we need to define Error handling and standard Error code, > report specific error code to the management system? If it is not in the > scope, > I think it will be nice to call out explicitly. Otherwise it seems like a > not > complete solution. > > > > It is discussed in Section 6 that an alert would be triggered. > > > > > 4. Section 6 said: > " > If the (D)TLS parameter observed in a (D)TLS session is not > specified in the MUD (D)TLS profile and the (D)TLS parameter is > not recognized by the firewall, it can ignore the unrecognized > parameter and the correct behavior is not to block the (D)TLS > session. > " > Regarding DTLS parameters not recognized by the firewall, I am wondering > there > still is potential security risk. Is there needed to report these > unrecognized > parameters associated with some security context information to the > management > system for further investigation. > > > > This rule ensures that the network security service will ignore the GREASE > values advertised by TLS peers and interoperate with the implementations > advertising GREASE values. GREASE is introduced to generate random > extensions to check and prevent extensibility failures in the TLS, see > https://www.rfc-editor.org/rfc/rfc8701.html for more details. > > > > > 5. Section 6 also said: > " > * Deployments update at different rates, so an updated MUD (D)TLS > profile may support newer parameters. If the firewall does not > recognize the newer parameters, an alert should be triggered to > the firewall vendor and the IoT device owner or administrator. > " > I believe this alert is necessary for security protection or further > investigation, do you think the same alert should be used to remind IoT > Device > owner or administrators to update device software or firmware? > > > > Good point, Section 6 is updated in the latest version of the draft with > the following change: > > > > If the MUD (D)TLS profile includes any parameters that are susceptible to > attacks (e.g., weaker cryptographic parameters), an alert should be > triggered to the firewall vendor and the IoT device owner or administrator. > > > > > 6 Section 8 Security Section > This draft defines three YANG modules, ietf-acl-tls.yang, > iana-tls-profile.yang, ietf-mud-tls. ietf-acl-tls.yang is extended from ACL > module defined in RFC8519, iana-tls-profile.yang is standalone module, the > third module draft-mud-tls is extended from MUD module defined in RFC8520. > Following the structure of section 5 of > draft-ietf-netconf-ssh-client-server, I > think security consideration should be specified for each YANG data module. > > > > The YANG modules are not intended to be accessed via NETCONF. The security > considerations mentioned in RFC8407 are not applicable in this case. > > *[Med] I think Qin has a point here. FWIW, the only exceptions to not use > the template as called in draft-ietf-netmod-rfc8407bis are:* > > > > * Unless the modules comply with [RFC8791] or define YANG extensions* > > * (e.g., [RFC7952]), the security section MUST be patterned after the* > > * latest approved template * > > > > *I know that the base mud spec does not follow the template (it points to > 8519, however), but the reasoning for not following the template is not > valid IMO. I’d like to clarify that the template is not specific to > NETCONF. As a general note, YANG (not only mud models) can be used > independent of NETCONF. I suggest you look at the latest version at > https://datatracker.ietf.org/doc/html/draft-ietf-netmod-rfc8407bis-14#name-security-considerations-sect > <https://datatracker.ietf.org/doc/html/draft-ietf-netmod-rfc8407bis-14#name-security-considerations-sect> > and pick parts that apply to your modules.* > Got it, Thanks. We will update the draft. Cheers, -Tiru > > > > Secondly, since the first YANG module ietf-acl-tls.yang is extended from > ACL > YANG data module defined in RFC85219 therefore I still think security > considerations mentioned in Section 3.7 of [RFC8407]still apply. Please > follow > example in section 5.7 of draft-ietf-netconf-ssh-client-server. > > > 7. Section 8 Security consideration > s/anomaly detection/network anomaly detection > > > > Fixed in the latest version. > > > > > 8. Section 10 IANA consideration > Similarly, since this draft defines three YANG data modules, I think IANA > consideration should be specified for each YANG data module. You can > follow the > example in section 6.3, 6.4 of draft-ietf-netconf-ssh-client-server. > > > > I don't see any such considerations discussed in the base MUD > specification, see https://datatracker.ietf.org/doc/rfc8520/. MUD YANG > Modules are not supposed to be used > > via RESTCONF or NETCONF. > > *[Med] but still used for “network management” :-) * > > > > -Tiru > > > > > 9. Section 10 IANA consideration said: > " > IANA is requested to create an the initial version of the IANA- > maintained YANG Module called "iana-tls-profile", based on the > contents of Section 5.3, which will allow for new (D)TLS parameters and > (D)TLS > versions to be added. IANA is requested to add this note: " Please follow > the > template defined in Section 4.30.3.1 of [I-D.ietf-netmod-rfc8407bis] for > IANA > maintained YANG modules and consolidate the text described in section 5.3. > See > example in section 6.4 of draft-ietf-netconf-ssh-client-server. > > > > > > ____________________________________________________________________________________________________________ > Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc > pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler > a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, > Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. > > This message and its attachments may contain confidential or privileged information that may be protected by law; > they should not be distributed, used or copied without authorisation. > If you have received this email in error, please notify the sender and delete this message and its attachments. > As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. > Thank you. > >
- [Last-Call] Opsdir last call review of draft-ietf… Qin Wu via Datatracker
- [Last-Call] Re: Opsdir last call review of draft-… tirumal reddy
- [Last-Call] Re: Opsdir last call review of draft-… mohamed.boucadair
- [Last-Call] Re: Opsdir last call review of draft-… tirumal reddy