Hi Qin, Please see inline
On Tue, 9 Jul 2019 at 08:30, Qin Wu <[email protected]> wrote: > Interesting work, three questions: > > 1. Can the IoT device (D)TLS profile be disclosed to malicious agent or > IoT device? If not, how do you prevent these sensitive information leaking? > > It is not sensitive information, on-path network devices can inspect or monitor the TLS handshake without acting as a TLS proxy. In TLS 1.3, ClientHello message is not encrypted and few parameters in the ServerHello message are still visible (such as the chosen cipher). > 2. Do you frequently update DTLS profile disclosed to IoT device to > prevent malicious agent from snooping? > > No, Malware frequently uses its own libraries (SSL config) for its activities, and malware developers will have to develop malicious agents per IoT device type, manufacturer and model (which will be several thousands and practically not possible). > 3. How does enterprise firewal use DTLS profile to detect malicious > flow or legitimate flow? > > If (D)TLS session from the IoT device violates MUD (D)TLS profile, firewall detects the flow is malicious and blocks it. As you may know, Enterprise firewalls inspect TLS handshake and are capable of acting as a (D)TLS proxy (please see https://tools.ietf.org/html/draft-camwinget-tls-use-cases-05). Cheers, -Tiru -Qin > > *发件人:* OPSAWG [mailto:[email protected]] *代表 *tirumal reddy > *发送时间:* 2019年7月8日 22:03 > *收件人:* [email protected]; [email protected] > *主题:* [OPSAWG] Fwd: New Version Notification for > draft-reddy-opswg-mud-tls-00.txt > > > > This draft https://tools.ietf.org/html/draft-reddy-opswg-mud-tls-00 > discusses Manufacturer Usage Description (MUD) extension to model (D)TLS > profile on IoT devices. This allows a firewall to notice abnormal DTLS or > TLS usage, which has been a strong indicator of other software running on > the endpoint, typically malware. > > > Comments, suggestions, and questions are more than welcome. > > Cheers, > -Tiru > > > > ---------- Forwarded message --------- > From: <[email protected]> > Date: Mon, 8 Jul 2019 at 19:18 > Subject: New Version Notification for draft-reddy-opswg-mud-tls-00.txt > To: Tirumaleswar Reddy <[email protected]>, Dan Wing <[email protected]> > > > > > A new version of I-D, draft-reddy-opswg-mud-tls-00.txt > has been successfully submitted by Tirumaleswar Reddy and posted to the > IETF repository. > > Name: draft-reddy-opswg-mud-tls > Revision: 00 > Title: MUD (D)TLS profiles for IoT devices > Document date: 2019-07-08 > Group: Individual Submission > Pages: 16 > URL: > https://www.ietf.org/internet-drafts/draft-reddy-opswg-mud-tls-00.txt > Status: > https://datatracker.ietf.org/doc/draft-reddy-opswg-mud-tls/ > Htmlized: https://tools.ietf.org/html/draft-reddy-opswg-mud-tls-00 > Htmlized: > https://datatracker.ietf.org/doc/html/draft-reddy-opswg-mud-tls > > > Abstract: > This memo extends Manufacturer Usage Description (MUD) to model DTLS > and TLS usage. This allows a network element to notice abnormal DTLS > or TLS usage which has been strong indicator of other software > running on the endpoint, typically malware. > > > > > Please note that it may take a couple of minutes from the time of > submission > until the htmlized version and diff are available at tools.ietf.org. > > The IETF Secretariat >
_______________________________________________ OPSAWG mailing list [email protected] https://www.ietf.org/mailman/listinfo/opsawg
