draft-reddy-opsawg-mud-tls-02 proposes to describe TLS profile options in a MUD file in order to help middleboxes (Intrusion Detection Systems) identify malware.
I wrote an email about issues related to the idea, but this email is about the way in which MUD files become trusted, and how they should be updated.

Michael Richardson <[email protected]> wrote:
> I see two advantages of this work, which mitigates my concern slightly.
> (but, only slightly)
> 1) if it's gonna get done by IDS vendors, then IoT device manufacturers
> might as well provide a way to help them *get it right*

A tussle that I thought I put into a document, but it seems that I did not yet do that, is whether to update the MUD URL to a firmware-specific value, or whether to update the MUD file in place.

I thought I was going to cover that in draft-richardson-opsawg-securehomegateway-mud-02, and I said so in the introduction, and I thought I decided that was a poor place to put that discussion, and I wrote some text in some document, but it seems that was a delusion :-) I guess I wrote this in email to mud@ actually.

The issue is that if you update the MUD file in place without changing the URL, then it will apply to older firmware revisions as well as new ones. If a vendor is going to put very specific information relating to TLS libraries into a MUD file, then it is going to be critical that any updates to the firmware (such as BUG FIXES) result in updates to the MUD TLS profile.

Updating the URL that the firmware emits via DHCP or LLDP is relatively easy, but not very secure. An IDS system should *not* trust updates to that URL, as malware could trivially update the URL as well. But updating the URL in the IDevID is difficult to do. Quite reasonably it might be impossible without a device recall. The IDevID version is much easier to invest trust into, and it clearly links back to the manufacturer.

If relatively ephemeral things like a TLS profile are going to go into a MUD file, then I think that we need to think again about the update issue.
[this draft sits in outbox for a week]

I've now written: https://datatracker.ietf.org/doc/draft-richardson-opsawg-mud-acceptable-urls/

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     [email protected]  http://www.sandelman.ca/        |   ruby on rails    [
_______________________________________________
OPSAWG mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsawg
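As an added example (not the author's code, and not taken from any of the drafts mentioned in the message), here is how a gateway or IDS might encode the trust ordering argued above: the MUD URL carried in the IDevID certificate is the manufacturer-anchored root of trust, while a URL advertised over DHCP or LLDP is merely device-asserted and may have been rewritten by malware. The rule used to decide whether an advertised URL may supersede the anchored one (HTTPS, same host, same directory, no path traversal) is an assumption chosen for illustration, not the rule of the acceptable-urls draft; the device records at the bottom are constructed.

```python
"""Trust decision for MUD URLs seen over several channels (illustrative).

Assumed policy: a DHCP/LLDP-advertised URL may replace the IDevID-anchored
URL only if it is HTTPS, on the same host, and in the same directory.
Anything else keeps the anchored URL and records the rejected update, since
a compromised device swapping in a permissive profile would look like that.
"""
import posixpath
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class DeviceMudSources:
    """MUD URLs observed for one device, by channel (constructed input)."""
    idevid_url: Optional[str]   # from the IDevID certificate extension (trusted)
    dhcp_url: Optional[str]     # from DHCP option / LLDP TLV (device-asserted)


@dataclass(frozen=True)
class MudDecision:
    url: Optional[str]
    trust: str                      # 'manufacturer' | 'device-asserted' | 'none'
    rejected_update: Optional[str]  # advertised URL that failed the rule, if any


def same_directory(anchor: str, candidate: str) -> bool:
    """ASSUMED acceptance rule for a replacement MUD URL.

    candidate is accepted only if both URLs are https, the hosts match, the
    candidate path is already normalised (no '..' or '.' segments that could
    escape the directory), and it names a file in anchor's directory.
    """
    a, c = urlsplit(anchor), urlsplit(candidate)
    if a.scheme != "https" or c.scheme != "https":
        return False
    if a.netloc.lower() != c.netloc.lower() or "@" in c.netloc:
        return False
    if posixpath.normpath(c.path) != c.path:
        return False
    anchor_dir = a.path.rsplit("/", 1)[0] + "/"
    cand_dir = c.path.rsplit("/", 1)[0] + "/"
    return cand_dir == anchor_dir and c.path != anchor_dir


def choose_mud_url(src: DeviceMudSources) -> MudDecision:
    """Pick the MUD URL to fetch and say how much to trust it."""
    if src.idevid_url:
        if src.dhcp_url and src.dhcp_url != src.idevid_url:
            if same_directory(src.idevid_url, src.dhcp_url):
                # e.g. a firmware-specific URL bumped for a new release
                return MudDecision(src.dhcp_url, "manufacturer", None)
            # Divergent, unacceptable update: keep the anchored URL and flag it.
            return MudDecision(src.idevid_url, "manufacturer", src.dhcp_url)
        return MudDecision(src.idevid_url, "manufacturer", None)
    if src.dhcp_url:
        # No IDevID: the URL is whatever the (possibly compromised) device says.
        return MudDecision(src.dhcp_url, "device-asserted", None)
    return MudDecision(None, "none", None)


if __name__ == "__main__":
    anchored = "https://vendor.example/mud/cam-fw-1.0.json"
    samples = {  # constructed device records
        "firmware bump": DeviceMudSources(anchored, "https://vendor.example/mud/cam-fw-1.1.json"),
        "hijacked URL": DeviceMudSources(anchored, "https://evil.example/mud/cam.json"),
        "no IDevID": DeviceMudSources(None, "https://vendor.example/mud/cam.json"),
    }
    for name, src in samples.items():
        print(f"{name:14s} -> {choose_mud_url(src)}")
```

The decision for the "hijacked URL" case is the point of the message: the advertised URL is not simply followed, the anchored one is kept, and the rejected update is surfaced so the IDS can treat the device as suspect rather than silently adopting a profile it asserted about itself.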
