[Docs] [txt|pdf] [Tracker] [Email] [Nits]

Versions: 00

OPSWG                                                            J. Yang
Internet-Draft                                                    L. Xia
Intended status: Standards Track                                  Huawei
Expires: September 7, 2020                                March 06, 2020


                Active-Scanning profiles for IoT devices
            draft-yang-opsawg-iot-devices-active-scanning-00

Abstract

   This draft extends MUD [RFC8520] model for the active scanning during
   the end host device on-boarding.  The according features include TCP/
   UDP port scanning, weak password detection, mandatory and hazardous
   services detection, etc, which can help administrator to discover
   system security vulnerabilities in advance.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 7, 2020.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.



Yang & Xia              Expires September 7, 2020               [Page 1]


Internet-Draft       Active scanning for IoT devices          March 2020


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Overview of Active Scanning IoT devices . . . . . . . . . . .   2
     2.1.  Port-Scanning . . . . . . . . . . . . . . . . . . . . . .   2
     2.2.  Service Discovery . . . . . . . . . . . . . . . . . . . .   3
     2.3.  Weak-password Cracking  . . . . . . . . . . . . . . . . .   4
     2.4.  Frequency and Result of active scanning . . . . . . . . .   4
   3.  The ietf-mud-active-scanning model extension  . . . . . . . .   5
     3.1.  The mud-active-scanning YANG model  . . . . . . . . . . .   5
   4.  MUD File Example  . . . . . . . . . . . . . . . . . . . . . .  10
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .  11
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  11
   7.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  11
   8.  Informative References  . . . . . . . . . . . . . . . . . . .  12
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  12

1.  Introduction

   IoT devices use a large number of open-source software and
   application components, and the system iteration is fast.  Therefore,
   various security vulnerabilities may exist.  When an IoT device is on
   boarding, the network administrator can quickly learn about the
   security settings and technical support services of the device
   through active scanning, detect security vulnerabilities in a timely
   manner, objectively evaluate the network risk level, and rectify
   network security vulnerabilities and incorrect configurations to
   prevent hacker attacks.  If we look firewalls and network monitoring
   systems as passive means of defense, then security scanning can look
   as an active preventive measure, which can effectively prevent hacker
   attacks.

   This document extends MUD RFC8520 to model the functions and
   parameters of active scanning, including TCP/UDP port scanning, weak
   password detection, mandatory and hazardous services detection, etc.
   By using this scanning profile, the MUD-enabled active scanner can
   obtain a lot of useful information to discover system security
   vulnerabilities.

2.  Overview of Active Scanning IoT devices

2.1.  Port-Scanning

   A port is a potential communication channel, that is, an intrusion
   channel.  Port scanning on IoT devices can obtain a lot of useful
   information, which can be used to discover system security
   vulnerabilities.  The following scanning types are widely used:




Yang & Xia              Expires September 7, 2020               [Page 2]


Internet-Draft       Active scanning for IoT devices          March 2020


   o  TCP SYN scanning: also called half-open scanning.  In this mode,
      the SYN packet is sent to the destination port.  If the SYN/ACK
      response is received, the port is open.  If an RST packet is
      received, it indicates that the port is disabled.  If no reply is
      received, it is determined that the port is filtered (Filtered).
      In this mode, SYN packets are sent only to specific ports of the
      target host, but no complete TCP connection is established.
      Therefore, this mode is relatively covert and efficient.  On a
      fast network without intrusion firewalls, thousands of ports can
      be scanned per second, and this mode is widely applicable.

   o  TCP connect scanning: Use the system network API to connect to the
      port of the target device.  If the connection fails, the port is
      disabled.  This scanning speed is slow.  In addition, because the
      complete TCP session will leave the connection information on the
      target device, so this scanning mode is not hidden.  Therefore,
      TCP connect is considered only when TCP SYN cannot be used.

   o  UDP scanning: used to determine the UDP port status.  Send a probe
      packet to the UDP port of the target device.  If the "ICMP port
      unreachable" message is returned, the port is disabled.  If no
      reply is received, the UDP port may be open or blocked.
      Therefore, the reverse exclusion method is used to determine which
      UDP ports may be open.  Although major services on the Internet
      run over TCP, but there are still many UDP services, like DNS,
      SNMP, and DHCP (the registered ports are 53, 16, 162, and 67/68),
      and network attacks will not ignore these protocols.

   The port scanning range can be selected or specified based on service
   requirements, and widely be divided into the following modes:

   o  Standard: 4K port range, and usually the default mode.

   o  Fast: port range including all mainstreamed ports, including
      21(ftp), 22(ssh), ...

   o  All: the port range of 0 to 65535.

   o  Specified: the customized port range, for example, 22 and 1100 to
      1124

2.2.  Service Discovery

   When a IoT device is installed, some necessary services are usually
   enabled for supporting the later use.  For example, if the IoT device
   need to access the Internet, HTTPS service must be enabled.  In
   addition, due to device performance or service requirements, some
   services must be disabled.  By MUD extension of scanning services



Yang & Xia              Expires September 7, 2020               [Page 3]


Internet-Draft       Active scanning for IoT devices          March 2020


   running on the device, the administrator have a knowledge of the
   devices' services, which are mandatory and hazardous, furtherly to
   discover the potential vulnerabilities.

2.3.  Weak-password Cracking

   A weak password is a password that contains only digits and letters,
   for example, 123456, abcdef, 123abc, admin, and root, which can be
   guessed or cracked easily.  If the IoT device uses these weak
   passwords, it is like putting the door key under the mat of the door.
   This behavior is very dangerous.

   Well-known protocols and databases, such as Telnet, FTP, SSH, POP3,
   SNMP, Oracle, MySQL, DB2, and MongoDB, have massive default password
   dictionaries, even we can also upload a customized dictionary
   library.  By active scanning these passwords of dictionaries, the
   administrator can identify vulnerabilities and risks of IoT devices
   in advance.

   The password dictionary refers to the dictionary library for weak
   password scanning.  There are three types of dictionary: single user-
   name mode, single password mode, and combination user-name-and-
   password mode, which can be applied based-on customer's requirements:

   o  Single user-name mode: only scan the user name based-on user's
      dictionary.  For example: telnet_user_dictionary.txt contain
      "root; admin; test; guest;"

   o  Single password mode: only scan the password based-on password's
      dictionary.  For example: telnet_password_dictionary.txt contain
      "111111; 112233; 123123; 123321; 123456; abcdef; admin; password;"

   o  Combination mode: scan the user name and password together based-
      on combination's dictionary.  For example,
      telnet_conbination_dictionary.txt contain "root:test; root:admin;
      root:private; root:1234; root:root;"

2.4.  Frequency and Result of active scanning

   The execution mode of the active scanning, can be set with the
   following:

   o  Immediate: active scanning will be executed immediately.

   o  Scheduled: active scanning will be executed in the scheduled time.

   o  Daily: active scanning will be executed periodically every day in
      the scheduled time.



Yang & Xia              Expires September 7, 2020               [Page 4]


Internet-Draft       Active scanning for IoT devices          March 2020


   o  Weekly: active scanning will be executed periodically every week
      in the scheduled time.

   o  Monthly: active scanning will be executed periodically every month
      in the scheduled time.

   In addition, the scanning results can be saved with logs, and the
   ending notification can be sent to somebody by email or SMS message,
   which can notify the scanning completion to administrators in time.

3.  The ietf-mud-active-scanning model extension

   This document augments the "ietf-mud" MUD YANG module defined in
   [RFC8520] for signaling the IoT device active scanning profile.  This
   document defines the YANG module "ietf-mud-active-scanning", which
   has the following tree structure:

   module: ietf-mud-active-scanning
      augment /ietf-mud:mud:
         +--rw active-scanning
            +--rw log-save-uri                  inet:uri
            +--rw scanning-frequency?           scanning-frequency
            +--rw start-time?                   yang:timestamp
            +--rw notification-receiver-email?  string
            +--rw notification-receiver-sms?    string
            +--rw port-scanning* \[scanning-type\]
               +--rw scanning-type              port-scanning-type
               +--rw scanning-mode?             port-scanning-mode
               +--rw scanning-range?            uint16
            +--rw mandatory_service-scanning*   string
            +--rw hazardous_service-scanning*   string
            +--rw weak-login-scanning* \[service-name\]
               +--rw service-name               string
               +--rw dictionary-type?           dictionary-type
               +--rw user-dictionary?           string
               +--rw password-dictionary?       string
               +--rw combination-dictionary?    string

3.1.  The mud-active-scanning YANG model

  module ietf-mud-active-scanning {
     yang-version 1.1;
     namespace
        "urn:ietf:params:xml:ns:yang:ietf-mud-active-scanning";
     prefix ietf-mud-active-scanning;

     import ietf-mud {
        prefix mud;



Yang & Xia              Expires September 7, 2020               [Page 5]


Internet-Draft       Active scanning for IoT devices          March 2020


        reference
           "RFC 8520";
     }

     import ietf-inet-types {
        prefix inet;
        reference
           "RFC 6991";
     }

     import ietf-yang-types {
        prefix yang;
        reference
           "RFC 6991";
     }

     organization
        "IETF OPSAWG (Ops Area) Working Group";
     contact
        "WG Web: http://tools.ietf.org/wg/opsawg/
         WG List: opsawg@ietf.org
         Author: Jie Yang
         jay.yang@huawei.com
        ";

     description
        "This module contains YANG definition for the IoT device
        active scanning profile.

        Copyright (c) 2019 IETF Trust and the persons identified as
        authors of the code. All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     revision 2020-03-12 {
        description
           "Initial proposed standard.";
     }

     typedef scanning-frequency {



Yang & Xia              Expires September 7, 2020               [Page 6]


Internet-Draft       Active scanning for IoT devices          March 2020


        type enumeration {
           enum immediate {
              description
                 "Immediate scanning.";
           }
           enum daily {
              description
                 "Scanning at an accurate time of every day.";
           }
           enum weekly {
              description
                 "Scanning at an accurate time of every week.";
           }
           enum monthly {
              description
                 "Scanning at an accurate time of every month.";
           }
        }
        default "monthly";
        description
           "The execution mode of the active scanning,
            called with the scanning frequency.";
     }

     typedef port-scanning-type {
        type enumeration {
           enum tcp-syn;
           enum tcp-connect;
           enum udp;
        }
        default "tcp-syn";
        description
           "Widest port scanning type.";
     }

     typedef port-scanning-mode {
        type enumeration {
           enum standard {
              description
                 "Standard mode with scanning the ports
                  in range 0..4096.";
           }
           enum fast {
              description
                 "Fast mode with sanning the ports in
                  range 20|21|23|25|37|53|67|68|69|80|110
                  |115|123|143|161|443|873.";
           }



Yang & Xia              Expires September 7, 2020               [Page 7]


Internet-Draft       Active scanning for IoT devices          March 2020


           enum all {
              description
                 "All mode with scanning all ports in range 0..65535";
           }
           enum specified {
              description
                 "Specified mode with scanning the ports customized,
                  like in range 22|50..66|110";
           }
        }
        default "standard";
        description
           "Widest port scanning mode.";
     }

     typedef dictionary-type {
        type enumeration {
           enum only-user-name;
           enum only-password;
           enum user-name-and-password;
        }
        default "user-name-and-password";
        description
           "Widest type of weak login dictionary.";
     }

     augment "/mud:mud/mud:" {
        container active-scanning {
           description
              "Active scanning profiles supported by the device";
           leaf log-save-uri {
              type inet:uri;
              description
                 "Log URI where saving active scanning results.";
           }
           leaf scanning-frequency {
              type scanning-frequency;
              description
                 "Active scanning frequency.";
           }
           leaf start-time {
              type yang:timestamp;
              description
                 "The accurate scanning time.
                  For example, scanning-frequency with monthly like
                  xxxx-03-12T02:00:00.00+08:00";
           }
           leaf receiver-email-notification {



Yang & Xia              Expires September 7, 2020               [Page 8]


Internet-Draft       Active scanning for IoT devices          March 2020


              type string;
              description
                 "E-mail address which receive the ending notification
                  of active scanning.";
           }
           leaf receiver-sms-notification {
              type string;
              description
                 "SMS address which receive the ending notification
                  of active scanning.";
           }
           list port-scanning {
              key "scanning-type";
              description
                 "Active scanning ports.";
              leaf scanning-type {
                 type port-scanning-type;
                 description
                    "Port scanning type.";
              }
              leaf scanning-mode {
                 type port-scanning-mode;
                 description
                    "Port scanning mode.";
              }
              leaf scanning-range {
                 type uint16;
                 description
                    "Port scanning range. For example, scanning-mode
                     with standard is 0..4096";
              }
           }
           leaf mandatory_service-scanning {
              type string;
              description
                 "Scanning mandatory services on the devices,
                  which must be installed.";
           }
           leaf hazardous_service-scanning {
              type string;
              description
                 "Scanning hazardous services on the devices,
                  which mustn't be installed.";
           }
           list weak-login-scanning {
              key "service-name";
              description
                 "Active scanning weak login with user's name



Yang & Xia              Expires September 7, 2020               [Page 9]


Internet-Draft       Active scanning for IoT devices          March 2020


                  and/or password.";
              leaf service-name {
                 type string;
                 description
                    "The name of service on the device.";
              }
              leaf dictionary-type {
                 type dictionary-type;
                 description
                    "The dictionary type for scanning weak login.";
              }
              leaf user-dictionary {
                 when "./dictionary-type=only-user-name";
                 type string;
                 description
                    "The context in user-name's dictionary.
                     For example: root,admin,test,guest, ";
              }
              leaf password-dictionary {
                 when "./dictionary-type=only-password";
                 type string;
                 description
                    "The context in password's dictionary.
                     For example: 111111, 112233, admin, password,";
              }
              leaf combination-dictionary {
              while "./dictionary-type=user-name-and-password";
              type string;
                 description
                    "The context in user-name-and-password's dictionary.
                     For example: root:test, root:admin, root:1234,";
              }
           }
        }
     }
  }

4.  MUD File Example













Yang & Xia              Expires September 7, 2020              [Page 10]


Internet-Draft       Active scanning for IoT devices          March 2020


  This example below contains active scanning for a IoT
  device. JSON encoding of YANG modelled data {{RFC7951}} is used to
  illustrate the example.
  {
     "ietf-mud:mud": {
     "mud-version": 1,
     "mud-url": "https://example.com/IoTDevice",
     "last-update": "2020-03-12T02:00:00.00+08:00",
     "cache-validity": 100,
     "is-supported": true,
     "systeminfo": "IoT device name",
     "active-scanning": {
        "log-save-uri" : "d:/mud-scanning-log/",
        "scanning-frequency" : immediate,
        "receiver-email-notification" : "admin@device.com,
                                         123@device.com,",
        "receiver-sms-notification" : "008613812345679,
                                       0086133123456,",
        "port-scanning" : {
           "scanning-type" : tcp-syn,
           "scanning-mode" : standard,
        }
        "weak-login-scanning" : {
           "service-name" : "telnet",
           "dictionary-type" : user-name-and-password,
           "combination-dictionary" : "root:test; root:1234; root:root;"
        }
     }
  }

5.  Security Considerations

   Security considerations in [RFC8520] need to be taken into
   consideration.

6.  IANA Considerations

   The IANA is requested to add "active-scanning" to the MUD extensions
   registry as follows: Extension Name: Active-Scanning Standard
   reference: This document

7.  Acknowledgements

   Thanks to ...







Yang & Xia              Expires September 7, 2020              [Page 11]


Internet-Draft       Active scanning for IoT devices          March 2020


8.  Informative References

   [RFC7951]  Lhotka, L., "JSON Encoding of Data Modeled with YANG",
              RFC 7951, DOI 10.17487/RFC7951, August 2016,
              <https://www.rfc-editor.org/info/rfc7951>.

   [RFC8520]  Lear, E., Droms, R., and D. Romascanu, "Manufacturer Usage
              Description Specification", RFC 8520,
              DOI 10.17487/RFC8520, March 2019,
              <https://www.rfc-editor.org/info/rfc8520>.

Authors' Addresses

   Jie Yang
   Huawei
   101 Software Avenue, Yuhuatai District
   Nanjing, Jiangsu  210012
   China

   Email: jay.yang@huawei.com


   Liang Xia (Frank)
   Huawei
   101 Software Avenue, Yuhuatai District,
   Nanjing, Jiangsu  210012
   China

   Email: frank.xialiang@huawei.com






















Yang & Xia              Expires September 7, 2020              [Page 12]


Html markup produced by rfcmarkup 1.129d, available from https://tools.ietf.org/tools/rfcmarkup/