draft-ietf-opsawg-mud-tls-00.txt   draft-ietf-opsawg-mud-tls-01.txt 
OPSWG WG T. Reddy OPSAWG WG T. Reddy
Internet-Draft McAfee Internet-Draft McAfee
Intended status: Standards Track D. Wing Intended status: Standards Track D. Wing
Expires: March 26, 2021 Citrix Expires: April 8, 2021 Citrix
B. Anderson B. Anderson
Cisco Cisco
September 22, 2020 October 5, 2020
MUD (D)TLS profiles for IoT devices Manufacturer Usage Description (MUD) (D)TLS Profiles for IoT Devices
draft-ietf-opsawg-mud-tls-00 draft-ietf-opsawg-mud-tls-01
Abstract Abstract
This memo extends Manufacturer Usage Description (MUD) to incorporate This memo extends the Manufacturer Usage Description (MUD)
(D)TLS profile parameters. This allows a network element to identify specification to incorporate (D)TLS profile parameters. This allows
unexpected (D)TLS usage, which can indicate the presence of a network security service to identify unexpected (D)TLS usage, which
unauthorized software or malware on an endpoint. can indicate the presence of unauthorized software or malware on an
endpoint.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 26, 2021. This Internet-Draft will expire on April 8, 2021.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 12 skipping to change at page 2, line 13
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Overview of MUD (D)TLS profiles for IoT devices . . . . . . . 5 3. Overview of MUD (D)TLS profiles for IoT devices . . . . . . . 5
4. (D)TLS 1.3 handshake . . . . . . . . . . . . . . . . . . . . 5 4. (D)TLS 1.3 Handshake . . . . . . . . . . . . . . . . . . . . 6
4.1. Full (D)TLS 1.3 handshake inspection . . . . . . . . . . 6 4.1. Full (D)TLS 1.3 Handshake Inspection . . . . . . . . . . 6
4.2. Encrypted SNI . . . . . . . . . . . . . . . . . . . . . . 6 4.2. Encrypted DNS . . . . . . . . . . . . . . . . . . . . . . 6
5. (D)TLS profile YANG module . . . . . . . . . . . . . . . . . 7 5. (D)TLS Profile YANG Module . . . . . . . . . . . . . . . . . 7
5.1. Tree Structure . . . . . . . . . . . . . . . . . . . . . 9 5.1. Tree Structure . . . . . . . . . . . . . . . . . . . . . 9
5.2. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 10 5.2. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 10
6. MUD File Example . . . . . . . . . . . . . . . . . . . . . . 15 6. Processing of the MUD (D)TLS Profile . . . . . . . . . . . . 16
7. Security Considerations . . . . . . . . . . . . . . . . . . . 17 7. MUD File Example . . . . . . . . . . . . . . . . . . . . . . 17
8. Privacy Considerations . . . . . . . . . . . . . . . . . . . 17 8. Security Considerations . . . . . . . . . . . . . . . . . . . 18
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 9. Privacy Considerations . . . . . . . . . . . . . . . . . . . 19
10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 17 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 17 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 20
11.1. Normative References . . . . . . . . . . . . . . . . . . 18 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 20
11.2. Informative References . . . . . . . . . . . . . . . . . 19 12.1. Normative References . . . . . . . . . . . . . . . . . . 20
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 20 12.2. Informative References . . . . . . . . . . . . . . . . . 21
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23
1. Introduction 1. Introduction
Encryption is necessary to protect the privacy of end users using IoT Encryption is necessary to enhance the privacy of end users using IoT
devices. In a network setting, TLS [RFC8446] and DTLS devices. TLS [RFC8446] and DTLS [I-D.ietf-tls-dtls13] are the
[I-D.ietf-tls-dtls13] are the dominant protocols providing encryption dominant protocols providing encryption for IoT device traffic.
for IoT device traffic. Unfortunately, in conjunction with IoT Unfortunately, in conjunction with IoT applications' rise of
applications' rise of encryption, malware is also using encryption encryption, malware is also using encryption which thwarts network-
which thwarts network-based analysis such as deep packet inspection based analysis such as deep packet inspection (DPI). Other
(DPI). Other mechanisms are needed to notice malware is running on mechanisms are needed to detect malware running on an IoT device.
the IoT device.
Malware frequently uses its own libraries for its activities, and Malware frequently uses its own libraries for its activities, and
those libraries are re-used much like any other software engineering those libraries are re-used much like any other software engineering
project. Research [malware] indicates there are observable project. [malware] indicates that there are observable differences in
differences in how malware uses encryption compared with how non- how malware uses encryption compared with how non-malware uses
malware uses encryption. There are several interesting findings encryption. There are several interesting findings specific to
specific to DTLS and TLS which were found common to malware: (D)TLS which were found common to malware:
o Older and weaker cryptographic parameters (e.g., o Older and weaker cryptographic parameters (e.g.,
TLS_RSA_WITH_RC4_128_SHA). TLS_RSA_WITH_RC4_128_SHA).
o TLS SNI and server certificates are composed of subjects with o TLS server name indication (SNI) extension and server certificates
characteristics of a domain generation algorithm (DGA) (e.g., are composed of subjects with characteristics of a domain
www.33mhwt2j.net). generation algorithm (DGA) (e.g., www.33mhwt2j.net).
o Higher use of self-signed certificates compared with typical o Higher use of self-signed certificates compared with typical
legitimate software. legitimate software.
o Discrepancies in the server name indication (SNI) TLS extension in o Discrepancies in the SNI TLS extension and the DNS names in the
the ClientHello message and the DNS names in the SubjectAltName (SAN) X.509 extension in the server certificate
SubjectAltName(SAN) X.509 extension in the server certificate
message. message.
o Discrepancies in the key exchange algorithm and the client public o Discrepancies in the key exchange algorithm and the client public
key length in comparison with legitimate flows. As a reminder, key length in comparison with legitimate flows. As a reminder,
Client Key Exchange message has been removed from TLS 1.3. the Client Key Exchange message has been removed from TLS 1.3.
o Lower diversity in TLS client advertised TLS extensions compared o Lower diversity in TLS client advertised extensions compared to
to legitimate clients. legitimate clients.
o Malware using privacy enhancing technologies like Tor, Psiphon and o Using privacy enhancing technologies like Tor, Psiphon, Ultrasurf
Ultrasurf (see [malware-tls]) and, evasion techniques such as (see [malware-tls]), and evasion techniques such as ClientHello
ClientHello randomization to evade detection in order to continue randomization.
exploiting the end user.
o Malware using DNS-over-HTTPS [RFC8484] to avoid detection by o Using DNS-over-HTTPS (DoH) [RFC8484] to avoid detection by malware
malware DNS filtering service ([malware-doh]). Malware agent may DNS filtering services [malware-doh]. Specifically, malware may
not use the DNS-over-HTTPS server provided by the local network. not use the DoH server provided by the local network.
If observable (D)TLS profile parameters are used, the following If observable (D)TLS profile parameters are used, the following
functions are possible which have a favorable impact on network functions are possible which have a positive impact on the local
security: network security:
o Permit intended DTLS or TLS use and block malicious DTLS or TLS o Permit intended DTLS or TLS use and block malicious DTLS or TLS
use. This is superior to the layer 3 and layer 4 ACLs of use. This is superior to the layers 3 and 4 ACLs of Manufacturer
Manufacturer Usage Description Specification (MUD) [RFC8520] which Usage Description Specification (MUD) [RFC8520] which are not
are not suitable for broad communication patterns. suitable for broad communication patterns.
o Ensure TLS certificates are valid. Several TLS deployments have o Ensure TLS certificates are valid. Several TLS deployments have
been vulnerable to active Man-In-The-Middle (MITM) attacks because been vulnerable to active Man-In-The-Middle (MITM) attacks because
of the lack of certificate validation or vulnerability in the of the lack of certificate validation or vulnerability in the
certificate validation function (see [cryto-vulnerability]). By certificate validation function (see [cryto-vulnerability]). By
observing (D)TLS profile parameters, a network element can detect observing (D)TLS profile parameters, a network element can detect
when the TLS SNI mismatches the SubjectAltName and when the when the TLS SNI mismatches the SubjectAltName and when the
server's certificate is invalid. In TLS 1.2, the ClientHello, server's certificate is invalid. In TLS 1.2, the ClientHello,
ServerHello and Certificate messages are all sent in clear-text, ServerHello and Certificate messages are all sent in clear-text.
however in TLS 1.3, the Certificate message is encrypted thereby This check is not possible with TLS 1.3, which encrypts the
hiding the server identity from any intermediary. In TLS 1.3, the Certificate message thereby hiding the server identity from any
middle-box needs to act as a TLS proxy to validate the server intermediary. In TLS 1.3, the server certificate validation
certificate and to detect TLS SNI mismatch with the server functions should be executed within an on-path TLS proxy, if such
certificate. a proxy exists.
o Support new communication patterns. An IoT device can learn a new o Support new communication patterns. An IoT device can learn a new
capability, and the new capability can change the way the IoT capability, and the new capability can change the way the IoT
device communicates with other devices located in the local device communicates with other devices located in the local
network and Internet. There would be an inaccurate policy if an network and Internet. There would be an inaccurate policy if an
IoT device rapidly changes the IP addresses and domain names it IoT device rapidly changes the IP addresses and domain names it
communicates with while the MUD ACLs were slower to update. In communicates with while the MUD ACLs were slower to update. In
such a case, observable (D)TLS profile parameters can be used to such a case, observable (D)TLS profile parameters can be used to
permit intended use and to block malicious behaviour from the IoT permit intended use and to block malicious behavior from the IoT
device. device.
This document extends MUD [RFC8520] to model observable (D)TLS This document extends MUD [RFC8520] to model observable (D)TLS
profile parameters. Using these (D)TLS profile parameters, an active profile parameters. Using these (D)TLS profile parameters, an active
MUD-enforcing firewall can identify MUD non-compliant (D)TLS behavior MUD-enforcing network security service (e.g., firewall) can identify
indicating outdated cryptography or malware. This detection can MUD non-compliant (D)TLS behavior indicating outdated cryptography or
prevent malware downloads, block access to malicious domains, enforce malware. This detection can prevent malware downloads, block access
use of strong ciphers, stop data exfiltration, etc. In addition, to malicious domains, enforce use of strong ciphers, stop data
organizations may have policies around acceptable ciphers and exfiltration, etc. In addition, organizations may have policies
certificates on the websites the IoT devices connect to. Examples around acceptable ciphers and certificates for the websites the IoT
include no use of old and less secure versions of TLS, no use of devices connect to. Examples include no use of old and less secure
self-signed certificates, deny-list or accept-list of Certificate versions of TLS, no use of self-signed certificates, deny-list or
Authorities, valid certificate expiration time, etc. These policies accept-list of Certificate Authorities, valid certificate expiration
can be enforced by observing the (D)TLS profile parameters. time, etc. These policies can be enforced by observing the (D)TLS
Enterprise firewalls can use the IoT device's (D)TLS profile profile parameters. Network security services can use the IoT
parameters to identify legitimate flows by observing (D)TLS sessions, device's (D)TLS profile parameters to identify legitimate flows by
and can make inferences to permit legitimate flows and to block observing (D)TLS sessions, and can make inferences to permit
malicious or insecure flows. The proposed technique is also suitable legitimate flows and to block malicious or insecure flows. The
in deployments where decryption techniques are not ideal due to proposed technique is also suitable in deployments where decryption
privacy concerns, non-cooperating end-points and expense. techniques are not ideal due to privacy concerns, non-cooperating
end-points, and expense.
2. Terminology 2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119][RFC8174] when, and only when, they appear in all 14 [RFC2119][RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
"(D)TLS" is used for statements that apply to both Transport Layer "(D)TLS" is used for statements that apply to both Transport Layer
Security [RFC8446] and Datagram Transport Layer Security [RFC6347]. Security [RFC8446] and Datagram Transport Layer Security [RFC6347].
Specific terms are used for any statement that applies to either Specific terms are used for any statement that applies to either
protocol alone. protocol alone.
'DoH/DoT' refers to DNS-over-HTTPS and/or DNS-over-TLS. 'DoH/DoT' refers to DNS-over-HTTPS and/or DNS-over-TLS.
3. Overview of MUD (D)TLS profiles for IoT devices 3. Overview of MUD (D)TLS profiles for IoT devices
In Enterprise networks, protection and detection are typically done In Enterprise networks, protection and detection are typically done
both on end hosts and in the network. Host agents have deep both on end hosts and in the network. Host security agents have deep
visibility on the devices where they are installed, whereas the visibility on the devices where they are installed, whereas the
network has broader visibility. Installing host agents may not be a network has broader visibility. Installing host security agents may
viable option on IoT devices, and network-based security is an not be a viable option on IoT devices, and network-based security is
efficient means to protect such IoT devices. (D)TLS profile an efficient means to protect such IoT devices. If the IoT device
parameters of IoT device can be used by middle-boxes to detect and supports a MUD (D)TLS profile, the (D)TLS profile parameters of the
block malware communication, while at the same time preserving the IoT device can be used by a middlebox to detect and block malware
privacy of legitimate uses of encryption. Middle-boxes need not communication, while at the same time preserving the privacy of
proxy (D)TLS but can passively observe the parameters of (D)TLS legitimate uses of encryption. The middlebox need not proxy (D)TLS
handshakes from IoT devices and gain good visibility into TLS 1.0 to but can passively observe the parameters of (D)TLS handshakes from
1.2 parameters and partial visibility into TLS 1.3 parameters. IoT devices and gain visibility into TLS 1.2 parameters and partial
Malicious agents can try to use the (D)TLS profile parameters of visibility into TLS 1.3 parameters. Malicious agents can try to use
legitimate agents to evade detection, but it becomes a challenge to the (D)TLS profile parameters of legitimate agents to evade
mimic the behavior of various IoT device types and IoT device models detection, but it becomes a challenge to mimic the behavior of
from several manufacturers. In other words, malware developers will various IoT device types and IoT device models from several
have to develop malicious agents per IoT device type, manufacturer manufacturers. In other words, malware developers will have to
and model, infect the device with the tailored malware agent and will develop malicious agents per IoT device type, manufacturer and model,
have keep up with updates to the device's (D)TLS profile parameters infect the device with the tailored malware agent and will have keep
over time. Further, the malware's command and control server up with updates to the device's (D)TLS profile parameters over time.
certificates need to be signed by the same certifying authorities Furthermore, the malware's command and control server certificates
trusted by the IoT devices. Typically, IoT devices have an need to be signed by the same certifying authorities trusted by the
infrastructure that supports a rapid deployment of updates, and IoT devices. Typically, IoT devices have an infrastructure that
malware agents will have a near-impossible task of similarly supports a rapid deployment of updates, and malware agents will have
deploying updates and continuing to mimic the TLS behavior of the IoT a near-impossible task of similarly deploying updates and continuing
device it has infected. to mimic the TLS behavior of the IoT device it has infected.
However, if the IoT device has reached end-of-life and the IoT
manufcaturer will not issue a firmware or software update to the
Thing or will not update the MUD file, the "is-supported" attribute
defined in Section 3.6 of [RFC8520] can be used by the MUD manager to
identify the IoT manufcaturer no longer supports the device. The
end-of-life of a device does not necessarily mean that it is
defective; rather, it denotes a need to replace and upgrade the
network to next-generation devices for additional functionality. The
network security service will have to rely on other techniques
discussed in Section 8 to identify malicious connections until the
device is replaced.
The compromised IoT devices are typically used for launching DDoS Compromised IoT devices are typically used for launching DDoS attacks
attacks (Section 3 of [RFC8576]). Some of the DDoS attacks like (Section 3 of [RFC8576]). For example, DDoS attacks like Slowloris
Slowloris and Transport Layer Security (TLS) re-negotiation can be and Transport Layer Security (TLS) re-negotiation can be blocked if
detected by observing the (D)TLS profile parameters. For example, the victim's server certificate is not be signed by the same
the victim's server certificate need not be signed by the same
certifying authorities trusted by the IoT device. certifying authorities trusted by the IoT device.
4. (D)TLS 1.3 handshake 4. (D)TLS 1.3 Handshake
In (D)TLS 1.3, full (D)TLS handshake inspection is not possible since In (D)TLS 1.3, full (D)TLS handshake inspection is not possible since
all (D)TLS handshake messages excluding the ClientHello message are all (D)TLS handshake messages excluding the ClientHello message are
encrypted. (D)TLS 1.3 has introduced new extensions in the handshake encrypted. (D)TLS 1.3 has introduced new extensions in the handshake
record layers called Encrypted Extensions. Using these extensions record layers called Encrypted Extensions. Using these extensions
handshake messages will be encrypted and network devices (such as a handshake messages will be encrypted and network security services
firewall) are incapable deciphering the handshake, thus cannot view (such as a firewall) are incapable to decipher the handshake, and
the server certificate. However, the ClientHello and ServerHello thus cannot view the server certificate. However, the ClientHello
still have some fields visible, such as the list of supported and ServerHello still have some fields visible, such as the list of
versions, named groups, cipher suites, signature algorithms and supported versions, named groups, cipher suites, signature algorithms
extensions in ClientHello and, chosen cipher in the ServerHello. For and extensions in ClientHello, and chosen cipher in the ServerHello.
instance, if the malware uses evasion techniques like ClientHello For instance, if the malware uses evasion techniques like ClientHello
randomization, the observable list of cipher suites and extensions randomization, the observable list of cipher suites and extensions
offered by the malware agent in the ClientHello message will not offered by the malware agent in the ClientHello message will not
match the list of cipher suites and extensions offered by the match the list of cipher suites and extensions offered by the
legitimate client in the ClientHello message, and the middle-box can legitimate client in the ClientHello message, and the middlebox can
block malicious flows without acting as a (D)TLS 1.3 proxy. block malicious flows without acting as a (D)TLS 1.3 proxy.
4.1. Full (D)TLS 1.3 handshake inspection 4.1. Full (D)TLS 1.3 Handshake Inspection
To obtain more visibility into negotiated TLS 1.3 parameters, a To obtain more visibility into negotiated TLS 1.3 parameters, a
middle-box can act as a (D)TLS 1.3 proxy. A middle-box can act as a middlebox can act as a (D)TLS 1.3 proxy. A middlebox can act as a
(D)TLS proxy for the IoT devices owned and managed by the IT team in (D)TLS proxy for the IoT devices owned and managed by the IT team in
the Enterprise network and the (D)TLS proxy must meet the security the Enterprise network and the (D)TLS proxy must meet the security
and privacy requirements of the organization. In other words, the and privacy requirements of the organization. In other words, the
scope of middle-box acting as a (D)TLS proxy is restricted to scope of middlebox acting as a (D)TLS proxy is restricted to
Enterprise network owning and managing the IoT devices. The middle- Enterprise network owning and managing the IoT devices. The
box MUST follow the behaviour explained in Section 9.3 of [RFC8446] middlebox would have to follow the behaviour detailed in Section 9.3
to act as a compliant (D)TLS 1.3 proxy. of [RFC8446] to act as a compliant (D)TLS 1.3 proxy.
To function as a (D)TLS proxy the middle-box creates a signed
certificate using itself as a certificate authority. That
certificate authority has to be trusted by the (D)TLS client. The
IoT device needs to be configured with the middle-box's CA
certificate as Explicit Trust Anchor database entry to validate the
server certificate. The mechanism to configure the IoT device with
the middle-box's CA certificate is out of scope. The middle-box uses
the "supported_versions" TLS extension (defined in TLS 1.3 to
negotiate the supported TLS versions between client and server) to
determine the TLS version. During the (D)TLS handshake, If (D)TLS
version 1.3 is used, the middle-box ((D)TLS proxy) modifies the
certificate provided by the server and signs it with the private key
from the local CA certificate. The middle-box has visibility into
further exchanges between the IoT device and server which enables it
to inspect the (D)TLS 1.3 handshake, enforce the MUD (D)TLS profile
and can inspect subsequent network traffic. The IoT device uses the
Explicit Trust Anchor database to validate the server certificate.
4.2. Encrypted SNI
To increase privacy, encrypted SNI (ESNI, To further increase privacy, encrypted client hello
[I-D.ietf-tls-sni-encryption]) prevents passive observation of the [I-D.ietf-tls-esni] prevents passive observation of the TLS Server
TLS Server Name Indication extension. To effectively provide that Name Indication extension. To effectively provide that privacy
privacy protection, SNI encryption needs to be used in conjunction protection, SNI encryption needs to be used in conjunction with DNS
with DNS encryption (e.g., DNS-over-TLS (DoT) [RFC7858] or DNS-over- encryption (e.g., DoH). A middlebox (e.g., firewall) passively
HTTPS (DoH) [RFC8484]). A middle-box (e.g., firewall) passively
inspecting an encrypted SNI (D)TLS handshake cannot observe the inspecting an encrypted SNI (D)TLS handshake cannot observe the
encrypted SNI nor observe the encrypted DNS traffic. If an IoT encrypted SNI nor observe the encrypted DNS traffic.
device is pre-configured to use public DoH/DoT servers, that middle-
box needs to act as a DoH/DoT proxy and replace the ECH configuration 4.2. Encrypted DNS
in the "echconfig" SvcParamKey (Section 6.3 of
[I-D.ietf-dnsop-svcb-https]) with the middle box's ECH configuration.
Instead of an unappealing DoH/DoT proxy, the IoT device can be
bootstrapped to discover and authenticate DoH/DoT servers provided by
a local network by making use of one of the mechanisms described in
Section 4 of [I-D.reddy-add-enterprise]. The local DoH/DoT server
replaces the ECH configuration in the "echconfig" SvcParamKey with
the middle box's ECH configuration.
A common usage pattern for certain type of IoT devices (e.g., light A common usage pattern for certain type of IoT devices (e.g., light
bulb) is for it to "call home" to a service that resides on the bulb) is for it to "call home" to a service that resides on the
public Internet, where that service is referenced through a domain public Internet, where that service is referenced through a domain
name (A or AAAA record). As discussed in Manufacturer Usage name (A or AAAA record). As discussed in Manufacturer Usage
Description Specification [RFC8520], because these devices tend to Description Specification [RFC8520], because these devices tend to
require access to very few sites, all other access should be require access to very few sites, all other access should be
considered suspect. If an IoT device is pre-configured to use public considered suspect. If an IoT device is pre-configured to use public
DoH/DoT server, the MUD policy enforcement point is moved to that DoH/DoT server, the MUD policy enforcement point is moved to that
public server, which cannot enforce the MUD policy based on domain public server, which cannot enforce the MUD policy based on domain
names (Section 8 of [RFC8520]). If the DNS query is not accessible names (Section 8 of [RFC8520]). If the DNS query is not accessible
for inspection, it becomes quite difficult for the infrastructure to for inspection, it becomes quite difficult for the infrastructure to
suspect anything. Thus the use of a public DoH/DoT server is suspect anything. Thus the use of a public DoH/DoT server is
incompatible with MUD in general. A local DoH/DoT server is incompatible with MUD in general. A local DoH/DoT server is
necessary to allow MUD policy enforcement on the local network. necessary to allow MUD policy enforcement on the local network
[I-D.reddy-add-enterprise].
5. (D)TLS profile YANG module 5. (D)TLS Profile YANG Module
This document specifies a YANG module for representing (D)TLS This document specifies a YANG module for representing (D)TLS
profile. The (D)TLS profile YANG module provides a method for profile. The (D)TLS profile YANG module provides a method for
firewall to observe the (D)TLS profile parameters in the (D)TLS network security services to observe the (D)TLS profile parameters in
handshake to permit intended use and to block malicious behavior. the (D)TLS handshake to permit intended use and to block malicious
This module uses the common YANG types defined in [RFC6991] , rules behavior. This module uses the common YANG types defined in
defined in [RFC8519] and cryptographic types defined in [RFC6991], the rules defined in [RFC8519], and the cryptographic
[I-D.ietf-netconf-crypto-types]. types defined in [I-D.ietf-netconf-crypto-types]. See [RFC7925] for
(D)TLS 1.2 and [I-D.ietf-uta-tls13-iot-profile] for DTLS 1.3
recommendations related to IoT devices, and [RFC7525] for additional
(D)TLS 1.2 recommendations.
The (D)TLS profiles and the parameters in each (D)TLS profile include The (D)TLS parameters in each (D)TLS profile include the following:
the following:
o Profile name o Profile name
o (D)TLS version in ClientHello.legacy_version o (D)TLS versions supported by the IoT device.
o (D)TLS versions supported by the IoT device. As a reminder,
"supported_versions" extension defined in (D)TLS 1.3 is used by
the client to indicate which versions of (D)TLS it supports and a
client is considered to be attempting to negotiate (D)TLS 1.3 if
the ClientHello contains a "supported_versions" extension with
0x0304 contained in its body.
o If GREASE [RFC8701] (Generate Random Extensions And Sustain
Extensibility) values are offered by the client or not.
o List of supported symmetric encryption algorithms. TLS 1.3
defines five cipher suites (Appendix B.4 of [RFC8446]), but most
clients are continuing to offer TLS 1.2 compatible cipher suites
for backwards compatibility.
o List of supported compression methods for data compression. In o List of supported cipher suites. For (D)TLS1.2, [RFC7925]
TLS 1.3, only the "null" compression method is allowed recommends AEAD ciphers for IoT devices.
(Section 4.1.2 of [RFC8446]).
o List of supported extension types o List of supported extension types
o List of trust anchor certificates used by the IoT device. If the o List of trust anchor certificates used by the IoT device. If the
server certificate is signed by one of the trust anchors, the server certificate is signed by one of the trust anchors, the
middle-box continues with the connection as normal. Otherwise, middlebox continues with the connection as normal. Otherwise, the
the middle-box will react as if the server certificate validation middlebox will react as if the server certificate validation has
has failed and takes appropriate action (e.g, block the (D)TLS failed and takes appropriate action (e.g, block the (D)TLS
session). An IoT device can use a private trust anchor to session). An IoT device can use a private trust anchor to
validate a server's certificate (e.g., the private trust anchor validate a server's certificate (e.g., the private trust anchor
can be preloaded at manufacturing time on the IoT device and the can be preloaded at manufacturing time on the IoT device and the
IoT device fetches the firmware image from the Firmware server IoT device fetches the firmware image from the Firmware server
whose certificate is signed by the private CA). whose certificate is signed by the private CA). This empowers the
middlebox to reject TLS sessions to servers that the IoT device
does not trust.
o List of SPKI pin set pre-configured on the client to validate o List of SPKI pin set pre-configured on the client to validate
self-signed server certificates or raw public keys. A SPKI pin self-signed server certificates or raw public keys. A SPKI pin
set is a cryptographic digest to "pin" public key information in a set is a cryptographic digest to "pin" public key information in a
manner similar to HTTP Public Key Pinning (HPKP) [RFC7469]. If manner similar to HTTP Public Key Pinning (HPKP) [RFC7469]. If
SPKI pin set is present in the (D)TLS profile of a IoT device and SPKI pin set is present in the (D)TLS profile of a IoT device and
the server certificate does not pass the PKIX certification path the server certificate does not pass the PKIX certification path
validation, the middle-box computes the SPKI Fingerprint for the validation, the middlebox computes the SPKI Fingerprint for the
public key found in the server's certificate (or in the raw public public key found in the server's certificate (or in the raw public
key, if the server provides that instead). If a computed key, if the server provides that instead). If a computed
fingerprint exactly matches one of the SPKI pin sets in the (D)TLS fingerprint exactly matches one of the SPKI pin sets in the (D)TLS
profile, the middle-box continues with the connection as normal. profile, the middlebox continues with the connection as normal.
Otherwise, the middle-box will act on the SPKI validation failure Otherwise, the middlebox will act on the SPKI validation failure
and takes appropriate action. and takes appropriate action.
o Cryptographic hash algorithm used to generate the SPKI pinsets o Cryptographic hash algorithm used to generate the SPKI pinsets
o List of pre-shared key exchange modes o List of pre-shared key exchange modes
o List of named groups (DHE or ECDHE) supported by the client o List of named groups (DHE or ECDHE) supported by the client
o List signature algorithms the client can validate in X.509 server o List signature algorithms the client can validate in X.509 server
certificates certificates
skipping to change at page 9, line 22 skipping to change at page 8, line 42
o List of supported application protocols (e.g., h3, h2, http/1.1 o List of supported application protocols (e.g., h3, h2, http/1.1
etc.) etc.)
o List of certificate compression algorithms (defined in o List of certificate compression algorithms (defined in
[I-D.ietf-tls-certificate-compression]) [I-D.ietf-tls-certificate-compression])
o List of the distinguished names [X501] of acceptable certificate o List of the distinguished names [X501] of acceptable certificate
authorities, represented in DER-encoded format [X690] (defined in authorities, represented in DER-encoded format [X690] (defined in
Section 4.2.4 of [RFC8446]) Section 4.2.4 of [RFC8446])
o List of client key exchange algorithms and the client public key GREASE [RFC8701] sends random values on TLS parameters to ensure
lengths in versions prior to (D)TLS 1.3 future extensibility of TLS extensions. Similar random values might
be extended to other TLS parameters. Thus, the (D)TLS profile
The (D)TLS profile parameters include the GREASE values for extension parameters defined in the YANG module by this document MUST NOT
types, named groups, signature algorithms, (D)TLS versions, pre- include the GREASE values for extension types, named groups,
shared key exchange modes and cipher suites, but normalized to the signature algorithms, (D)TLS versions, pre-shared key exchange modes,
value 0x0a to preserve ordering information. Note that the GREASE cipher suites and for any other TLS parameters defined in future
values are random but their positions are deterministic (Section 5 of RFCs.
[RFC8701]) and peers will ignore these values and interoperate.
If the (D)TLS profile parameters are not observed in a (D)TLS session The (D)TLS profile does not include parameters like compression
from the IoT device, the default behaviour is to block the (D)TLS methods for data compression, [RFC7525] recommends disabling TLS-
session. level compression to prevent compression-related attacks. In TLS
1.3, only the "null" compression method is allowed (Section 4.1.2 of
[RFC8446]).
Note: The TLS and DTLS IANA registries are available from Note: The TLS and DTLS IANA registries are available from
<https://www.iana.org/assignments/tls-parameters/tls-parameters.txt>. <https://www.iana.org/assignments/tls-parameters/tls-parameters.txt>
and <https://www.iana.org/assignments/tls-extensiontype-values/tls-
extensiontype-values.txt>. The values for all the parameters in the
YANG module excluding the supported_versions parameter are defined in
the TLS and DTLS IANA registries. The TLS and DTLS IANA registry
does not maintain (D)TLS version numbers.
5.1. Tree Structure 5.1. Tree Structure
This document augments the "ietf-mud" MUD YANG module defined in This document augments the "ietf-mud" MUD YANG module defined in
[RFC8520] for signaling the IoT device (D)TLS profile. This document [RFC8520] for signaling the IoT device (D)TLS profile. This document
defines the YANG module "reddy-opsawg-mud-tls-profile", which has the defines the YANG module "iana-opsawg-mud-tls-profile", which has the
following tree structure: following tree structure:
module: reddy-opsawg-mud-tls-profile module: iana-opsawg-mud-tls-profile
augment /acl:acls/acl:acl/acl:aces/acl:ace/acl:matches: augment /acl:acls/acl:acl/acl:aces/acl:ace/acl:matches:
+--rw client-profile +--rw client-profile
+--rw tls-profiles* [profile-name] +--rw tls-dtls-profiles* [profile-name]
+--rw profile-name string +--rw profile-name string
+--rw protocol-version? uint16 +--rw supported_tls_versions* tls-version
+--rw supported_versions* uint16 +--rw supported_dtls_versions* dtls-version
+--rw grease_extension? boolean +--rw cipher-suites* [cipher aead]
+--rw encryption-algorithms* encryption-algorithm | +--rw cipher cipher-algorithm
+--rw compression-methods* compression-method | +--rw aead aead-algorithm
+--rw extension-types* extension-type +--rw extension-types* extension-type
+--rw acceptlist-ta-certs* ct:trust-anchor-cert-cms +--rw acceptlist-ta-certs* ct:trust-anchor-cert-cms
+--rw SPKI-pin-sets* SPKI-pin-set +--rw SPKI
+--rw SPKI-hash-algorithm? iha:hash-algorithm-type | +--rw SPKI-pin-sets* SPKI-pin-set
+--rw psk-key-exchange-modes* psk-key-exchange-mode | +--rw SPKI-hash-algorithm? iha:hash-algorithm-type
+--rw supported-groups* supported-group +--rw psk-key-exchange-modes* psk-key-exchange-mode {tls-1_3 or dtls-1_3}?
+--rw signature-algorithms-cert* signature-algorithm +--rw supported-groups* supported-group
+--rw signature-algorithms* signature-algorithm +--rw signature-algorithms-cert* signature-algorithm {tls-1_3 or dtls-1_3}?
+--rw application-protocols* application-protocol +--rw signature-algorithms* signature-algorithm
+--rw cert-compression-algorithms* cert-compression-algorithm +--rw application-protocols* application-protocol
+--rw certificate_authorities* certificate_authorities +--rw cert-compression-algorithms* cert-compression-algorithm {tls-1_3 or dtls-1_3}?
+--rw client-public-keys +--rw certificate_authorities* certificate_authority {tls-1_3 or dtls-1_3}?
+--rw key-exchange-algorithms* key-exchange-algorithm
+--rw client-public-key-lengths* client-public-key-length
5.2. YANG Module 5.2. YANG Module
module reddy-opsawg-mud-tls-profile { <CODE BEGINS> file "iana-opsawg-mud-tls-profile@2020-09-25.yang"
module iana-opsawg-mud-tls-profile {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:reddy-opsawg-mud-tls-profile"; namespace "urn:ietf:params:xml:ns:yang:iana-opsawg-mud-tls-profile";
prefix mud-tls-profile; prefix mud-tls-profile;
import ietf-crypto-types { import ietf-crypto-types {
prefix ct; prefix ct;
reference "draft-ietf-netconf-crypto-types-01: reference "draft-ietf-netconf-crypto-types-01:
Common YANG Data Types for Cryptography"; Common YANG Data Types for Cryptography";
} }
import iana-hash-algs { import iana-hash-algs {
prefix iha; prefix iha;
skipping to change at page 11, line 27 skipping to change at page 11, line 4
Copyright (c) 2019 IETF Trust and the persons identified as Copyright (c) 2019 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
revision 2019-06-12 { revision 2019-06-12 {
description description
"Initial revision"; "Initial revision";
} }
typedef compression-method {
type uint8;
description "Compression method";
}
typedef extension-type { typedef extension-type {
type uint16; type uint16;
description "Extension type"; description "Extension type";
} }
typedef encryption-algorithm { typedef supported-group {
type uint16;
description "Encryption algorithm";
}
typedef supported-group {
type uint16; type uint16;
description "Named group (DHE or ECDHE)"; description "Named group (DHE or ECDHE)";
} }
typedef SPKI-pin-set { typedef SPKI-pin-set {
type binary; type binary;
description "Subject Public Key Info pin set"; description "Subject Public Key Info pin set";
} }
typedef signature-algorithm { typedef signature-algorithm {
type uint16; type uint16;
description "Signature algorithm"; description "Signature algorithm";
} }
typedef key-exchange-algorithm {
type uint8;
description "key exchange algorithm";
}
typedef psk-key-exchange-mode { typedef psk-key-exchange-mode {
type uint8; type uint8;
description "pre-shared key exchange mode"; description "pre-shared key exchange mode";
} }
typedef client-public-key-length { typedef client-public-key-length {
type uint8; type uint8;
description "client public key length"; description "client public key length";
} }
typedef application-protocol { typedef application-protocol {
type string; type string;
description "application protocol"; description "application protocol";
} }
typedef cert-compression-algorithm { typedef cert-compression-algorithm {
type uint8; type uint16;
description "certificate compression algorithm"; description "certificate compression algorithm";
} }
typedef certificate_authority { typedef certificate_authority {
type binary; type binary;
description "Distinguished Name of Certificate authority"; description "Distinguished Name of Certificate authority";
} }
typedef cipher-algorithm {
type uint8;
description "Cipher Algorithm";
}
typedef aead-algorithm {
type uint8;
description "AEAD Algorithm";
}
typedef tls-version {
type enumeration {
enum tls-1.2 {
value 1;
description
"TLS Protocol Version 1.2.";
reference
"RFC 5246: The Transport Layer Security (TLS) Protocol
Version 1.2";
}
enum tls-1.3 {
value 2;
description
"TLS Protocol Version 1.3.";
reference
"RFC 8446: The Transport Layer Security (TLS) Protocol
Version 1.3";
}
}
description
"Indicates the TLS version.";
}
typedef dtls-version {
type enumeration {
enum dtls-1.2 {
value 1;
description
"DTLS Protocol Version 1.2.";
reference
"RFC 6346: Datagram Transport Layer Security 1.2";
}
enum dtls-1.3 {
value 2;
description
"DTLS Protocol Version 1.3.";
reference
"draft-ietf-tls-dtls13: Datagram Transport Layer Security 1.3";
}
}
description
"Indicates the DTLS version.";
}
feature tls-1_2 {
description
"TLS Protocol Version 1.2 is supported.";
reference
"RFC 5246: The Transport Layer Security (TLS) Protocol
Version 1.2";
}
feature tls-1_3 {
description
"TLS Protocol Version 1.3 is supported.";
reference
"RFC 8446: The Transport Layer Security (TLS) Protocol
Version 1.3";
}
feature dtls-1_2 {
description
"DTLS Protocol Version 1.2 is supported.";
reference
"RFC 6346: Datagram Transport Layer Security Version 1.2";
}
feature dtls-1_3 {
description
"DTLS Protocol Version 1.3 is supported.";
reference
"draft-ietf-tls-dtls13: Datagram Transport Layer Security 1.3";
}
grouping client-profile { grouping client-profile {
description description
"A grouping for (D)TLS profiles."; "A grouping for (D)TLS profiles.";
container client-profile { container client-profile {
list tls-profiles { list tls-dtls-profiles {
key "profile-name"; key "profile-name";
description description
"A list of (D)TLS version profiles supported by the client."; "A list of (D)TLS version profiles supported by the client.";
leaf profile-name { leaf profile-name {
type string { type string {
length "1..64"; length "1..64";
} }
description description
"The name of (D)TLS profile; space and special "The name of (D)TLS profile; space and special
characters are not allowed."; characters are not allowed.";
} }
leaf protocol-version {
type uint16;
description "(D)TLS version in ClientHello.legacy_version";
}
leaf-list supported_versions { leaf-list supported_versions {
type uint16; type uint16;
description description
"TLS versions supported by the client indicated "(D)TLS versions supported by the client";
in the supported_versions extension in (D)TLS 1.3.";
}
leaf grease_extension {
type boolean;
description
"If set to 'true', Grease extension values are offered by
the client.";
}
leaf-list encryption-algorithms {
type encryption-algorithm;
description "Encryption algorithms";
} }
leaf-list compression-methods { list cipher-suites {
type compression-method; key "cipher aead";
description "Compression methods"; leaf cipher {
type cipher-algorithm;
description "Cipher";
}
leaf aead {
type aead-algorithm;
description "AEAD";
}
description "Cipher Suites";
} }
leaf-list extension-types { leaf-list extension-types {
type extension-type; type extension-type;
description "Extension Types"; description "Extension Types";
} }
leaf-list acceptlist-ta-certs { leaf-list acceptlist-ta-certs {
type ct:trust-anchor-cert-cms; type ct:trust-anchor-cert-cms;
description description
"A list of trust anchor certificates used by the client."; "A list of trust anchor certificates used by the client.";
} }
leaf-list SPKI-pin-sets { container SPKI {
type SPKI-pin-set; leaf-list SPKI-pin-sets {
description type SPKI-pin-set;
"A list of SPKI pin sets pre-configured on the client description
to validate self-signed server certificate or "A list of SPKI pin sets pre-configured on the client
raw public key."; to validate self-signed server certificate or
} raw public key.";
leaf SPKI-hash-algorithm { }
type iha:hash-algorithm-type; leaf SPKI-hash-algorithm {
description type iha:hash-algorithm-type;
"cryptographic hash algorithm used to generate the description
SPKI pinset."; "cryptographic hash algorithm used to generate the
SPKI pinset.";
}
} }
leaf-list psk-key-exchange-modes { leaf-list psk-key-exchange-modes {
if-feature "tls-1_3 or dtls-1_3";
type psk-key-exchange-mode; type psk-key-exchange-mode;
description description
"pre-shared key exchange modes"; "pre-shared key exchange modes";
} }
leaf-list supported-groups { leaf-list supported-groups {
type supported-group; type supported-group;
description description
"A list of named groups supported by the client."; "A list of named groups supported by the client.";
} }
leaf-list signature-algorithms-cert { leaf-list signature-algorithms-cert {
if-feature "tls-1_3 or dtls-1_3";
type signature-algorithm; type signature-algorithm;
description description
"A list signature algorithms the client can validate "A list signature algorithms the client can validate
in X.509 certificates."; in X.509 certificates.";
} }
leaf-list signature-algorithms { leaf-list signature-algorithms {
type signature-algorithm; type signature-algorithm;
description description
"A list signature algorithms the client can validate "A list signature algorithms the client can validate
in the CertificateVerify message."; in the CertificateVerify message.";
} }
leaf-list application-protocols { leaf-list application-protocols {
type application-protocol; type application-protocol;
description description
"A list application protocols supported by the client"; "A list application protocols supported by the client";
} }
leaf-list cert-compression-algorithms { leaf-list cert-compression-algorithms {
if-feature "tls-1_3 or dtls-1_3";
type cert-compression-algorithm; type cert-compression-algorithm;
description description
"A list certificate compression algorithms "A list certificate compression algorithms
supported by the client"; supported by the client";
} }
leaf-list certificate_authorities { leaf-list certificate_authorities {
if-feature "tls-1_3 or dtls-1_3";
type certificate_authority; type certificate_authority;
description description
"A list of the distinguished names of certificate authorities "A list of the distinguished names of certificate authorities
acceptable to the client"; acceptable to the client";
}
container client-public-keys {
leaf-list key-exchange-algorithms {
type key-exchange-algorithm;
description
"Key exchange algorithms supported by the client";
}
leaf-list client-public-key-lengths {
type client-public-key-length;
description
"client public key lengths";
}
} }
} }
} }
} }
augment "/acl:acls/acl:acl/acl:aces/acl:ace/acl:matches" { augment "/acl:acls/acl:acl/acl:aces/acl:ace/acl:matches" {
description description
"MUD (D)TLS specific matches."; "MUD (D)TLS specific matches.";
uses client-profile; uses client-profile;
} }
} }
6. MUD File Example 6. Processing of the MUD (D)TLS Profile
This example below contains (D)TLS profile parameters for a IoT The following text outlines the rules for a network security service
device used to reach servers listening on port 443 using TCP (e.g., firewall) to follow to process the MUD (D)TLS Profile:
transport. JSON encoding of YANG modelled data [RFC7951] is used to
illustrate the example. o If the (D)TLS parameter observed in a (D)TLS session is not
specified in the MUD (D)TLS profile and the parameter is
recognized by the firewall, it can identify unexpected (D)TLS
usage, which can indicate the presence of unauthorized software or
malware on an endpoint. The firewall can take several actions
like block the (D)TLS session or raise an alert to quarantine and
remediate the compromised device. For example, if the cipher
suite TLS_RSA_WITH_AES_128_CBC_SHA in the ClientHello message is
not specified in the MUD (D)TLS profile and the cipher suite is
recognized by the firewall, it can identify unexpected TLS usage.
o If the (D)TLS parameter observed in a (D)TLS session is not
specified in the MUD (D)TLS profile and the (D)TLS parameter is
not recognized by the firewall, it can ignore the unrecognized
parameter and the correct behavior is not to block the (D)TLS
session. The behaviour is functionally equivalent to the
description in Section 9.3 of [RFC8446] to ignore all unrecognized
cipher suites, extensions, and other parameters. For example, if
the cipher suite TLS_CHACHA20_POLY1305_SHA256 in the ClientHello
message is not specified in the MUD (D)TLS profile and the cipher
suite is not recognized by the firewall, it can ignore the
unrecognized cipher suite.
o Deployments update at different rates, so an updated MUD (D)TLS
profile may support newer parameters. If the firewall does not
recognize the newer parameters, an alert should be triggered to
the firewall vendor and the IoT device owner or administrator. A
firewall must be readily updatable, so that when ossification
problems are discovered, they can be addressed quickly. Most
importantly, if the firewall is not readily updatable, its
efficacy to identify emerging malware will decrease with time.
For example, if the cipher suite TLS_AES_128_CCM_8_SHA256 in the
ClientHello message is specified in the MUD (D)TLS profile and the
cipher suite is not recognized by the firewall, an alert will be
triggered.
7. MUD File Example
The example below contains (D)TLS profile parameters for a IoT device
used to reach servers listening on port 443 using TCP transport.
JSON encoding of YANG modelled data [RFC7951] is used to illustrate
the example.
{ {
"ietf-mud:mud": { "ietf-mud:mud": {
"mud-version": 1, "mud-version": 1,
"mud-url": "https://example.com/IoTDevice", "mud-url": "https://example.com/IoTDevice",
"last-update": "2019-18-06T03:56:40.105+10:00", "last-update": "2019-18-06T03:56:40.105+10:00",
"cache-validity": 100, "cache-validity": 100,
"is-supported": true, "is-supported": true,
"systeminfo": "IoT device name", "systeminfo": "IoT device name",
"from-device-policy": { "from-device-policy": {
skipping to change at page 16, line 23 skipping to change at page 17, line 49
"ipv6": { "ipv6": {
"protocol": 6 "protocol": 6
}, },
"tcp": { "tcp": {
"ietf-mud:direction-initiated": "from-device", "ietf-mud:direction-initiated": "from-device",
"destination-port": { "destination-port": {
"operator": "eq", "operator": "eq",
"port": 443 "port": 443
} }
}, },
"reddy-opsawg-mud-tls-profile:client-profile" : { "iana-opsawg-mud-tls-profile:client-profile" : {
"tls-profiles" : [ "tls-dtls-profiles" : [
{ {
"protocol-version" : 771, "supported-tls-versions" : [2],
"supported_versions_ext" : "FALSE", "cipher-suites" : [
"encryption-algorithms" : {
[31354, 4865, 4866, 4867], "cipher": 19,
"extension-types" : [10], "aead": 1
},
{
"cipher": 19,
"aead": 2
}
],
"extension-types" : [10,11,13,16,24],
"supported-groups" : [29] "supported-groups" : [29]
} }
] ]
}, },
"actions": { "actions": {
"forwarding": "accept" "forwarding": "accept"
} }
} }
} }
] ]
} }
} }
] ]
} }
} }
} }
7. Security Considerations The following illustrates the example scenarios for processing the
above profile:
o If the extension type "encrypt_then_mac" (code point 22) [RFC7366]
in the ClientHello message is recognized by the firewall, it can
identify unexpected TLS usage.
o If the extension type "token_binding" (code point 24) [RFC8472] in
the ClientHello message is not recognized by the firewall, it can
ignore the unrecognized extension. Because the extension type
token_binding is specified in the profile, an alert will be
triggered to the firewall vendor and the IoT device owner or
administrator to notify the firewall is not up to date.
8. Security Considerations
Security considerations in [RFC8520] need to be taken into Security considerations in [RFC8520] need to be taken into
consideration. Although it is challenging for a malware to mimic the consideration. Although it is challenging for a malware to mimic the
TLS behavior of various IoT device types and IoT device models from TLS behavior of various IoT device types and IoT device models from
several manufacturers, malicious agents have a very low probabilty of several manufacturers, malicious agents have a very low probability
using the same (D)TLS profile parameters as legitimate agents on the of using the same (D)TLS profile parameters as legitimate agents on
IoT device to evade detection. Network security services should also the IoT device to evade detection. Network security services should
rely on contextual network data to detect false negatives. In order also rely on contextual network data to detect false negatives. In
to detect such malicious flows, anomaly detection (deep learning order to detect such malicious flows, anomaly detection (deep
techniques on network data) can be used to detect malicious agents learning techniques on network data) can be used to detect malicious
using the same (D)TLS profile parameters as legitimate agent on the agents using the same (D)TLS profile parameters as legitimate agent
IoT device. In anomaly detection, the main idea is to maintain on the IoT device. In anomaly detection, the main idea is to
rigorous learning of "normal" behavior and where an "anomaly" (or an maintain rigorous learning of "normal" behavior and where an
attack) is identified and categorized based on the knowledge about "anomaly" (or an attack) is identified and categorized based on the
the normal behavior and a deviation from this normal behavior. knowledge about the normal behavior and a deviation from this normal
behavior.
8. Privacy Considerations 9. Privacy Considerations
The middle-box acting as a (D)TLS proxy must immediately delete the Privacy considerations discussed in Section 16 of [RFC8520] to not
reveal the MUD URL to an atacker need to be taken into consideration.
The MUD URL can be stored in Trusted Execution Environment (TEE) for
secure operation, enhanced data security, and prevent exposure to
unauthorized software.
The middlebox acting as a (D)TLS proxy must immediately delete the
decrypted data upon completing any necessary inspection functions. decrypted data upon completing any necessary inspection functions.
TLS proxy potentially has access to a user's PII (Personally TLS proxy potentially has access to a user's PII (Personally
identifiable information) and PHI (Protected Health Information). identifiable information) and PHI (Protected Health Information).
The TLS proxy must not store, process or modify PII data. For The TLS proxy must not store, process or modify PII data. For
example, IT administrator can configure firewall to bypass payload example, IT administrator can configure the middlebox to bypass
inspection for a connection destined to a specific service due to payload inspection for a connection destined to a specific service
privacy compliance requirements. due to privacy compliance requirements. In addition, mechanisms
based on object security can be used by IoT devices to enable end-to-
end security and the middlebox will not have any access to the packet
data. For example, Object Security for Constrained RESTful
Environments (OSCORE) [RFC8613] is a proposal that protects CoAP
messages by wrapping them in the COSE format [RFC8152].
9. IANA Considerations 10. IANA Considerations
Each normative YANG module MUST be registered in both the "IETF XML
Registry" [RFC3688] and the "YANG Module Names" registry [RFC6020].
This document requests IANA to register the following URIs in the This document requests IANA to register the following URIs in the
"ns" subregistry within the "IETF XML Registry" [RFC3688]: "ns" subregistry within the "IETF XML Registry" [RFC3688]:
URI: urn:ietf:params:xml:ns:yang:reddy-opsawg-mud-tls-profile URI: urn:ietf:params:xml:ns:yang:iana-opsawg-mud-tls-profile
Registrant Contact: The IESG. Registrant Contact: The IESG.
XML: N/A; the requested URI is an XML namespace. XML: N/A; the requested URI is an XML namespace.
10. Acknowledgments This document requests IANA to register the following YANG modules in
the "YANG Module Names" subregistry [RFC6020] within the "YANG
Parameters" registry. IANA is requested to create an IANA-maintained
YANG Module called "iana-opsawg-mud-tls-profile", based on the
contents of Section 5, which will allow for new (D)TLS parameters and
(D)TLS versions. The registration procedure will be Expert Review or
Specification Required, as defined by [RFC8126].
name: iana-opsawg-mud-tls-profile
namespace: urn:ietf:params:xml:ns:yang:iana-opsawg-mud-tls-profile
maintained by IANA: Y
prefix: mud-tls-profile
reference: RFC XXXX
11. Acknowledgments
Thanks to Flemming Andreasen, Shashank Jain, Michael Richardson, Thanks to Flemming Andreasen, Shashank Jain, Michael Richardson,
Piyush Joshi and Harsha Joshi for the discussion and comments. Piyush Joshi, Eliot Lear, Harsha Joshi, Qin Wu, Mohamed Boucadair,
Ben Schwartz, Eric Rescorla, Panwei William, Nick Lamb and Nick
Harper for the discussion and comments.
11. References 12. References
11.1. Normative References
12.1. Normative References
[I-D.ietf-netconf-crypto-types] [I-D.ietf-netconf-crypto-types]
Watsen, K., "YANG Data Types and Groupings for Watsen, K., "YANG Data Types and Groupings for
Cryptography", draft-ietf-netconf-crypto-types-18 (work in Cryptography", draft-ietf-netconf-crypto-types-18 (work in
progress), August 2020. progress), August 2020.
[I-D.ietf-tls-certificate-compression] [I-D.ietf-tls-certificate-compression]
Ghedini, A. and V. Vasiliev, "TLS Certificate Ghedini, A. and V. Vasiliev, "TLS Certificate
Compression", draft-ietf-tls-certificate-compression-10 Compression", draft-ietf-tls-certificate-compression-10
(work in progress), January 2020. (work in progress), January 2020.
skipping to change at page 19, line 15 skipping to change at page 21, line 36
[RFC8701] Benjamin, D., "Applying Generate Random Extensions And [RFC8701] Benjamin, D., "Applying Generate Random Extensions And
Sustain Extensibility (GREASE) to TLS Extensibility", Sustain Extensibility (GREASE) to TLS Extensibility",
RFC 8701, DOI 10.17487/RFC8701, January 2020, RFC 8701, DOI 10.17487/RFC8701, January 2020,
<https://www.rfc-editor.org/info/rfc8701>. <https://www.rfc-editor.org/info/rfc8701>.
[X690] ITU-T, "Information technology - ASN.1 encoding Rules: [X690] ITU-T, "Information technology - ASN.1 encoding Rules:
Specification of Basic Encoding Rules (BER), Canonical Specification of Basic Encoding Rules (BER), Canonical
Encoding Rules (CER) and Distinguished Encoding Rules Encoding Rules (CER) and Distinguished Encoding Rules
(DER)", ISO/IEC 8825-1:2002, 2002. (DER)", ISO/IEC 8825-1:2002, 2002.
11.2. Informative References 12.2. Informative References
[cryto-vulnerability] [cryto-vulnerability]
Perez, B., "Exploiting the Windows CryptoAPI Perez, B., "Exploiting the Windows CryptoAPI
Vulnerability", January 2020, Vulnerability", January 2020,
<https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/ <https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/
CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF>. CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF>.
[I-D.ietf-dnsop-svcb-https] [I-D.ietf-tls-esni]
Schwartz, B., Bishop, M., and E. Nygren, "Service binding Rescorla, E., Oku, K., Sullivan, N., and C. Wood, "TLS
and parameter specification via the DNS (DNS SVCB and Encrypted Client Hello", draft-ietf-tls-esni-07 (work in
HTTPS RRs)", draft-ietf-dnsop-svcb-https-01 (work in progress), June 2020.
progress), July 2020.
[I-D.ietf-tls-sni-encryption] [I-D.ietf-uta-tls13-iot-profile]
Huitema, C. and E. Rescorla, "Issues and Requirements for Tschofenig, H. and T. Fossati, "TLS/DTLS 1.3 Profiles for
SNI Encryption in TLS", draft-ietf-tls-sni-encryption-09 the Internet of Things", draft-ietf-uta-tls13-iot-
(work in progress), October 2019. profile-00 (work in progress), June 2020.
[I-D.reddy-add-enterprise] [I-D.reddy-add-enterprise]
Reddy.K, T. and D. Wing, "DNS-over-HTTPS and DNS-over-TLS Reddy.K, T. and D. Wing, "DNS-over-HTTPS and DNS-over-TLS
Server Deployment Considerations for Enterprise Networks", Server Deployment Considerations for Enterprise Networks",
draft-reddy-add-enterprise-00 (work in progress), June draft-reddy-add-enterprise-00 (work in progress), June
2020. 2020.
[malware] Anderson, B., Paul, S., and D. McGrew, "Deciphering [malware] Anderson, B., Paul, S., and D. McGrew, "Deciphering
Malware's use of TLS (without Decryption)", July 2016, Malware's use of TLS (without Decryption)", July 2016,
<https://arxiv.org/abs/1607.01639>. <https://arxiv.org/abs/1607.01639>.
skipping to change at page 20, line 11 skipping to change at page 22, line 27
new DoH (DNS over HTTPS) protocol", July 2019, new DoH (DNS over HTTPS) protocol", July 2019,
<https://www.zdnet.com/article/first-ever-malware-strain- <https://www.zdnet.com/article/first-ever-malware-strain-
spotted-abusing-new-doh-dns-over-https-protocol/>. spotted-abusing-new-doh-dns-over-https-protocol/>.
[malware-tls] [malware-tls]
Anderson, B. and D. McGrew, "TLS Beyond the Browser: Anderson, B. and D. McGrew, "TLS Beyond the Browser:
Combining End Host and Network Data to Understand Combining End Host and Network Data to Understand
Application Behavior", October 2019, Application Behavior", October 2019,
<https://dl.acm.org/citation.cfm?id=3355601>. <https://dl.acm.org/citation.cfm?id=3355601>.
[RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for
the Network Configuration Protocol (NETCONF)", RFC 6020,
DOI 10.17487/RFC6020, October 2010,
<https://www.rfc-editor.org/info/rfc6020>.
[RFC7366] Gutmann, P., "Encrypt-then-MAC for Transport Layer
Security (TLS) and Datagram Transport Layer Security
(DTLS)", RFC 7366, DOI 10.17487/RFC7366, September 2014,
<https://www.rfc-editor.org/info/rfc7366>.
[RFC7469] Evans, C., Palmer, C., and R. Sleevi, "Public Key Pinning [RFC7469] Evans, C., Palmer, C., and R. Sleevi, "Public Key Pinning
Extension for HTTP", RFC 7469, DOI 10.17487/RFC7469, April Extension for HTTP", RFC 7469, DOI 10.17487/RFC7469, April
2015, <https://www.rfc-editor.org/info/rfc7469>. 2015, <https://www.rfc-editor.org/info/rfc7469>.
[RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D., [RFC7525] Sheffer, Y., Holz, R., and P. Saint-Andre,
and P. Hoffman, "Specification for DNS over Transport "Recommendations for Secure Use of Transport Layer
Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May Security (TLS) and Datagram Transport Layer Security
2016, <https://www.rfc-editor.org/info/rfc7858>. (DTLS)", BCP 195, RFC 7525, DOI 10.17487/RFC7525, May
2015, <https://www.rfc-editor.org/info/rfc7525>.
[RFC7925] Tschofenig, H., Ed. and T. Fossati, "Transport Layer
Security (TLS) / Datagram Transport Layer Security (DTLS)
Profiles for the Internet of Things", RFC 7925,
DOI 10.17487/RFC7925, July 2016,
<https://www.rfc-editor.org/info/rfc7925>.
[RFC7951] Lhotka, L., "JSON Encoding of Data Modeled with YANG", [RFC7951] Lhotka, L., "JSON Encoding of Data Modeled with YANG",
RFC 7951, DOI 10.17487/RFC7951, August 2016, RFC 7951, DOI 10.17487/RFC7951, August 2016,
<https://www.rfc-editor.org/info/rfc7951>. <https://www.rfc-editor.org/info/rfc7951>.
[RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for
Writing an IANA Considerations Section in RFCs", BCP 26,
RFC 8126, DOI 10.17487/RFC8126, June 2017,
<https://www.rfc-editor.org/info/rfc8126>.
[RFC8152] Schaad, J., "CBOR Object Signing and Encryption (COSE)",
RFC 8152, DOI 10.17487/RFC8152, July 2017,
<https://www.rfc-editor.org/info/rfc8152>.
[RFC8472] Popov, A., Ed., Nystroem, M., and D. Balfanz, "Transport
Layer Security (TLS) Extension for Token Binding Protocol
Negotiation", RFC 8472, DOI 10.17487/RFC8472, October
2018, <https://www.rfc-editor.org/info/rfc8472>.
[RFC8484] Hoffman, P. and P. McManus, "DNS Queries over HTTPS [RFC8484] Hoffman, P. and P. McManus, "DNS Queries over HTTPS
(DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018, (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018,
<https://www.rfc-editor.org/info/rfc8484>. <https://www.rfc-editor.org/info/rfc8484>.
[RFC8520] Lear, E., Droms, R., and D. Romascanu, "Manufacturer Usage [RFC8520] Lear, E., Droms, R., and D. Romascanu, "Manufacturer Usage
Description Specification", RFC 8520, Description Specification", RFC 8520,
DOI 10.17487/RFC8520, March 2019, DOI 10.17487/RFC8520, March 2019,
<https://www.rfc-editor.org/info/rfc8520>. <https://www.rfc-editor.org/info/rfc8520>.
[RFC8576] Garcia-Morchon, O., Kumar, S., and M. Sethi, "Internet of [RFC8576] Garcia-Morchon, O., Kumar, S., and M. Sethi, "Internet of
Things (IoT) Security: State of the Art and Challenges", Things (IoT) Security: State of the Art and Challenges",
RFC 8576, DOI 10.17487/RFC8576, April 2019, RFC 8576, DOI 10.17487/RFC8576, April 2019,
<https://www.rfc-editor.org/info/rfc8576>. <https://www.rfc-editor.org/info/rfc8576>.
[RFC8613] Selander, G., Mattsson, J., Palombini, F., and L. Seitz,
"Object Security for Constrained RESTful Environments
(OSCORE)", RFC 8613, DOI 10.17487/RFC8613, July 2019,
<https://www.rfc-editor.org/info/rfc8613>.
[X501] "Information Technology - Open Systems Interconnection - [X501] "Information Technology - Open Systems Interconnection -
The Directory: Models", ITU-T X.501, 1993. The Directory: Models", ITU-T X.501, 1993.
Authors' Addresses Authors' Addresses
Tirumaleswar Reddy Tirumaleswar Reddy
McAfee, Inc. McAfee, Inc.
Embassy Golf Link Business Park Embassy Golf Link Business Park
Bangalore, Karnataka 560071 Bangalore, Karnataka 560071
India India
Email: kondtir@gmail.com Email: kondtir@gmail.com
Dan Wing Dan Wing
Citrix Systems, Inc. Citrix Systems, Inc.
4988 Great America Pkwy 4988 Great America Pkwy
Santa Clara, CA 95054 Santa Clara, CA 95054
USA USA
Email: danwing@gmail.com Email: danwing@gmail.com
Blake Anderson Blake Anderson
Cisco Systems, Inc. Cisco Systems, Inc.
 End of changes. 90 change blocks. 
347 lines changed or deleted 505 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/