OPS Area Working Group                                    M. Richardson
Internet-Draft                                  Sandelman Software Works
Intended status: Informational                                 J. Latour
Expires: March 12, 2021                                        CIRA Labs
                                                   H. Habibi Gharakheili
                                                             UNSW Sydney
                                                       September 8, 2020

                   On loading MUD URLs from QR codes
           draft-richardson-opsawg-securehomegateway-mud-05

Abstract

   This informational document details the mechanism used by the CIRA
   Secure Home Gateway (SHG) to load MUD definitions for devices which
   have no integrated MUD (RFC8520) support.
   RFCEDITOR please remove: Pull requests and edits welcome at:
   https://github.com/CIRALabs/securehomegateway-mud/tree/ietf

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 12, 2021.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  Protocol
     3.1.  The SQRL protocol
     3.2.  Manufacturer Usage Descriptions in SQRL
       3.2.1.  B000 Company Name
       3.2.2.  B001 Product Name
       3.2.3.  B002 Model Number
       3.2.4.  MUD URL Data Record
       3.2.5.  MUD device MAC address
   4.  Generic URL or Version Specific URL
   5.  Privacy Considerations
   6.  Security Considerations
   7.  IANA Considerations
   8.  Acknowledgements
   9.  History
   10. References
     10.1.  Normative References
     10.2.  Informative References
   Authors' Addresses

1.  Introduction

   The Manufacturer Usage Description (MUD) [RFC8520] defines a YANG
   data model to express what sort of access a device requires to
   operate correctly.  The document additionally defines three ways for
   the device to communicate the URL of the resulting JSON [RFC8259]
   format file to a network enforcement point: DHCP, within an X.509
   certificate extension, and via LLDP.

   Each of the above mechanisms conveys the MUD URL in-band, and
   requires modifications to the device firmware.  Most small IoT
   devices do not have LLDP, and often have very restricted DHCP
   clients.  Adding the LLDP or DHCP options requires at least some
   minimal configuration change, and possibly entire new subsystems.
   Meanwhile, use of the PKIX certificate extension only makes sense as
   part of a larger IDevID based [ieee802-1AR] deployment such as
   [I-D.ietf-anima-bootstrapping-keyinfra].

   In the above cases these mechanisms can only be implemented by
   persons with access to modify and update the firmware of the device.
   The MUD system was designed to be implemented by Manufacturers after
   all!

   In the meantime there is a chicken-or-egg problem ([chickenegg]): no
   manufacturers include MUD URLs in their products as there are no
   gateways that use them.  No gateways include code that processes MUD
   URLs as no products produce them.

   The mechanism described here allows any person with physical access
   to the device to affix a reference to a MUD URL that can later be
   scanned by an end user.

   Such an action can be done by:

   *  the marketing department of the Manufacturer,
   *  an outsourced assembler plant,
   *  value added resellers (perhaps in response to a local RFP),
   *  a company importing the product (possibly to comply with a local
      regulation),
   *  a network administrator (perhaps before sending devices home with
      employees, or to remote sites),
   *  a retailer as a value added service.

   The mechanism described herein uses a QR code, which is informally
   described in [qrcode], but specifically leverages the data format
   from the Reverse Logistics Association's [SQRL] system.  This is an
   application of the 12N Data Identifier system specified by the ANSI
   MH10.8.2 Committee in a format appropriate for QR codes as well as
   other carriers such as NFC transmissions.

   QR code generators are available as web services
   ([qrcodewebservice]), or as programs such as [qrencode].  They are
   formally defined in [isoiec18004].

   Section 4 summarizes the recommendations of
   [I-D.richardson-opsawg-mud-acceptable-urls] section 2 ("Updating MUD
   URLs vs Updating MUD files").  The question as to whether the MUD
   file should be specific to a particular version of the device
   firmware is considered in the context of affixed external labels.

   A third issue is that an intermediary (ISP, or third-party security
   service) may want to extend or amend a MUD file received from a
   manufacturer.
   In order to maintain an audit trail of changes, a way to encode the
   previous MUD URL and signature file (and status) is provided.  (FOR
   DISCUSSION)

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  Protocol

   This QR code protocol builds upon the work by [SQRL].  That protocol
   is very briefly described in the next section.  Then the list of
   needed Data Records to be filled in is explained.

3.1.  The SQRL protocol

   [SQRL] documents an octet protocol that can be efficiently encoded
   into QR codes using a sequence of ASCII bytes, plus five control
   codes (see section 3.1 of [SQRL]):

   *  Record Separator (ASCII 30)
   *  End of Transmission (ASCII 4)
   *  Field Separator (ASCII 28)
   *  Group Separator (ASCII 29)
   *  Unit Separator (ASCII 31)
   *  Concatenation Operator (ASCII 43: "+")

   Section 7.2 of [SQRL] gives the details, which can be summarized as:

   1.  The QR code header starts with:

          "[)>" <RS> "06" <GS> "12N"

   2.  Include one or more Data Records.  Each consists of a four-letter
       Field Identifier followed by ASCII characters terminated with a
       .

   3.  End with:

          <RS><EoT>

   There are, additionally, optional flags that may be present in every
   Data Record as described in section 7.4.  As there is little use for
   these in the context of MUD URLs, they can likely be ignored by
   parsers that are not parsing any of the rest of the information.  A
   parser that sees a Field Separator in the stream SHOULD ignore the
   characters collected so far and then continue parsing to get the user
   data.

   Environment records, as described in section 7.4, look and act
   exactly as fields, with a special Field Identifier.
   They serve no purpose when looking for MUD information, and MAY be
   ignored.

3.2.  Manufacturer Usage Descriptions in SQRL

3.2.1.  B000 Company Name

   The B000 Data Record is mandatory in [SQRL].  It should be an ASCII
   representation of the company or brand name.  It should match the
   ietf-mud/mud/mfg-name in the MUD file.

3.2.2.  B001 Product Name

   The B001 Data Record is optional.  It is the Product Name in ASCII.
   Its presence is strongly RECOMMENDED.

3.2.3.  B002 Model Number

   The B002 Data Record is optional in [SQRL], but is MANDATORY in this
   profile.  It is the Model Name in ASCII.  It should match the ietf-
   mud/mud/model-name in the MUD file, if it is present.

3.2.4.  MUD URL Data Record

   A new Field Identifier has been requested from the RLA, which is
   "UXXX" (probably "U087").  This record should be filled with the MUD
   URL.  Shorter is better.  Section 8.1 of [SQRL] has some good advice
   on longevity concerns with URLs.

   The URL provided MUST NOT have a query (?) portion present.

3.2.5.  MUD device MAC address

   In order for the MUD controller to associate the above policy with a
   specific device, some unique identifier must be provided to the MUD
   controller.  The most actionable identifier is the Ethernet MAC
   address.  [SQRL] section 9.10 defines the Data Record "M06C" as the
   MAC address.  No format for the MAC address is provided in that
   document.

   The recommended format in order to conserve space is 12 or 16 hex
   octets.  (16 octets for the newer IEEE OUI-64 format used in 802.15.4
   and some next generation Ethernet proposals.)

   The parser SHOULD be tolerant of extra characters: colons (":"),
   dashes ("-"), and white space.

4.  Generic URL or Version Specific URL

   MUD URLs which are communicated in-band by the device, and which are
   programmed into the device's firmware, may provide a firmware
   specific version of the MUD URL.
   This has the advantage that the resulting ACLs implemented are
   specific to the needs of that version of the firmware.

   A MUD URL which is affixed to the device with a sticker, or etched
   into the case, cannot be changed.

   Given the considerations of
   [I-D.richardson-opsawg-mud-acceptable-urls] section 2.1 ("Updating
   the MUD file in place"), it is prudent to use a MUD URL which points
   to a MUD file which will only have new features added over time, and
   never removed.

   When the firmware eventually receives built-in MUD URL support, then
   a more specific URL may be used.

   Note that in many cases it will be third parties who are generating
   these QR codes, so the MUD file may be hosted by the third party.

5.  Privacy Considerations

   The presence of the MUD URL in the QR code reveals the manufacturer
   of the device, the type or model of the device, and possibly the
   firmware version of the device.

   The MAC address of the device will also need to be present, and this
   is potentially Personally Identifiable Information (PII).  Such QR
   codes should not be placed on the outside of the packaging, and only
   on the device itself, ideally on a non-prominent part of the device
   (e.g., the bottom).

   The QR code sticker should not be placed on any part of the device
   that might become visible to machine vision systems in the same area.
   This includes security systems, robotic vacuum cleaners, and anyone
   taking a picture with a camera.  Such systems may store the
   picture(s) in such a way that a future viewer of the image will be
   able to decode the QR code, possibly through assembly of multiple
   pictures.  The QR code is not, however, a certain indicator that the
   device is present, only that the QR code sticker that came with the
   device is present.

6.  Security Considerations

   To Be Determined.

7.  IANA Considerations

   This document makes no IANA actions.
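   Returning to the SQRL profile of sections 3.1 and 3.2: the following
   is an added example, not code from this draft nor from the CIRA SHG
   project, of a gateway-side encoder and parser for such a label.  It
   applies the checks the profile states (B000 and B002 mandatory, B001
   optional, no query portion in the MUD URL, 12 or 16 hex digits in the
   M06C record with colons, dashes and white space tolerated, discard of
   anything before a Field Separator, unknown and environment records
   ignored).  Several details are assumptions labelled in the code:
   "U087" stands in for the still-unassigned "UXXX" identifier, data
   records are taken to be delimited by <GS> (the terminator is missing
   from this copy of the draft), record flags are assumed to sit between
   the identifier and the <FS>, and the "https" requirement comes from
   RFC 8520 rather than from this draft.  The sample label is
   constructed for the example.

```python
"""Encoder and parser for a 12N/SQRL QR payload that carries a MUD URL.

Added example; not code from the draft or from the CIRA SHG project.
Points marked ASSUMPTION are not stated by the draft.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Control codes from section 3.1 of the draft (ASCII 30, 4, 28, 29, 31, 43).
RS, EOT, FS, GS, US, CONCAT = "\x1e", "\x04", "\x1c", "\x1d", "\x1f", "+"
HEADER = "[)>" + RS + "06" + GS + "12N"   # section 3.1, step 1
TRAILER = RS + EOT                         # section 3.1, step 3
# ASSUMPTION: the draft says the MUD URL identifier is "UXXX (probably U087)";
# U087 is a placeholder until the RLA assignment is confirmed.
MUD_URL_FIELD = "U087"


class LabelError(ValueError):
    """Raised when a payload violates the profile in section 3.2."""


@dataclass
class MudLabel:
    company: str                   # B000, mandatory
    model: str                     # B002, mandatory in this profile
    mud_url: str                   # MUD URL record
    mac: str                       # M06C, normalised: lowercase hex, no separators
    product: Optional[str] = None  # B001, optional but RECOMMENDED


def normalize_mac(raw: str) -> str:
    """Accept a 12- or 16-hex-digit MAC with optional ':', '-' or white space."""
    digits = re.sub(r"[:\-\s]", "", raw)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}|[0-9A-Fa-f]{16}", digits):
        raise LabelError(f"M06C is not a 12- or 16-hex-digit MAC: {raw!r}")
    return digits.lower()


def check_mud_url(url: str) -> str:
    """Section 3.2.4: no query portion.  RFC 8520 additionally requires https."""
    if "?" in url:
        raise LabelError("MUD URL MUST NOT contain a query portion")
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise LabelError(f"not an https MUD URL: {url!r}")
    return url


def split_records(payload: str) -> List[Tuple[str, str]]:
    """Strip header/trailer and return (field_id, data) pairs.

    ASSUMPTION: records are delimited by <GS>.  ASSUMPTION: optional flags sit
    between the four-letter identifier and a <FS>; per section 3.1 everything
    collected before the last <FS> is discarded and the user data kept.
    """
    if not payload.startswith(HEADER) or not payload.endswith(TRAILER):
        raise LabelError("missing 12N header or <RS><EoT> trailer")
    body = payload[len(HEADER):-len(TRAILER)]
    records: List[Tuple[str, str]] = []
    for rec in body.split(GS):
        if not rec:
            continue
        if len(rec) < 4:
            raise LabelError(f"record too short: {rec!r}")
        field_id, data = rec[:4], rec[4:]
        if FS in data:
            data = data.rsplit(FS, 1)[1]
        records.append((field_id, data))
    return records


def parse_label(payload: str) -> MudLabel:
    """Validate the profile of section 3.2 and return the decoded label."""
    fields: Dict[str, str] = {}
    for field_id, data in split_records(payload):
        fields.setdefault(field_id, data)  # environment/unknown records are kept but unused
    for required in ("B000", "B002", MUD_URL_FIELD, "M06C"):
        if required not in fields:
            raise LabelError(f"mandatory record {required} missing")
    return MudLabel(
        company=fields["B000"],
        model=fields["B002"],
        mud_url=check_mud_url(fields[MUD_URL_FIELD]),
        mac=normalize_mac(fields["M06C"]),
        product=fields.get("B001"),
    )


def build_label(label: MudLabel) -> str:
    """Encode a label the way a reseller's sticker printer would."""
    recs = [("B000", label.company)]
    if label.product:
        recs.append(("B001", label.product))
    recs += [("B002", label.model),
             (MUD_URL_FIELD, check_mud_url(label.mud_url)),
             ("M06C", normalize_mac(label.mac))]
    return HEADER + "".join(GS + fid + data for fid, data in recs) + TRAILER


# Constructed sample: a sticker a value-added reseller might print.
SAMPLE = build_label(MudLabel("Example Corp", "EX-100",
                              "https://mud.example.com/ex100.json",
                              "00-11-22-AA-BB-CC", product="Example Camera"))

if __name__ == "__main__":
    print(parse_label(SAMPLE))
```

   The controller keys its policy on the normalised MAC, so the same
   device scanned from a label written as "00:11:22:aa:bb:cc" and one
   written as "001122AABBCC" resolves to one entry; rejecting the query
   portion up front also stops a label from smuggling per-device
   parameters into what section 4 argues should be a stable, generic
   URL.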
8.  Acknowledgements

   This work was supported by the Canadian Internet Registration
   Authority (cira.ca).

9.  History

   Previous versions of this work leveraged the QR code format from the
   WiFi Alliance DPP specification.  This document no longer uses that.

10.  References

10.1.  Normative References

   [qrcode]   Wikipedia, "QR Code", December 2019.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8520]  Lear, E., Droms, R., and D. Romascanu, "Manufacturer Usage
              Description Specification", RFC 8520,
              DOI 10.17487/RFC8520, March 2019.

   [SQRL]     Reverse Logistics Association, "SQRL Codes: Standardized
              Quick Response for Logistics, Using the 12N Data
              Identifier", February 2017.

10.2.  Informative References

   [chickenegg]
              Wikipedia, "Chicken or the egg", December 2019.

   [I-D.ietf-anima-bootstrapping-keyinfra]
              Pritikin, M., Richardson, M., Eckert, T., Behringer, M.,
              and K. Watsen, "Bootstrapping Remote Secure Key
              Infrastructures (BRSKI)", Work in Progress, Internet-
              Draft, draft-ietf-anima-bootstrapping-keyinfra-43, August
              7, 2020.

   [I-D.richardson-opsawg-mud-acceptable-urls]
              Richardson, M., Pan, W., and E. Lear, "Authorized update
              to MUD URLs", Work in Progress, Internet-Draft, draft-
              richardson-opsawg-mud-acceptable-urls-01, June 16, 2020.

   [ieee802-1AR]
              IEEE Standard, "IEEE 802.1AR Secure Device Identifier",
              2009.

   [isoiec18004]
              ISO/IEC, "Information technology - Automatic
              identification and data capture techniques - QR Code bar
              code symbology specification (ISO/IEC 18004)", February
              2015.

   [qrcodewebservice]
              Internet, "QR Code Generators", December 2019.
   [qrencode] Fukuchi, K., "QR encode", December 2019.

   [RFC8259]  Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
              Interchange Format", STD 90, RFC 8259,
              DOI 10.17487/RFC8259, December 2017.

Authors' Addresses

   Michael Richardson
   Sandelman Software Works

   Email: mcr+ietf@sandelman.ca


   Jacques Latour
   CIRA Labs

   Email: Jacques.Latour@cira.ca


   Hassan Habibi Gharakheili
   UNSW Sydney

   Email: h.habibi@unsw.edu.au