OPSAWG                                                          J. Yang
Internet-Draft                                                   L. Xia
Intended status: Standards Track                                 Huawei
Expires: September 7, 2020                                March 06, 2020


                 Active-Scanning profiles for IoT devices
             draft-yang-opsawg-iot-devices-active-scanning-00

Abstract

   This draft extends the MUD model (RFC 8520) to describe active
   scanning of an end-host device during its on-boarding.
   The modelled features include TCP/UDP port scanning, weak-password
   detection, and detection of mandatory and hazardous services, which
   help the administrator discover system security vulnerabilities in
   advance.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 7, 2020.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Overview of Active Scanning IoT devices
     2.1.  Port-Scanning
     2.2.  Service Discovery
     2.3.  Weak-password Cracking
     2.4.  Frequency and Result of active scanning
   3.  The ietf-mud-active-scanning model extension
     3.1.  The mud-active-scanning YANG model
   4.  MUD File Example
   5.  Security Considerations
   6.  IANA Considerations
   7.  Acknowledgements
   8.  Informative References
   Authors' Addresses

1.  Introduction

   IoT devices build on a large number of open-source software and
   application components, and their systems iterate quickly, so
   various security vulnerabilities may exist.  When an IoT device is
   being on-boarded, the network administrator can use active scanning
   to quickly learn the device's security settings and the services it
   exposes, detect security vulnerabilities in a timely manner,
   objectively evaluate the network risk level, and fix vulnerabilities
   and incorrect configurations before they can be exploited.  If
   firewalls and network monitoring systems are regarded as passive
   means of defense, then security scanning is an active preventive
   measure that can effectively prevent attacks.

   This document extends MUD [RFC8520] to model the functions and
   parameters of active scanning, including TCP/UDP port scanning,
   weak-password detection, and detection of mandatory and hazardous
   services.  Using this scanning profile, a MUD-enabled active scanner
   can obtain a great deal of useful information for discovering system
   security vulnerabilities.

2.  Overview of Active Scanning IoT devices

2.1.  Port-Scanning

   A port is a potential communication channel and therefore also a
   potential intrusion channel.
   Port scanning of an IoT device yields a great deal of useful
   information that can be used to discover system security
   vulnerabilities.  The following scanning types are widely used:

   o  TCP SYN scanning: also called half-open scanning.  A SYN packet is
      sent to the destination port.  If a SYN/ACK is received, the port
      is open; if an RST is received, the port is closed; if no reply is
      received, the port is considered filtered.  Because only SYN
      packets are sent to specific ports of the target host and no
      complete TCP connection is established, this mode is relatively
      covert and efficient: on a fast network without an intervening
      firewall, thousands of ports can be scanned per second, and it is
      the most widely applicable mode.

   o  TCP connect scanning: the system's socket API is used to connect
      to each port of the target device; if the connection fails, the
      port is closed.  This mode is slower, and because a complete TCP
      session leaves connection information on the target device, it is
      not hidden.  TCP connect scanning is therefore considered only
      when TCP SYN scanning cannot be used.

   o  UDP scanning: used to determine the state of UDP ports.  A probe
      packet is sent to the UDP port of the target device.  If an "ICMP
      port unreachable" message is returned, the port is closed; if no
      reply is received, the port may be open or blocked, so the open
      UDP ports are determined by exclusion.  Although most major
      Internet services run over TCP, there are still many UDP services,
      such as DNS, SNMP, and DHCP (registered ports 53, 161/162, and
      67/68), and network attacks do not ignore these protocols.
   The port scanning range can be selected or specified according to
   service requirements and is commonly divided into the following
   modes:

   o  Standard: the 4K port range (0..4096); usually the default mode.

   o  Fast: all mainstream ports, including 21 (ftp), 22 (ssh), ...

   o  All: the full port range 0 to 65535.

   o  Specified: a customized port range, for example 22 and 1100 to
      1124.

2.2.  Service Discovery

   When an IoT device is installed, some services are usually enabled
   because they are necessary for later use; for example, if the device
   needs to access the Internet, the HTTPS service must be enabled.
   Conversely, because of device performance or service requirements,
   some services must be disabled.  With the MUD extension for scanning
   the services running on the device, the administrator knows which of
   the device's services are mandatory and which are hazardous, and can
   go on to discover potential vulnerabilities.

2.3.  Weak-password Cracking

   A weak password is a password that contains only digits and letters,
   for example 123456, abcdef, 123abc, admin, and root, which can easily
   be guessed or cracked.  If an IoT device uses such a password, it is
   like leaving the door key under the doormat; this is very dangerous.

   Well-known protocols and databases, such as Telnet, FTP, SSH, POP3,
   SNMP, Oracle, MySQL, DB2, and MongoDB, have large default-password
   dictionaries, and a customized dictionary can also be uploaded.  By
   actively scanning with these dictionaries, the administrator can
   identify the vulnerabilities and risks of IoT devices in advance.

   The password dictionary is the dictionary library used for weak-
   password scanning.
   There are three types of dictionary: single user-name mode, single
   password mode, and combined user-name-and-password mode, which can be
   applied according to the customer's requirements:

   o  Single user-name mode: only user names are scanned, based on the
      user dictionary.  For example, telnet_user_dictionary.txt contains
      "root; admin; test; guest;".

   o  Single password mode: only passwords are scanned, based on the
      password dictionary.  For example, telnet_password_dictionary.txt
      contains "111111; 112233; 123123; 123321; 123456; abcdef; admin;
      password;".

   o  Combination mode: user name and password are scanned together,
      based on the combination dictionary.  For example,
      telnet_combination_dictionary.txt contains "root:test; root:admin;
      root:private; root:1234; root:root;".

2.4.  Frequency and Result of active scanning

   The execution mode of the active scanning can be set to one of the
   following:

   o  Immediate: the active scan is executed immediately.

   o  Scheduled: the active scan is executed once at the scheduled time.

   o  Daily: the active scan is executed periodically every day at the
      scheduled time.

   o  Weekly: the active scan is executed periodically every week at the
      scheduled time.

   o  Monthly: the active scan is executed periodically every month at
      the scheduled time.

   In addition, the scanning results can be saved to a log, and a
   completion notification can be sent to the administrators by e-mail
   or SMS message so that they learn of the scan's completion in time.

3.  The ietf-mud-active-scanning model extension

   This document augments the "ietf-mud" MUD YANG module defined in
   [RFC8520] to signal the IoT device's active scanning profile.
   This document defines the YANG module "ietf-mud-active-scanning",
   which has the following tree structure:

   module: ietf-mud-active-scanning
     augment /ietf-mud:mud:
       +--rw active-scanning
          +--rw log-save-uri?                  inet:uri
          +--rw scanning-frequency?            scanning-frequency
          +--rw start-time?                    yang:date-and-time
          +--rw receiver-email-notification?   string
          +--rw receiver-sms-notification?     string
          +--rw port-scanning* [scanning-type]
          |  +--rw scanning-type     port-scanning-type
          |  +--rw scanning-mode?    port-scanning-mode
          |  +--rw scanning-range?   string
          +--rw mandatory_service-scanning*    string
          +--rw hazardous_service-scanning*    string
          +--rw weak-login-scanning* [service-name]
             +--rw service-name               string
             +--rw dictionary-type?           dictionary-type
             +--rw user-dictionary?           string
             +--rw password-dictionary?       string
             +--rw combination-dictionary?    string

3.1.  The mud-active-scanning YANG model

   module ietf-mud-active-scanning {
     yang-version 1.1;
     namespace
       "urn:ietf:params:xml:ns:yang:ietf-mud-active-scanning";
     prefix ietf-mud-active-scanning;

     import ietf-mud {
       prefix mud;
       reference
         "RFC 8520";
     }

     import ietf-inet-types {
       prefix inet;
       reference
         "RFC 6991";
     }

     import ietf-yang-types {
       prefix yang;
       reference
         "RFC 6991";
     }

     organization
       "IETF OPSAWG (Ops Area) Working Group";
     contact
       "WG Web:   http://tools.ietf.org/wg/opsawg/
        WG List:  opsawg@ietf.org
        Author:   Jie Yang
                  jay.yang@huawei.com
       ";

     description
       "This module contains the YANG definition for the IoT device
        active scanning profile.

        Copyright (c) 2019 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.
        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     revision 2020-03-12 {
       description
         "Initial proposed standard.";
     }

     typedef scanning-frequency {
       type enumeration {
         enum immediate {
           description
             "Scanning is executed immediately.";
         }
         enum scheduled {
           description
             "Scanning is executed once at the scheduled start time.";
         }
         enum daily {
           description
             "Scanning at the scheduled time every day.";
         }
         enum weekly {
           description
             "Scanning at the scheduled time every week.";
         }
         enum monthly {
           description
             "Scanning at the scheduled time every month.";
         }
       }
       default "monthly";
       description
         "The execution mode of the active scanning, expressed as the
          scanning frequency.";
     }

     typedef port-scanning-type {
       type enumeration {
         enum tcp-syn {
           description
             "TCP SYN (half-open) scanning.";
         }
         enum tcp-connect {
           description
             "TCP connect scanning with a complete TCP handshake.";
         }
         enum udp {
           description
             "UDP scanning.";
         }
       }
       default "tcp-syn";
       description
         "Port scanning type; tcp-syn is the most widely applicable.";
     }

     typedef port-scanning-mode {
       type enumeration {
         enum standard {
           description
             "Standard mode, scanning the ports in the range 0..4096.";
         }
         enum fast {
           description
             "Fast mode, scanning the mainstream ports
              20|21|23|25|37|53|67|68|69|80|110|115|123|143|161|443|873.";
         }
         enum all {
           description
             "All mode, scanning all ports in the range 0..65535.";
         }
         enum specified {
           description
             "Specified mode, scanning a customized set of ports given in
              scanning-range, for example 22|50..66|110.";
         }
       }
       default "standard";
       description
         "Port scanning mode, i.e. the port range to scan.";
     }

     typedef dictionary-type {
       type enumeration {
         enum only-user-name {
           description
             "Scan user names only, from the user dictionary.";
         }
         enum only-password {
           description
             "Scan passwords only, from the password dictionary.";
         }
         enum user-name-and-password {
           description
             "Scan user-name and password pairs from the combination
              dictionary.";
         }
       }
       default "user-name-and-password";
       description
         "Type of weak-login dictionary.";
     }

     augment "/mud:mud" {
       description
         "Adds the active scanning profile to the MUD container.";
       container active-scanning {
         description
           "Active scanning profile supported by the device.";
         leaf log-save-uri {
           type inet:uri;
           description
             "URI where the active scanning results (logs) are saved.";
         }
         leaf scanning-frequency {
           type scanning-frequency;
           description
             "Active scanning frequency.";
         }
         leaf start-time {
           type yang:date-and-time;
           description
             "The exact scanning time.  For example, with a monthly
              scanning-frequency: xxxx-03-12T02:00:00.00+08:00";
         }
         leaf receiver-email-notification {
           type string;
           description
             "E-mail address that receives the completion notification
              of the active scanning.";
         }
         leaf receiver-sms-notification {
           type string;
           description
             "SMS (phone) number that receives the completion
              notification of the active scanning.";
         }
         list port-scanning {
           key "scanning-type";
           description
             "Active port scanning.";
           leaf scanning-type {
             type port-scanning-type;
             description
               "Port scanning type.";
           }
           leaf scanning-mode {
             type port-scanning-mode;
             description
               "Port scanning mode.";
           }
           leaf scanning-range {
             type string;
             description
               "Port scanning range, written as '|'-separated ports
                and lo..hi ranges.
                For example, scanning-mode standard covers 0..4096,
                and a specified mode may use 22|50..66|110.";
           }
         }
         leaf-list mandatory_service-scanning {
           type string;
           description
             "Names of services that must be installed on the device;
              the scanner checks that they are present.";
         }
         leaf-list hazardous_service-scanning {
           type string;
           description
             "Names of services that must not be installed on the
              device; the scanner checks that they are absent.";
         }
         list weak-login-scanning {
           key "service-name";
           description
             "Active scanning for weak logins by user name and/or
              password.";
           leaf service-name {
             type string;
             description
               "The name of the service on the device.";
           }
           leaf dictionary-type {
             type dictionary-type;
             description
               "The dictionary type used for weak-login scanning.";
           }
           leaf user-dictionary {
             when "../dictionary-type = 'only-user-name'";
             type string;
             description
               "Contents of the user-name dictionary.
                For example: root; admin; test; guest;";
           }
           leaf password-dictionary {
             when "../dictionary-type = 'only-password'";
             type string;
             description
               "Contents of the password dictionary.
                For example: 111111; 112233; admin; password;";
           }
           leaf combination-dictionary {
             when "../dictionary-type = 'user-name-and-password'";
             type string;
             description
               "Contents of the user-name-and-password dictionary.
                For example: root:test; root:admin; root:1234;";
           }
         }
       }
     }
   }

4.  MUD File Example

   The example below contains an active scanning profile for an IoT
   device.  JSON encoding of YANG-modelled data [RFC7951] is used to
   illustrate the example.
   {
     "ietf-mud:mud": {
       "mud-version": 1,
       "mud-url": "https://example.com/IoTDevice",
       "last-update": "2020-03-12T02:00:00.00+08:00",
       "cache-validity": 100,
       "is-supported": true,
       "systeminfo": "IoT device name",
       "extensions": ["active-scanning"],
       "ietf-mud-active-scanning:active-scanning": {
         "log-save-uri": "d:/mud-scanning-log/",
         "scanning-frequency": "immediate",
         "receiver-email-notification": "admin@device.com, 123@device.com",
         "receiver-sms-notification": "008613812345679, 0086133123456",
         "port-scanning": [
           {
             "scanning-type": "tcp-syn",
             "scanning-mode": "standard"
           }
         ],
         "weak-login-scanning": [
           {
             "service-name": "telnet",
             "dictionary-type": "user-name-and-password",
             "combination-dictionary": "root:test; root:1234; root:root;"
           }
         ]
       }
     }
   }

5.  Security Considerations

   The security considerations of [RFC8520] apply to this document as
   well.

6.  IANA Considerations

   IANA is requested to add "active-scanning" to the MUD Extensions
   registry as follows:

      Extension Name: active-scanning
      Standard reference: This document

7.  Acknowledgements

   Thanks to ...

8.  Informative References

   [RFC7951]  Lhotka, L., "JSON Encoding of Data Modeled with YANG",
              RFC 7951, DOI 10.17487/RFC7951, August 2016.

   [RFC8520]  Lear, E., Droms, R., and D. Romascanu, "Manufacturer Usage
              Description Specification", RFC 8520,
              DOI 10.17487/RFC8520, March 2019.

Authors' Addresses

   Jie Yang
   Huawei
   101 Software Avenue, Yuhuatai District
   Nanjing, Jiangsu  210012
   China

   Email: jay.yang@huawei.com

   Liang Xia (Frank)
   Huawei
   101 Software Avenue, Yuhuatai District
   Nanjing, Jiangsu  210012
   China

   Email: frank.xialiang@huawei.com
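The following is an added example, not part of this draft and not code from the authors or their employer. It loads a MUD file shaped like the one in Section 4 and checks the consistency rules that the prose and the YANG module state before any scan is launched: it expands the port-scanning modes of Section 2.1 into concrete port sets, applies the dictionary-type rules of Section 3.1 (the "when" clauses) to each weak-login entry, and compares the mandatory and hazardous service lists against a service inventory the caller supplies. The sample MUD document, the "specified" port entry, the service lists and the inventory are constructed for the example; the scanning engine itself is out of scope and is not implemented.

```python
"""Consistency checks for an ietf-mud-active-scanning profile (added
example; port modes, dictionary rules and service lists follow Sections
2.1, 2.3 and 3.1 of the draft)."""
from __future__ import annotations
import json
import re

# Port list of the "fast" mode, as given in the port-scanning-mode typedef.
FAST_PORTS = "20|21|23|25|37|53|67|68|69|80|110|115|123|143|161|443|873"

# The dictionary leaf that the 'when' clauses allow for each dictionary-type.
DICT_LEAF = {
    "only-user-name": "user-dictionary",
    "only-password": "password-dictionary",
    "user-name-and-password": "combination-dictionary",
}


def expand_port_range(spec: str) -> set[int]:
    """Expand the draft's '|'-separated notation, e.g. '22|50..66|110'."""
    ports: set[int] = set()
    for item in spec.split("|"):
        m = re.fullmatch(r"\s*(\d+)(?:\.\.(\d+))?\s*", item)
        if m is None:
            raise ValueError(f"bad port item {item!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"port item {item!r} outside 0..65535")
        ports.update(range(lo, hi + 1))
    return ports


def ports_for(entry: dict) -> set[int]:
    """Port set covered by one port-scanning entry (mode defaults to standard)."""
    mode = entry.get("scanning-mode", "standard")
    fixed = {"standard": "0..4096", "fast": FAST_PORTS, "all": "0..65535"}
    if mode in fixed:
        return expand_port_range(fixed[mode])
    if mode == "specified" and "scanning-range" in entry:
        return expand_port_range(entry["scanning-range"])
    raise ValueError(f"scanning-mode {mode!r} needs a valid scanning-range")


def validate_profile(mud_doc: dict, running_services: set[str]) -> list[str]:
    """Return findings for a MUD document; an empty list means it is consistent.
    running_services is the device's service inventory, supplied by the caller."""
    findings: list[str] = []
    mud = mud_doc["ietf-mud:mud"]
    if "active-scanning" not in mud.get("extensions", []):
        findings.append("extension 'active-scanning' not listed in extensions")
    prof = mud.get("ietf-mud-active-scanning:active-scanning")
    if prof is None:
        findings.append("active-scanning container missing")
        return findings
    # Every frequency except 'immediate' needs a start-time to run at.
    if prof.get("scanning-frequency", "monthly") != "immediate" and "start-time" not in prof:
        findings.append("scheduled scanning-frequency without start-time")
    for entry in prof.get("port-scanning", []):
        try:
            ports_for(entry)
        except ValueError as exc:
            findings.append(f"port-scanning {entry.get('scanning-type')}: {exc}")
    for entry in prof.get("weak-login-scanning", []):
        name = entry.get("service-name", "?")
        dtype = entry.get("dictionary-type", "user-name-and-password")
        wanted = DICT_LEAF.get(dtype)
        if wanted is None:
            findings.append(f"{name}: unknown dictionary-type {dtype!r}")
            continue
        for leaf in DICT_LEAF.values():  # the 'when' clauses: only one leaf fits
            if leaf in entry and leaf != wanted:
                findings.append(f"{name}: {leaf} is not allowed with {dtype}")
        if wanted not in entry:
            findings.append(f"{name}: {wanted} is missing")
        elif dtype == "user-name-and-password":
            pairs = [p.strip() for p in entry[wanted].split(";") if p.strip()]
            bad = [p for p in pairs if ":" not in p]
            if bad:
                findings.append(f"{name}: entries not in user:password form: {bad}")
    for svc in prof.get("mandatory_service-scanning", []):
        if svc not in running_services:
            findings.append(f"mandatory service {svc!r} is not running")
    for svc in prof.get("hazardous_service-scanning", []):
        if svc in running_services:
            findings.append(f"hazardous service {svc!r} is running")
    return findings


# Constructed sample in the shape of the Section 4 example, extended with a
# "specified" port-scanning entry and mandatory/hazardous service lists.
SAMPLE_MUD = json.loads("""{"ietf-mud:mud": {
  "mud-version": 1, "mud-url": "https://example.com/IoTDevice",
  "extensions": ["active-scanning"],
  "ietf-mud-active-scanning:active-scanning": {
    "log-save-uri": "d:/mud-scanning-log/", "scanning-frequency": "immediate",
    "port-scanning": [
      {"scanning-type": "tcp-syn", "scanning-mode": "standard"},
      {"scanning-type": "udp", "scanning-mode": "specified",
       "scanning-range": "22|50..66|110"}],
    "mandatory_service-scanning": ["https"],
    "hazardous_service-scanning": ["telnet"],
    "weak-login-scanning": [{"service-name": "telnet",
      "dictionary-type": "user-name-and-password",
      "combination-dictionary": "root:test; root:1234; root:root;"}]}}}""")
```

Running `validate_profile(SAMPLE_MUD, {"https", "telnet"})` reports the one real problem in that inventory, the hazardous telnet service being present, while a profile that carries a `combination-dictionary` next to `dictionary-type: only-password` is rejected the same way a YANG validator would reject it under the module's `when` clauses.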