OPS Area Working Group                                     M. Richardson
Internet-Draft                                  Sandelman Software Works
Intended status: Informational                                 J. Latour
Expires: 7 September 2020                                      CIRA Labs
                                                   H. Habibi Gharakheili
                                                             UNSW Sydney
                                                            6 March 2020

                     Loading MUD URLs from QR codes


   This informational document details the mechanism used by the CIRA
   Secure Home Gateway (SHG) to load MUD definitions for devices which
   have no integrated MUD (RFC8520) support.

   The document describes extensions to the WiFi Alliance DPP QR code to
   support the use of MUD URLs.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 7 September 2020.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components

Richardson, et al.      Expires 7 September 2020                [Page 1]

Internet-Draft                   SHG-MUD                      March 2020

   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  Protocol  . . . . . . . . . . . . . . . . . . . . . . . . . .   3
   4.  Generic URL or Version Specific URL . . . . . . . . . . . . .   4
   5.  Privacy Considerations  . . . . . . . . . . . . . . . . . . .   5
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .   5
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   6
   8.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   6
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   6
     9.1.  Normative References  . . . . . . . . . . . . . . . . . .   6
     9.2.  Informative References  . . . . . . . . . . . . . . . . .   7
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   8

1.  Introduction

   The Manufacturer Usage Description (MUD) [RFC8520] defines a YANG
   data model to express what sort of access a device requires to
   operate correctly.  The document additionally defines three ways for
   the device to communicate the URL of the resulting JSON [RFC8259]
   format file to a network enforcement point: DHCP, within an X.509
   certificate extension, and via LLDP.

   Each of the above mechanism conveys the MUD URL inband, and requires
   modifications to the device firmware.  Most small IoT devices do not
   have LLDP, and have very restricted DHCP clients.  Adding the LLDP or
   DHCP options requires at least some minimal configuration change, and
   possibly entire new subsystems.  The X.509 certificateion extension
   only makes sense to deploy as part of a larger IDevID based
   [ieee802-1AR] system such as [I-D.ietf-anima-bootstrapping-keyinfra].

   In all cases these mechanisms can only be implemented by persons with
   access to modify and update the firmware of the device.  The MUD
   system was designed to be implemented by Manufacturers afterall!

   In the meantime there is a chicken or egg problem ([chickenegg]): no
   manufacturers include MUD URLs in their products as there are no
   gateways that use them.  No gateways include code that processes MUD
   URLs as no products produce them.

   The mechanism described here allows any person with physical access
   to the device to affix a reference to a MUD URL that can later be
   scanned by an end user.  This can be done by the (marketing

Richardson, et al.      Expires 7 September 2020                [Page 2]

Internet-Draft                   SHG-MUD                      March 2020

   department) of the Manufacturer, by an outsourced assembler plant, by
   value added resellers, by a company importing the product (possibly
   to comply with a local regulation), by a network administrator
   (perhaps before sending devices home with employees), or even by a
   retailer as a value added service.

   The mechanism uses the QRcode, which is informally described in
   [qrcode].  QR code generators are available as web services
   ([qrcodewebservice]), or as programs such as [qrencode].  They are
   formally defined in [isoiec18004].

   This document details how the CIRALabs Secure Home Gateway encode MUD
   URLs as QR codes.

   Section {#genericfirmware} addresses the question of whether and when
   the MUD file should be specific to a specific version of the device

   The third issue is that an intermediary (ISP, or third-party security
   service) may want to extend or amend a MUD file received from a
   manufacturer.  In order to maintain an audit trail of changes, a way
   to encode the previous MUD URL and signature file (and status) is
   provided.  (FOR DISCUSSION)

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  Protocol

   The [dpp] specification from the Wi-Fi Alliance has created a base
   for a QRcode based enrollment system.  This specification extends it
   to include a MUD URL.

   The QR code is as specified in section 5.2.1 of [dpp] is repeated

       dpp-qr = “DPP:” [channel-list “;”] [mac “;”]
                       [information “;”] public-key “;;”

   This is amended as follows:

Richardson, et al.      Expires 7 September 2020                [Page 3]

Internet-Draft                   SHG-MUD                      March 2020

       dpp-qr = “DPP:” [channel-list “;”] [channel-list “;”]
                [mac “;”] [information “;”] public-key
                [";" mudurl ] “;;”
       mudurl      = "D:" *(%x20-3A / %x3C-7E) ; semicolon not allowed

   While the ABNF defined in the [dpp] document assumes a specific order
   (C:, M:, I:, K:), this specification relaxes this so that the tags
   can come in any order.  However, in order to make interoperation with
   future DPP-only clients as seamless as possible, the MUD extension
   suggested here are placed after those defined in [dpp].

   This document establishes an IANA registry for DPP attributes.

   The syntax of the QR code definition given above does not permit a
   semicolon to be included.  Semicolons (";") would otherwise be
   permitted in MUD URLs.  This restriction on the content the URL is
   not considered a concern as it is uncommon to use them in a URL.

   The URL provided MUST NOT have a query (?) portion present.

   An IANA registry is created for the attributes below.

4.  Generic URL or Version Specific URL

   MUD URLs which are communicated inband by the device, and which are
   programmed into the device's firmware may provide a firmware specific
   version of the MUD URL.  This has the advantage that the resulting
   ACLs implemented are specific to the needs of that version of the

   If the device evolves, requiring new entries then a failure to use
   the correct version may result in the device cause false positives in
   the enforcement point audit trail.  This can be a serious problem, as
   repeated false positives train users/owners to ignore reports.

   If an older firmware device is described by a newer MUD file, then
   the possibility is that the device may have permissions that it can
   never use.  Unless those permissions result in the device being open
   to an attacker, this is not a problem.  If the new MUD file has
   removed or changed permissions (such as because the name of an
   external resource has changed), then the older device will not be
   able to access the resource under the old name.

   The QR code is updated when the device firmware is updated.  The URL
   given in the QR code SHOULD be a reference to the latest version of
   the MUD file, with no firmware version information.  A symbolic name
   like "/model/latest.json" which is updated by the manufacturer when
   revisions to the MUD file are made is most appropriate.  The

Richardson, et al.      Expires 7 September 2020                [Page 4]

Internet-Draft                   SHG-MUD                      March 2020

   manufacturer should be careful to never remove important access
   rights that older device may need, as the QRcode provided MUD URL is
   what a freshly unpacked device will use.  Such a device will point to
   the latest MUD URL, but having been a in box for some time, will have
   an ancient version of the firmware.

5.  Privacy Considerations

   The presence of the MUD URL in the QR code reveals the manufacturer
   of the device, the type or model of the device, and possibly the
   firmware version of the device.

   If the QR code is printed on a sticker and is affixed to the device
   itself, then the QR code does not reveal anything that a human could
   not have determined by simply examining the device.  (Save perhaps
   the firmware version).  The QR code however, may be visible my
   machine vision systems in the same area.  This includes security
   systems, robotic vacuum cleaners, anyone taking a picture with a
   camera.  Such systems may store the picture(s) in such a way that a
   future viewer of the image will be able to decode the QR code,
   possibly through assembly of multiple pictures.  The QR code is not,
   however, a certain indicator that the device is present, only that
   the QR code sticker that came with the device is present.

6.  Security Considerations

   The security of the Device Provisioning Protocol is enhanced when the
   public key for a device is not available without physical access to
   the device.  Placement of a QR code for use by a MUD controller has
   no such dependancy, and so such QR codes may be affixed in prominant
   places on the outside of packaging.  This is not a recommended
   practice as future versions of the sticker may include full DPP

   The QRcode described in this document is identical for all instances
   of the device, and the stickers may be mass produced.  The situation
   is not the same when a full DPP content is present: each sticker is
   unique.  A manufacturing plant designed to affix MUD URLs may get
   confused and not be ready for the full DPP.

   It is recommended that the manufacturing process be designed with the
   full DPP process -- unique QR codes per device -- initially so that
   no changes are necessary when/if DPP is introduced.

Richardson, et al.      Expires 7 September 2020                [Page 5]

Internet-Draft                   SHG-MUD                      March 2020

7.  IANA Considerations

   IANA is requested to create a new Registry entitled: "Device
   Provisioning Protocol Attributes".  New items can be added to using
   Specification Required.  In order to conserve space, registrations
   are expected to be single upper-case ASCII letters, but the Expert
   Reviewer MAY make exceptions.  No entry may contain a colon.  All
   entries beginning with "X" are reserved as Private-Use values.

   The following items are to be added to the initial table:

                | Letter |     Name     |        Document |
                | C      | channel-list |           [dpp] |
                | M      | MAC address  |           [dpp] |
                | I      | information  |           [dpp] |
                | K      |  public key  |           [dpp] |
                | D      |   MUD URL    | [This document] |

                                  Table 1

   (EDITORIAL NOTE: the authors of the DPP specification have consented
   to seeding control to IANA)

8.  Acknowledgements

   This work was supported by the Canadian Internet Registration
   Authority (cira.ca).

9.  References

9.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,

   [RFC8520]  Lear, E., Droms, R., and D. Romascanu, "Manufacturer Usage
              Description Specification", RFC 8520,
              DOI 10.17487/RFC8520, March 2019,

Richardson, et al.      Expires 7 September 2020                [Page 6]

Internet-Draft                   SHG-MUD                      March 2020

   [qrcode]   Wikipedia, ., "QR Code", December 2019,

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

9.2.  Informative References

   [RFC8259]  Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
              Interchange Format", STD 90, RFC 8259,
              DOI 10.17487/RFC8259, December 2017,

              Pritikin, M., Richardson, M., Eckert, T., Behringer, M.,
              and K. Watsen, "Bootstrapping Remote Secure Key
              Infrastructures (BRSKI)", Work in Progress, Internet-
              Draft, draft-ietf-anima-bootstrapping-keyinfra-37, 26
              February 2020, <http://www.ietf.org/internet-drafts/draft-

              IEEE Standard, ., "IEEE 802.1AR Secure Device Identifier",
              2009, <http://standards.ieee.org/findstds/

              Wikipedia, ., "Chicken or the egg", December 2019,

              Internet, ., "QR Code Generators", December 2019,

   [dpp]      "Device Provisioning Protocol Specification", April 2018,

   [qrencode] Fukuchi, K., "QR encode", December 2019,

              ISO/IEC, ., "Information technology - Automatic
              identification and data capture techniques - QR Code bar
              code symbology specification (ISO/IEC 18004)", February

Richardson, et al.      Expires 7 September 2020                [Page 7]

Internet-Draft                   SHG-MUD                      March 2020

Authors' Addresses

   Michael Richardson
   Sandelman Software Works

   Email: mcr+ietf@sandelman.ca

   Jacques Latour
   CIRA Labs

   Email: Jacques.Latour@cira.ca

   Hassan Habibi Gharakheili
   UNSW Sydney

   Email: h.habibi@unsw.edu.au

Richardson, et al.      Expires 7 September 2020                [Page 8]