OPSAWG                                                           J. Yang
Internet-Draft                                                    L. Xia
Intended status: Standards Track                                  Huawei
Expires: September 7, 2020                                March 06, 2020


                Active-Scanning profiles for IoT devices
            draft-yang-opsawg-iot-devices-active-scanning-00

Abstract

   This draft extends the MUD model of [RFC8520] to describe active
   scanning of an end-host device during on-boarding.  The profile
   covers TCP/UDP port scanning, weak-password detection, and detection
   of mandatory and hazardous services, so that an administrator can
   discover security weaknesses of the device before it is put into
   service.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 7, 2020.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.



Yang & Xia              Expires September 7, 2020               [Page 1]


Internet-Draft       Active scanning for IoT devices          March 2020


Table of Contents

   1.  Introduction
   2.  Overview of Active Scanning IoT devices
     2.1.  Port-Scanning
     2.2.  Service Discovery
     2.3.  Weak-password Cracking
     2.4.  Frequency and Result of active scanning
   3.  The ietf-mud-active-scanning model extension
     3.1.  The mud-active-scanning YANG model
   4.  MUD File Example
   5.  Security Considerations
   6.  IANA Considerations
   7.  Acknowledgements
   8.  Informative References
   Authors' Addresses

1.  Introduction

   IoT devices are built from a large number of open-source software and
   application components, and their software is revised frequently, so
   security vulnerabilities are likely to be present at any given time.
   When an IoT device is on-boarded, active scanning lets the network
   administrator quickly learn the device's security settings and the
   services it exposes, detect vulnerabilities promptly, assess the
   network risk level objectively, and correct vulnerabilities and
   misconfigurations before they are exploited.  If firewalls and
   network monitoring systems are regarded as passive means of defense,
   security scanning is an active, preventive measure that complements
   them.

   This document extends MUD [RFC8520] to model the functions and
   parameters of active scanning, including TCP/UDP port scanning, weak-
   password detection, and mandatory and hazardous service detection.
   Using this scanning profile, a MUD-enabled active scanner can collect
   the information needed to discover security weaknesses of the device.

2.  Overview of Active Scanning IoT devices

2.1.  Port-Scanning

   Every open port is a potential communication channel and therefore a
   potential intrusion channel.  Port scanning an IoT device reveals
   which ports accept traffic, which is the starting point for
   discovering exposed services and their vulnerabilities.  The
   following scanning types are widely used:

   o  TCP SYN scanning: also called half-open scanning.  A SYN segment
      is sent to the destination port.  If a SYN/ACK is received, the
      port is open; if an RST is received, the port is closed; if no
      reply is received, the port is reported as filtered.  Because the
      scanner never completes the three-way handshake (it answers the
      SYN/ACK with an RST), no connection is established on the target
      and the probe is less likely to be logged by the service, so this
      mode is comparatively covert and efficient.  On a fast network
      without an intervening firewall, thousands of ports can be
      scanned per second.  This mode requires raw-socket (privileged)
      access on the scanning host.

   o  TCP connect scanning: uses the operating system's socket API to
      complete a full connection to the target port.  A successful
      connect() means the port is open; a refused connection (RST)
      means it is closed; a timeout means it is filtered.  This mode is
      slower, and because the complete TCP session is visible to the
      service on the target device, it is not covert.  TCP connect
      scanning is therefore used only when TCP SYN scanning is not
      available, for example when the scanner lacks raw-socket
      privileges.

   o  UDP scanning: determines the state of UDP ports.  A probe
      datagram is sent to the target port.  If an "ICMP port
      unreachable" message is returned, the port is closed; if an
      application-layer reply is returned, the port is open; if nothing
      is received, the port may be open or filtered, so open UDP ports
      are identified by elimination.  Although most Internet services
      run over TCP, many important services use UDP, such as DNS (port
      53), SNMP (port 161, and 162 for traps), and DHCP (ports 67 and
      68), and attackers do not ignore these protocols.

   The port scanning range can be selected or specified according to
   service requirements, and is commonly divided into the following
   modes:

   o  Standard: ports 0 to 4096; usually the default mode.

   o  Fast: a short list of commonly used ports, for example 21 (FTP),
      22 (SSH), 23 (Telnet), 53 (DNS), 80 (HTTP), 161 (SNMP) and 443
      (HTTPS); the full list is given in the port-scanning-mode typedef
      in Section 3.1.

   o  All: the full port range, 0 to 65535.

   o  Specified: a customized port set, for example port 22 and ports
      1100 to 1124.
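
   The port-range modes and the TCP connect and UDP probe behaviour
   described above, as an added example in Python (not code from the
   draft).  It assumes a Linux host and probes only the loopback
   interface, so it runs offline: demo() constructs three local sockets
   to play the roles of an open, a closed and an open-or-filtered port.
   The fast-mode port list is the one from the port-scanning-mode
   typedef in Section 3.1.  TCP SYN scanning is omitted because it
   needs raw sockets; nmap's -sS is the usual tool for that.

```python
"""Port scanning as described in Section 2.1 of the draft (added example,
not code from the draft).  Implements the port-range modes of the
port-scanning-mode typedef, a TCP connect scan and a UDP probe."""
import socket
from typing import Dict, Iterable, Set

# "fast" port list taken from the port-scanning-mode typedef (Section 3.1).
FAST_PORTS = {20, 21, 22, 23, 25, 37, 53, 67, 68, 69, 80, 110, 115, 123,
              143, 161, 443, 873}


def parse_port_spec(spec: str) -> Set[int]:
    """Parse the draft's 'specified' syntax, e.g. "22|50..66|110".

    Raises ValueError for malformed items or ports outside 0..65535.
    """
    ports: Set[int] = set()
    for item in filter(None, (p.strip() for p in spec.split("|"))):
        lo, _, hi = item.partition("..")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not (0 <= lo_i <= hi_i <= 65535):
            raise ValueError(f"bad port item {item!r}")
        ports.update(range(lo_i, hi_i + 1))
    return ports


def ports_for_mode(mode: str, scanning_range: str = "") -> Set[int]:
    """Expand a scanning-mode enum value into the concrete port set."""
    if mode == "standard":
        return set(range(0, 4097))          # 0..4096 per the typedef
    if mode == "fast":
        return set(FAST_PORTS)
    if mode == "all":
        return set(range(0, 65536))
    if mode == "specified":
        return parse_port_spec(scanning_range)
    raise ValueError(f"unknown scanning-mode {mode!r}")


def tcp_connect_scan(host: str, ports: Iterable[int],
                     timeout: float = 0.5) -> Dict[int, str]:
    """TCP connect scan: one full three-way handshake per port.

    open     - connect() succeeded (SYN/ACK came back)
    closed   - RST came back (ECONNREFUSED)
    filtered - nothing came back within the timeout
    """
    results: Dict[int, str] = {}
    for port in sorted(ports):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = "open"
            except ConnectionRefusedError:
                results[port] = "closed"
            except socket.timeout:
                results[port] = "filtered"
    return results


def udp_probe(host: str, port: int, timeout: float = 0.5,
              payload: bytes = b"\x00") -> str:
    """UDP probe: 'closed' on ICMP port unreachable, 'open' on a reply,
    'open|filtered' on silence.  A connected UDP socket is used so the
    kernel reports the ICMP error as ECONNREFUSED on recv() (Linux)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        s.send(payload)
        try:
            s.recv(1024)
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"


def demo() -> Dict[str, str]:
    """Offline demonstration against 127.0.0.1 with constructed sockets:
    a listening TCP socket (expected open), a bound but not listening TCP
    socket (expected closed) and a bound UDP socket that never answers
    (expected open|filtered)."""
    host = "127.0.0.1"
    listening = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listening.bind((host, 0))
    listening.listen(5)
    silent_tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    silent_tcp.bind((host, 0))              # port reserved, nobody listens
    silent_udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    silent_udp.bind((host, 0))              # receives datagrams, no reply
    try:
        open_port = listening.getsockname()[1]
        closed_port = silent_tcp.getsockname()[1]
        tcp = tcp_connect_scan(host, {open_port, closed_port})
        return {"listening-tcp": tcp[open_port],
                "bound-tcp": tcp[closed_port],
                "bound-udp": udp_probe(host, silent_udp.getsockname()[1])}
    finally:
        for s in (listening, silent_tcp, silent_udp):
            s.close()


if __name__ == "__main__":
    print(demo())
```

   Note that the "filtered" verdict is only as good as the timeout: a
   slow or rate-limited device looks filtered to a scanner that gives
   up too early, which is one reason "all" mode against a constrained
   IoT device can take a long time.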

2.2.  Service Discovery

   When an IoT device is installed, some services are necessarily
   enabled to support its later use.  For example, an IoT device that
   needs to reach the Internet must have HTTPS enabled.  Conversely,
   because of device performance or service requirements, some services
   must be disabled; an unauthenticated Telnet service, for instance,
   should never be reachable on a production device.  With the MUD
   extension listing the services to check for, the administrator
   learns which services are running on the device, which of them are
   mandatory and which are hazardous, and can then investigate the
   potential vulnerabilities of what is found.

2.3.  Weak-password Cracking

   A weak password is one that is short, consists only of digits and
   letters, or is a common default value, for example 123456, abcdef,
   123abc, admin, or root, and can therefore be guessed or cracked
   easily.  An IoT device that uses such a password is like a house
   with the key left under the doormat: it is the first thing an
   attacker tries, and this is very dangerous.

   For well-known protocols and databases, such as Telnet, FTP, SSH,
   POP3, SNMP, Oracle, MySQL, DB2, and MongoDB, extensive dictionaries
   of default and common passwords exist, and a customized dictionary
   can also be supplied.  By actively trying the entries of these
   dictionaries against the device, the administrator can identify
   weak logins before an attacker does.

   The password dictionary is the dictionary library used for weak-
   password scanning.  Three types of dictionary are defined: single
   user-name mode, single password mode, and combined user-name-and-
   password mode, which can be chosen according to the customer's
   requirements:

   o  Single user-name mode: only the user name is taken from the
      dictionary.  For example, telnet_user_dictionary.txt contains
      "root; admin; test; guest;"

   o  Single password mode: only the password is taken from the
      dictionary.  For example, telnet_password_dictionary.txt contains
      "111111; 112233; 123123; 123321; 123456; abcdef; admin; password;"

   o  Combination mode: user name and password are taken together from
      a dictionary of pairs.  For example,
      telnet_combination_dictionary.txt contains "root:test; root:admin;
      root:private; root:1234; root:root;"

   Note that trying many passwords against a live device can trigger
   account lockout or rate limiting on the device, and the attempts
   will appear in the device's logs; the scan window and the size of
   the dictionary should be chosen with this in mind.

2.4.  Frequency and Result of active scanning

   The execution mode of the active scanning can be set to one of the
   following:

   o  Immediate: the scan is executed immediately.

   o  Scheduled: the scan is executed once at the scheduled time.

   o  Daily: the scan is executed periodically every day at the
      scheduled time.

   o  Weekly: the scan is executed periodically every week at the
      scheduled time.

   o  Monthly: the scan is executed periodically every month at the
      scheduled time.

   In addition, the scanning results are saved to a log, and a
   completion notification can be sent by email or SMS message so that
   administrators learn promptly that the scan has finished.

3.  The ietf-mud-active-scanning model extension

   This document augments the "ietf-mud" MUD YANG module defined in
   [RFC8520] to signal the IoT device active scanning profile.  It
   defines the YANG module "ietf-mud-active-scanning", which has the
   following tree structure:

   module: ietf-mud-active-scanning
      augment /ietf-mud:mud:
         +--rw active-scanning
            +--rw log-save-uri                  inet:uri
            +--rw scanning-frequency?           scanning-frequency
            +--rw start-time?                   yang:date-and-time
            +--rw receiver-email-notification*  string
            +--rw receiver-sms-notification*    string
            +--rw port-scanning* [scanning-type]
            |  +--rw scanning-type              port-scanning-type
            |  +--rw scanning-mode?             port-scanning-mode
            |  +--rw scanning-range?            string
            +--rw mandatory-service-scanning*   string
            +--rw hazardous-service-scanning*   string
            +--rw weak-login-scanning* [service-name]
               +--rw service-name               string
               +--rw dictionary-type?           dictionary-type
               +--rw user-dictionary?           string
               +--rw password-dictionary?       string
               +--rw combination-dictionary?    string

3.1.  The mud-active-scanning YANG model

  module ietf-mud-active-scanning {
     yang-version 1.1;
     namespace
        "urn:ietf:params:xml:ns:yang:ietf-mud-active-scanning";
     prefix ietf-mud-active-scanning;

     import ietf-mud {
        prefix mud;
        reference
           "RFC 8520";
     }

     import ietf-inet-types {
        prefix inet;
        reference
           "RFC 6991";
     }

     import ietf-yang-types {
        prefix yang;
        reference
           "RFC 6991";
     }

     organization
        "IETF OPSAWG (Ops Area) Working Group";
     contact
        "WG Web: http://tools.ietf.org/wg/opsawg/
         WG List: opsawg@ietf.org
         Author: Jie Yang
         jay.yang@huawei.com
        ";

     description
        "This module contains the YANG definition for the IoT device
        active scanning profile.

        Copyright (c) 2019 IETF Trust and the persons identified as
        authors of the code. All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     revision 2020-03-12 {
        description
           "Initial proposed standard.";
     }

     typedef scanning-frequency {
        type enumeration {
           enum immediate {
              description
                 "Scan immediately.";
           }
           enum scheduled {
              description
                 "Scan once, at the time given by start-time.";
           }
           enum daily {
              description
                 "Scan every day at the time given by start-time.";
           }
           enum weekly {
              description
                 "Scan every week at the time given by start-time.";
           }
           enum monthly {
              description
                 "Scan every month at the time given by start-time.";
           }
        }
        default "monthly";
        description
           "The execution mode of the active scanning, i.e. the
            scanning frequency.";
     }

     typedef port-scanning-type {
        type enumeration {
           enum tcp-syn {
              description
                 "TCP SYN (half-open) scanning.";
           }
           enum tcp-connect {
              description
                 "TCP connect scanning with a full handshake.";
           }
           enum udp {
              description
                 "UDP scanning.";
           }
        }
        default "tcp-syn";
        description
           "Port scanning type.";
     }

     typedef port-scanning-mode {
        type enumeration {
           enum standard {
              description
                 "Standard mode: scan the ports in range 0..4096.";
           }
           enum fast {
              description
                 "Fast mode: scan the commonly used ports
                  20|21|22|23|25|37|53|67|68|69|80|110
                  |115|123|143|161|443|873.";
           }
           enum all {
              description
                 "All mode: scan all ports in range 0..65535.";
           }
           enum specified {
              description
                 "Specified mode: scan the customized port set given
                  in scanning-range, for example 22|50..66|110.";
           }
        }
        default "standard";
        description
           "Port scanning mode.";
     }

     typedef dictionary-type {
        type enumeration {
           enum only-user-name {
              description
                 "Only a user-name dictionary is used.";
           }
           enum only-password {
              description
                 "Only a password dictionary is used.";
           }
           enum user-name-and-password {
              description
                 "A dictionary of user-name:password pairs is used.";
           }
        }
        default "user-name-and-password";
        description
           "Type of weak-login dictionary.";
     }

     augment "/mud:mud" {
        description
           "Adds the active scanning profile to the MUD container.";
        container active-scanning {
           description
              "Active scanning profile for the device.";
           leaf log-save-uri {
              type inet:uri;
              mandatory true;
              description
                 "URI where the active scanning results are saved.";
           }
           leaf scanning-frequency {
              type scanning-frequency;
              description
                 "Active scanning frequency.";
           }
           leaf start-time {
              type yang:date-and-time;
              description
                 "The time at which the scan is started.  For the
                  periodic frequencies (daily, weekly, monthly) this
                  gives the first run and the time of day of the
                  following runs, for example
                  2020-03-12T02:00:00.00+08:00.";
           }
           leaf-list receiver-email-notification {
              type string;
              description
                 "E-mail addresses that receive the completion
                  notification of the active scanning.";
           }
           leaf-list receiver-sms-notification {
              type string;
              description
                 "Phone numbers that receive the completion
                  notification of the active scanning by SMS.";
           }
           list port-scanning {
              key "scanning-type";
              description
                 "Port scanning to perform, one entry per scanning
                  type.";
              leaf scanning-type {
                 type port-scanning-type;
                 description
                    "Port scanning type.";
              }
              leaf scanning-mode {
                 type port-scanning-mode;
                 description
                    "Port scanning mode.";
              }
              leaf scanning-range {
                 when "../scanning-mode = 'specified'";
                 type string;
                 description
                    "Customized port set for the specified mode.
                     Single ports and inclusive ranges are separated
                     by '|', for example 22|50..66|110.";
              }
           }
           leaf-list mandatory-service-scanning {
              type string;
              description
                 "Names of mandatory services, which must be running
                  on the device.";
           }
           leaf-list hazardous-service-scanning {
              type string;
              description
                 "Names of hazardous services, which must not be
                  running on the device.";
           }
           list weak-login-scanning {
              key "service-name";
              description
                 "Weak-login scanning with user-name and/or password
                  dictionaries, one entry per service.";
              leaf service-name {
                 type string;
                 description
                    "The name of the service on the device, for
                     example telnet or ssh.";
              }
              leaf dictionary-type {
                 type dictionary-type;
                 description
                    "The dictionary type used for the weak-login scan.";
              }
              leaf user-dictionary {
                 when "../dictionary-type = 'only-user-name'";
                 type string;
                 description
                    "Entries of the user-name dictionary, separated by
                     ',' or ';'.  For example: root, admin, test, guest";
              }
              leaf password-dictionary {
                 when "../dictionary-type = 'only-password'";
                 type string;
                 description
                    "Entries of the password dictionary, separated by
                     ',' or ';'.  For example: 111111, 112233, admin,
                     password";
              }
              leaf combination-dictionary {
                 when "../dictionary-type = 'user-name-and-password'";
                 type string;
                 description
                    "Entries of the user-name:password dictionary,
                     separated by ',' or ';'.  For example: root:test,
                     root:admin, root:1234";
              }
           }
        }
     }
  }

4.  MUD File Example

   The example below shows the active scanning profile of an IoT
   device, using the JSON encoding of YANG-modelled data [RFC7951].
   Because the active-scanning container is defined in a different
   module from its parent, its member name carries the module name, as
   [RFC7951] requires, and the extension is declared in the MUD file's
   "extensions" list as [RFC8520] requires.

   {
      "ietf-mud:mud": {
         "mud-version": 1,
         "mud-url": "https://example.com/IoTDevice",
         "last-update": "2020-03-12T02:00:00.00+08:00",
         "cache-validity": 100,
         "is-supported": true,
         "systeminfo": "IoT device name",
         "extensions": ["active-scanning"],
         "ietf-mud-active-scanning:active-scanning": {
            "log-save-uri": "file:///var/log/mud-scanning/",
            "scanning-frequency": "immediate",
            "receiver-email-notification": [
               "admin@device.com",
               "123@device.com"
            ],
            "receiver-sms-notification": [
               "008613812345679",
               "0086133123456"
            ],
            "port-scanning": [
               {
                  "scanning-type": "tcp-syn",
                  "scanning-mode": "standard"
               }
            ],
            "weak-login-scanning": [
               {
                  "service-name": "telnet",
                  "dictionary-type": "user-name-and-password",
                  "combination-dictionary": "root:test; root:1234; root:root;"
               }
            ]
         }
      }
   }
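
   How a MUD-enabled scanner would consume such a profile, as an added
   Python example that is not part of the draft.  It checks a MUD file
   against the constraints of the module in Section 3.1 (the mandatory
   log-save-uri, the enumeration values, unique list keys, the "when"
   conditions that allow exactly one dictionary leaf per dictionary-
   type, and scanning-range being present only in specified mode),
   checks the [RFC8520] rule that a used extension is declared in
   "extensions", and expands the weak-login dictionaries of Section
   2.3 into credential candidates.  The embedded MUD file is a
   constructed copy of the example above.  For the single-field
   dictionary types the draft does not say how the other half of the
   credential is chosen, so the example leaves it as None for the
   scanner to fill in.

```python
"""Consumer-side handling of the active-scanning MUD extension (added
example, not code from the draft).  Checks a MUD file against the
constraints of the ietf-mud-active-scanning module (Section 3.1) and
expands the weak-login dictionaries of Section 2.3 into credential
candidates.  EXAMPLE_MUD is a constructed copy of the Section 4 example."""
import json

EXAMPLE_MUD = """{
  "ietf-mud:mud": {
    "mud-version": 1, "mud-url": "https://example.com/IoTDevice",
    "last-update": "2020-03-12T02:00:00.00+08:00", "cache-validity": 100,
    "is-supported": true, "systeminfo": "IoT device name",
    "extensions": ["active-scanning"],
    "ietf-mud-active-scanning:active-scanning": {
      "log-save-uri": "file:///var/log/mud-scanning/",
      "scanning-frequency": "immediate",
      "receiver-email-notification": ["admin@device.com", "123@device.com"],
      "receiver-sms-notification": ["008613812345679", "0086133123456"],
      "port-scanning": [{"scanning-type": "tcp-syn", "scanning-mode": "standard"}],
      "weak-login-scanning": [{"service-name": "telnet",
        "dictionary-type": "user-name-and-password",
        "combination-dictionary": "root:test; root:1234; root:root;"}]
    }
  }
}"""

CONTAINER = "ietf-mud-active-scanning:active-scanning"   # RFC 7951 member name
EXTENSION = "active-scanning"                             # name from Section 6
FREQUENCIES = {"immediate", "scheduled", "daily", "weekly", "monthly"}
SCAN_TYPES = {"tcp-syn", "tcp-connect", "udp"}
SCAN_MODES = {"standard", "fast", "all", "specified"}
# dictionary-type value -> the one dictionary leaf whose "when" holds
DICT_LEAF = {"only-user-name": "user-dictionary",
             "only-password": "password-dictionary",
             "user-name-and-password": "combination-dictionary"}


def validate_profile(doc: dict) -> list:
    """Return the list of constraint violations (empty when valid)."""
    errors = []
    mud = doc.get("ietf-mud:mud", {})
    if EXTENSION not in mud.get("extensions", []):   # required by RFC 8520
        errors.append("active-scanning not declared in extensions")
    scan = mud.get(CONTAINER)
    if scan is None:
        return errors + ["missing " + CONTAINER]
    if ":" not in str(scan.get("log-save-uri", "")):
        errors.append("log-save-uri is mandatory and must be a URI")
    if scan.get("scanning-frequency", "monthly") not in FREQUENCIES:
        errors.append("unknown scanning-frequency")
    seen = set()
    for entry in scan.get("port-scanning", []):
        stype = entry.get("scanning-type")
        mode = entry.get("scanning-mode", "standard")
        if stype not in SCAN_TYPES or stype in seen or mode not in SCAN_MODES:
            errors.append(f"bad port-scanning entry {stype!r}/{mode!r}")
        seen.add(stype)
        # scanning-range exists exactly when scanning-mode = 'specified'
        if (mode == "specified") != ("scanning-range" in entry):
            errors.append("scanning-range must accompany specified mode only")
    seen = set()
    for entry in scan.get("weak-login-scanning", []):
        name = entry.get("service-name")
        if not name or name in seen:
            errors.append(f"missing or duplicate service-name {name!r}")
        seen.add(name)
        dtype = entry.get("dictionary-type", "user-name-and-password")
        wanted = DICT_LEAF.get(dtype)
        if wanted is None:
            errors.append(f"{name}: unknown dictionary-type {dtype!r}")
            continue
        if wanted not in entry:
            errors.append(f"{name}: {wanted} required for {dtype}")
        for leaf in DICT_LEAF.values():
            if leaf != wanted and leaf in entry:
                errors.append(f"{name}: {leaf} not allowed with {dtype}")
    return errors


def split_entries(text: str) -> list:
    """Split a dictionary string on ';' or ',' and drop empty items."""
    return [e.strip() for e in text.replace(",", ";").split(";") if e.strip()]


def credential_candidates(entry: dict) -> list:
    """Expand one weak-login-scanning entry into (user, password) tuples.
    In the single-field modes the other half is None: the draft leaves the
    pairing policy (e.g. the service's default) to the scanner."""
    dtype = entry.get("dictionary-type", "user-name-and-password")
    if dtype == "only-user-name":
        return [(u, None) for u in split_entries(entry["user-dictionary"])]
    if dtype == "only-password":
        return [(None, p) for p in split_entries(entry["password-dictionary"])]
    return [tuple(item.split(":", 1)) if ":" in item else (item, "")
            for item in split_entries(entry["combination-dictionary"])]


def scan_plan(mud_text: str) -> dict:
    """Parse and validate a MUD file; return credentials to try per service."""
    doc = json.loads(mud_text)
    errors = validate_profile(doc)
    if errors:
        raise ValueError("; ".join(errors))
    scan = doc["ietf-mud:mud"][CONTAINER]
    return {e["service-name"]: credential_candidates(e)
            for e in scan.get("weak-login-scanning", [])}
```

   A scanner should run these checks only after the MUD file's
   signature has been verified; a profile that fails validation is
   rejected rather than partially applied, so that a malformed or
   tampered file cannot silently switch off part of the scan.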

5.  Security Considerations

   The security considerations of [RFC8520] apply.  In addition, the
   active-scanning profile directs a scanner to probe and to attempt
   logins against a device, so the following points need attention:

   o  The profile is fetched from the MUD URL and can be read by anyone
      who can fetch it, and the dictionaries it carries reveal exactly
      which credentials will be tried.  A scanner should act on the
      profile only after verifying the MUD file signature defined in
      [RFC8520], since an attacker who can substitute the profile could
      switch off checks or alter the dictionaries.

   o  Weak-password scanning consists of repeated login attempts.  On
      devices with account lockout this can deny service to the
      legitimate administrator, and the attempts appear in the device's
      logs; the scanning time should be chosen accordingly.

   o  Port and service scanning of resource-constrained IoT devices can
      disturb or crash fragile network stacks; the "all" mode and very
      high scan rates should be used with care in production networks.

6.  IANA Considerations

   IANA is requested to add the following entry to the "MUD Extensions"
   registry defined in [RFC8520]:

      Extension Name: active-scanning
      Standard reference: This document

7.  Acknowledgements

   Thanks to ...

8.  Informative References

   [RFC7951]  Lhotka, L., "JSON Encoding of Data Modeled with YANG",
              RFC 7951, DOI 10.17487/RFC7951, August 2016,
              <https://www.rfc-editor.org/info/rfc7951>.

   [RFC8520]  Lear, E., Droms, R., and D. Romascanu, "Manufacturer Usage
              Description Specification", RFC 8520,
              DOI 10.17487/RFC8520, March 2019,
              <https://www.rfc-editor.org/info/rfc8520>.

Authors' Addresses

   Jie Yang
   Huawei
   101 Software Avenue, Yuhuatai District
   Nanjing, Jiangsu  210012
   China

   Email: jay.yang@huawei.com


   Liang Xia (Frank)
   Huawei
   101 Software Avenue, Yuhuatai District,
   Nanjing, Jiangsu  210012
   China

   Email: frank.xialiang@huawei.com
