[Nut-upsdev] TLS support in NUT
Roger Price
roger at rogerprice.org
Fri May 28 10:12:54 BST 2021
On Tue, 25 May 2021, Jim Klimov wrote:
> Just dropping a couple of comments/questions here:
>
> 1) Does IETF also require use of TLS for communications inside one host (over
> localhost)?
You have put your finger on a basic NUT exposure!
First of all: The IETF's view of security is in RFC 3552
https://datatracker.ietf.org/doc/html/rfc3552 in which clause 5 covers "Writing
Security Considerations Sections". In a Standards Track RFC authors MUST
describe
1. which attacks are out of scope (and why!)
2. which attacks are in-scope
2.1 and the protocol is susceptible to
2.2 and the protocol protects against
At least the following forms of attack MUST be considered: eavesdropping,
replay, message insertion, deletion, modification, and man-in-the-middle.
Potential denial of service attacks MUST be identified as well.
In our case, an attack on the lo interface is in-scope, and an attacker could
eavesdrop the plain-text password. If this threat is deemed real in a given
installation then we should say in the NUT documentation that the box running
upsd should be single-user accessible by the sysadmin only.
Our future RFC is not Standards Track and we are not held to the highest
standard. But we should say something. Quoting RFC 3552 clause 5: «While it is
not a requirement that any given protocol or system be immune to all forms of
attack, it is still necessary for authors to consider as many forms as
possible.»
I took the point of view that sniffing localhost traffic was unlikely since NUT
server and client are not generally accessible. One would not use a machine
serving employees/students for UPS management.
> 2) Would a solution for two separate hosts be acceptable, where two TLS-Shims
> are started:
> * one listens on the NUT server's network interface(s) and passes unencrypted
> packets to upsd on localhost (or via pipe) and replies back to the net,
> * another runs on client connecting to the NUT server, and the unmodified NUT
> clients connect to it on localhost (or via pipe) with the plaintext NUT
> protocol?
This is exactly the configuration I designed the shims for, and which I have
tested. I did not consider pipe interfaces to upsd and client since that
required modification of NUT code.
The IETF consider two separate hosts across the Internet to be the base case.
Quoting again from RFC 3552:
The threat environment addressed by the Security Considerations
section MUST at a minimum include deployment across the global
Internet across multiple administrative boundaries without assuming
that firewalls are in place, even if only to provide justification
for why such consideration is out of scope for the protocol. It is
not acceptable to only discuss threats applicable to LANs...
> This would be similar to use of stunnel (or maybe would just use stunnel if
> tested and deemed acceptable) to connect plaintext sides of the dialog using a
> secure channel.
>
> 3) In any case, having some solution for certificates is good, although people
> bothering about that (and a need to update the trust as these expire) might
> opt for a private CA and would trust its longer-lived cert instead
The proposed script generates certificates with unlimited validity “Dec 31
23:59:59 9999 GMT” as defined by RFC 5280 para 4.1.2.5.
Roger
More information about the Nut-upsdev
mailing list