IETF Logo Mail Archive

Re: [Gen-art] [OPSAWG] Genart early review of draft-ietf-opsawg-mud-08

"M. Ranganathan" <mranga@gmail.com> Thu, 31 August 2017 14:39 UTC

Return-Path: <mranga@gmail.com>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D6E8132DF0; Thu, 31 Aug 2017 07:39:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TPa7L4sAbQcd; Thu, 31 Aug 2017 07:39:10 -0700 (PDT)
Received: from mail-wm0-x233.google.com (mail-wm0-x233.google.com [IPv6:2a00:1450:400c:c09::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 659C8132E13; Thu, 31 Aug 2017 07:39:07 -0700 (PDT)
Received: by mail-wm0-x233.google.com with SMTP id v2so6285104wmf.0; Thu, 31 Aug 2017 07:39:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=It9yk55Cg9x59By8gfRA1zp0v4KLs7UIz40Zw4xeD1g=; b=AjaTQkH2I5Tl31T+03GbPYVrcDsOsdy66ASICKClysQ6dZjeGOyg52KTQPygRDAb/d idQDXIkQ6/PgvhxJqdIrtzmeKZPe70LuJUl1DfRG4nI+cHXgCc17zux5Q6+V596f4Wg2 yDEgeO0Kj/mmz4gyeLrmMBXbD4adt/JqDWKmJXc55fYb/mR83WvYSMb+vSUqkjXOE1fK 4l2CV1xJVrRofeBmO5EiyjrPEysi4bovAhUmawbUcWXZHTH6BIY3ifNUUYffHp6FezsF Jdtgw0WiYSK1HRIv3NozPP1bo6cPJOs7Z4BztARWYdDtX9sNxCj/SUv4nycz773Xnthx CIDw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=It9yk55Cg9x59By8gfRA1zp0v4KLs7UIz40Zw4xeD1g=; b=uEAuMRFGzDw2+AOIqZXHrg+xsEUCMme5FCqbixvxy93qqp2cSRMbRPvLAaLnmmBU2Y Cl9NHVk9CN7jLkf6hE01Lbv9l2noisLu0h7A96ogTNaP+e8dEONVSkWWQ1r+1/kbIwCl kPRfgbzvrSQsVeK25W+ILXU7xY1eN+8HDIseEktS1bnVspBsBzeM1EoESk1BFRORqWJC hhBtBrzx9a8FQ/cYjkfb4+88HomWFQRBfp4HOVVFZC9IR5quBZ9NrJb+asbypyy6Ozni S+OThYhYdyM3uq9Vedkz4Rjzt0QkZ/EN6CoVF/xHTxlM2srzDzlR88fGx54cPtVnzWpS A6iQ==
X-Gm-Message-State: AHPjjUiq8g6ODlje22/oYUa/kisOoCZYNoOMpDgLWGw8rIrr//8IxDKY NhhvQ2YL1zTwfsGAMfgyHQOYqWgO3Q==
X-Google-Smtp-Source: ADKCNb7zbhHE2Ulc3DVXkk4nmfGIHnXxu1R0sxAlirDfGtqhkFcBWXQRa1J1R7HQUuiOC5npM/nOIGU/onWoMFrRNnc=
X-Received: by 10.28.95.134 with SMTP id t128mr624749wmb.67.1504190345428; Thu, 31 Aug 2017 07:39:05 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.223.184.71 with HTTP; Thu, 31 Aug 2017 07:38:24 -0700 (PDT)
In-Reply-To: <8a26b512-495b-4315-a885-32acd41c5460@cisco.com>
References: <150411366399.21627.17047458871931107094@ietfa.amsl.com> <CAHiu4JMCtxFY9qu6q4h30Y=GExx69yLg7xRbSirgURy=7+4_Lw@mail.gmail.com> <8a26b512-495b-4315-a885-32acd41c5460@cisco.com>
From: "M. Ranganathan" <mranga@gmail.com>
Date: Thu, 31 Aug 2017 10:38:24 -0400
Message-ID: <CAHiu4JNQL60xjp2rBQ3t4ZAn63gNoN5LgTcGUG8k474DJvDgDQ@mail.gmail.com>
To: Eliot Lear <lear@cisco.com>
Cc: Robert Sparks <rjsparks@nostrum.com>, gen-art@ietf.org, draft-ietf-opsawg-mud.all@ietf.org, opsawg@ietf.org, ietf@ietf.org
Content-Type: multipart/alternative; boundary="001a1148e96e36c57605580d9b61"
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/FTDnMxYDOz5CzEYSadoWe0J6jKA>
Subject: Re: [Gen-art] [OPSAWG] Genart early review of draft-ietf-opsawg-mud-08
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Aug 2017 14:39:12 -0000

Hi Eliot,

Reply in line below:

On Thu, Aug 31, 2017 at 4:41 AM, Eliot Lear <lear@cisco.com> wrote:

> Hi Ranga,
>
> Robert wrote a great review, and I'll respond to him in due course with
> suggested changes.  I wanted to take just a moment to comment to you on
> your point:
>
> On 8/31/17 12:00 AM, M. Ranganathan wrote:
>
>
>
> On Wed, Aug 30, 2017 at 1:21 PM, Robert Sparks <rjsparks@nostrum.com>
> wrote:
>
>>
>>
>> Right now, you leave the DHCP server (when it's used) responsible for
>> clearing state in the MUD controller. Please discuss what happens when
>> those are distinct elements (as you have in the end of section 9.2) and
>> the DHCP server reboots. Perhaps it would make sense for the DHCP server
>> to hand the length of the lease it has granted to the MUD controller and
>> let the MUD controller clean up on its own?
>>
>
> I would like to add a few words to the comprehensive review presented by
> Robert Sparks (I hope it is proper etiquette on this list to do so).
>
> With respect to the observation above:
>
> There is also a cache timeout in the MUD profile. Does it make sense  that
> the MUD controller should take the minimum of the DHCP lease time and the
> cache timeout and use that to time out the installed ACLs (?) The DHCP
> server should also  pass to the MUD controller, some way of identifying the
> device to which the lease has been granted (for example the MAC address of
> the device).
>
> The draft also not specify how the DHCP server will communicate with the
> MUD controller (presumably via a simple REST interface but what is the URL
> to be used and how are the parameters passed?). I think this should be
> specified for interoperability between DHCP clients and MUD servers. Maybe
> words describing this interaction can be added here.
>
>
> That's right.  At the moment, this is an "internalized" function.  That is
> to say that the DHCP server is said to be tightly coupled to the MUD
> controller without standardized interfaces.  In my first implementation, I
> literally just tailed dhcpd syslog entries and triggered MUD based on
> DHCPREQUEST messages.  Clean-up state had to do with RELEASE or periodic
> SNMP queries.  Our implementation at Cisco does something different.
>
> However... if the OPSAWG would like, and there is interest, we can
> formalize that interface.  I don't want to do it in THIS draft (it's
> already fairly involved), but there's nothing to say we couldn't do some
> follow-on work.
>
> Fair enough?
>
> Eliot
>

No problem with waiting to see if there's interest from OPSAWG and others
before considering this.

By way of explanation on why I think this makes sense to standardize in MUD:

I had envisioned an architecture where the MUD controller runs in the
Service Provider cloud. The DHCP server would run in the CPE router (e.g.
as part of the firmware on a home router + NAT ).

If the statement above makes sense, since the home router is typically not
made by the same party as the service provider software, I was thinking
there should be a standardized interface between the DHCP server and MUD
controller.

Thanks.

Ranga




-- 
M. Ranganathan

v2.23.0 | Report a Bug | By Email