Re: [Iot-onboarding] [Mud] Some new stuff for mudmaker.org

Eliot Lear <lear@cisco.com> Wed, 25 March 2020 07:20 UTC

Return-Path: <lear@cisco.com>
X-Original-To: iot-onboarding@ietfa.amsl.com
Delivered-To: iot-onboarding@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F32773A0A06; Wed, 25 Mar 2020 00:20:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.601
X-Spam-Level:
X-Spam-Status: No, score=-9.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CRsKyqAUGQp4; Wed, 25 Mar 2020 00:20:29 -0700 (PDT)
Received: from aer-iport-3.cisco.com (aer-iport-3.cisco.com [173.38.203.53]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C3DBC3A0A04; Wed, 25 Mar 2020 00:20:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=699; q=dns/txt; s=iport; t=1585120829; x=1586330429; h=mime-version:subject:from:in-reply-to:date:cc: content-transfer-encoding:message-id:references:to; bh=NERGVQF21XuCyopRFnavs9uqM7qHH8A3I3O2yEQqJqw=; b=bkT6JCuuB/P3DKPvHTINlNX3Eojzhf+i5ghQmUMpeoRp0O7NoRCTvKM8 8hy2867Meka+LTla9PuWTqxPx0UKdgH/Q7uG7fe0kipMLXUaHkqHiA/uX WrlLqxd+hpulLOsLuamDwSDIYrPL2zDgpdP+0OroHqnDDDO11/J4bM1s6 s=;
X-IPAS-Result: =?us-ascii?q?A0D0AADEBXte/xbLJq1mGwEBAQEBAQEFAQEBEQEBAwMBA?= =?us-ascii?q?QGBe4IpbFUgEiqEGYkCh3QliWyRWwoBAQEMAQEbFAQBAYREAoJLOBMCAwEBA?= =?us-ascii?q?QMCAwEBAQEFAQEBAgEFBG2FVgyFYwEBAQECASNWBQsLGAICJgICITYGE4MmA?= =?us-ascii?q?YJLAw4grGl1gTKILA2CIIEOKoxJggCBEScMFIIfLj6CG4IIKIMRMoIsBI4ro?= =?us-ascii?q?WVEgkaCVoUJimyEPR2CO4ETmBCEX5V4jHmDNAIEBgUCFYFpIoFYMxoIGxVlA?= =?us-ascii?q?YJBCTUSGA2ObYg3hUJAAzCMVYJCAQE?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.72,303,1580774400"; d="scan'208";a="22418361"
Received: from aer-iport-nat.cisco.com (HELO aer-core-4.cisco.com) ([173.38.203.22]) by aer-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 25 Mar 2020 07:20:25 +0000
Received: from dhcp-10-61-102-54.cisco.com (dhcp-10-61-102-54.cisco.com [10.61.102.54]) by aer-core-4.cisco.com (8.15.2/8.15.2) with ESMTPS id 02P7KOYj002056 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Wed, 25 Mar 2020 07:20:25 GMT
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.60.0.2.5\))
From: Eliot Lear <lear@cisco.com>
In-Reply-To: <CAHiu4JNfWBBMZV0bO41Emdo4GO2EFmicw+E=np_Xey_xG4JsKA@mail.gmail.com>
Date: Wed, 25 Mar 2020 08:20:24 +0100
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, iot-onboarding@ietf.org, mud@ietf.org, Eliot Lear <lear=40cisco.com@dmarc.ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <A19C04FE-3A50-4466-84D4-521C575C43C0@cisco.com>
References: <0DE46278-4708-42B6-8DFF-A8BC67B23F7E@cisco.com> <CAHiu4JPqXd2emEFCRK2dq0L6OFOcr-UdNkhJ2W+Cx5TUCLrprA@mail.gmail.com> <17397.1585086427@localhost> <CAHiu4JNfWBBMZV0bO41Emdo4GO2EFmicw+E=np_Xey_xG4JsKA@mail.gmail.com>
To: "M. Ranganathan" <mranga@gmail.com>
X-Mailer: Apple Mail (2.3608.60.0.2.5)
X-Outbound-SMTP-Client: 10.61.102.54, dhcp-10-61-102-54.cisco.com
X-Outbound-Node: aer-core-4.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/iot-onboarding/LzYfNIdpeX7iPLWcvFJA50atUiA>
Subject: Re: [Iot-onboarding] [Mud] Some new stuff for mudmaker.org
X-BeenThere: iot-onboarding@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IoT onboarding mechanisms <iot-onboarding.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/iot-onboarding>, <mailto:iot-onboarding-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/iot-onboarding/>
List-Post: <mailto:iot-onboarding@ietf.org>
List-Help: <mailto:iot-onboarding-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/iot-onboarding>, <mailto:iot-onboarding-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Mar 2020 07:20:34 -0000


> On 24 Mar 2020, at 23:39, M. Ranganathan <mranga@gmail.com> wrote:
>> 
> 
> Makes sense now. Still wondering what the network would do with the
> SBOM but that is a different thread.

Oh no it’s not! ;-)

If your NMS can pick up the SBOM, then the next step is to compare packages and versions on the device with known CVEs.  At that point, you have to decide on remediation strategies.  In some cases, those remediation strategies may just suck.  Imagine a ventilator being vulnerable today.  But one clearly GOOD strategy would be to limit that ventilator’s exposure to attacks.  How might one go about doing that?  I wonder…

Eliot