Re: [Iotops] [OPSAWG] Status update on MUD-IoT-DNS-Considerations

Carsten Bormann <cabo@tzi.org> Fri, 16 July 2021 16:45 UTC

From: Carsten Bormann <cabo@tzi.org>
In-Reply-To: <30852.1626378085@localhost>
Date: Fri, 16 Jul 2021 18:45:00 +0200
Cc: opsawg@ietf.org, iotops@ietf.org
Message-Id: <CF64CD8E-9A3E-45BA-A816-2D0A93749438@tzi.org>
References: <25526.1626054262@localhost> <6F3C1EA9-DB7F-4E29-BA31-D7835C1CFBB4@tzi.org> <8763.1626373016@localhost> <A5FB4BD3-C1AA-41C2-ADA6-546FF91ACBCF@tzi.org> <30852.1626378085@localhost>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/iotops/BrlWFhLbc1w9m20PONhJVOSRT-4>
Subject: Re: [Iotops] [OPSAWG] Status update on MUD-IoT-DNS-Considerations

On 2021-07-15, at 21:41, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
> 
> How does an authoritative (or even authoritarian) firewall identify itself
> such that traffic that needs to traverse it can self-identify?
> APN has this problem.
> I described this problem back in 1996:
>  https://www.ietf.org/archive/id/draft-richardson-ipsec-aft-00.txt
>  https://www.ietf.org/archive/id/draft-richardson-ipsec-traversal-01.txt

I think one trap that many of these efforts fell into was that they tried to be small attachments to existing technology.

There is nothing wrong with describing a little hack that has some useful applications, but that won’t cover the gamut of use cases that we really have.
Looking at these use cases, we need to derive an understanding of the parties involved and what security (and “trust”) relationships they have, and what granularity of authorization of “desirable” traffic is required, desired, and achievable.
Note also the term “justifiable” in my problem statement!
Only then can we check whether a proposed solution actually solves a large enough problem.

Grüße, Carsten