Re: [Iotops] [OPSAWG] Status update on MUD-IoT-DNS-Considerations
Michael Richardson <mcr+ietf@sandelman.ca> Fri, 16 July 2021 20:42 UTC
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Carsten Bormann <cabo@tzi.org>
cc: opsawg@ietf.org, iotops@ietf.org
In-Reply-To: <CF64CD8E-9A3E-45BA-A816-2D0A93749438@tzi.org>
References: <25526.1626054262@localhost>
<6F3C1EA9-DB7F-4E29-BA31-D7835C1CFBB4@tzi.org> <8763.1626373016@localhost>
<A5FB4BD3-C1AA-41C2-ADA6-546FF91ACBCF@tzi.org> <30852.1626378085@localhost>
<CF64CD8E-9A3E-45BA-A816-2D0A93749438@tzi.org>
Date: Fri, 16 Jul 2021 16:42:14 -0400
Message-ID: <12901.1626468134@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/iotops/GNczMQ3aybMKIHJ5BFtzIqK2Pso>
Carsten Bormann <cabo@tzi.org> wrote:
    > On 2021-07-15, at 21:41, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
    >>
    >> How does an authoritative (or even authoritarian) firewall identify itself
    >> such that traffic that needs to traverse it can self-identify?
    >> APN has this problem.
    >> I described this problem back in 1996:
    >> https://www.ietf.org/archive/id/draft-richardson-ipsec-aft-00.txt
    >> https://www.ietf.org/archive/id/draft-richardson-ipsec-traversal-01.txt

    > I think one trap that many of these efforts fell into was that they
    > tried to be small attachments to existing technology.

In 1996, I'm not sure I'd say that IPsec was "existing" :-)
The pushback that I got was that it seemed complex.
NAT44 was not established, but it was visible in the form of actual security gateways.

    > Looking at these use cases we need to derive an understanding of the
    > parties involved and what security (and “trust”) relationships they
    > have, and what granularity of authorization of “desirable” traffic is
    > required, desired, and achievable.

Some things have progressed in 25 years.
RPKI exists, although it is not well deployed.
(My understanding is that one reason it is slow in the ARIN region is that ARIN
won't let you have their public key until you assure them you won't sue...)

RPKI would allow a node to say, "I am authoritative for 2001:db8:1234/48"
This could be very powerful if used correctly.

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide