Re: [Iotops] Status update on MUD-IoT-DNS-Considerations

Michael Richardson <mcr@sandelman.ca> Thu, 15 July 2021 21:03 UTC

From: Michael Richardson <mcr@sandelman.ca>
To: Eliot Lear <lear@lear.ch>, Robert Kisteleki <robert@ripe.net>, opsawg@ietf.org, iotops@ietf.org
In-Reply-To: <b02e993b-3823-b01c-8c9f-08a65eab4bfe@lear.ch>
References: <25526.1626054262@localhost> <a3bb99b1-b575-244c-f434-9696aa5b771d@lear.ch> <f3f619a0-b8ef-882c-691f-96c70f8b04ee@ripe.net> <b02e993b-3823-b01c-8c9f-08a65eab4bfe@lear.ch>
Date: Thu, 15 Jul 2021 17:02:46 -0400
Message-ID: <20862.1626382966@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/iotops/LWB52fNikoaT19pBcVLMbexcGeo>

Eliot Lear <lear@lear.ch> wrote:
    > What is and is not a good idea is highly contextual in this case.  The
    > network CAN provide a level of protection to limit attacks on devices, but it
    > can only do so if it knows who that device wants to talk to.  There is no
    > magic here.  Either the bindings can be established or they can't.

Right.
So the advice boils down to:

  Dear IoT device Manufacturer,
  if you want your device protected,
  then avoid playing DNS games that cannot be described easily in MUD.

----

Maybe the document would go better as a song?
        https://www.youtube.com/watch?v=0NnzChrd0S4

my new lyrics:

A lonely MUD controller gazing out of the window
Staring at an IoT device that she just can't touch
If at any time, he's in an IoT attack, she'll be by his side
But he doesn't realize he hurts the Internet so much
But all the DNS-filtering just ain't helping at all
'Cause he can't seem to keep hisself out of 8.8.8.8
So he goes out and he connects to the cloud the best way he knows how
Another TLS connection laying cold in the IDS
Listen to me

[Chorus: TLC]
Don't go chasing DNS flows
Please stick to the servers and the stub resolvers that you're used to
I know that you're gonna have it your way or nothing at all
But I think you're moving too fast

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
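The binding problem the advice above turns on, as an added example that is not code from the draft or from anyone on this thread: a toy MUD controller that takes the DNS names out of a MUD ACL, binds them only to the addresses it sees the network's own resolver hand the device, and then decides whether a flow is permitted. The MUD file, host names, addresses and TTLs are all constructed for the example; the controller logic (learn from observed answers, expire on TTL) is an assumption about how such a controller might work, not a description of any particular implementation.

```python
"""Toy MUD controller: bind DNS names from a MUD ACL to the addresses the
network's own resolver hands the device, then evaluate device flows.
Constructed example; everything here (file, names, addresses, TTLs) is made up."""
import ipaddress
import json

# Constructed MUD file fragment shaped like RFC 8520 (ietf-mud + ietf-access-control-list
# with the ietf-acldns "dst-dnsname" augmentation). The URL and host names are invented.
MUD_FILE = json.loads("""
{
  "ietf-mud:mud": {
    "mud-version": 1,
    "mud-url": "https://example.com/mud/thermostat.json",
    "from-device-policy": {"access-lists": {"access-list": [{"name": "to-cloud"}]}}
  },
  "ietf-access-control-list:acls": {
    "acl": [{
      "name": "to-cloud",
      "type": "ipv4-acl-type",
      "aces": {"ace": [{
        "name": "cloud-https",
        "matches": {
          "ipv4": {"ietf-acldns:dst-dnsname": "api.example.com", "protocol": 6},
          "tcp": {"destination-port": {"operator": "eq", "port": 443}}
        },
        "actions": {"forwarding": "accept"}
      }]}
    }]
  }
}
""")


def dns_rules(mud):
    """Return [(dnsname, port)] for every ACE that matches on a destination DNS name."""
    rules = []
    for acl in mud["ietf-access-control-list:acls"]["acl"]:
        for ace in acl["aces"]["ace"]:
            m = ace["matches"]
            for fam in ("ipv4", "ipv6"):
                name = m.get(fam, {}).get("ietf-acldns:dst-dnsname")
                if name:
                    port = m.get("tcp", {}).get("destination-port", {}).get("port")
                    rules.append((name, port))
    return rules


class MudController:
    """Learns name->address bindings only from answers it can see, i.e. those the
    network's own resolver returns to the device, and drops them when the TTL runs out.
    (Assumed controller behaviour for this example, not any real implementation.)"""

    def __init__(self, mud):
        self.rules = dns_rules(mud)
        self.allowed = {}  # (ip, port) -> expiry time

    def observe_dns_answer(self, qname, answers, ttl, now):
        for name, port in self.rules:
            if name == qname:
                for ip in answers:
                    self.allowed[(ipaddress.ip_address(ip), port)] = now + ttl

    def permits(self, dst_ip, dst_port, now):
        expiry = self.allowed.get((ipaddress.ip_address(dst_ip), dst_port))
        return expiry is not None and now < expiry


# Constructed answers: a CDN gives the local resolver and a public resolver different
# addresses for the same name, and uses a short TTL.
LOCAL_RESOLVER = {"api.example.com": (["192.0.2.10", "192.0.2.11"], 30)}
PUBLIC_RESOLVER = {"api.example.com": (["198.51.100.7"], 30)}


def flow_via_stub_resolver(now=1000):
    """Device uses the network's stub resolver; the controller sees the answer."""
    ctl = MudController(MUD_FILE)
    answers, ttl = LOCAL_RESOLVER["api.example.com"]
    ctl.observe_dns_answer("api.example.com", answers, ttl, now)
    return ctl.permits(answers[1], 443, now + 5)


def flow_via_public_resolver(now=1000):
    """Device asks 8.8.8.8 itself; the controller never sees the answer, so the address
    the device connects to has no binding even though the name is in the MUD file."""
    ctl = MudController(MUD_FILE)
    answers, _ = PUBLIC_RESOLVER["api.example.com"]
    return ctl.permits(answers[0], 443, now + 5)


def flow_after_ttl_expired(now=1000):
    """Device cached the answer past its TTL; the controller's binding is gone."""
    ctl = MudController(MUD_FILE)
    answers, ttl = LOCAL_RESOLVER["api.example.com"]
    ctl.observe_dns_answer("api.example.com", answers, ttl, now)
    return ctl.permits(answers[0], 443, now + ttl + 1)


if __name__ == "__main__":
    print("stub resolver:", flow_via_stub_resolver())        # True
    print("8.8.8.8 directly:", flow_via_public_resolver())    # False
    print("stale cache:", flow_after_ttl_expired())           # False
```

The three scenarios are the point: the name is in the MUD file in every case, but the controller can only enforce it when the device resolves through the resolver the controller can observe and connects within the TTL of that answer. A device that talks to 8.8.8.8 directly, or keeps using an address past its TTL, produces a flow the controller has no binding for.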